Udemy CASP Practice Exam 5 Flashcards

1
Q

Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company’s confidential financial data in a cloud provider’s network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer’s concerns?

A. PaaS in a hybrid cloud
B. SaaS in a public cloud
C. SaaS in a private cloud
D. PaaS in a community cloud

A

C. SaaS in a private cloud

Explanation:
OBJ-1.6: A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO’s requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not commingle your data with other customers’ data and provides dedicated servers and resources for your company’s use only.

2
Q

A company’s NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?

A. Enable sampling of the data
B. Enable QoS
C. Enable NetFlow compression
D. Enable full packet capture

A

A. Enable sampling of the data

Explanation:
OBJ-1.1: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

3
Q

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?

A. Data masking
B. Tokenization
C. Data minimization
D. Anonymization

A

C. Data minimization

Explanation:
OBJ-1.4: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field’s contents are redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

4
Q

What type of services can allow you to get more storage and more resources added to the cloud as fast as possible?

A. Rapid elasticity
B. Measured services
C. Resource pooling
D. Metered services

A

A. Rapid elasticity

Explanation:
OBJ-1.2: Rapid elasticity allows users to automatically request additional space in the cloud or other types of services. Because of the setup of cloud computing services, provisioning can be seamless for the client or user. Providers still need to allocate and de-allocate resources, but that is often irrelevant on the client or user’s side. This feature allows a service to be scaled up without purchasing, installing, and configuring new hardware, unlike if you had to install more physical storage into a server or datacenter. Resource pooling refers to the concept that allows a virtual environment to allocate memory and processing capacity for a VM’s use. Metered services are pre-paid, a-la-carte, pay-per-use, or committed offerings. A metered service like a database may charge its users based on the actual usage of the service resources on an hourly or monthly basis. For example, Dion Training used the AWS Lambda serverless product in some of our automation. This service charges us $0.20 for every 1 million requests processed. Measured service is a term that IT professionals apply to cloud computing that references services where the cloud provider measures or monitors the provision of services for various reasons, including billing, effective use of resources, or overall predictive planning.

5
Q

Marta’s organization is concerned with the vulnerability of a user’s account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

A. Password history
B. Password expiration
C. Password complexity
D. Minimum password length

A

B. Password expiration

Explanation:
OBJ-1.5: A password expiration control in the policy would force users to change their passwords at specific time intervals. This will then lock out a user who types in the incorrect password or create an alert that the user’s account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The “Passwords must meet complexity requirements” policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.

6
Q

During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst’s vulnerability scans of the network’s domain controllers?

A. DMARC and DKIM
B. Log files
C. SIEM systems
D. Configuration management systems

A

A. DMARC and DKIM

Explanation:
OBJ-2.3: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether a third party sending an email is authorized to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.

7
Q

In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories?

A. Dissemination
B. Collection
C. Analysis
D. Feedback

A

B. Collection

Explanation:
OBJ-2.1: The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers’ and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

8
Q

Dion Training is drafting a new business continuity plan and is trying to determine the appropriate recovery time objective for their practice exam web application. This application is used by all of Dion Training’s students to prepare for their upcoming certification exams. Historically, the organization has observed that if the application is down for more than a few hours, then a large number of complaints are created by students. Which of the following roles is most qualified to determine the appropriate recovery time objective to use for this application?

A. Data custodian
B. CEO
C. Cybersecurity analyst
D. Director of student success

A

D. Director of student success

Explanation:
OBJ-4.4: The “director of student success” is the person responsible for supporting the students and answering their complaints and serves as the business unit manager or director for the training of students at Dion Training. They are the person most qualified to determine the maximum amount of time that performing a recovery should take without creating a negative experience for the students (customers). The recovery time objective defines the maximum amount of time that performing a recovery can take and the service can be offline. The data custodian is responsible for the safe custody, transport, storage of the data, and implementation of the organization’s business rules. Cybersecurity analysts plan and carry out security measures to protect a company’s computer networks and systems, but they do not define the recovery time objective. The chief executive officer (CEO) is the head of the executive team and manages the day-to-day operations of the organization, its people, and resources. The CEO might make the final decision on the recovery time objective based on comparing the costs and benefits of meeting a certain recovery time objective proposed by the director of student success (the business unit manager/director).

9
Q

Review the following packet captured at your NIDS:

After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

A. DENY IP HOST 86.18.10.3 EQ 3389
B. DENY TCP ANY HOST 86.18.10.3 EQ 25
C. DENY TCP ANY HOST 71.168.10.45 EQ 3389
D. DENY IP HOST 71.168.10.45 ANY EQ 25

A

C. DENY TCP ANY HOST 71.168.10.45 EQ 3389

Explanation:
OBJ-2.2: Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

10
Q

Dion Training performed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this timeframe?

A. RPO
B. RTO
C. MTTR
D. MTBF

A

A. RPO

Explanation:
OBJ-4.4: Recovery point objective (RPO) describes the timeframe in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure. RPO is about how much data you can afford to lose before it impacts business operations. For example, at Dion Training, if 1 hour of data loss occurred, that means that any student progress within the last hour would be lost once the organization restored a server from a known good backup.

11
Q

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

A. Background checks
B. Mandatory vacation
C. Dual control
D. Separation of Duties

A

D. Separation of Duties

Explanation:
OBJ-4.1: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization’s ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job, which helps detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person’s criminal record, education, employment history, and other past activities to confirm their validity.

12
Q

Which of the following types of operational technologies is designed to be used for a single purpose or function and cannot be patched when a flaw or defect is identified?

