Udemy CASP Practice Exam 4 Flashcards

1
Q

Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the platform’s key management, he discovers that API keys are embedded in the application’s source code. Which of the following statements best describes the security flaw with this coding practice?

A. The embedded key may be discovered by an attacker who reverse engineers the source code
B. It is difficult to control the permission levels for embedded keys
C. Key management is no longer required since the key is embedded in the source code
D. Changing the API key will require a corresponding software upgrade

A

A. The embedded key may be discovered by an attacker who reverse engineers the source code

Explanation:
OBJ-1.3: An adversary who obtains the application (or its source) can recover the embedded key by reverse engineering it; a key shipped inside a binary is rarely hidden for long, since it shows up in a strings dump or a decompiler. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended, using the application's own identity. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. Having to ship a new build every time the key is changed is a real operational inconvenience, but it is a consequence of the practice rather than the underlying security issue with embedding API keys in the source code. The fix is to keep the key out of the code base and load it at runtime from an environment variable, a configuration file outside version control, or a secrets manager, and to scan repositories for credentials that have already been committed.
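As an added example (not part of the original flashcard), the following Python scanner flags the kind of embedded credential Jason found. It walks a constructed source file, matches string literals assigned to identifiers that look like credentials, and keeps only values that are long and random-looking (Shannon entropy), which is how repository secret scanners separate a real key from a setting such as DEBUG = "true". The sample source, the key value and the thresholds are all assumptions made up for this example.

```python
import math
import re

# Constructed sample source file (not from the page) with a hard-coded key next to
# the safer pattern of reading the key from the environment at runtime.
SAMPLE_SOURCE = '''
import os
import requests

API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"        # hard-coded: ships in every build
api_key = os.environ.get("PAYMENTS_API_KEY")          # read from the environment instead
DEBUG = "true"
MAX_RETRIES = "3"
'''

# A string literal assigned to an identifier that looks like a credential.
ASSIGN_RE = re.compile(
    r'(?P<name>[A-Za-z_]*(?:key|secret|token|passw(?:or)?d)[A-Za-z_]*)'
    r'\s*=\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(source: str, min_len: int = 16, min_entropy: float = 3.5):
    """Return (line_no, name, value) for literals that look like embedded credentials.

    min_len and min_entropy are assumed thresholds; tune them to the code base.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((line_no, m.group("name"), value))
    return findings


if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} looks like an embedded credential ({value[:8]}...)")
```

The environment-variable line is not flagged because the value is a call, not a literal, and the two settings are too short and too regular to pass the entropy threshold. A scanner like this belongs in a pre-commit hook or CI step; it does not replace rotating a key that has already been committed.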

2
Q

Dion Training has decided to install a web application firewall to mitigate the risk of a successful SQL injection occurring against their web server. What phase of the risk management lifecycle is Dion Training currently operating in?

A. Assess
B. Review
C. Identify
D. Control

A

D. Control

Explanation:
OBJ-4.1: This is the control phase. The identify phase is used to inventory assets and for the identification of all risk items in an organization. The assess phase is used to analyze identified risks to determine their associated level of risk before any mitigations or controls are implemented. The control phase is used to identify effective methods for risk reduction for identified risks in an organization. The review phase is used to periodically re-evaluate the risks in an organization by determining if the risk level has changed and identified controls are still effective.

3
Q

A company has implemented the capability to send all log files to a centralized server by utilizing an encrypted TLS channel. Once received at the server, the log files are reviewed and analyzed by a cybersecurity analyst. A recently released exploit has caused the company’s encryption to become insecure. What would you do to mitigate or correct this vulnerability in the server’s implementation of this encrypted TLS channel?

A. Utilize SMTP for log file collection
B. Utilize an FTP server for log collection
C. Configure the firewall to block port 22
D. Install a security patch on the server

A

D. Install a security patch on the server

Explanation:
OBJ-3.7: Vulnerability patching is the process of checking your operating systems, software, applications, and network components for vulnerabilities that could allow a malicious user to access your system and cause damage, and then applying a security patch or reconfiguring the device to mitigate the vulnerabilities found. If there is a working exploit against the server’s encryption protocols, a technician must install a security patch to mitigate or correct this vulnerability. Both FTP and SMTP are considered insecure protocols and transmit data in plain text, therefore they would make the log files even more insecure by using these protocols. Port 22 is used by secure shell (SSH), which is encrypted by default. Blocking port 22 would prevent SSH from being used in the network and would not mitigate the vulnerability identified in this question.

4
Q

Which of the following roles should coordinate communications with the media during an incident response?

A. Public Relations
B. Senior leadership
C. Human resources
D. System administrators

A

A. Public Relations

Explanation:
OBJ-2.7: Public relations staff should be included in incident response teams to coordinate communications with the general public and the media to manage any negative publicity from a serious incident. Information about the incident should be released in a controlled way when appropriate through known press and external public relations agencies. Senior leadership should be focused on how the incident affects their departments or functional areas to make the best decisions. The senior leadership should not talk to the media without guidance from the public relations team. System administrators are part of the incident response team since they know the network’s normal baseline behavior and its system better than anyone else. System administrators should not talk to the media during an incident response. Human resources are part of the incident response team to appropriately contact any suspected insider threats and ensure no breaches of employment law or employment contracts are made.

5
Q

Which of the following is the biggest advantage of using Agile software development?

A. Its inherent agility allows developers to maintain focus on the overall goals of the project
B. Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel
C. Its structured and phase-oriented approach ensures that customer requirements are rigorously defined before development begins
D. It can provide better, more secure and more efficient code

A

B. Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel

Explanation:
OBJ-1.3: Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the project’s overall objective. Agile models do not necessarily produce better, more secure, or more efficient code than other methods.

6
Q

Which of the following will an adversary do during the command and control phase of the Lockheed Martin kill chain? (SELECT TWO)

A. Release of malicious email
B. Create a point of presence by adding services, scheduled tasks or AutoRun keys
C. Utilize web, DNS and email protocols to conduct control of the target
D. Destroy systems
E. Open up a two way communication channel to an established infrastructure
F. Conduct internal reconnaissance of the target network

A

C. Utilize web, DNS and email protocols to conduct control of the target
E. Open up a two way communication channel to an established infrastructure

Explanation:
OBJ-2.1: During the command and control (C2) phase, the adversary is testing that they have control over any implants that have been installed. This can be conducted using the web, DNS, and email protocols to control the target and relies on an established two-way communication infrastructure to control the target system using remote access. Internal reconnaissance or destructive actions occur in the actions on objectives phase. The release of malicious emails occurs in the delivery phase.

7
Q

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?

A. Fingerprint and retinal scan
B. Smartcard and PIN
C. Password and security question
D. Username and password

A

B. Smartcard and PIN

Explanation:
OBJ-1.5: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (behavior factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. A fingerprint and a retinal scan are two instances of a single factor (inherence). A password and a security question are likewise a single factor (knowledge), as are a username and password, since the username is an identifier rather than a secret. For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or behavior.

8
Q

Your company hosts all of the company’s virtual servers internally in your data center. If a total failure or disaster occurs, the server images can be restored on a cloud provider and accessed through a VPN. Which of the following types of cloud services is your company using in this scenario?

A. Public IaaS
B. Hybrid SaaS
C. Community PaaS
D. Private SaaS

A

A. Public IaaS

Explanation:
OBJ-3.4: Infrastructure as a service (IaaS) is a type of cloud computing service that offers essential compute, storage, and networking resources on-demand, on a pay-as-you-go basis. Since the company is hosting all of its servers as virtual machines, they could quickly restore their datacenter capabilities by restoring the VM images to a public cloud IaaS solution and then connecting to them using a VPN. Platform as a Service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. Software as a Service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365). SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider.

9
Q

During which phase of the incident response process does an organization assemble an incident response toolkit?

A. Preparation
B. Post-incident activity
C. Containment, eradication, and recovery
D. Detection and analysis

A

A. Preparation

Explanation:
OBJ-2.7: During the preparation phase, the incident response team conducts training, assembles and maintains its incident response kit (forensic workstations, write blockers, imaging and analysis tools, clean media, contact lists), and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring for and confirming possible malicious events or attacks. During the containment, eradication, and recovery phase, the team limits the damage, removes the attacker's access and artifacts, and restores systems, while preserving forensic evidence and incident records so that future attacks can be prevented or the attacker can be prosecuted. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

10
Q

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program’s components are run from in memory?

A. ASLR
B. DLP
C. DEP
D. DLL

A

A. ASLR

Explanation:
OBJ-3.2: ASLR randomizes where the components of a running process (the base executable, shared libraries and their APIs, the stack, and the heap) are placed in memory on each run, so an exploit cannot rely on a fixed address for a return target, shellcode, or ROP gadget. It does not stop the overflow itself; it makes a working exploit far less reliable, and it is normally paired with DEP. The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap) by preventing code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.

11
Q

Dion Training is building a new web application that requires encryption capabilities. The development team needs to select a symmetric block encryption cipher that can support a block size of 64-bits and an effective encryption key size of 112-bits or 168-bits. Which of the following algorithms should the development team select?

A. 3DES
B. Salsa20
C. AES
D. ChaCha

A

A. 3DES

Explanation:
OBJ-3.6: Triple Data Encryption Standard (3DES) was built as a stopgap replacement for the older DES algorithm. It applies DES three times in an encrypt-decrypt-encrypt sequence using either two or three independent 56-bit keys, giving key lengths of 112 bits (two-key) or 168 bits (three-key); because of meet-in-the-middle attacks, the effective strength of three-key 3DES is closer to 112 bits. 3DES is a symmetric block cipher with a 64-bit block size, which is why it is the only option that matches the requirement. Two caveats for a new design: NIST has deprecated 3DES and disallows it for encryption after 2023 (SP 800-131A Rev. 2), and its 64-bit block makes it subject to birthday-bound attacks such as Sweet32 once roughly 2^32 blocks are encrypted under one key, so outside of a legacy interoperability requirement the team should prefer AES. The Advanced Encryption Standard (AES) is the current standard for the U.S. federal government's symmetric block encryption cipher. AES can use a key size of 128-bits, 192-bits, or 256-bits with a 128-bit block size. Salsa20 is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. Salsa20 itself is not used in many cryptographic implementations, but its variant ChaCha is widely deployed, including by Google in Android devices and the Chrome browser. ChaCha is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha20 is used together with the Poly1305 message authentication code (ChaCha20-Poly1305) in the TLS implementations of the Chrome browser and the Android operating system, and it is also used by OpenSSH and by the random number generator in the BSD operating systems as a replacement for the older RC4 algorithm.

12
Q

Dion Training wants to install a software agent on all of their workstations to collect system data and logs for analysis by their cybersecurity analysts. The software agent should also allow for early detection of threats and malware on the endpoint. When malicious activity is detected, the agent should allow for the containment of malware to the endpoint and help incident responders in the remediation of the endpoint to a safe and secure baseline. Which of the following endpoint security controls would BEST meet these requirements?

A. Host based intrusion detection system (HIDS)
B. Host based firewall
C. User and entity behavior analytics (UEBA)
D. Endpoint detection and response (EDR)

A

D. Endpoint detection and response (EDR)

Explanation:
OBJ-3.2: Endpoint detection and response (EDR) is a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats, and that also supports response actions such as isolating the host from the network, killing processes, and rolling the endpoint back to a known-good state, which is what the containment and remediation requirements call for. User and entity behavior analytics (UEBA) is a type of cybersecurity application or appliance that identifies anomalous or malicious behavior by using machine learning and statistical analysis to identify deviations from normally established baselines and patterns of activity. A host-based intrusion detection system (HIDS) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state, but it only alerts; it does not contain or remediate. A host-based firewall is a firewall implemented as application software running on the host that provides sophisticated filtering of network traffic as well as blocking processes at the application level.

13
Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment. A portion of the scan results is shown below.
Which exploit is the website vulnerable to based on the results?

A. SQL Injection
B. Local File Inclusion
C. Session hijacking
D. Cookie manipulation

A

B. Local File Inclusion

Explanation:
OBJ-2.4: Based on the results, you can determine that this website is vulnerable to a file inclusion exploit: the flagged parameter carries a Base64-encoded value. If you decoded that Base64 data (which you are not expected to do on the exam in real time), you would see that it references a local file path such as c:\wwwroot\image.jpg, which is the signature of a local file inclusion. You could also use the process of elimination on this question, since neither SQL syntax nor cookies appear in the results.

14
Q

Consider the following REGEX search string:
Which of the following strings would NOT be included in the output of this search?

A. 37.259.129.207
B. 205.255.255.001
C. 001.02.3.40
D. 1.2.3.4

A

A. 37.259.129.207

Explanation:
OBJ-2.2: The \b anchors are word boundaries, so the pattern only matches a dotted address that stands on its own rather than one embedded in a longer run of word characters. The REGEX is made up of four identical repeating groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), separated by an escaped dot; written out in full it is:

\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

Each group describes one octet of an IPv4 address: 25[0-5] covers 250-255, 2[0-4][0-9] covers 200-249, and [01]?[0-9][0-9]? covers 0-199 (a one- or two-digit number optionally preceded by a 0 or 1, which also allows leading zeros such as 001). Since the period is a special character in a REGEX (it matches any character), the escape character (\) is required for it to match a literal dot. This sequence repeats four times, covering every octet value from 0 to 255. A string starting with 25 must end with a digit between 0 and 5 (25[0-5]), and 2[0-4][0-9] requires the second digit to be 4 or less, so 259 cannot be matched by any alternative and 37.259.129.207 is rejected. Two caveats a practitioner should know: the pattern accepts non-canonical forms with leading zeros (001.02.3.40 matches), and \b is only a word boundary, so 1.2.3.4 inside 1.2.3.4.5 still matches; validate extracted candidates with a proper address parser before acting on them. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn't a valid IP address? Clearly, 37.259.129.207 is not a valid IP address, so if you had to guess as to what wouldn't be an output of this complex-looking command, you should guess that one!
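As an added example (not part of the original flashcard), this Python snippet builds the pattern exactly as the explanation above reconstructs it and runs it over a few constructed log lines: the four answer choices plus two lines chosen to show the edge cases (a fifth dotted group, and an octet of 256). The log lines are made up for this example.

```python
import re

# The octet group from the explanation, repeated four times with escaped dots and
# wrapped in word boundaries. (?: ... ) keeps findall returning the whole address.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4_RE = re.compile(r"\b" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET + r"\b")


def find_ipv4(text: str) -> list:
    """Return every substring of text that the pattern accepts, in order."""
    return IPV4_RE.findall(text)


def unmatched_lines(lines: list) -> list:
    """Return the lines in which the pattern finds nothing at all."""
    return [line for line in lines if not IPV4_RE.search(line)]


# Constructed log lines (not from the page).
SAMPLE_LOG = [
    "src=37.259.129.207 action=deny",    # 259 fails every alternative: no match
    "src=205.255.255.001 action=allow",  # leading zeros are accepted
    "src=001.02.3.40 action=allow",
    "src=1.2.3.4 action=allow",
    "ver=1.2.3.4.5 build ok",            # five dotted groups: the first four still match
    "host=10.0.0.256 action=deny",       # 256 is rejected: no match
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{line!r:40} -> {find_ipv4(line)}")
```

The result illustrates both caveats from the explanation: 001.02.3.40 is reported even though it is not a canonical address, and the version string yields a false positive. When this pattern is used to pull indicators out of logs, feed each hit through an address parser such as Python's ipaddress module (which rejects octets above 255 and, in current releases, leading zeros) before querying threat intelligence or writing block rules.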

15
Q

A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

A. Passive scanning engine located at the core of the network infrastructure
B. Combination of server based and agent based scanning engines
C. Active scanning engine installed on the enterprise console
D. Combination of cloud based and server based scanning engines

A

C. Active scanning engine installed on the enterprise console

Explanation:
OBJ-2.3: Since the college requires central management from an enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then scan any device connected to the network with the active scanning engine at the desired intervals, and the scan scope grows and shrinks with the population of connected devices. Agent-based scanning would be ineffective since the college cannot force the installation of agents onto the personally owned laptops brought in by students and faculty. A cloud-based or server-based engine may be useful, but it does not address the centrally-managed requirement on its own. Passive scanning is less intrusive but is subject to a high number of false positives.

16
Q

Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day’s scans are still running when the scanner attempts to start the current day’s scans. Which of the following recommendations is LEAST likely to resolve this issue?

A. Reduce the scope of the scans
B. Reduce the sensitivity of the scans
C. Add another vulnerability scanner
D. Reduce the frequency of scans

A

B. Reduce the sensitivity of the scans

Explanation:
OBJ-2.4: If the cybersecurity analyst were to reduce the scans’ sensitivity, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. In this scenario, the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. The analyst could reduce the scans’ scope, thereby scanning fewer systems or vulnerabilities signatures and taking less time to complete. Alternatively, the analyst could reduce the scans’ frequency by moving to a less frequent schedule, such as one scan every 48 hours or one scan per week. The final option would be to add additional vulnerability scanners to the process. This would allow the two scanners to work together to divide the workload and complete the task within the 24-hour scan frequency currently provided.

17
Q

William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?

A. AES
B. PAM
C. FDE
D. TPM

A

D. TPM

Explanation:
OBJ-3.2: This question is asking if you know what each acronym means. A Trusted Platform Module (TPM) is a hardware-based cryptographic processor, usually a chip on the motherboard or a firmware TPM in the CPU, that generates and protects keys and can seal the disk encryption key to the measured boot state. Pluggable Authentication Modules (PAM) is a software framework on Linux and UNIX systems that lets applications plug in different authentication methods; it is not hardware. Full Disk Encryption (FDE) can be hardware- or software-based, so it is the goal rather than the component William needs. The Advanced Encryption Standard (AES) is a cryptographic algorithm, not a hardware solution. One practical caveat: a TPM protects the volume key rather than performing the bulk encryption, so the throughput William is worried about actually comes from CPU AES instructions (such as AES-NI) or a self-encrypting drive; a complete specification would ask for both the TPM and hardware AES acceleration.

18
Q

Dion Training has just acquired Small Time Tutors and ordered an analysis to determine the sensitivity level of the data contained in their databases. In addition to determining the sensitivity of the data, the company also wants to determine exactly how they have collected, used, and maintained the data throughout its data lifecycle. Once this is fully identified, Dion Training intends to update the terms and conditions on their website to inform their customers and prevent any possible legal issues from any possible mishandling of the data. Based on the information provided, which of the following types of analysis is the team at Dion Training going to perform?

A. Gap analysis
B. Business impact analysis
C. Tradeoff analysis
D. Privacy impact analysis

A

D. Privacy impact analysis

Explanation:
OBJ-4.4: A privacy impact assessment is conducted by an organization for it to determine where its privacy data is stored and how that privacy data moves throughout an information system. It evaluates the impacts that may be realized by a compromise to the confidentiality, integrity, and/or availability of the data. A tradeoff analysis compares potential benefits to potential risks and determines a course of action based on adjusting factors that contribute to each area. A business impact analysis describes the collaborative effort to identify those systems and software that perform essential functions, meaning the organization cannot run without them. A gap analysis measures the difference between the current state and desired state to assess the scope of work included in a project. By measuring ALE, MTTR, MTBF, TCO, and other factors, the organization can identify how closely it is performing to the desired outcomes or requirements.

19
Q

Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the system administrator’s computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ?

(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

A. 172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW
B. 192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW
C. 192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW
D. 172.16.1.4,192.168.0.0/24, 22, TCP, ALLOW

A

D. 172.16.1.4,192.168.0.0/24, 22, TCP, ALLOW

Explanation:
OBJ-1.1: Since the scenario requires SSH access from the IT computer to all three servers in the DMZ, you need a /24 destination to cover them with one ACL entry (or three separate entries, one per server). Since you can only select one entry here, you use the /24 for the destination network. This means that the Source IP is 172.16.1.4 (the IT computer only), the Destination IP is 192.168.0.0/24 (the entire DMZ), the port is 22 (SSH over TCP), and the condition is ALLOW; with implicit deny, everything else is dropped. Option A is far too broad (every host on the IT subnet, every TCP port), and options B and C have the source and destination reversed, which would let DMZ hosts initiate connections into the internal network.
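As an added example (not part of the original flashcard), the following Python code models the firewall's first-match lookup with implicit deny and checks each of the four candidate entries against what the question actually requires: the IT host may SSH to the DMZ, nobody else may, no other port is opened, and the DMZ cannot initiate into the LAN. The IT host and DMZ range come from the question; the other workstation address (172.16.1.10) and the DMZ server address (192.168.0.10) are assumptions, since the diagram is not reproduced here.

```python
import ipaddress

# Candidate ACL entries from the four answer choices, in the question's field order:
# source, destination, port, protocol, action. "ANY" is a wildcard port.
CANDIDATES = {
    "A": ("172.16.1.0/24", "192.168.0.0/24", "ANY", "TCP", "ALLOW"),
    "B": ("192.168.0.3/24", "172.16.1.4", "ANY", "TCP", "ALLOW"),
    "C": ("192.168.0.0/24", "172.16.1.4", "22", "TCP", "ALLOW"),
    "D": ("172.16.1.4", "192.168.0.0/24", "22", "TCP", "ALLOW"),
}


def _net(spec: str):
    # strict=False reads a host-bit address such as 192.168.0.3/24 as 192.168.0.0/24,
    # and a bare address such as 172.16.1.4 as a /32.
    return ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src: str, dst: str, port: int, proto: str) -> str:
    """First-match ACL lookup; the firewall's implicit deny applies when nothing matches."""
    for rule_src, rule_dst, rule_port, rule_proto, action in acl:
        if (ipaddress.ip_address(src) in _net(rule_src)
                and ipaddress.ip_address(dst) in _net(rule_dst)
                and (rule_port == "ANY" or int(rule_port) == port)
                and rule_proto == proto):
            return action
    return "DENY"


# Constructed test traffic. The two addresses below are assumed for this example.
IT_HOST = "172.16.1.4"
OTHER_LAN_HOST = "172.16.1.10"   # assumed: another workstation on the IT subnet
DMZ_WEB = "192.168.0.10"         # assumed: one of the three DMZ servers

REQUIREMENTS = [
    # (src, dst, port, proto, expected verdict)
    (IT_HOST, DMZ_WEB, 22, "TCP", "ALLOW"),        # admin SSH must work
    (OTHER_LAN_HOST, DMZ_WEB, 22, "TCP", "DENY"),  # nobody else may SSH
    (IT_HOST, DMZ_WEB, 3389, "TCP", "DENY"),       # only port 22, nothing else
    (DMZ_WEB, IT_HOST, 22, "TCP", "DENY"),         # DMZ must not initiate into the LAN
]


def satisfying_entries() -> list:
    """Return the answer letters whose single entry meets every requirement."""
    ok = []
    for letter, entry in CANDIDATES.items():
        if all(evaluate([entry], s, d, p, pr) == exp for s, d, p, pr, exp in REQUIREMENTS):
            ok.append(letter)
    return ok


if __name__ == "__main__":
    for letter, entry in CANDIDATES.items():
        verdicts = [evaluate([entry], s, d, p, pr) for s, d, p, pr, _ in REQUIREMENTS]
        print(letter, entry, verdicts)
    print("entries meeting all requirements:", satisfying_entries())
```

Only D passes all four checks; A fails because it lets every host on the IT subnet reach every TCP port in the DMZ. The model assumes a stateful firewall, where the SSH replies from the DMZ ride on the connection state; on a stateless ACL you would also need an entry for the return traffic, and that entry, not the one above, is where "established" style restrictions matter.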

20
Q

What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system?

A. Comparing response fingerprints and registry scanning
B. Banner grabbing and UDP response timing
C. Banner grabbing and comparing response fingerprints
D. Using the -O option in nmap and UDP response timing

A

C. Banner grabbing and comparing response fingerprints

Explanation:
OBJ-2.4: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

21
Q

What type of scan will measure the size or distance of a person’s external features with a digital video camera?

A. Iris Scan
B. Retinal Scan
C. Facial Recognition Scan
D. Signature Kinetics Scan

A

C. Facial Recognition Scan

Explanation:
OBJ-1.5: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person’s iris. A signature kinetics scan measures a user’s action when signing their name and compares it against a known-good example or baseline.

22
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE)

A. Returns only Microsoft Excel spreadsheets
B. Returns only files hosted at diontraining.com
C. Personalization is turned off
D. Find sites related to diontraining.com
E. All search filters are deactivated
F. Excludes Microsoft Excel spreadsheets

A

A. Returns only Microsoft Excel spreadsheets
B. Returns only files hosted at diontraining.com
C. Personalization is turned off

Explanation:
OBJ-2.2: The URL is a percent-encoded Google query. Decoded, q=password+filetype%3Axls+site%3Adiontraining.com is the search string password filetype:xls site:diontraining.com (the + encodes a space and %3A encodes ':'): it searches for pages containing the term "password", limited (filetype:xls) to Microsoft Excel spreadsheets and (site:diontraining.com) to files hosted on diontraining.com. The remaining parameters are separate from the query: pws=0 disables personalization, and filter=p deactivates only the directory filtering function. Three statements are therefore true: only Excel spreadsheets are returned, only files hosted at diontraining.com are returned, and personalization is turned off. If you wanted to exclude Microsoft Excel spreadsheets, you would put -filetype:xls in the query. To find related websites or pages, you would use the related: operator. To deactivate all filters, filter=0 would be used; filter=p deactivates only the directory filtering function. A search like this in a proxy log deserves a second look, since it is a textbook Google dork for credential-bearing documents on the organization's own domain.
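As an added example (not part of the original flashcard), this Python code does what the analyst did by hand: it decodes the proxy-log URL with the standard library, splits the query into plain terms and include/exclude operators, and reads the pws and filter parameters. A second function answers the question a SOC analyst actually cares about, whether the search is scoped to the organization's own domain. The operator list and the second sample URL are assumptions for this example; the first URL is the one from the question.

```python
from urllib.parse import urlsplit, parse_qs

# The URL from the question, as it appeared in the proxy log.
LOG_URL = ("https://www.google.com/search?q=password+filetype%3Axls"
           "+site%3Adiontraining.com&pws=0&filter=p")

# Search operators worth extracting when hunting for dorking (assumed list).
OPERATORS = ("filetype", "ext", "site", "related", "inurl", "intitle", "intext")


def parse_dork(url: str) -> dict:
    """Break a Google search URL into terms, include/exclude operators and flags."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)              # decodes '+' to space and %3A to ':'
    query = qs.get("q", [""])[0]
    result = {
        "terms": [],
        "include": {},
        "exclude": {},
        "personalization_off": qs.get("pws") == ["0"],
        "filter": qs.get("filter", [None])[0],
    }
    for token in query.split():
        negated = token.startswith("-")
        body = token[1:] if negated else token
        op, sep, value = body.partition(":")
        if sep and op.lower() in OPERATORS:
            bucket = result["exclude"] if negated else result["include"]
            bucket.setdefault(op.lower(), []).append(value)
        else:
            result["terms"].append(token)
    return result


def targets_domain(url: str, domain: str) -> bool:
    """True when the search is restricted with site: to domain or one of its subdomains."""
    sites = parse_dork(url)["include"].get("site", [])
    return any(s == domain or s.endswith("." + domain) for s in sites)


if __name__ == "__main__":
    print(parse_dork(LOG_URL))
    print("aimed at diontraining.com:", targets_domain(LOG_URL, "diontraining.com"))
```

Run over a day of proxy logs, a filter on targets_domain() plus a filetype: operator for document types (xls, pdf, docx) surfaces reconnaissance against your own public footprint, and the exclude bucket keeps a query such as -filetype:xls from being misread as a request for spreadsheets.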

23
Q

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation?

A. URL Filter
B. Quarantine
C. Application blocklist
D. Containment

A

A. URL Filter

Explanation:
OBJ-1.1: A URL filter can be used to block a website based on its web address or uniform resource locator (URL), and it applies to every user behind the proxy or gateway at once. This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective for blocking access to a given website across the entire organization. An application blocklist is used to prevent an application from running, so it cannot be used to block a single malicious or suspicious website or URL.

24
Q

Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company’s policy. What best describes the actions Michelle just took?

A. Input validation
B. Application hardening
C. Patch management
D. Vulnerability scanning

A

B. Application hardening

Explanation:
OBJ-3.2: Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.

25
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company from an incident. Which of the following best describes the company’s risk response?

A. Transference
B. Mitigation
C. Avoidance
D. Acceptance

A

A. Transference

Explanation:
OBJ-4.1: Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing an activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

26
Q

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?

A. DNS Poisoning
B. ARP Spoofing
C. MAC Spoofing
D. DNS Brute Forcing

A

A. DNS Poisoning

Explanation:
OBJ-1.3: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.

27
Q

An analyst’s vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans. However, the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation?

A. Test the vulnerability remediations in a sandbox before deploying them into production
B. Create a script to automatically update the signatures every 24 hours
C. Ensure the analyst manually validates that the updates are being performed as directed
D. Configure the vulnerability scanners to run a credentialed scan

A

B. Create a script to automatically update the signatures every 24 hours

Explanation:
OBJ-2.6: Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion. Still, it won’t solve this scenario since we are concerned with the scanning portion of vulnerability management and not remediation.

28
Q

Dion Security Response Group is conducting an incident response on an ICS/SCADA network used to control an oil pipeline. When the incident responder arrives on the scene, she believes that the ICS/SCADA system may have been infected with malware that caused the pumps to continue pumping past their safe limits which resulted in an overflow of the holding tanks. To test this theory, she needs to check the logs from the ICS control loop. Which of the following operational technologies should she look at first?

A. Human machine interface
B. Data historian
C. Safety instrumented system
D. Ladder logic

A

B. Data historian

Explanation:
OBJ-3.3: The data historian is a type of software that aggregates and catalogs data from multiple sources within an industrial control system’s control loop. Essentially, the data historian acts like a SIEM for ICS/SCADA systems and, therefore, the incident responders should review the data historian first. The human-machine interface (HMI) provides the input and output controls on a PLC to allow a user to configure and monitor the system. A Safety Instrumented System (SIS) is composed of sensors, logic solvers, and final control elements (devices like horns, flashing lights, and/or sirens) used to return an industrial process to a safe state after predetermined conditions are detected. Ladder Logic is a graphical, flowchart-like programming language used to program the special sequential control sequences used by a programmable logic controller (PLC).

29
Q

During a penetration test of your company’s network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password’s complexity?

A. Pa55w0rd
B. P@$$w0rd
C. P@$$W0RD
D. pa55word

A

D. pa55word

Explanation:
OBJ-1.5: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option ‘pa55word’ is the weakest choice since it only includes lowercase letters and numbers. The option ‘Pa55w0rd’ is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option ‘P@$$W0RD’ is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is ‘P@$$w0rd’ since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

30
Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment. A portion of the scan results is shown below. Which exploit is the website vulnerable to based on the results?

A. Session hijacking
B. Information Disclosure
C. SQL Injection
D. Local File Inclusion

A

B. Information Disclosure

Explanation:
OBJ-2.4: Information disclosure is any condition that allows the attacker to gain access to protected information. In this case, the server is vulnerable to disclosing information about the version of PHP being used. The phpinfo.php file should not be accessible to remote users over the internet, as it can be used to provide them with valuable information to help plan an attack.

31
Q

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor’s management interface be exposed to in order to ensure the best security of the virtualization platform?

A. Management network
B. Internal zone
C. External Zone
D. Screened subnet

A

A. Management network

Explanation:
OBJ-1.2: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or screened subnet (formerly called a DMZ) should not have the management interface exposed to them.

32
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network’s security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

A. Implement a jumpbox system
B. Require 2FA on the laptops
C. Increase the encryption level of VPN used by the laptops
D. Scan the laptops for vulnerabilities and patch them

A

A. Implement a jumpbox system

Explanation:
OBJ-1.1: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

33
Q

Dion Training is building a new mobile application that requires encryption capabilities. The development team needs to select a secure symmetric stream encryption cipher that can support an encryption key size of 128-bits or 256-bits. Which of the following algorithms should the development team select?

A. RC4
B. ChaCha
C. AES
D. 3DES

A

B. ChaCha

Explanation:
OBJ-3.6: ChaCha is a variant of Salsa20 that is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement to the older RC4 algorithm. RC4 is a stream cipher that was used in the wireless encryption protocol (WEP) and many SSL/TLS implementations. RC4 is considered extremely vulnerable to attack and should not be used in modern applications. The Advanced Encryption Standard (AES) is the current standard for the U.S. federal government’s symmetric block encryption cipher. AES can use a key size of 128-bits, 192-bits, or 256-bits with a 128-bit block size. Triple Digital Encryption Standard (3DES) was built as a temporary replacement for the older DES algorithm. 3DES utilizes 3 different 56-bit encryption keys in an encrypt-decrypt-encrypt workflow to effectively increase the security of the weaker DES algorithm. 3DES is a symmetric block encryption cipher and utilizes a 64-bit block size.

34
Q

Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page?

A. Session management
B. Error handling
C. Input validation
D. Output encoding

A

D. Output encoding

Explanation:
OBJ-1.3: Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.

35
Q

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability scanner option would BEST create the process requirements to meet the industry-standard benchmarks?

A. Utilizing a non-credentialed scan
B. Utilizing a known malware plugin
C. Utilizing an authorized credential scan
D. Utilizing an operating system SCAP

A

D. Utilizing an operating system SCAP

Explanation:
OBJ-2.4: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

36
Q

Dion Training is building a new video streaming service with support for digital encryption of the content. The development team needs to select a strong symmetric stream encryption cipher that operates well on both desktop and mobile devices. Which of the following algorithms should the development team select?

A. 3DES
B. AES
C. ChaCha
D. RC4

A

C. ChaCha

Explanation:
OBJ-3.6: ChaCha is a variant of Salsa20 that is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement to the older RC4 algorithm. RC4 is a stream cipher that was used in the wireless encryption protocol (WEP) and many SSL/TLS implementations. RC4 is considered extremely vulnerable to attack and should not be used in modern applications. The Advanced Encryption Standard (AES) is the current standard for the U.S. federal government’s symmetric block encryption cipher. AES can use a key size of 128-bits, 192-bits, or 256-bits with a 128-bit block size. Triple Digital Encryption Standard (3DES) was built as a temporary replacement for the older DES algorithm. 3DES utilizes 3 different 56-bit encryption keys in an encrypt-decrypt-encrypt workflow to effectively increase the security of the weaker DES algorithm. 3DES is a symmetric block encryption cipher and utilizes a 64-bit block size.

37
Q

While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of exploit are you attempting?

A. Session hijacking
B. Buffer overflow
C. XML Injection
D. SQL Injection

A

D. SQL Injection

Explanation:
OBJ-2.5: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic.

38
Q

Which of the following terms is used to describe the period of time taken to correct a fault so that the system is restored to full operations after a failure or incident?

A. RPO
B. RTO
C. MTTR
D. MTBF

A

C. MTTR

Explanation:
OBJ-4.1: Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product. Recovery time objective (RTO) is the maximum time an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired.

39
Q

Dion Training is developing a password manager for use by its employees. The company wants to ensure that all of the passwords stored by the password manager are secure from brute-force attacks even if the employee enters a chosen password that is weak. Which of the following cryptographic protocols should Dion Training use in their password manager to ensure the passwords are salted and stretched before storing them in the database?

A. MD5
B. RIPEMD-160
C. SHA256
D. PBKDF2

A

D. PBKDF2

Explanation:
OBJ-3.6: Password-Based Key Derivation Function 2 (PBKDF2) is a form of key stretching that utilizes a hash-based message authentication code (HMAC), the input password, and a salt value to create a more secure derived key. Message Digest Algorithm (MD5) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 128-bit hash digest value to be used for authenticating the original message. MD5 can be easily brute-forced and has a high chance of collision. Secure Hashing Algorithm (SHA-1) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. SHA-1 is considered weak and no longer used for digital signatures, time stamps, or any application that requires collision resistance as of 2015. RACE Integrity Primitives Evaluation Message Digest (RIPEMD-160) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. RIPEMD is used in PGP and the Bitcoin standard.

40
Q

Which of the following formats do SAML transactions use when communicating information between the identity provider and the service provider?

A. HTML
B. JSON
C. CSV
D. XML

A

D. XML

Explanation:
OBJ-1.5: Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). SAML transactions use Extensible Markup Language (XML) for standardized communication between the identity and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

41
Q

A competitor recently bought Dion Training’s ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course exactly word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. From Dion Training’s perspective, how would you BEST classify this situation?

A. Mission essential function
B. Data breach
C. Identity theft
D. IP Theft

A

D. IP Theft

Explanation:
OBJ-4.3: This is an example of intellectual property (IP) theft and it happened in 2019 to our company. The competitor wasn’t even smart enough to change the examples we used throughout our course from our website (diontraining.com) to their website and re-recorded our entire 8-hour course word-for-word to sell as an audiobook. This is not identity theft because they didn’t pretend to be Jason Dion or Dion Training. This is not a data breach because they did not compromise our systems to steal the course. Instead, they went to our website and purchased it. The risk is not a mission-essential function. A mission essential function is something that your organization must do to maintain its operations. For example, at Dion Training, our mission essential functions are (1) recording and editing training videos and (2) writing and publishing practice exams.

42
Q

BigCorpData recently had suffered a massive data breach caused by a hacker. You have been hired as an expert to assist in their incident response and recovery. You look through the shell history on a Linux server and see the following entry: # echo " " > /var/log/syslog. Which of the following techniques did the attacker use to attempt to cover their tracks?

A. Erasing the syslog file securely
B. Changing or forging syslog entries
C. Clearing the syslog file
D. Clearing specific syslog entries

A

C. Clearing the syslog file

Explanation:
OBJ-2.2: The attacker attempted to overwrite the /var/log/syslog file. If this command were successful, they would have overwritten all of the log’s contents with a single space character. If the server writes its logs to a centralized Syslog server, the original logs would still be available for review. Additionally, this method does not securely erase the file, and it could be restored from a backup or even from the hard drive using forensic techniques. If the attacker wanted to erase the file securely, they should have used the "shred -zu /var/log/syslog" command. This would overwrite the area of the hard drive that contained the file with zeros for increased security.

43
Q

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?

A. Intrusion detection system
B. Host-based firewall
C. Application allow list
D. Anti-malware solution

A

C. Application allow list

Explanation:
OBJ-3.2: An application allow list will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn’t prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.

44
Q

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter?

A. FAT32
B. NTFS
C. exFAT
D. HFS+

A

D. HFS+

Explanation:
OBJ-2.8: The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by the macOS system. NTFS is not supported by macOS without additional drivers and software tools. This question may seem beyond the scope. Still, the exam objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

45
Q

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?

A. Restrict shell commands by user or host to ensure least privilege is followed
B. Scan the network for additional instances of this vulnerability and patch the affected assets
C. Restrict host access to peripheral protocols like USB and Bluetooth
D. Disable unused user accounts and reset the administrator credentials

A

B. Scan the network for additional instances of this vulnerability and patch the affected assets

Explanation:
OBJ-2.7: All of the options listed are security best practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don’t, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

46
Q

Which of the following services is used to detect potentially malicious inbound patterns or outbound data leaks by inspecting traffic at layer 7 for signs of an XXE or other similar types of malicious activity?

A. NAT Gateway
B. VPN Gateway
C. XML Gateway
D. API Gateway

A

C. XML Gateway

Explanation:
OBJ-1.1: An extensible markup language (XML) gateway acts as an application layer firewall specifically to monitor XML formatted messages as they enter or leave a network or system. An XML gateway is used for inbound pattern detection and the prevention of outbound data leaks. XML is a document structure that is both human and machine-readable. Information within an XML document is placed within tags that describe how the information within the document is structured. Application programming interface (API) gateway is a special cloud-based service that is used to centralize the functions provided by APIs. An API is a type of software interface that offers a service to other pieces of software to build or connect to specific functions or features. A NAT Gateway within a cloud platform allows private subnets in a Virtual Private Cloud (VPC) access to the Internet. A VPN gateway is a type of networking device that connects two or more devices or networks in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks, or devices and/or to connect multiple VPNs.

47
Q

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:

What type of test is the penetration tester currently conducting?

A. Conducting a port scan of 192.168.1.142
B. Conducting a Denial of Service attack on 192.168.1.142
C. Conducting a brute force login attempt of a remote service on 192.168.1.142
D. Conduct a ping sweep of 192.168.1.142/24

A

C. Conducting a brute force login attempt of a remote service on 192.168.1.142

Explanation:
OBJ-2.4: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

48
Q

Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop?

A. Search the registry for a complete list
B. Search the user’s profile directory for the list
C. Search the wireless adapter cache for the list
D. A list of the previously connected wireless networks is not stored on the laptop

A

A. Search the registry for a complete list

Explanation:
OBJ-2.8: The Windows registry keeps a list of the wireless networks that a system has previously connected to. The registry keys can be found under HKLM\Software\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This is stored in Local Machine because it logs a copy of every access point connected to by all users of the machine, not just the currently logged-in user.

49
Q

Which of the following refers to using virtual machines as a method of provisioning workstations for corporate users?

A. VDI
B. SaaS
C. IaaS
D. PaaS

A

A. VDI

Explanation:
OBJ-1.6: Virtual Desktop Infrastructure (VDI) refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server or cloud infrastructure. The user connects to the VM using some remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center.

50
Q

The Dion Development Group is a young startup that is about to release a minimum viable product (MVP) of their new Software as a Service (SaaS) tool to the marketplace. The company has a scheduled launch date for next week and just identified a critical vulnerability in their application. They will be unable to mitigate the vulnerability to an acceptable level per their risk management policy before the launch, but the development team states that they can mitigate the risk to a medium risk using temporary compensating controls and then eliminate the vulnerability within the next two sprints. Both the CEO and CIO have officially documented their decisions to accept this medium level of risk using the compensating controls and they will reassess the status of the vulnerability within two weeks. Which of the following BEST describes this type of risk?

A. Risk exception
B. Inherent risk
C. Residual risk
D. Risk transfer

A

A. Risk exception

Explanation:
OBJ-4.1: A risk exception occurs when a particular policy, standard, security program requirement, or security best practice cannot be fully implemented. In this scenario, the development team cannot create a security patch to eliminate the vulnerability in time for the launch, so they have requested a risk exception to be made. This exception must be documented and signed by the executives who are approving this exception. Risk transfer occurs when risk is moved to or shared with another entity. Most often, risk transfer occurs by purchasing an insurance policy. Residual risk is the risk that remains after compensating controls have been implemented. Since temporary compensating controls were being used in this scenario, a risk exception is a better classification than residual risk since residual risk relies on permanent compensating controls being implemented. Inherent risk is the level of risk that exists before any compensating controls have been implemented.

51
Q

Dion Security Group is analyzing the encryption implementation of one of its customers. An analyst has discovered that they are using a mode of operation that provides for the authenticated encryption with associated data (AEAD) to protect the confidentiality, integrity, and authenticity of the data being encrypted. Which of the following modes of operation is being used by the customer?

A. Output feedback
B. Electronic codebook
C. Galois/counter mode
D. Counter mode

A

C. Galois/counter mode

Explanation:
OBJ-3.6: Galois/counter mode (GCM) provides authenticated encryption with associated data (AEAD): it encrypts the data with a counter-mode keystream and computes an authentication tag (using GHASH) over both the ciphertext and any unencrypted associated data, such as packet headers, so that confidentiality, integrity, and authenticity are all protected. GCM is a specialized variant of the older counter mode that adds this authentication tag. Counter (CTR) mode enables symmetric block ciphers to work with large sets of data by encrypting a block made of a nonce (initialization vector) concatenated with an incrementing counter under the same key; the resulting keystream is XORed with the plaintext. Counter mode does not use padding and simply discards any unused keystream in the final block. Because CTR and GCM behave like stream ciphers, reusing a nonce with the same key is catastrophic: the XOR of two ciphertexts reveals the XOR of the two plaintexts, and in GCM it also exposes the authentication key. Output feedback (OFB) enables symmetric block ciphers to work with large sets of data by encrypting an initialization vector and then repeatedly encrypting the previous round's output to generate the keystream. Electronic codebook (ECB) is the simplest mode: each block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks, leaking patterns in the data, and like the other unauthenticated modes it provides no integrity protection at all.
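The AEAD structure described above, as an added example that is not part of the flashcard set: a CTR-style keystream built from nonce || counter, a tag over the associated data and the ciphertext, tag verification before any plaintext is released, and the nonce-reuse failure mode. HMAC-SHA256 stands in for the AES block function and for GHASH so that it runs on the Python standard library alone; the construction, key sizes and sample messages are assumptions for the demo, and this is not GCM itself.

```python
import hashlib
import hmac
import struct

# Added example, not from the flashcard set. HMAC-SHA256 stands in for the AES
# block function (keystream) and for GHASH (tag) so that this runs on the
# standard library alone; the structure is the one GCM uses: a CTR keystream
# derived from nonce || counter, plus a tag over the associated data and the
# ciphertext. It is not GCM and must not be used as a cipher.

TAG_LEN = 16          # GCM also uses a 128-bit tag by default
NONCE_LEN = 12        # GCM's recommended 96-bit nonce


def _derive_keys(key: bytes) -> tuple:
    # Separate keystream and tag keys derived from the single input key.
    return (hmac.new(key, b"stream", hashlib.sha256).digest(),
            hmac.new(key, b"tag", hashlib.sha256).digest())


def _keystream(stream_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR mode: the counter is concatenated to the nonce and run through the
    # keyed function; the key itself never changes between blocks.
    out = bytearray()
    counter = 1  # GCM reserves counter block 0 for the tag computation
    while len(out) < length:
        block_in = nonce + struct.pack(">I", counter)
        out += hmac.new(stream_key, block_in, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(tag_key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    # Lengths are encoded so that the (aad, ciphertext) boundary cannot be shifted.
    msg = nonce + struct.pack(">QQ", len(aad), len(ciphertext)) + aad + ciphertext
    return hmac.new(tag_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes")
    stream_key, tag_key = _derive_keys(key)
    ks = _keystream(stream_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext + _tag(tag_key, nonce, aad, ciphertext)


def aead_decrypt(key: bytes, nonce: bytes, data: bytes, aad: bytes = b"") -> bytes:
    if len(data) < TAG_LEN:
        raise ValueError("ciphertext too short")
    stream_key, tag_key = _derive_keys(key)
    ciphertext, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    # Verify first: no plaintext is released if the tag or the AAD is wrong.
    if not hmac.compare_digest(tag, _tag(tag_key, nonce, aad, ciphertext)):
        raise ValueError("authentication failed")
    ks = _keystream(stream_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def is_authentic(key: bytes, nonce: bytes, data: bytes, aad: bytes = b"") -> bool:
    try:
        aead_decrypt(key, nonce, data, aad)
        return True
    except ValueError:
        return False


def nonce_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    # The classic CTR/GCM failure mode: with the same key and nonce, the XOR of
    # the two ciphertexts equals the XOR of the two plaintexts (keystream cancels).
    c1 = aead_encrypt(key, nonce, m1)[:-TAG_LEN]
    c2 = aead_encrypt(key, nonce, m2)[:-TAG_LEN]
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key, nonce = b"\x01" * 32, b"\x02" * NONCE_LEN           # constructed values
    blob = aead_encrypt(key, nonce, b"transfer $100 to acct 42", b"msg-id=7")
    print(aead_decrypt(key, nonce, blob, b"msg-id=7"))
    print(is_authentic(key, nonce, blob, b"msg-id=8"))        # AAD mismatch -> False
```

The associated data (here a message identifier) travels in the clear but is bound to the tag, so a replayed ciphertext attached to a different identifier fails verification. With a real library the same shape is `AESGCM(key).encrypt(nonce, plaintext, aad)`; the point that carries over is that nonces must never repeat under one key.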

52
Q

Which of the following layers within software-defined networking determines how to route a data packet on the network?

A. Control layer
B. Infrastructure layer
C. Management plane
D. Application layer

A

A. Control layer

Explanation:
OBJ-1.1: The control layer uses the information from applications to decide how to route a data packet on the network and to make decisions about how traffic should be prioritized, how it should be secured, and where it should be forwarded to. The application layer focuses on the communication resource requests or information about the network. The infrastructure layer contains the physical networking devices that receive information from the control layer about where to move the data and then perform those movements. The management plane is used to monitor traffic conditions, the status of the network, and allows network administrators to oversee the network and gain insight into its operations.

53
Q

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name?

A. DMARC
B. SPF
C. DKIM
D. SMTP

A

C. DKIM

Explanation:
OBJ-1.7: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism: the sending server signs selected headers and a hash of the message body with the domain's private key and places the signature in a DKIM-Signature header. This can replace or supplement SPF. To configure DKIM, the organization publishes the matching public key as a TXT record at <selector>._domainkey.<domain> in DNS, and receivers fetch it to verify the signature. Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send emails from that domain, and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though; it only checks the connecting IP address. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework can ensure that SPF and DKIM are being utilized effectively by telling receivers what to do when both checks fail and where to send reports. DMARC relies on DKIM for the cryptographic authentication mechanism, making it the incorrect option for this question. The simple mail transfer protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.
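The body-hash half of the DKIM check described above, as an added example that is not part of the flashcard set: body canonicalization per RFC 6376, the base64 SHA-256 that goes into the bh= tag, and a tag parser for the DKIM-Signature header. The message body, domain and selector are constructed; the b= signature over the headers needs the public key from the <selector>._domainkey.<domain> TXT record and an RSA verify, which the standard library does not provide, so it is left as an empty placeholder here.

```python
import base64
import hashlib
import hmac
import re

# Added example, not from the flashcard set. Implements the body-hash half of
# DKIM verification (RFC 6376): canonicalize the body, hash it, compare with
# the bh= tag. The b= tag (signature over the headers) is left empty because
# verifying it needs the signer's public key from DNS and an RSA verify.


def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # strip trailing whitespace on each line, collapse runs of whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization {mode!r}")
    while lines and lines[-1] == b"":   # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"   # body must end with exactly one CRLF


def body_hash(body: bytes, mode: str = "simple", algorithm: str = "rsa-sha256") -> str:
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, mode)).digest()).decode()


def parse_dkim_signature(value: str) -> dict:
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        k, _, v = item.partition("=")
        tags[k.strip()] = re.sub(r"\s+", "", v)   # values may be folded across lines
    return tags


def body_mode(tags: dict) -> str:
    # c=header/body; a single value such as c=relaxed leaves the body "simple"
    parts = tags.get("c", "simple/simple").split("/")
    return parts[1] if len(parts) == 2 else "simple"


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    tags = parse_dkim_signature(dkim_signature)
    expected = body_hash(body, body_mode(tags), tags.get("a", "rsa-sha256"))
    return hmac.compare_digest(expected, tags.get("bh", ""))


def make_dkim_header(domain: str, selector: str, body: bytes,
                     canon: str = "relaxed/simple") -> str:
    # What a signer emits; b= is a placeholder since no private key is involved here.
    bh = body_hash(body, canon.split("/")[1])
    return (f"v=1; a=rsa-sha256; c={canon}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={bh}; b=")


if __name__ == "__main__":
    body = b"Hello Dion,\r\n\r\nSee you next week.\r\n\r\n\r\n"   # constructed body
    header = make_dkim_header("diontraining.com", "sel1", body)
    print(header)
    print(verify_body_hash(header, body))                                   # True
    print(verify_body_hash(header, body.replace(b"next week", b"never")))  # False
```

A receiver that computes bh itself and finds a mismatch can stop before touching DNS at all; a match only proves the body is the one that was signed, and the b= check against the published key is what ties it to the domain.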

54
Q

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?

A. DLP
B. MDM
C. SOAR
D. SIEM

A

C. SOAR

Explanation:
OBJ-1.2: A security orchestration, automation, and response (SOAR) platform is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks (playbooks) and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can ingest the organization's store of security and threat intelligence, analyze it (some products apply machine learning techniques), and then use that data to automate and enrich the workflows that drive incident response and threat hunting, for example by looking up an alert's indicators against threat feeds and isolating a host without waiting for an analyst.

55
Q

Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline?

A. MTBF
B. RPO
C. MTTR
D. RTO

A

D. RTO

Explanation:
OBJ-4.4: Recovery time objective (RTO) is the maximum period of time that an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failures (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

56
Q

You work for a bank interested in moving some of its operations to the cloud, but it is worried about security. You recently discovered an organization called CloudBank that was formed by 15 local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15 member banks. Which cloud model BEST describes the cloud created by CloudBank?

A. Public cloud
B. Community cloud
C. Private cloud
D. Hybrid cloud

A

B. Community cloud

Explanation:
OBJ-1.6: A community cloud is another type of cloud computing in which the cloud setup is shared mutually among different organizations that belong to the same community or sector. A multi-tenant setup is developed using the cloud among different organizations belonging to a particular community or group with similar computing concerns, such as common regulatory requirements. For joint business organizations, ventures, research organizations, and tenders, a community cloud is an appropriate solution. Based on the description of 15 member banks coming together to create the CloudBank organization and its cloud computing environment, a community cloud model is most likely described. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

57
Q

A military defense contracting company has hired your company to conduct a penetration test against their networks. Their company has a strong vulnerability management program in place, but they are concerned that they may still be subject to remote hackers’ intrusion. They have asked your company to create a red team with their most skilled hackers and conduct a long-term engagement over 6-12 months. The goal of this assessment is to emulate an attacking group that uses stealth while infiltrating the network, quietly maintaining persistence, and slowly exfiltrating data out of the network over time to determine if their cybersecurity analysts could detect this type of threat. Which of the following type of threat actors will your red team need to emulate?

A. Hacktivists
B. Insider threat
C. APT
D. Script kiddies

A

C. APT

Explanation:
OBJ-2.1: An advanced persistent threat (APT) is a type of attacker that keeps a low profile while infiltrating a remote network. Once inside the network, they maintain their patience while gathering intelligence and slowly exfiltrating data out of the network. Many APTs work for a nation-state and focus on intelligence operations. Some APTs also perform corporate espionage to steal highly guarded trade secrets from competitors. APTs commonly use several attack vectors to ensure their success in gaining unauthorized access to information.

58
Q

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable’s size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?

A. Malicious logic
B. Cross-site scripting
C. SQL Injection
D. Buffer overflow

A

D. Buffer overflow

Explanation:
OBJ-2.5: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information overflows into adjacent memory, corrupting or overwriting the valid data held there, such as other variables, saved return addresses on the stack, or heap metadata. Although it may occur accidentally through programming error, the same defect is routinely exploited as an attack on data integrity and control flow. In buffer overflow attacks, the extra data may contain code or addresses designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. To prevent this type of attack, programs should validate the size of the incoming data against the size of the destination buffer before writing it to memory (bounds checking), use length-limited copy functions, and be built with compiler and OS mitigations such as stack canaries, non-executable stacks, and ASLR, which raise the cost of exploiting any overflow that slips through.

59
Q

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor (exposure factor) of 30%. What is the ALE for a data breach within Jamie's organization?

A. $360,000
B. $9,000
C. $90,000
D. $36,000

A

B. $9,000

Explanation:
OBJ-4.1: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the exposure factor (EF), which this question calls the risk factor. The annual loss expectancy (ALE) is the total expected cost of a risk to an organization per year, determined by multiplying the SLE by the annualized rate of occurrence (ARO); once every four years is an ARO of 0.25.
SLE = AV x EF = $120,000 x 30% = $36,000
ALE = SLE x ARO = $36,000 x 0.25 = $9,000

60
Q

Dion Consulting Group is helping an organization build a new enterprise network. The organization wants to ensure that system files on their endpoints are not modified once fielded and deployed. Which of the following types of sensors or systems should be implemented to detect any changes to the endpoint’s operating system files?

A. Data loss prevention (DLP)
B. Security and information event management (SIEM)
C. File integrity monitoring (FIM)
D. Simple Network Management Protocol (SNMP) traps

A

C. File integrity monitoring (FIM)

Explanation:
OBJ-1.1: File integrity monitoring (FIM) is a type of software that reviews system files to ensure that they have not been tampered with. Security information and event management system (SIEM) is a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. Data Loss Prevention (DLP) is a software solution designed to detect and prevent sensitive information from being used, transmitted, or stored inappropriately. Simple network management protocol (SNMP) traps are used to send monitoring and management information from networked devices back to a centralized monitoring station.
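A minimal file integrity monitor of the kind described above, as an added example that is not part of the flashcard set: take a SHA-256 baseline of a tree from a known-good state, seal the baseline with an HMAC so that an intruder with write access cannot rewrite it alongside the files, and diff a later scan against it. The directory layout, file contents, simulated intrusion and HMAC key are all constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Added example, not from the flashcard set: a minimal file integrity monitor.
# A baseline of SHA-256 digests is taken from a known-good state, sealed with
# an HMAC, and compared against a fresh scan. Paths, contents and the key
# below are constructed for the demo.


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    # Canonical JSON + HMAC. The key must live where the monitored host cannot
    # write (e.g. on the collector), otherwise the seal is decorative.
    payload = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return mac + b"\n" + payload


def open_baseline(sealed: bytes, key: bytes) -> dict:
    mac, _, payload = sealed.partition(b"\n")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("baseline has been tampered with")
    return json.loads(payload)


def baseline_is_valid(sealed: bytes, key: bytes) -> bool:
    try:
        open_baseline(sealed, key)
        return True
    except ValueError:
        return False


def compare(baseline: dict, current: dict) -> dict:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    key = b"collector-only-key"  # constructed; keep off the monitored host in practice
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {"etc/hosts": b"127.0.0.1 localhost\n",
                             "etc/ssh/sshd_config": b"PermitRootLogin no\n",
                             "bin/ls": b"\x7fELF..."}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        sealed = seal_baseline(build_baseline(root), key)

        # simulated intrusion: hosts file edited, a dropper added, hardening removed
        (root / "etc/hosts").write_bytes(b"127.0.0.1 localhost\n10.0.0.9 update.vendor.example\n")
        (root / "bin/dropper").write_bytes(b"#!/bin/sh\n")
        (root / "etc/ssh/sshd_config").unlink()

        return compare(open_baseline(sealed, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Production FIM tools add metadata (owner, mode, mtime) to the digest, watch for changes in real time rather than rescanning, and ship the alerts off-host, but the core is the baseline-and-diff above; the sealed baseline is what distinguishes a monitor from a tool an attacker can silently re-baseline.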

61
Q

Dion Training utilizes DevSecOps in its software development methodology. The company has a goal of releasing code updates at least twice a day. The company believes that by releasing code updates more frequently, they can increase the security of their application since software bugs can be patched and rectified faster. Which of the following development techniques should Dion Training implement to reach their goal?

A. Waterfall
B. CI/CD
C. Spiral
D. Middleware

A

B. CI/CD

Explanation:
OBJ-1.3: Continuous integration/continuous delivery (CI/CD) is a software development methodology in which code updates are tested and committed to a development or build server/code repository rapidly. Waterfall is a software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete. Spiral development allows the modification of the development repeatedly in response to stakeholder feedback and input but still follows an overall beginning-to-end structure. Both waterfall and spiral development are too slow to support code deployments multiple times per day, so agile development must be utilized. Middleware generally describes more comprehensive software applications designed to integrate two systems. Middleware can perform more sophisticated mechanisms and include multiple APIs to connect to various sources, enabling more feature-rich operations or to detach features from individual systems so they can be separately managed and controlled. Middleware is not a development technique.

62
Q

Due to a global pandemic, your company decides to implement a telework policy for its employees. Unfortunately, the company doesn’t have enough time to issue laptops and smartphones to each employee. The Chief Information Officer (CIO) has decided to allow employees to use their laptops and smartphones when conducting their work from home. Which of the following policies and technology should be implemented to provide security guidance to employees on the use of these devices? (Select TWO)

A. DRM
B. EULA
C. BYOD
D. COPE
E. MDM
F. ACL

A

C. BYOD
E. MDM

Explanation:
OBJ-3.1: The Bring Your Own Device (BYOD) policy is a security framework used to facilitate the use of personally-owned devices to access corporate networks and data. Mobile Device Management (MDM) is a class of management software designed to apply security policies to the use of mobile devices in the enterprise. Since the employees will be using their laptops and smartphones, the company will need a good BYOD policy to provide security guidance. The company may also implement and install MDM across the employee’s devices to better secure the BYOD devices if they give the company permission.

63
Q

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application’s search form and introduced the following code in the search input field:
When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?

A. Cross site scripting
B. SQL Injection
C. Command injection
D. Cross site request forgery

A

A. Cross site scripting

Explanation:
OBJ-2.5: This is a form of cross-site scripting (XSS), specifically reflected XSS: the search term was echoed back into the response page without output encoding, so the browser executed it as script. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy, since the injected script runs with the origin of the vulnerable site. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker; a SQL injection would not produce a browser pop-up. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
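The reflected XSS above, as an added example that is not part of the flashcard set: the card's ASP search page is modelled by two Python handlers that build the results page as a string, one that reflects the query raw and one that output-encodes it for the HTML body and attribute contexts it lands in, plus the response headers that limit the damage if encoding is ever missed. The payload, result rows and header values are constructed for the demo and are not the card's own input.

```python
from html import escape

# Added example, not from the flashcard set. The card's ASP/MSSQL search page
# is modelled by two handlers that render the results page as a string; the
# payload and result rows are constructed for the demo.

PAYLOAD = "<script>alert(document.domain)</script>"   # constructed test string


def render_search_vulnerable(query: str, hits: list) -> str:
    # Reflected XSS: the raw query lands inside an attribute and the HTML body.
    items = "".join(f"<li>{h}</li>" for h in hits)
    return (f'<form><input name="q" value="{query}"></form>'
            f"<h2>Results for {query}</h2><ul>{items}</ul>")


def render_search_safe(query: str, hits: list) -> str:
    # Output-encode for the context the value is inserted into. quote=True also
    # escapes " and ' so the value cannot break out of the attribute.
    q = escape(query, quote=True)
    items = "".join(f"<li>{escape(h)}</li>" for h in hits)
    return (f'<form><input name="q" value="{q}"></form>'
            f"<h2>Results for {q}</h2><ul>{items}</ul>")


# Defence in depth: with no 'unsafe-inline', a CSP stops an injected inline
# <script> from executing even if some handler forgets to encode. (Constructed.)
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


def contains_raw_script(page: str) -> bool:
    # Crude detector used only to show the difference between the two renderers.
    return "<script" in page.lower()


if __name__ == "__main__":
    print(contains_raw_script(render_search_vulnerable(PAYLOAD, ["Term life"])))  # True
    print(contains_raw_script(render_search_safe(PAYLOAD, ["Term life"])))        # False
    print(render_search_safe('" autofocus onfocus="alert(1)', []))
```

Encoding is context-specific: `html.escape` is right for element content and quoted attributes, but a value placed inside a `<script>` block, a URL, or an event handler needs that context's encoding instead, which is why templating engines that auto-escape by context are preferred over hand-built strings.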

64
Q

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis?

A. Forensic drive duplicator
B. Software write blocker
C. Degausser
D. Hardware write blocker

A

D. Hardware write blocker

Explanation:
OBJ-2.8: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive’s contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker’s primary purpose is to intercept and prevent (or ‘block’) any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

65
Q

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

A. Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities
B. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first
C. Wait to perform any additional scanning until the current list of vulnerabilities has been remediated fully
D. Attempt to identify all the false positives and exceptions, then resolve any remaining items

A

B. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

Explanation:
OBJ-2.3: PHI is an abbreviation for Protected Health Information, the category of data regulated under HIPAA. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize them to determine which should be remediated first, and the asset inventory is what supplies the business context a scanner lacks. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, the vulnerabilities on assets that are critical to the secure handling or storage of PHI carry the highest risk and should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Identifying false positives and exceptions is a useful step, but doing that across the whole list before fixing anything leaves the remaining items unprioritized. You should also not wait to perform additional scanning, because a scan is only a snapshot of your current status; if it takes 30 days to remediate the vulnerabilities and you do not scan in the meantime, new vulnerabilities may have been introduced unnoticed. Placing all the PHI assets into a sandbox will not work either, because you would have removed them from the production environment and they could no longer serve their critical business functions.
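The risk-based triage described above, as an added example that is not part of the flashcard set: scanner findings are joined to an asset inventory, duplicates from overlapping scans are collapsed, and the list is ordered by regulatory scope (PHI), asset criticality and then severity, with hosts missing from the inventory reported separately. The inventory, findings, hostnames and scores are constructed; no real vulnerability identifiers are used.

```python
# Added example, not from the flashcard set: risk-based triage of scanner
# output against an asset inventory. Findings, hosts and criticality labels
# are constructed; no real CVE identifiers are used.

CRITICALITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

INVENTORY = {  # constructed asset inventory; "phi" marks systems in HIPAA scope
    "db-phi-01":     {"criticality": "critical", "phi": True},
    "web-portal-02": {"criticality": "high",     "phi": True},
    "intranet-wiki": {"criticality": "low",      "phi": False},
}

FINDINGS = [  # constructed scanner results; last row duplicates an earlier one
    {"host": "intranet-wiki", "title": "Outdated CMS plugin",           "cvss": 9.8},
    {"host": "db-phi-01",     "title": "Unsupported database version",  "cvss": 7.5},
    {"host": "web-portal-02", "title": "TLS 1.0 enabled",               "cvss": 5.3},
    {"host": "db-phi-01",     "title": "Default SNMP community string", "cvss": 8.6},
    {"host": "lab-box-77",    "title": "Anonymous FTP",                 "cvss": 7.5},
    {"host": "db-phi-01",     "title": "Unsupported database version",  "cvss": 7.5},
]

_UNKNOWN_ASSET = {"criticality": "low", "phi": False}


def dedupe(findings: list) -> list:
    # Overlapping scans report the same (host, finding) pair more than once.
    seen, out = set(), []
    for f in findings:
        key = (f["host"], f["title"])
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def prioritize(findings: list, inventory: dict) -> tuple:
    """Return (findings ordered by risk, hosts missing from the inventory)."""
    unknown = sorted({f["host"] for f in findings if f["host"] not in inventory})

    def risk_key(f):
        asset = inventory.get(f["host"], _UNKNOWN_ASSET)
        # regulatory scope first, then business criticality, then severity
        return (asset["phi"], CRITICALITY_RANK[asset["criticality"]], f["cvss"])

    ordered = sorted(dedupe(findings), key=risk_key, reverse=True)
    return ordered, unknown


def first_wave(findings: list, inventory: dict) -> list:
    # The card's recommendation: the slice scoped to PHI and critical assets.
    ordered, _ = prioritize(findings, inventory)
    return [f for f in ordered
            if inventory.get(f["host"], _UNKNOWN_ASSET)["phi"]
            or inventory.get(f["host"], _UNKNOWN_ASSET)["criticality"] == "critical"]


if __name__ == "__main__":
    ordered, unknown = prioritize(FINDINGS, INVENTORY)
    for f in ordered:
        print(f'{f["host"]:<14} {f["cvss"]:>4}  {f["title"]}')
    print("not in inventory:", unknown)
```

Note that the highest-CVSS item (9.8 on a low-criticality wiki) falls to the bottom of the first wave, and that an unknown host is surfaced rather than silently scored low: a system that holds PHI but is missing from the inventory is itself a finding.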

66
Q

Susan, an executive at Dion Training, will be traveling to Italy for a conference next week. She is worried about remaining connected to the internet while overseas and plans to use the WiFi in her hotel room and the local coffee shop with her laptop. Which of the following should she purchase and configure before leaving for Italy to ensure her communications remain secure regardless of where she is connecting from?

A. International data roaming plan on her cellphone
B. Local mobile hotspot
C. Local SIM card for her smartphone
D. VPN

A

D. VPN

Explanation:
OBJ-3.1: While WiFi is available almost everywhere these days, it is not safe to use it without first configuring and using a VPN. A Virtual Private Network (VPN) connects the components and resources of two (private) networks over another (public) network. This utilizes an encryption tunnel to protect data being transferred to and from her laptop to the Dion Training servers and other websites. The other options are all focused on connecting her cellphone but would still not be considered safe without a VPN being utilized. A local mobile hotspot should be used to provide internet connectivity to the laptop (if she uses this instead of the hotel and coffee shop WiFi). Still, for best security, it should also use a VPN when using this connection.

67
Q

Sarah is conducting a penetration test against Dion Training’s Windows-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes?

A. (crontab -L; each "*/20 * * * * /tmp/beacon") | crontab -
B. schtasks /create /tn beacon /tr /tmp/beacon /sc MINUTE /mo 20 /ru SYSTEM
C. (crontab -l; echo "*/20 * * * * /tmp/beacon") | crontab -
D. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM

A

D. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM

Explanation:
OBJ-2.6: A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background, depending on how the task is set up. Scheduled tasks in Windows are created with the schtasks command. The correct answer for this persistence is "schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM", which creates a task named "beacon" that runs the script at "C:\temp\beacon.bat" every 20 minutes as the SYSTEM account. The other schtasks variant is incorrect because it references the script with a Linux-style path (/tmp/beacon), which would fail to run on Windows. The crontab options are the Linux equivalent (appending a */20 entry to the user's crontab) and do not apply to a Windows network. A task that runs as SYSTEM from a user-writable directory such as C:\temp on a short repeat interval is also exactly the pattern defenders should hunt for when reviewing scheduled tasks.
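The defender's side of this card, as an added example that is not part of the flashcard set: parse the CSV that `schtasks /query /fo CSV /v` produces and flag tasks that combine SYSTEM privileges, an executable in a user-writable location and a beacon-like repeat interval. The CSV below is constructed and abridged to a subset of the verbose columns, the list of user-writable paths is an assumption for the demo, and the hostnames and task names are invented.

```python
import csv
import io
import re

# Added example, not from the flashcard set. Hunts for persistence like the
# card's beacon task in `schtasks /query /fo CSV /v` output. The CSV below is
# constructed and abridged to a subset of the verbose columns; the writable
# path list is an assumption for the demo.

SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly","N/A"
"WS01","\beacon","Ready","DION\sarah","C:\temp\beacon.bat","SYSTEM","One Time Only, Minute","0:20:00"
"WS01","\AdobeUpdater","Ready","DION\jdoe","""C:\Program Files\Adobe\updater.exe"" /silent","DION\jdoe","Daily","N/A"
'''

# Locations an ordinary user can write to (assumption; extend per environment).
USER_WRITABLE = ("c:\\temp", "c:\\users\\", "c:\\programdata",
                 "%temp%", "%appdata%", "%localappdata%")
SYSTEM_ACCOUNTS = ("SYSTEM", "NT AUTHORITY\\SYSTEM")


def executable_path(task_to_run: str) -> str:
    # Strip arguments; a quoted path may itself contain spaces.
    s = task_to_run.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)].lower()
    return s.split(" ", 1)[0].lower()


def repeat_minutes(value: str):
    # schtasks prints the repeat interval as H:MM:SS, or N/A when absent.
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 60 + mi + s / 60


def suspicious_tasks(csv_text: str, max_interval_min: float = 30) -> list:
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        exe = executable_path(row["Task To Run"])
        if row["Run As User"].upper() in SYSTEM_ACCOUNTS and exe.startswith(USER_WRITABLE):
            reasons.append("SYSTEM task launched from user-writable path")
        interval = repeat_minutes(row["Repeat: Every"])
        if interval is not None and interval <= max_interval_min:
            reasons.append(f"repeats every {interval:g} min (beacon cadence)")
        if (not row["TaskName"].lower().startswith("\\microsoft\\")
                and "microsoft" not in row["Author"].lower()):
            reasons.append("non-Microsoft author outside the \\Microsoft\\ tree")
        if len(reasons) >= 2:   # single indicators are noisy; require two
            flagged.append((row["TaskName"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE_CSV):
        print(name)
        for r in reasons:
            print("  -", r)
```

The same data is available from Windows event ID 4698 (task created) when task-scheduler auditing is enabled, which catches the creation moment rather than waiting for a periodic review; the heuristic above is what you would run over an export from hosts where that logging was not on.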

68
Q

Dion Training is updating its disaster recovery plan. Currently, the company uses an office building as its headquarters that contains both its offices and data center, as well as a second small office building (alternate site) located about 2 hours away. The alternate site has a basic office network that connects back to their main data center using a site-to-site VPN. Backups of the data center are conducted to tape backup daily and those tapes are relocated to the alternate site weekly. In the event of a disaster at their main data center, the organization wants to be able to restore their services using an unused server room at the small office building site within 3 days. The Chief Executive Officer has approved a budget large enough to equip the server room but not enough to staff it with personnel. Which of the following recovery site strategies should you recommend to BEST meet these requirements?

A. Mobile site
B. Hot site
C. Cold site
D. Warm site

A

D. Warm site

Explanation:
OBJ-4.4: A warm site is an alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site when needed. A warm site typically includes a data center that is scaled down from the primary site to the capacity and throughput needed to run critical systems and software; here the equipped but unstaffed server room, the weekly tape deliveries, and the three-day recovery target all fit that profile. A cold site is a predetermined alternative location where a network can be rebuilt after a disaster. A cold site does not have a pre-established information systems capability, but it is open and available for building out an alternate site after the disaster occurs. A hot site is a fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster. A hot site requires specialized knowledge, sophisticated automation capabilities, and platforms that are designed to operate as a fully redundant and ready alternate site, which the budget in this scenario does not cover. A mobile site is essentially a data center in a container or trailer that can be rapidly deployed to a given location. A mobile site is best categorized as a mixture of a cold site and a warm site which can also be relocated when needed.

69
Q

Which of the following lists the UEFI boot phases in the proper order?

A. Security, Pre-EFI Initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime
B. Pre-EFI Initialization, Security, Boot Device Select, Transient System Load, Driver Execution Environment, Runtime
C. Boot Device Select, Pre-EFI Initialization, Driver Execution Environment, Transient System Load, Runtime
D. Driver Execution Environment, Boot Device Select, Security, Transient System Load, Pre-EFI Initialization, Runtime

A

A. Security, Pre-EFI Initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime

Explanation:
OBJ-3.2: The Security (SEC) phase is the first code to run after power-on; it establishes the root of trust for the rest of the boot so that advanced malware cannot contaminate the system before the platform is even initialized, and then hands off to the PEI core. Pre-EFI Initialization (PEI) initializes the CPU, temporary memory, and the boot firmware volume (BFV), and records what it discovered in hand-off blocks (HOBs). The Driver Execution Environment (DXE) initializes the system's permanent physical memory, I/O, and MMIO (memory-mapped I/O) resources and then dispatches the DXE drivers found in the firmware volumes listed in the HOB list. Boot Device Select (BDS) interprets the boot configuration data (the boot order variables) and selects the boot policy; this is where Secure Boot verifies the signature of the boot loader before it is loaded. Transient System Load (TSL) runs the selected OS loader on top of the UEFI boot services. Runtime (RT) begins once the loader calls ExitBootServices: boot-time services are released, only the UEFI runtime services remain resident, and control passes to the operating system.

70
Q

Dion Training Solutions has received proposals from four suppliers to install a new data loss prevention (DLP) system and contractors to operate it. The cost of each full-time equivalent (FTE) position to operate the system costs $75,000 per year. Supplier Alpha’s system will require 3 FTE positions to operate and costs $100,000 for licensing and maintenance fees per year. Supplier Bravo’s system will require 2 FTE positions to operate and costs $150,000 for licensing and maintenance fees per year. Supplier Charlie’s system will require 4 FTE positions to operate and costs $50,000 for licensing and maintenance fees per year. Supplier Delta’s system will require 1 FTE position to operate and costs $250,000 for licensing and maintenance fees per year. If all of the data loss prevention systems would provide equivalent security, which supplier’s system would provide the highest TCO?

A. Supplier Alpha
B. Supplier Delta
C. Supplier Bravo
D. Supplier Charlie

A

D. Supplier Charlie

Explanation:
OBJ-4.1: Supplier Charlie would have the highest TCO with a value of $350,000 per year. The total cost of ownership (TCO) is the sum of the costs associated with an asset, including acquisition costs and the costs to maintain and safely operate the asset over its entire lifespan. Since the DLP system in this scenario is charged under a SaaS model using yearly contract labor, licensing, and maintenance fees, you can calculate the TCO simply by comparing one year of each supplier's fees against the others.
Supplier Alpha: 3 FTEs ($225,000) + $100,000 licensing/maintenance = $325,000
Supplier Bravo: 2 FTEs ($150,000) + $150,000 licensing/maintenance = $300,000
Supplier Charlie: 4 FTEs ($300,000) + $50,000 licensing/maintenance = $350,000
Supplier Delta: 1 FTE ($75,000) + $250,000 licensing/maintenance = $325,000

71
Q


A. Kerberos
B. LDAP
C. RADIUS
D. PKI

A

C. RADIUS

Explanation:
OBJ-1.5: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating over UDP port 1812 for authentication and authorization (and 1813 for accounting), that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service. RADIUS does not encrypt the exchange as a whole: only the User-Password attribute is obfuscated, by XORing it with MD5 digests derived from the shared secret and the request's random Request Authenticator, and replies are integrity-checked with an MD5 Response Authenticator computed over the packet and the shared secret. Because that protection rests on MD5 and on the strength of the shared secret, an attacker who captures an Access-Request can test candidate secrets offline, which is why RADIUS between a NAS and the server should use long random secrets and, on untrusted networks, be carried over IPsec or RADIUS/TLS (RadSec). Kerberos, LDAP, and PKI are authentication, directory, and certificate technologies respectively and do not provide RADIUS's combined AAA service for network access.
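The password protection described above, as an added example that is not part of the flashcard set: the User-Password hiding from RFC 2865 section 5.2 and the Response Authenticator from section 3, followed by the offline shared-secret guess that a captured Access-Request permits. The Request Authenticator, password, secret and wordlist are constructed for the demo.

```python
import hashlib
import struct

# Added example, not from the flashcard set. Implements the User-Password
# hiding of RFC 2865 section 5.2 and the Response Authenticator of section 3,
# then shows why a weak shared secret is fatal: one captured Access-Request is
# enough to test candidate secrets offline. Values below are constructed.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # null-pad to 16-octet blocks
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        # b_n = MD5(S + c_(n-1)),  c_n = p_n XOR b_n,  with c_0 = Request Authenticator
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, length: int,
                           request_authenticator: bytes, attributes: bytes,
                           secret: bytes) -> bytes:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the reply's
    # integrity rests on MD5 and the secret, nothing stronger.
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def guess_secret(hidden: bytes, request_authenticator: bytes, wordlist):
    # Offline attack on a captured Access-Request: the right secret yields a
    # printable password, wrong secrets yield random bytes.
    for candidate in wordlist:
        plain = reveal_password(hidden, candidate, request_authenticator)
        if plain and all(0x20 <= b < 0x7F for b in plain):
            return candidate
    return None


if __name__ == "__main__":
    ra = bytes(range(16))                         # constructed; real RAs are random
    hidden = hide_password(b"Hunter2!", b"testing123", ra)
    print(hidden.hex())
    print(reveal_password(hidden, b"testing123", ra))
    print(guess_secret(hidden, ra, [b"password", b"s3cr3t", b"testing123"]))
```

The construction is XOR with an MD5-derived pad, so it hides the password from a casual observer but offers no authentication of the request itself; Message-Authenticator (RFC 2869) and transport protection are what close that gap.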

72
Q

Dion Training has submitted a new application to the App Store for distribution. Before submitting the app, the developers conducted both static and dynamic analysis to reduce or eliminate the number of known vulnerabilities in the application. The application was completed and a digital certificate was attached to the application during distribution to signify that it was written and published by “Dion Training Solutions, LLC”. When the user downloads the app, their device will conduct an integrity check using a hash and comparing it to the one included in the digital certificate they received. Which of the following certificate use cases is described by this scenario?

A. Digital signature
B. Code signing
C. Server authentication
D. Client authentication

A

B. Code signing

Explanation:
OBJ-3.5: Code signing is a method of using a digital signature to ensure the source and integrity of programming code. If a valid code signature exists, this indicates that the code has not been changed or modified since being released by the code's author or publisher; the user's device recomputes the hash of the downloaded app and checks it against the signed hash, so any modification after signing is detected. A digital signature is created by encrypting the hash digest with the sender's private key. For example, when digitally signing an email, the email is first hashed and then the hash is encrypted with the private key of the sender to prove its integrity and non-repudiation when sent; the scenario here is that same mechanism applied to software, which is why code signing is the more specific answer. Client authentication describes the mechanism by which a server can verify that a connection request is originating from a preauthorized endpoint. Client authentication is commonly used by SSH servers by storing a local copy of a client's public SSH key on the SSH server and using this to authenticate the client during a connection. Server authentication is utilized by a client device when the client establishes that the server is genuine. For example, when visiting a new website, a client will use the web server's digital certificate and public key to authenticate that the server it connected to is legitimate.

73
Q

A penetration tester is emulating an insider threat during an engagement. The penetration tester was given access to a regular user account and a basic Windows 10 client on the network. The penetration tester did not receive any network diagrams, maps, or target IP addresses. Their goal is to identify any possible Windows domain controllers in the intranet.diontraining.com domain. Which of the following commands should they use from the command prompt to achieve their goal?

A. nslookup -type=any _ldap._tcp.intranet.diontraining.com
B. nslookup -type=any _lanman._tcp.intranet.diontraining.com
C. nslookup -type=any _smtp._tcp.intranet.diontraining.com
D. nslookup -type=any _ntlm._tcp.intranet.diontraining.com
E. nslookup -type=any _kerberos._tcp.intranet.diontraining.com

A

A. nslookup -type=any _ldap._tcp.intranet.diontraining.com
E. nslookup -type=any _kerberos._tcp.intranet.diontraining.com

Explanation:
OBJ-1.5: Active Directory advertises its domain controllers through DNS SRV records, so a low-privileged user on any domain-joined client can find them with ordinary DNS queries; no network map is needed. On a Windows client use nslookup and ask for the service records of the two protocols only a domain controller provides, LDAP and Kerberos: nslookup -type=SRV _ldap._tcp.intranet.diontraining.com and nslookup -type=SRV _kerberos._tcp.intranet.diontraining.com (-type=any also returns them, as in the answer options; _ldap._tcp.dc._msdcs.<domain> lists only domain controllers and excludes any other LDAP servers registered in the zone). Each answer carries a priority, weight, port, and the DC’s hostname, which resolves to its address. On a Linux client the equivalent is dig -t SRV _ldap._tcp.intranet.diontraining.com, and on a domain-joined Windows host nltest /dclist:intranet.diontraining.com asks the domain itself. Domain controllers do not register SRV records for SMTP, NTLM, or LanMan, so those queries return nothing useful.
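The lookups above return DNS SRV records. The following is an added example, not part of the flashcard set, that shows what comes back and how a client orders the results: it parses a constructed `dig -t SRV` answer (the hostnames and values are made up) and lists the SRV names a Windows client queries. It performs no network lookups itself.

```python
import re
from dataclasses import dataclass

# Added example (not from the flashcard set). SAMPLE is a constructed
# `dig -t SRV` answer section; the hosts are illustrative, not a real domain.
SAMPLE = """\
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.intranet.diontraining.com. 600 IN SRV 0 100 389 dc01.intranet.diontraining.com.
_ldap._tcp.dc._msdcs.intranet.diontraining.com. 600 IN SRV 0 100 389 dc02.intranet.diontraining.com.
_ldap._tcp.dc._msdcs.intranet.diontraining.com. 600 IN SRV 10 50 389 dc-dr.intranet.diontraining.com.
"""

# owner ttl IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Srv:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def srv_names(domain):
    """SRV names a Windows client resolves when locating a DC. The _msdcs
    forms list only domain controllers; the bare _ldap form can also return
    other LDAP servers registered in the domain."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_gc._tcp.{domain}",
    ]


def parse_dig_srv(text):
    """Pull SRV records out of dig output; comments and blank lines are ignored."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(Srv(
                name=m["name"].rstrip("."),
                priority=int(m["prio"]),
                weight=int(m["weight"]),
                port=int(m["port"]),
                target=m["target"].rstrip("."),
            ))
    return records


def rank(records):
    """RFC 2782 client order: lowest priority first. Within one priority a real
    client picks at random in proportion to weight; this stand-in sorts by
    weight descending, then target, so the order is deterministic."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def dc_targets(text):
    """host:port list in the order a client would try the domain controllers."""
    return [f"{r.target}:{r.port}" for r in rank(parse_dig_srv(text))]
```

Feed the same parser the output of `dig -t SRV` for each name from srv_names() and the union of targets is the DC inventory the scenario asks for, without a single packet that looks different from normal client behaviour.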

74
Q

Dion Training is a cloud-first company and utilizes AWS, Azure, and Google Cloud for different areas and functions of their business. Which of the following key management systems would allow Dion Training to effectively automate and orchestrate their key management across their different service providers?

A. Multi-Cloud Key Management System
B. Cloud Service Using External Key Management Systems
C. Cloud Native Key Management System
D. External Key Origination

A

A. Multi-Cloud Key Management System

Explanation:
OBJ-3.4: A Multi-Cloud Key Management System (MCKMS) is a key management system that can be used across multiple clouds. An MCKMS incorporates the features of a Cloud Native Key Management System, External Key Origination, and a Cloud Service Using External Key Management Systems. A Cloud Native Key Management System uses a KMS that is configured and operated by the same provider being used to run the organization’s cloud services. External Key Origination uses keys generated by a KMS not managed by the same cloud provider that will use the keys. The External Key Origination model is commonly used to meet legal or regulatory compliance requirements when the cloud customer must wholly own the keys. A Cloud Service Using External Key Management Systems allows the customer to leverage a cloud service offering to provide KMS-hosted external services on-premises or through an alternate cloud service provider. The KMS hardware can be acquired by the customer or the KMS may be a service offering of the cloud provider. Either way, the HSM or KMS is exclusively used by the customer who owns the keys.

75
Q

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?

A. Full packet capture
B. Software design documentation review
C. Net flow capture
D. SIEM event log monitoring

A

A. Full packet capture

Explanation:
OBJ-2.2: Full packet capture records the complete payload of every packet crossing the network, so the analyst can reassemble the streams and see a password exactly as it was sent. The other methods will not provide sufficient information to detect a cleartext password being sent. NetFlow analysis will show where communications occurred, by what protocol, to which devices, and how much data was sent, but it will not reveal anything about the content itself since it only records metadata for each flow crossing the network. SIEM event log monitoring might detect that an authentication event occurred, but it will not necessarily reveal whether the password was sent in cleartext, as a hash value, or as ciphertext. Software design documentation may reveal the designer’s intentions for authentication when they created the application, but this only provides an ‘as designed’ view of the software and does not show whether the ‘as built’ configuration was implemented securely.
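As an added example, not part of the original flashcards: the kind of check an analyst runs over payloads pulled from a full packet capture (for instance TCP streams reassembled by tshark or scapy). The flows below are constructed, not real traffic, and the detection covers three common cleartext patterns: HTTP Basic authorization headers, FTP and POP3 PASS commands, and password fields in URL-encoded form posts. The TLS flow is there to show that a capture of an encrypted session yields nothing to match, which is the point of moving credentials off cleartext protocols.

```python
import base64
import re
from urllib.parse import parse_qs

# Added example (not from the flashcard set). Constructed sample of reassembled
# client->server payloads as (src_ip, dst_ip, dst_port, bytes); not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"alice:Passw0rd!") + b"\r\n\r\n"),
    ("10.0.0.6", "10.0.0.21", 21, b"USER bob\r\nPASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.22", 80,
     b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=carol&password=Wint3r"),
    ("10.0.0.8", "10.0.0.23", 443,
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),  # TLS record: opaque, nothing to find
    ("10.0.0.9", "10.0.0.24", 110, b"USER dave\r\nPASS letmein\r\n"),
]

BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.I | re.M)
FORM_PASSWORD_KEYS = ("password", "passwd", "pwd", "pass")
PASS_COMMAND_PORTS = {21, 110}  # FTP, POP3


def find_cleartext_credentials(flows):
    """Return (src, dst, dport, kind, secret) for every credential visible in the payloads."""
    findings = []
    for src, dst, dport, payload in flows:
        # HTTP Basic: base64 is encoding, not encryption; decode it to prove the point
        m = BASIC_RE.search(payload)
        if m:
            try:
                userpass = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                userpass = "<undecodable basic token>"
            findings.append((src, dst, dport, "http-basic", userpass))
        # FTP / POP3 send the password as a bare PASS line
        m = PASS_RE.search(payload)
        if m and dport in PASS_COMMAND_PORTS:
            findings.append((src, dst, dport, "pass-command", m.group(1).decode("utf-8", "replace")))
        # HTML login forms over plain HTTP: password field in the URL-encoded body
        if payload.startswith(b"POST ") and b"\r\n\r\n" in payload:
            head, _, body = payload.partition(b"\r\n\r\n")
            if b"application/x-www-form-urlencoded" in head.lower():
                fields = parse_qs(body.decode("utf-8", "replace"))
                for key in FORM_PASSWORD_KEYS:
                    if key in fields:
                        findings.append((src, dst, dport, f"form-field:{key}", fields[key][0]))
    return findings
```

In an investigation the secret column is redacted before the report is written; the value of the finding is the source host, destination service and protocol, which is what the remediation ticket needs.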

76
Q


A. Parallel test
B. Checklist
C. Tabletop
D. Full interruption test

A

C. Tabletop

Explanation:
OBJ-4.4: A tabletop exercise identifies a specific objective or goal, provides injects or additional details, and then records the actions that the participants say they would take in response to a given incident or disaster scenario, without touching production systems. A checklist test uses a copy of the business continuity/disaster recovery plan to review and provide comments, updates, or changes to the plan during a periodic update. A parallel test occurs when the alternate site is brought online as if a real disaster occurred, but the primary site is not taken offline or affected, thereby keeping both the primary and alternate sites operating in parallel. A full interruption test takes the primary site offline and shifts operations to the alternate site.

77
Q

Dion Training provides its team members with a mobile device so that they can respond to questions when they are out of the office. To minimize the support costs, Dion Training has decided to support only three models of mobile devices. When hired, an employee may request either an iPhone 13, iPhone 13 Max, or iPad Pro for their use outside of the office. Each device is then configured using a mobile device management (MDM) solution and a containerized app is used to process and store all corporate data on the device. Each employee signs an AUP that states they can use the device for work-related and personal use, but the device and any data stored on it remain the property of Dion Training. Which of the following policies BEST describes Dion Training’s mobile device deployment model?

A. COPE
B. COBO
C. BYOD
D. CYOD

A

D. CYOD

Explanation:
OBJ-3.1: Choose Your Own Device (CYOD) is a mobile device deployment model where employees are offered a selection of corporate devices for work and, optionally, private use. Corporate Owned Business Only (COBO) is a mobile device deployment model that provides the employee with a corporate-owned device that may only be used for official work functions and purposes. Corporate Owned Personally Enabled (COPE) is a mobile device deployment model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is also permitted. Bring Your Own Device (BYOD) is a mobile device deployment model that facilitates the use of personally owned devices to access corporate networks and data.

78
Q

Which of the following features of homomorphic encryption creates methods for parties to jointly compute a function over their inputs while keeping those inputs private?

A. Private Function Evaluation
B. Secure Multi-Party Computation
C. Private Information Retrieval
D. Secure Function Evaluation

A

B. Secure Multi-Party Computation

Explanation:
OBJ-1.8: Secure Multi-Party Computation (SMPC, often just MPC) creates methods for parties to jointly compute a function over their inputs while keeping those inputs private; no participant learns anything beyond the agreed output. Strictly speaking SMPC is a field of its own that can be built from homomorphic encryption, secret sharing, or garbled circuits; the exam groups these privacy-preserving computation techniques under the homomorphic encryption objective. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved.
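A minimal working instance of secure multi-party computation, added here as an example and not part of the original flashcard set: additive secret sharing over a prime field, which lets several parties learn the sum of their inputs (salaries for an average, say) without anyone seeing another party's value. The inputs and party count in the caller are constructed. Secret sharing is one of the standard building blocks of SMPC alongside homomorphic encryption and garbled circuits.

```python
import secrets

# Added example (not from the flashcard set): additive secret sharing.
# All arithmetic is modulo a prime so that shares are uniformly random and
# any n-1 of them carry no information about the value.
P = (1 << 61) - 1  # Mersenne prime 2^61 - 1


def share(value, n):
    """Split value into n additive shares that sum to value (mod P).
    The first n-1 shares are uniformly random; the last one is whatever makes
    the sum work, so every subset of n-1 shares is uniformly random too."""
    if n < 1:
        raise ValueError("need at least one party")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    return sum(shares) % P


def secure_sum(private_inputs):
    """Each party splits its own input and hands share j to party j. Party j
    adds up the shares it holds and publishes that one number. The published
    numbers sum to the total; nobody ever sees another party's raw input.
    Returns (total, what each party held), the latter so a caller can inspect
    that the held shares look random."""
    n = len(private_inputs)
    held = [[] for _ in range(n)]  # held[j]: shares received by party j
    for value in private_inputs:
        for j, s in enumerate(share(value, n)):
            held[j].append(s)
    published = [sum(h) % P for h in held]  # each party's local partial sum
    return reconstruct(published), held


def secure_average(private_inputs):
    """Average without revealing inputs: the sum is computed jointly, the
    division is public arithmetic on the (agreed-to-be-public) result."""
    total, _ = secure_sum(private_inputs)
    return total / len(private_inputs)
```

Addition is free in this scheme because the sharing is linear; multiplication needs an extra interactive step (Beaver triples or similar), which is where real MPC frameworks earn their complexity.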

79
Q

Which of the following policies or plans would dictate how an organization would respond to an unplanned outage of their primary internet connection?

A. Business continuity plan
B. System life cycle plan
C. Incident response plan
D. Disaster recovery plan

A

A. Business continuity plan

Explanation:
OBJ-4.4: A business continuity plan is a document that outlines how a business will continue operating during an unplanned service disruption. A business continuity plan is more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human capital and business partners, and essentially every other aspect of the business that might be affected. A disaster recovery plan is a documented, structured approach that documents how an organization can quickly resume work after an unplanned incident. These unplanned incidents include things like natural disasters, power outages, cyber attacks, and other disruptive events. An incident response plan contains a set of instructions to help our network and system administrators detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work. System life cycle plans, also known as life cycle planning, describe the approach to maintaining an asset from creation to disposal. In the information technology world, we normally have a 5-phase lifecycle that is used for all of our systems and networks: Planning, Design, Transition, Operations, and Retirement.

80
Q

Your boss is looking for a recommendation for a cloud solution that will only allow your company’s employees to use the service while preventing anyone else from accessing it. What type of cloud model would you recommend to ensure the contents are best secured from those outside your company?

A. Private Cloud
B. Community Cloud
C. Hybrid Cloud
D. Public Cloud

A

A. Private Cloud

Explanation:
OBJ-1.6: A private cloud service would be the best recommendation to keep anyone outside the company from accessing the service and its contents. The private cloud is defined as computing services offered either over the Internet or a private internal network and only to select users instead of the general public. Private cloud computing gives businesses many of the benefits of a public cloud including self-service, scalability, and elasticity with the additional control and customization available from dedicated resources over a computing infrastructure hosted on-premises. Private clouds also deliver a higher level of security and privacy through both company firewalls and internal hosting to ensure operations and sensitive data are not accessible to third-party providers. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A hybrid cloud combines private and public cloud resources, so part of the workload remains exposed to the public provider. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.

81
Q

Jason is attempting to connect to a remote SSH server. The server maintains a local list of the users’ public SSH keys. When Jason connects to the server, the server issues a challenge that is encrypted using the client’s public key, which only the holder of the matching private key can answer. Which of the following certificate use cases is described by this scenario?

A. Server authentication
B. Client authentication
C. Code Signing
D. Digital signature

A

B. Client authentication

Explanation:
OBJ-3.5: Client authentication describes the mechanism by which a server can verify that a connection request is originating from a preauthorized endpoint. It is commonly used by SSH servers, which store a copy of each client’s public key (in authorized_keys) and use it to verify the client during a connection. The encrypted-challenge exchange in the question is the SSH-1 form of public-key authentication; SSH-2 (RFC 4252) instead has the client sign data bound to the session with its private key and the server verify that signature with the stored public key, but in both forms the server is authenticating the client. Server authentication is utilized by a client device when the client establishes that the server is genuine. For example, when visiting a new website, a client will use the web server’s digital certificate and public key to authenticate that the server they connected to is legitimate. A digital signature is created by signing (for RSA, commonly described as encrypting) the hash digest with the sender’s private key. For example, when digitally signing an email, the email is first hashed and then the hash is signed with the private key of the sender to prove its integrity and non-repudiation when sent. Code signing is a method of using a digital signature to ensure the source and integrity of programming code. If a valid code signature exists, this indicates that the code has not been changed or modified since being released by the code’s author or publisher.

82
Q

Which of the following layers within software-defined networking focuses on resource requests or information about the network?

A. Application layer
B. Infrastructure layer
C. Management plane
D. Control layer

A

A. Application layer

Explanation:
OBJ-1.1: The application layer focuses on the communication resource requests or information about the network. The control layer uses the information from applications to decide how to route a data packet on the network and to make decisions about how traffic should be prioritized, how it should be secured, and where it should be forwarded to. The infrastructure layer contains the physical networking devices that receive information from the control layer about where to move the data and then perform those movements. The management plane is used to monitor traffic conditions, the status of the network, and allows network administrators to oversee the network and gain insight into its operations.

83
Q

After conducting a recent vulnerability assessment, Dion Training has decided that they need to upgrade the security of their authentication system. The current system allowed the use of a simple alphanumeric password of only 8 characters. The team is currently trying to decide between implementing a long, strong, and complex password policy and implementing two-factor authentication. While the two-factor authentication would be more secure, it is also more costly to implement. The Chief Financial Officer prefers using the complex password policy as the solution to save money, but the Chief Security Officer prefers using multi-factor authentication for higher security. They have each created a course of action and will present it to the CEO for final approval and decision. Based on the information provided, which of the following types of analysis is the team at Dion Training performing?

A. Gap analysis
B. Privacy impact analysis
C. Tradeoff analysis
D. Business impact analysis

A

C. Tradeoff analysis

Explanation:
OBJ-4.1: A tradeoff analysis compares potential benefits to potential risks and determines a course of action based on adjusting factors that contribute to each area. A business impact analysis describes the collaborative effort to identify those systems and software that perform essential functions, meaning the organization cannot run without them. A privacy impact assessment is conducted by an organization for it to determine where its privacy data is stored and how that privacy data moves throughout an information system. It evaluates the impacts that may be realized by a compromise to the confidentiality, integrity, and/or availability of the data. A gap analysis measures the difference between the current state and desired state to assess the scope of work included in a project. By measuring ALE, MTTR, MTBF, TCO, and other factors, the organization can identify how closely it is performing to the desired outcomes or requirements.

84
Q

Your organization is updating its Acceptable Use Policy (AUP) to implement a new standard that requires a guest’s wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?

A. Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server
B. All guests must provide valid identification when registering their wireless devices for use on the network
C. Open authentication standards should be implemented on all wireless infrastructure
D. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters

A

B. All guests must provide valid identification when registering their wireless devices for use on the network

Explanation:
OBJ-4.1: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest’s need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question’s sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

85
Q

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?

A. VPN
B. MAC Filtering
C. Intrusion Detection System
D. Implement an allow list

A

D. Implement an allow list

Explanation:
OBJ-1.1: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can reach the web server. This is done with rules in the Access Control List (ACL) at the network edge that permit those vendors’ addresses and deny ALL other sources, dropping the large number of requests arriving from any other IP address, such as those from an attacker. Based on the scenario’s description, it appears that the system is under some form of denial of service attack, but by enforcing the allow list at the edge of the network and sinkholing traffic from addresses that are not on it, the server will no longer be overwhelmed or slow to respond to legitimate requests (the vendors’ addresses must be static, or the list maintained as they change). MAC filtering only works at layer 2 of the OSI model and would not apply to traffic routed over the internet from your vendors to your server. A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).
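The ACL described above, as an added example that is not code from the original flashcards: an allow list of vendor address ranges applied with Python's ipaddress module, with an implicit deny for every other source. The vendor ranges and the request sample are constructed from documentation prefixes, and a flood from a single source stands in for the three million requests in the scenario.

```python
import ipaddress
from collections import Counter

# Added example (not from the flashcard set). Constructed vendor ranges using
# documentation prefixes; they are not real customers.
VENDOR_ALLOW_LIST = [
    "198.51.100.0/28",     # vendor A office egress
    "203.0.113.17/32",     # vendor B NAT address
    "203.0.113.64/27",     # vendor C
    "192.0.2.200/30",      # vendor D
    "2001:db8:beef::/48",  # vendor E (IPv6)
]


def build_allow_list(cidrs):
    """Parse once. strict=True rejects a prefix with host bits set, which
    catches the classic typo of allowing a /24 when a /32 was meant."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(src_ip, allow_list):
    """IPv4 and IPv6 entries can be mixed; an address never matches a network
    of the other family."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allow_list)


def filter_requests(requests, allow_list):
    """Edge ACL with implicit deny: every source not on the allow list is
    dropped, and drops are tallied per source so the flood is visible in one
    number rather than in a saturated web server."""
    passed, dropped = [], Counter()
    for src, path in requests:
        if is_allowed(src, allow_list):
            passed.append((src, path))
        else:
            dropped[src] += 1
    return passed, dropped


def demo():
    """Three vendor requests buried in a constructed flood from one source."""
    requests = [
        ("198.51.100.7", "/invoice/1"),
        ("203.0.113.17", "/invoice/2"),
        ("2001:db8:beef:1::10", "/invoice/3"),
    ]
    requests += [("192.0.2.77", "/")] * 1000  # attacker, not a vendor
    return filter_requests(requests, build_allow_list(VENDOR_ALLOW_LIST))
```

The same rule set expressed on a real edge device is a permit line per vendor prefix followed by a deny-any; the Python form is useful for testing a proposed list against a sample of logs before it goes on the firewall.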

86
Q

Sagar is planning to patch a production system to correct a vulnerability detected during his most recent network vulnerability scan. What process should he follow to minimize the risk of a system failure while patching this vulnerability?

A. Contact the vendor to determine a safe time frame for deploying the patch into the production environment
B. Wait 60 days to deploy the patch to ensure there are no associated bugs reported with it
C. Deploy the patch immediately on the production system to remediate the vulnerability
D. Deploy the patch in a sandbox environment to test it before patching the production system

A

D. Deploy the patch in a sandbox environment to test it before patching the production system

Explanation:
OBJ-3.2: While patching a system is necessary to remediate a vulnerability, you should always test the patch before implementation. It is considered a best practice to create a staging or sandbox environment to test the patches’ installation before installing them into the production environment. This reduces the risks of the patch breaking something in the production system. Unless you are dealing with a very critical vulnerability and the risk of not patching is worse than the risk of patching the production system directly, you should not immediately patch the production systems without testing the patch first. You should not wait 60 days to deploy the patch. Waiting this long provides attackers an opportunity to reverse engineer the patch and create a working exploit against the vulnerability. Finally, asking the vendor for a safe time frame is not helpful since the vendor does not know the specifics of your environment or your business operations.

87
Q

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?

A. The files were downloaded from home while connected to the corporate VPN
B. The data was encrypted and emailed to their spouse’s email account
C. The data was hashed and then emailed to their personal email account
D. Steganography was used to hide the leaked data inside the user’s photos

A

D. Steganography was used to hide the leaked data inside the users photos

Explanation:
OBJ-2.8: The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customers’ information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers’ personal information. Finally, according to the scenario, the user’s email showed no evidence of encrypted files being sent.
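What the user in this scenario could have done, as an added example that is not part of the original flashcards: least-significant-bit steganography over a constructed grayscale carrier (a byte array standing in for a lossless image such as PNG or BMP; JPEG recompression would destroy the bits). Embedding changes each used pixel by at most one level and leaves the size unchanged, which is why a DLP rule keyed on file size or type sees nothing. The payload below is a constructed record, not real customer data.

```python
import struct

# Added example (not from the flashcard set): LSB steganography over a
# constructed grayscale carrier, one byte per pixel.


def make_carrier(width=64, height=64):
    """Constructed stand-in for a photo: a smooth gradient, one byte per pixel."""
    return bytearray((x * 7 + y * 3) % 256 for y in range(height) for x in range(width))


def _bits(data):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(carrier, payload):
    """Write a 4-byte length header and the payload into the pixel LSBs.
    Each used pixel changes by at most one intensity level."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(carrier):
        raise ValueError("payload too large for carrier")
    stego = bytearray(carrier)  # same size as the original
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego):
    """Read the header and payload back out of the LSBs. On an untouched
    carrier the 'length' is whatever the gradient's LSBs happen to spell,
    which is rejected because it does not fit the carrier."""
    def read(nbits, offset):
        value = 0
        for i in range(nbits):
            value = (value << 1) | (stego[offset + i] & 1)
        return value

    length = read(32, 0)
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload")
    return bytes(read(8, 32 + k * 8) for k in range(length))


def max_pixel_change(original, stego):
    """How far any pixel moved: the visual footprint of the embedding."""
    return max(abs(a - b) for a, b in zip(original, stego))
```

For the responder, the lesson is that the only reliable detections are statistical (LSB-plane analysis, chi-square tests, comparison against a known-clean copy of the same photo) or behavioural (why is a user emailing hundreds of full-resolution photos to a personal account); nothing in size, type or visible content gives it away.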

88
Q

Jason is working at a nuclear power plant as a reactor operator. During his shift, he is responsible for maintaining the proper temperature and pressure inside the reactor core. As Jason performs his role, he presses buttons to turn on heaters and turns switches to open or shut valves to allow more or less coolant into the reactor. Which of the following operational technologies is Jason using to manually control the PLCs located throughout the reactor plant?

A. Safety instrumented system
B. Human machine interface
C. Data historian
D. Ladder logic

A

B. Human machine interface

Explanation:
OBJ-3.3: The human-machine interface (HMI) provides the input and output controls on a PLC to allow a user to configure and monitor the system. In this scenario, Jason is sitting at a control panel with buttons and switches that are used to manually control the PLCs located throughout the reactor plant. A Safety Instrumented System (SIS) is composed of sensors, logic solvers, and final control elements (such as shutdown valves and breakers, usually with alarms to alert the operators) used to return an industrial process to a safe state after predetermined conditions are detected; it acts automatically rather than through an operator. The data historian is a type of software that aggregates and catalogs data from multiple sources within an industrial control system’s control loop. Ladder Logic is a graphical, flowchart-like programming language used to program the sequential control sequences executed by a programmable logic controller (PLC).

89
Q

A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command?

A. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76
B. Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76
C. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080
D. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

A

A. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76

Explanation:
OBJ-2.2: In netcat (nc), -l tells it to listen and -p sets the listening port, so the first command waits for an inbound connection on TCP 8080. The | is a shell pipe: everything the listener receives is written to its standard output and fed into the standard input of the second nc, which has connected out to 192.168.1.76 on port 443 and forwards the data there. The result is a one-way relay from whoever connects to port 8080 to the remote host; data sent back by 192.168.1.76 is not returned to the original sender (a two-way relay needs a named pipe, for example mkfifo /tmp/f; nc -l -p 8080 < /tmp/f | nc 192.168.1.76 443 > /tmp/f). Port 443 is chosen because egress filters almost always allow it, but nc sends plain TCP on that port: nothing here is encrypted, and the traffic only looks like HTTPS to a port-based firewall, not to an inspecting proxy or an IDS that expects a TLS handshake.
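The relay from the question, as an added Python example that is not part of the original flashcards. It shows why the piped netcat pair is one-way and what the full-duplex version does: one pump per direction, each propagating end-of-stream to the other side. listen_and_forward is the real-network equivalent of the nc command and is not run here; simulate wires the relay between two socket pairs so the exchange can be run offline with a constructed request and response.

```python
import socket
import threading

# Added example (not from the flashcard set). REQUEST and RESPONSE are
# constructed stand-ins for what a client and the remote host would exchange.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\n"


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF along by
    closing dst's write side. The piped `nc -l -p 8080 | nc host 443` is
    exactly one of these; the reverse direction is what the pipe lacks."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Full-duplex relay between two connected sockets (the mkfifo trick)."""
    back = threading.Thread(target=pump, args=(b, a), daemon=True)
    back.start()
    pump(a, b)
    back.join()


def listen_and_forward(listen_port, target_host, target_port):
    """Network version of the netcat command: accept one inbound connection on
    listen_port and relay it, in both directions, to target_host:target_port."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(1)
        inbound, _ = srv.accept()
    with inbound, socket.create_connection((target_host, target_port)) as outbound:
        relay(inbound, outbound)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def simulate():
    """Offline run: socket pairs stand in for the client link and the link to
    the remote host. Returns what each end saw, including both EOFs."""
    client, relay_in = socket.socketpair()
    relay_out, server = socket.socketpair()
    worker = threading.Thread(target=relay, args=(relay_in, relay_out))
    worker.start()
    client.sendall(REQUEST)
    request_seen = recv_exact(server, len(REQUEST))
    server.sendall(RESPONSE)
    response_seen = recv_exact(client, len(RESPONSE))
    client.shutdown(socket.SHUT_WR)  # client finished sending ...
    eof_at_server = server.recv(1)   # ... and the remote side sees EOF
    server.close()                   # remote side hangs up ...
    eof_at_client = client.recv(1)   # ... and the client sees EOF
    worker.join()
    for s in (client, relay_in, relay_out):
        s.close()
    return request_seen, response_seen, eof_at_server, eof_at_client
```

From the defender's side, a relay like this on a workstation shows up as a host that is both listening on an unusual port and holding a long-lived outbound session to port 443 with no TLS handshake in it, which is the detection to write.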

90
Q

Sarah is working at a startup that is focused on making secure banking apps for smartphones. Her company needs to select an asymmetric encryption algorithm to encrypt the data being used by the app. Due to the need for high security of the banking data, the company needs to ensure that whatever encryption they use is considered strong, but also needs to minimize the processing power required since it will be running on a mobile device with lower computing power. Which algorithm should Sarah choose to provide the same level of high encryption strength with a lower overall key length?

A. ECC
B. Twofish
C. RSA
D. Diffie-Hellman

A

A. ECC

Explanation:
OBJ-3.6: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. Its main benefit over RSA and finite-field Diffie-Hellman is that it reaches the same security level with a much shorter key, which means smaller keys and signatures and less computation per operation, exactly what a battery-powered phone needs. For example, a 256-bit ECC key (such as P-256 or Curve25519) is rated at roughly the same 128-bit security level as a 3072-bit RSA or Diffie-Hellman key (NIST SP 800-57). Diffie-Hellman is a key-agreement protocol rather than a data-encryption algorithm, and Twofish is a symmetric block cipher, so neither answers a question about asymmetric encryption. In practice the app would use ECC (ECDH or ECIES) to establish or wrap a symmetric key and then encrypt the bulk data with AES; public-key algorithms are not used to encrypt large amounts of data directly.