A. FPGA
B. IoT
C. SoC
D. ASIC

A

D. ASIC

Explanation:
OBJ-3.3: An application-specific integrated circuit (ASIC) is a type of processor designed to perform a specific function. ASICs are expensive to design and only work for a single application or function, such as the ASICs used to conduct switching in an Ethernet switch. ASICs cannot be rewritten, flashed, or updated once they are created and installed. If a flaw or defect is discovered in the ASIC, it must be replaced to patch the vulnerability. A field programmable gate array (FPGA) is a type of processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture. An FPGA can be configured by the end customer to run programming logic on the device for their specific use case or application. A System on a Chip (SoC) integrates practically all the components of a traditional chipset (which is comprised of as many as four chips that control communication between the CPU, RAM, storage, and peripherals) into a single chip. An SoC includes the processor as well as a GPU (graphics processor), memory, USB controller, power management circuits, and wireless radios. Internet of Things (IoT) is a term used to describe a global network of appliances and personal devices that have been equipped with sensors, software, and network connectivity. The Internet of Things includes hub/control systems, smart devices, wearables, and sensors.

13
Q

Dion Training has just installed a new security patch into their existing practice exam web application. Which of the following tests should be conducted to ensure that all of the previous system functionality still works as expected after installing the patch?

A. Unit testing
B. Integration testing
C. Regression testing
D. CI/CD

A

C. Regression testing

Explanation:
OBJ-1.3: Regression testing is the process of testing an application after changes are made to see if these changes have triggered problems in older areas of code. Continuous integration/continuous delivery (CI/CD) is a software development methodology in which code updates are tested and committed to a development or build server/code repository rapidly. Integration testing is used to test individual components of a system together to ensure that they interact as expected. Unit testing is used to test that a particular block of code performs the exact action intended and provides the exact output expected. Normally, unit testing is coded into the software using simple pass/no pass tests for each block of code.

14
Q

You are analyzing the vulnerability scanning results from a recent web vulnerability scan in preparation for the exploitation phase of an upcoming assessment. A portion of the scan results is shown below.
Which exploit is the website vulnerable to based on the results?

A. Session hijacking
B. Cookie manipulation
C. SQL Injection
D. Local file inclusion

A

C. SQL Injection

Explanation:
OBJ-2.4: The most common type of code injection is SQL injection. An SQL injection attempts to modify one or more of an SQL query’s four basic functions: select, insert, delete, or update. Two common methods of performing an SQL injection are either using a single apostrophe (‘) or submitting an always true statement like 1=1. In the scan results, you can see that a statement of “1 OR 17 - 7 = 10” was used. Notice that %20 is the URL-encoded (percent-encoded) equivalent of the space character. As a penetration tester, you need to be familiar with common URL-encoded equivalents of ASCII text like %20 (space), %5c (\), and %2F (/) to identify SQL injections and file inclusions.

15
Q

Dion Training is developing a new web-based practice exam test engine. The application uses REST API and TLS to communicate securely between the front end and backend servers. You have been hired as a security analyst and have been asked to provide a solution that would help secure the application from attack. Which of the following solutions should you recommend to prevent an on-path or interception attack against this web-based application?

A. Certificate pinning
B. Secure encrypted enclave
C. Extended validation certificate
D. HSTS

A

D. HSTS

Explanation:
OBJ-3.5: HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only. HSTS helps prevent on-path and downgrade attacks. Certificate pinning is a deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize on-path (formerly man-in-the-middle) attacks. Certificate pinning is no longer considered secure and should not be used. Extended Validation (EV) digital certificates are subject to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed. A major drawback to EV certificates is that they cannot be issued for a wildcard domain. Secure encrypted enclaves protect CPU instructions, dedicated secure subsystems in a system on a chip (SoC), or a protected region of memory in a database engine by only allowing data to be decrypted on the fly within the CPU, SoC, or protected region.

16
Q

Christina is conducting a penetration test against Dion Training’s network. The goal of this engagement is to conduct data exfiltration of the company’s exam database without detection. Christina enters the following command into the terminal:
Next, Christina emailed the beachpic.png file to her personal email account. Which of the following techniques did she use to exfiltrate the file?

A. NTFS Encryption
B. DLL Hijacking
C. Alternate data streams
D. Unquoted service path

A

C. Alternate data streams

Explanation:
OBJ-1.4: An alternate data stream (ADS) is a feature of Microsoft’s NT File System (NTFS) that enables multiple data streams for a single file name by forking one or more files to another. ADS can be abused by hiding one file into another, as shown in this scenario. Once received in her email, she could access the database by opening the file as “beachpic.png:exams.db”.

17
Q

You have just completed writing the scoping document for your next penetration test, which clearly defines what tools, techniques, and targets you intend to include during your assessment. Which of the following actions should you take next?

A. Conduct a port scan of the target network
B. Conduct passive fingerprinting on target servers
C. Provide a copy of the scoping document to local law enforcement
D. Get leadership concurrence on the scoping document

A

D. Get leadership concurrence on the scoping document

Explanation:
OBJ-2.4: Once the scoping document has been prepared, you must get concurrence with your plan before you begin your penetration test. Therefore, you must get the scoping plan reviewed and approved by the organization’s leadership as your next action. You should never begin a penetration test before you have written permission and concurrence from the target organization. Port scanning of the target and even passive fingerprinting could be construed as a cybercrime if you did not get the scoping document signed off before beginning your assessment. There is no requirement to notify local law enforcement of your upcoming penetration test as long as you have a signed scoping document and contract with the targeted company.

18
Q

Susan is working at a nuclear power plant as a reactor operator. During her shift, the reactor temperature starts rising rapidly. Suddenly, she sees flashing lights on the console and hears a warning siren. The automatic controls take over and scram the reactor by inserting the control rods and returning the plant to a safe state while the other engineers investigate what went wrong. Which of the following operational technologies was responsible for the lights, siren, and initiating a reactor scram?

A. Data historian
B. Safety instrumented system
C. Human machine interface
D. Ladder Logic

A

B. Safety instrumented system

Explanation:
OBJ-3.3: A Safety Instrumented System (SIS) is composed of sensors, logic solvers, and final control elements (devices like horns, flashing lights, and/or sirens) used to return an industrial process to a safe state after predetermined conditions are detected. The human-machine interface (HMI) provides the input and output controls on a PLC to allow a user to configure and monitor the system. In this scenario, Jason is sitting at a control panel with buttons and switches that are used to manually control the PLCs located throughout the reactor plant. Ladder Logic is a graphical, flowchart-like programming language used to program the special sequential control sequences used by a programmable logic controller (PLC). The data historian is a type of software that aggregates and catalogs data from multiple sources within an industrial control system’s control loop.

19
Q

Janet, a defense contractor for the military, performs an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify?

A. Critical systems
B. Backup and restoration plan
C. Mission essential function
D. Single point of failure

A

C. Mission essential function

Explanation:
OBJ-4.4: Mission essential functions are things that must be performed by an organization to meet its mission. For example, the Army being able to deploy its soldiers is a mission-essential function. If they couldn’t do that because a network server is offline, then that system would be considered a critical system and should be prioritized for higher security and better defenses.

20
Q

Why would a company want to utilize a wildcard certificate for their servers?

A. To secure the certificate’s private key
B. To reduce the certificate management burden
C. To increase the certificate’s encryption key length
D. To extend the renewal date of the certificate

A

B. To reduce the certificate management burden

Explanation:
OBJ-3.5: A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain. A single wildcard certificate for *.diontraining.com will secure all these domains (www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, etc.). The other options provided are not solved by using a wildcard certificate.

21
Q

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?

A. Training and transition
B. Operations and maintenance
C. Development
D. Disposition

A

A. Training and transition

Explanation:
OBJ-1.3: The training and transition phase ensures that end users are trained on the software and that it has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase. Disposition is focused on the retirement of an application or system. Operations and maintenance are focused on the portion of the lifecycle where the application or system goes into use to provide value to the end-users. Development is the portion of the lifecycle focused on designing and coding the application or system.

22
Q

Dion Training has been issued a digital certificate for a test server from an intermediate certificate authority (R3) who is subordinate to the root certification authority (ISRG Root X1). The digital certificate was issued for 12 months and has been in use without any issues for the past 4 months. When Jason accessed the test server’s login page today, he noticed that there was an error stating that the connection is untrusted. Which of the following is MOST likely causing this error?

A. There is a chain issue with the certificate authorities
B. There is a validity date error on the certificate
C. There are incorrect permissions on the template
D. The certificate was self signed

A

A. There is a chain issue with the certificate authorities

Explanation:
OBJ-3.7: Chain issues occur when the root, subordinate, or leaf certificate fails to pass a validity check. Since the certificate authorities must all pass the validity checks for the certificate issued to be considered valid, if any of these are invalid, then the entire chain is considered invalid, too. A validity date error occurs when a certificate is presented for use on a date that is already past the expiration date. The expiration date has not been reached yet, as the digital certificate still has 8 months remaining. A self-signed certificate is a certificate generated independently of a certificate authority and is considered not trustworthy. Since there is a root and intermediate certificate authority involved, the digital certificate is not self-signed. An incorrect permissions error is generated when a template is used for certificate enrollment but the template’s permissions are misconfigured. This can result in a “cannot enroll for this type of certificate” or an “operation failed” error. Since the question was not asking about enrolling or renewing a certificate, it cannot be an incorrect permissions error.

23
Q

If you want to conduct operating system identification during an nmap scan, which syntax should you utilize?

A. nmap -id
B. nmap -os
C. nmap -O
D. nmap -osscan

A

C. nmap -O

Explanation:
OBJ-2.9: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.

24
Q

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card’s hardware address?

A. WPS
B. MAC Filtering
C. Disable SSID Broadcast
D. WEP

A

B. MAC Filtering

Explanation:
OBJ-1.1: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won’t stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device’s physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

25
Q

Which of the following would a virtual private cloud (VPC) infrastructure be classified as?

A. PaaS
B. SaaS
C. IaaS
D. Function as a Service

A

C. IaaS

Explanation:
OBJ-1.6: Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.

26
Q

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?

A. Anti malware
B. HIPS
C. Patch management
D. GPO

A

D. GPO

Explanation:
OBJ-3.2: Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Anti-malware software is a program that scans a device or network for known viruses, Trojans, worms, and other malicious software. Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware. Proper patch management is a technical control that would prevent future outbreaks.

27
Q

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?

A. Password spraying
B. Zero Day Attack
C. Session hijacking
D. Directory traversal

A

B. Zero Day Attack

Explanation:
OBJ-2.2: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server). The anti-virus doesn’t have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn’t appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.

28
Q

The Chief Security Officer at Dion Training is concerned with the threat of data remnants being exposed as their cloud-based servers elastically scale to meet rising and falling user demands. Which of the following cryptographic techniques would BEST be used to mitigate the risk of data remnants being read by a malicious attacker?

A. Use a self-signed certificate
B. Key rotation
C. Cryptographic obfuscation
D. Crypto shredding

A

D. Crypto shredding

Explanation:
OBJ-3.7: Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. To protect against data remnants left behind during elastic scaling operations, the storage of each cloud server should be encrypted using a different key, and that key should be destroyed when the server is deprovisioned during scale-in operations. Cryptographic obfuscation is used to transform protected data into an unreadable format. For example, the Linux user passwords stored in the /etc/shadow file are obfuscated to protect them. Key rotation is the process of purposely changing keys periodically to mitigate against brute-force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. A self-signed certificate is a certificate generated independently of a certificate authority and is considered not trustworthy.

29
Q

Your network security manager wants a monthly report of the security posture of all the assets on the network (e.g., workstations, servers, routers, switches, firewalls). The report should include any feature of a system or appliance that is missing a security patch, OS update, or other essential security feature and its risk severity. Which tool would work best to find this data?

A. Penetration test
B. Vulnerability Scanner
C. Security policy
D. Antivirus scan

A

B. Vulnerability Scanner

Explanation:
OBJ-2.4: A vulnerability scanner is a computer program designed to assess computers, computer systems, networks, or applications for weaknesses. Most vulnerability scanners also create an itemized report of their findings after the scan.

30
Q

A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and the flooding destroyed all of the hardware associated with the small business. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never recurs. Which of the following recommendations should you include as part of the disaster recovery plan?

A. Purchase waterproof devices to prevent data loss
B. Local backups should be conducted
C. Backups should be conducted to a cloud based storage solution
D. Local backups should be verified weekly to ensure no data loss occurs

A

C. Backups should be conducted to a cloud based storage solution

Explanation:
OBJ-4.4: While losing the hardware is a problem for the business, their insurance will replace the hardware if flooding destroyed it. The data involved is more of a concern. Therefore, backups should be the primary concern. Local backups are risky since a flood might also destroy them; therefore, using a cloud-based storage solution would be ideal and prevent future data loss.

31
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital’s enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital’s elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?

A. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack
B. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists
C. Recommend isolation of the elevator control system from the rest of the production network through the change control process
D. Recommend immediate disconnection of the elevator control system from the enterprise network

A

C. Recommend isolation of the elevator control system from the rest of the production network through the change control process

Explanation:
OBJ-3.3: The best recommendation is to conduct the logical or physical isolation of the elevator control system from the rest of the production network and the internet. This should be done through the change control process, which brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability in the elevator control system and defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (e.g., sick and injured people trapped in an elevator) if there were resources in the rest of the network that the PLCs depended on. Replacement of the elevators may be prohibitively expensive and time-consuming, and is likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.

32
Q

Which of the following is NOT considered a phase in the incident response cycle?

A. Detection and analysis
B. Notification and communication
C. Preparation
D. Containment, eradication and recovery

A

B. Notification and communication

Explanation:
OBJ-2.7: There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.

33
Q

Which of the following layers within software-defined networking focuses on providing network administrators the ability to oversee network operations, monitor traffic conditions, and display the status of the network?

A. Control layer
B. Infrastructure layer
C. Application layer
D. Management plane

A

D. Management plane

Explanation:
OBJ-1.1: The management plane is used to monitor traffic conditions and the status of the network, and it allows network administrators to oversee the network and gain insight into its operations. The application layer focuses on communicating resource requests or information about the network. The control layer uses the information from applications to decide how to route a data packet on the network and to make decisions about how traffic should be prioritized, how it should be secured, and where it should be forwarded. The infrastructure layer contains the physical networking devices that receive information from the control layer about where to move the data and then perform those movements.

34
Q

(This is a simulated performance-based question.)
Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)?

(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

A
35
Q

What kind of security vulnerability would a newly discovered flaw in a software application be considered?

A. Input validation flaw
B. Time of check to time of use flaw
C. HTTP header injection vulnerability
D. Zero day vulnerability

A

D. Zero day vulnerability

Explanation:
OBJ-2.5: A zero-day vulnerability refers to a newly discovered hole in software that is unknown to the vendor. This security hole can be exploited by hackers before the vendor becomes aware of it and can fix it. An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field and that succeeds because of an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. A time of check to time of use flaw is a class of software bug caused by a change in the system between the check of a condition (such as a security credential) and the use of the check’s result; the window of time between the two is what the attacker relies on. This is an example of a race condition.

36
Q

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices?

A. User and entity behavior analytics
B. Installation of antivirus tools
C. Implement endpoint protection platforms
D. Use of a host-based IDS or IPS

A

A. User and entity behavior analytics

Explanation:
OBJ-3.3: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

37
Q

Dion Training wants to implement an endpoint security control that will monitor indicators and logs from various systems and endpoints to identify anomalous or malicious behavior. The organization wants to ensure the tool utilizes machine learning or artificial intelligence due to the volume of indicators and logs collected across the network. This security control should monitor and identify activity across user accounts, workstations, servers, and virtual machines. Which of the following endpoint security controls would BEST meet these requirements?

A. Endpoint detection and response
B. Host-based intrusion detection system
C. Host-based firewall
D. User and entity behavior analytics (UEBA)

A

D. User and entity behavior analytics (UEBA)

Explanation:
OBJ-3.2: User and entity behavior analytics (UEBA) is a type of cybersecurity application or appliance that identifies anomalous or malicious behavior by using machine learning and statistical analysis to identify deviations from normally established baselines and patterns of activity. Endpoint detection and response (EDR) is a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. A host-based intrusion detection system (HIDS) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state. A host-based firewall is a firewall implemented as application software running on the host that provides sophisticated filtering of network traffic and can block processes at the application level.

38
Q

Dion Training is updating its disaster recovery plan. Currently, the company has a small office building that contains both its offices and its data center. The company cannot afford to purchase a second location. Instead, the CEO has negotiated an MOU with Fuller Solutions to use three empty server cabinets in their data center as an alternate location for recovery from a disaster. The CEO has also approved a reserved line of accounting in the budget each year to purchase the necessary servers and equipment to restore operations at the alternate site, but this money cannot be accessed until a disaster occurs. Which of the following recovery site strategies would you recommend to BEST meet these requirements?

A. Warm site
B. Mobile site
C. Hot site
D. Cold site

A

D. Cold site

Explanation:
OBJ-4.4: A cold site is a predetermined alternative location where a network can be rebuilt after a disaster. A cold site does not have a pre-established information systems capability, but it is open and available for building out an alternate site after the disaster occurs. A warm site is an alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site when needed. A warm site typically includes a data center that is typically scaled down from the primary site to include the capacity and throughput needed to run critical systems and software. A hot site is a fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster. A hot site requires specialized knowledge, sophisticated automation capabilities, and platforms that are designed to operate as a fully redundant and ready alternate site. A mobile site is essentially a data center in a container or trailer that can be rapidly deployed to a given location. A mobile site is best categorized as a mixture of a cold site and a warm site which can also be relocated when needed.

39
Q

Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still shows the servers as vulnerable? (SELECT ALL THAT APPLY)

A. The vulnerability assessment scan is returning a false positive
B. The wrong IP address range was scanned during your vulnerability assessment
C. You conducted the vulnerability scan without waiting long enough after the patch was installed
D. This critical patch did not remediate the vulnerability

A

D. This critical patch did not remediate the vulnerability

Explanation:
OBJ-2.4: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is the case based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, extremely critical patches are sometimes rushed into production. Another possibility is that the patch does not remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning, and it is assumed that you are scanning the same IP range both times since you have verified your scan configuration.

40
Q

Your company failed a recent security audit. The IT Director has issued a new policy dictating that all workstations must be locked when not in use for more than 2 minutes, that a password must be entered before booting up the operating system, and that the hard drive must be fully encrypted. You have been asked to configure the corporate workstations to enforce these new security measures. Which THREE of the following should you configure FIRST?

A. Enable a UEFI password
B. Enable a screen lock
C. Enable BitLocker
D. Enable strong passwords
E. Require the use of smart cards

A

A. Enable a UEFI password
B. Enable a screen lock
C. Enable BitLocker

Explanation:
OBJ-3.2: These requirements can be met by enabling BitLocker to encrypt the hard drive, enabling a UEFI password to require a password to be entered before booting an operating system, and enabling a screen lock that turns on after 2 minutes of inactivity. While the use of strong passwords, smart cards, or multifactor authentication is beneficial, they alone will not meet the requirements outlined in this scenario.

41
Q

Which of the following types of mobile device screen locks uses biometrics to securely unlock the device?

A. Swipe
B. Passcode
C. TouchID
D. FaceID

A

C. TouchID
D. FaceID

Explanation:
OBJ-3.1: The FaceID and TouchID screen locks rely upon biometric data to securely unlock the device. Face ID is a facial recognition system designed and developed by Apple. Touch ID is an electronic fingerprint recognition feature designed and released by Apple. Since biometrics are body measurements and calculations related to human characteristics, the use of a person’s face or fingerprint is classified as a biometric authentication system. A swipe lock is a term for unlocking a device by tracing a predetermined on-screen pattern or joining dots on the screen. This was commonly used in Android devices until biometric methods like fingerprint scanners and facial recognition became more prevalent. A passcode unlock is a term for unlocking a device by entering a 4- to 6-digit PIN.

42
Q

Dion Training wants to test the power outage portion of its business continuity plan. The company has decided that they will disconnect their headquarters and datacenter from the power grid at 12:15 pm and leave it disconnected for seven days to validate their ability to continue operations using their backup batteries and generators. Which of the following types of tests are they planning to utilize to validate their BCP?

A. Parallel test
B. Tabletop exercise
C. Full interruption test
D. Walk through

A

C. Full interruption test

Explanation:
OBJ-4.4: The organization is using a full interruption test to validate its BCP in this scenario. A full interruption test is used to take the primary site offline and shift operations to the alternate site. A parallel test occurs when the alternative site is brought online as if a real disaster occurred, but the primary site is not taken offline or affected, thereby keeping both the primary and alternate sites operating in parallel. A tabletop exercise will identify a specific objective or goal, provide injects or additional details, and then observe the actions that the participants would have taken to respond to a given incident or disaster scenario. A walk-through test typically occurs as a group conference where a representative from each business unit discusses the actions taken by their teams, reviews the plan, analyzes the plan’s effectiveness, and provides feedback or changes.

43
Q

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices’ data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?

A. Perform a cryptographic erase (CE) on the storage devices
B. Conduct zero fill on the storage devices
C. Use a secure erase (SE) utility on the storage devices
D. Incinerate and replace the storage devices

A

A. Perform a cryptographic erase (CE) on the storage devices

Explanation:
OBJ-4.3: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already encrypt data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage devices will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing of magnetic hard drives.

44
Q

Dion Training Solutions has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator’s control system has an embedded cellular modem that periodically connects to the generator’s manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training’s other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario?

A. There is a minimal risk being assumed since the cellular modem is configured for outbound connections only
B. There is a medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon
C. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment
D. There is a high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator

A

A. There is a minimal risk being assumed since the cellular modem is configured for outbound connections only

Explanation:
OBJ-3.3: There is a minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer’s data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.

45
Q

(This is a simulated performance-based question.)
You are working as a help desk technician and receive a call from a user who complains that their computer’s performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you open the command prompt in Windows and run the following command:
Based on the output provided, what type of malware may have been installed on this user’s computer?

A. Worm
B. Keylogger
C. RAT
D. Spam

A

C. RAT

Explanation:
OBJ-2.2: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software that has a RAT embedded in it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, whereas worms install themselves and continue to send data outbound across the network to keep spreading. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.

46
Q

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?

A. Trojan
B. Worm
C. Adware
D. Logic bomb

A

A. Trojan

Explanation:
OBJ-2.7: A trojan is a program in which malicious or harmful code is contained inside a harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it, causing the additional alerts from the antimalware solution. A trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed or on a specific date. Adware is software that displays unwanted advertisements on your computer.

47
Q

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

A. FISMA
B. HIPAA
C. COPPA
D. SOX

A

A. FISMA

Explanation:
OBJ-4.3: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children’s Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

48
Q

A financial services company wants to donate some old hard drives from their servers to a local charity. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?

A. Overwrite
B. Zero fill
C. Cryptographic erase
D. Secure erase

A

C. Cryptographic erase

Explanation:
OBJ-4.3: In a cryptographic erase (CE), the storage media is encrypted by default, and the encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices, but cryptographic erase can be used with hard drives as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to decide which locations are presented as available to any software process accessing the device, so some physical blocks may never be overwritten. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option for the question’s scenario would be a cryptographic erase (CE).

49
Q

A cybersecurity analyst is analyzing an employee’s workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output:
Based on this output, which of the following entries is suspicious? (SELECT THREE)

A
50
Q

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

A. NIDS
B. Syslog
C. Network mapping
D. Firewall logs

A

B. Syslog

Explanation:
OBJ-1.1: The Syslog server is a centralized log management solution. By looking through the Syslog server’s logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

51
Q

Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?

A. Salting
B. Collision resistance
C. Key stretching
D. Rainbow table

A

C. Key stretching

Explanation:
OBJ-3.6: In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

52
Q

Dion Training is drafting a new business continuity plan and is trying to determine the appropriate metric to utilize in defining the recovery requirements for their practice exam web application. This application is used by all of Dion Training’s students to prepare for their upcoming certification exams. The Chief Operating Officer (COO) has decided that she can only accept a loss of up to 2 hours of student practice exam results after an incident occurs. Which of the following metrics best defines this 2-hour timeframe?

A. MTTR
B. RTO
C. RSL
D. RPO

A

D. RPO

Explanation:
OBJ-4.4: The COO has defined the recovery point objective as 2 hours. The recovery point objective defines the maximum amount of data that can be lost without irreparable harm to the operation of the business. The recovery time objective defines the maximum amount of time that performing a recovery can take and the service can be offline. The recovery service level is the minimum acceptable amount of services that must be restored for a given system to consider it recovered. For example, your organization may need to restore its databases and websites to meet its recovery service level objectives while leaving its print servers offline since they may not be considered a mission-essential function in your organization. The mean time to recovery is the average amount of downtime calculated based on when a service or device fails and when its functionality is restored.

53
Q

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?

A. Fuzzing
B. Known bad data injection
C. Static code analysis
D. Sequential data sets

A

A. Fuzzing

Explanation:
OBJ-1.3: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data known to cause an exception or fault is entered as part of the testing/assessment. With known bad data injections, you would not use randomly generated data sets, though.

54
Q

Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server?

A. $2,500
B. $7,500
C. $15,000
D. $1,500

A

B. $7,500

Explanation:
OBJ-4.1: To calculate the ALE, you need to multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.

55
Q

A coworker is conducting open-source intelligence gathering for an upcoming penetration test against Dion Training. You look over their shoulder and see them enter the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

A. Returns all web pages containing the text diontraining.com
B. Returns all web pages hosted at diontraining.com
C. Returns all web pages containing an email address affiliated with diontraining.com
D. Returns no useful results for an attacker

A

C. Returns all web pages containing an email address affiliated with diontraining.com

Explanation:
OBJ-2.1: Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wildcard character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.

56
Q

You are conducting a penetration test against the Dion Training test server. You have just run Nikto against the server and received the results below:
Based on the results above, which of the following exploits should you develop for this engagement?

A
57
Q

Dion Training wants to implement a public key infrastructure to properly identify students logging into the website using token-based authentication using a smart card. The company has decided to use a single root server to issue the certificates to a student’s device after properly requesting the digital certificate by submitting a CSR. Which of the following would be another name for the root server in this PKI implementation?

A. Subordinate CA
B. Intermediate CA
C. Registration authority
D. Certificate authority

A

D. Certificate authority

Explanation:
OBJ-3.5: The root CA or root server is another name for a certificate authority (CA). The certificate authority (CA) is the entity responsible for issuing and guaranteeing certificates. In a technical implementation, the certificate authority is the server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys. A subordinate/intermediate CA is the entity responsible for issuing certificates to subjects (leaf or end entities) on behalf of the root certificate authority. A registration authority (RA) is the entity responsible for accepting requests for digital certificates and performing various steps to validate that the requestor is authorized to make a request.

58
Q

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?

A. Attack vector
B. Adversary capability set
C. Attack surface
D. Threat model

A

C. Attack surface

Explanation:
OBJ-2.1: The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct its attack.

59
Q

Jason is teaching a CompTIA course at a large company, but they do not allow non-employees to connect to their network. Since Jason needs the Internet for an in-class demonstration, he connects his laptop to his iPhone using a USB cable. He essentially connects to the Internet using the smartphone as a modem. Which of the following terms best describes this configuration?

A. Baseband update
B. Tunneling
C. Hotspot
D. Tethering

A

D. Tethering

Explanation:
OBJ-3.1: Tethering is the use of a mobile device’s cellular data plan to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi. One method of doing this is to connect the laptop to the device using a USB cable, and then it can be used as a wired network connection. A portable hotspot is a dedicated mobile device that connects to a cellular network and provides a wireless (Wi-Fi) network for a small number of users. A tunneling (or encapsulation) protocol wraps up data from one protocol for transfer over a different type of network. For example, PPP can carry TCP/IP data over a dial-up line, enabling a remote computer to communicate with the LAN. A baseband update is the modification of the firmware of a cellular modem.

60
Q

Dion Security Group is analyzing the encryption implementation of one of its customers. An analyst has discovered that they are using an older mode of operation that would allow an attacker to use the padding validation of a cryptographic message to decrypt the ciphertext into the corresponding plaintext. Which of the following mode or modes of operation is vulnerable to this padding-oracle attack?

A. Cipher block chaining
B. Electronic codebook
C. Counter mode
D. Galois/counter mode
E. Output feedback

A

A. Cipher block chaining
B. Electronic codebook

Explanation:
OBJ-3.6: Cipher block chaining (CBC) and the electronic codebook (ECB) are simple modes of enabling symmetric block ciphers to work with large sets of data and are older methods that are vulnerable to the padding-oracle attack. Galois/counter mode (GCM) provides a method of authenticated encryption with associated data (AEAD) that enables symmetric block ciphers to work with large sets of data. GCM is a specialized variant of the older counter mode that adds the authenticated data feature for the integrity and authenticity of the data. Counter (CTR) mode enables symmetric block ciphers to work with large sets of data by using an initialization vector and adding an incrementing counter value to the key to generate a keystream. Counter mode does not use padding in its operations and simply discards any unused space in the final block. Output feedback (OFB) enables symmetric block ciphers to work with large sets of data by using an initial chaining vector (ICV) during the first round of encryption and then combining the output of the previous rounds into the subsequent rounds.

61
Q

You have been assigned to assist with deploying a new web-based application to your company’s intranet. After installing the application, it was identified that the database server is becoming overloaded by the number of requests that the users create. The team lead has proposed adding a device between the web server and the database server to alleviate the issue. Which of the following is being implemented by adding this new device?

A. Conduct port sniffing and protocol analysis
B. Implement load balancing and provide high availability
C. Implement clustering and NIC teaming to the database server
D. Conduct content filtering and network analysis

A

B. Implement load balancing and provide high availability

Explanation:
OBJ-1.2: The device being added is most likely a load balancer. Adding this device will allow the delivery team to install a series of database servers to handle the requests by dividing the incoming requests among the various servers. NIC teaming would be an action that occurs on the database server itself. It is not a separate device. The other options are focused on troubleshooting efforts, not increasing the database server’s capability or availability.

62
Q

Which of the following information is traditionally found in the Scope of Work (SOW) for a penetration test?

A. Format of the executive summary report
B. Maintenance windows
C. Timing of the scan
D. Excluded hosts

A

D. Excluded hosts

Explanation:
OBJ-2.4: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.

63
Q

You are a cybersecurity analyst, and your company has just enabled key-based authentication on its SSH server. Review the following log file:
Which of the following actions should be performed to secure the SSH server?

A. Disable password authentication for SSH
B. Disable anonymous SSH logon
C. Disable SSHv1
D. Disable remote root SSH logon

A

A. Disable password authentication for SSH

Explanation:
OBJ-3.2: It is common for attackers to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords. Based on the logs, you see the server runs SSHv2, so there is no need to disable SSHv1 (it may already be disabled). You don’t want to fully disable remote root SSH logins, either, since this would make it difficult for administrators to conduct their work. Finally, based on the logs, it doesn’t appear that anonymous SSH logins are an issue, either, as we don’t see any anonymous attempts in the logs.

64
Q

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.
What type of action did the analyst perform, based on the command and response above?

A. Cross site scripting
B. Banner grabbing
C. SQL injection
D. Querying the whois database

A

B. Banner grabbing

Explanation:
OBJ-2.4: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the response reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server’s operating system.

65
Q

Matt is conducting a penetration test against Dion Training’s network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Matt enters the following command into the terminal:
Which of the following types of persistence is Matt trying to utilize?

A. PS Remoting
B. Scheduled Task
C. Registry Startup
D. Services

A

C. Registry Startup

Explanation:
OBJ-2.4: A penetration tester can use the “reg add” command to cause a particular program or command to start every time the Windows machine is booted up. To achieve this, the penetration tester stores the program in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. The first one will cause the program to run whenever any user logs into the machine. The second will only cause the program to start when the victimized user logs in again.

66
Q

Dion Training is developing a new digital contracting system to allow their corporate customers to create orders online. Once the customer creates their order, they will need to digitally sign the contract. The algorithm should use the complexity of factoring large numbers to protect the digital signature, and the speed of verifying the digital signature should be prioritized over the speed of generating the digital signature. Which of the following cryptographic algorithms would best meet these requirements?

A. ECDSA
B. RSA
C. PBKDF2
D. DSA

A

B. RSA

Explanation:
OBJ-3.6: Rivest, Shamir, and Adleman (RSA) is an asymmetric algorithm that uses the complexity of factoring the product of two large prime numbers to provide security. The digital signature algorithm (DSA) is a cryptographic algorithm that uses logarithmic and modulus math to generate and verify digital signatures. The DSA is faster than RSA at generating digital signatures, but it is slower than RSA when verifying them. Elliptic-Curve Digital Signature Algorithm (ECDSA) is an asymmetric algorithm that utilizes the properties of elliptic curves to provide comparable levels of protection as RSA with a much smaller key size. Password-Based Key Derivation Function 2 (PBKDF2) is a form of key stretching that utilizes a hash-based message authentication code (HMAC), the input password, and a salt value to create a more secure derived key.

67
Q

Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE)

A. Protection of endpoint security
B. Management of VPC offerings
C. Patching of the backend infrastructure
D. Management of physical servers
E. Limited disaster recovery options
F. Dependency on the cloud service provider

A

A. Protection of endpoint security
E. Limited disaster recovery options
F. Dependency on the cloud service provider

Explanation:
OBJ-3.4: Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike “traditional” virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren’t developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. There is a heavy dependency on the cloud service provider in a serverless architecture system since all of the back-end infrastructure’s patching and management functions are done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, since the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.

68
Q

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and sees the following output:
What type of attack was most likely being attempted by the attacker?

A. XML Injection
B. SQL Injection
C. Directory Traversal
D. Password Spraying

A

C. Directory Traversal

Explanation:
OBJ-2.5: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users’ passwords by attempting a compromised password against multiple user accounts.

69
Q

A software developer has just finished writing a new application. You have been contracted to conduct a scan to determine what vulnerabilities may exist. The developer provides you with the source code and the binary for the application. Which of the following should you perform FIRST?

A. Compliance Scan
B. Vulnerability Scan
C. Dynamic Application Scan
D. Static application scan

A

D. Static application scan

Explanation:
OBJ-1.3: A static application scan, or static code analysis, is the process of reviewing the source code while it is not executing. This requires the source code of the application, which in this scenario was provided. Static analysis can help you discover how the application functions and will allow you to find mistakes caused by poor programming practices, such as the failure to conduct input validation. If you have the source code and understand how to read the language used in it, you should first conduct a static code analysis. Once completed, you can move on to a dynamic application scan.

70
Q

Which of the following emerging technologies creates a public ledger of transactional records that is secured using cryptographic methods?

A. Homomorphic encryption
B. Big data
C. Machine learning
D. Blockchain

A

D. Blockchain

Explanation:
OBJ-1.8: The blockchain is an expanding list of transactional records listed in a public ledger that is secured using cryptography. Homomorphic encryption is a method of encryption that allows the computation of certain fields in a dataset without first decrypting the dataset. Big data refers to data collections that are too large and complex for a traditional database to manage. A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed.

71
Q

Dion Training wants to implement a public key infrastructure to properly identify students logging into the website using token-based authentication using a smart card. The company requires that all students provide a valid form of identification to the enrollment coordinator before a smart card is issued. This ensures that each student is uniquely identified and verified during the certificate request process. Which of the following roles does the enrollment coordinator fulfill in this PKI implementation?

A. Registration authority
B. Subordinate CA
C. Certificate authority
D. Intermediate CA

A

A. Registration authority

Explanation:
OBJ-3.5: A registration authority (RA) is the entity responsible for accepting requests for digital certificates and performing various steps to validate that the requestor is authorized to make a request. The certificate authority (CA) is the entity responsible for issuing and guaranteeing certificates. In a technical implementation, the certificate authority is the server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys. A subordinate/intermediate CA is the entity responsible for issuing certificates to subjects (leaf or end entities) on behalf of the root certificate authority.

72
Q

Which of the following types of access control provides the strongest level of protection?

A. MAC
B. RBAC
C. DAC
D. ABAC

A

A. MAC

Explanation:
OBJ-1.5: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.

73
Q

Dion Consulting Group has been hired to design a PKI architecture for a large organization. The organization has five main departments with around 1 million end users spread across six continents. Each user should be issued a digital certificate embedded on a smart card that is used to gain access to any network resources. To receive their smart card, each user must appear at a local registration office with proof of their identity. Based on the size and scope of this organization, which trust model do you recommend the organization utilize?

A. Hierarchical model
B. Single CA Model
C. Cross certification model
D. Bridge model

A

A. Hierarchical model

Explanation:
OBJ-3.5: A hierarchical model would be best for this scenario since each department can have its own intermediate CA and then create additional subordinate CAs under its intermediate CA. A hierarchical model allows a root certificate authority to trust multiple intermediate or subordinate certificate authorities in a parent/child relationship. Through this trust model, all members trust the root server and, therefore, they can also trust each other. A single CA is used to issue certificates to users and users only trust certificates issued by that CA. A cross certification model is a trust model that allows a trust relationship to be established between two certification authorities. Cross certification allows users and devices of two organizations to be recognized by the other, regardless of which organization’s root CA signed their certificate. A bridge model is a trust model that allows a local CA to connect to a centralized bridge CA which maintains bilateral arrangements with the local CAs from other organizations. This model forms a star topology of trust, where all trust and verification occur through the central bridge node.

74
Q

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?

A. Medium
B. High
C. None
D. Low

A

B. High

Explanation:
OBJ-4.1: Since Jack’s DMZ would contain systems and servers exposed to the Internet, there is a high likelihood that they are constantly being scanned by potential attackers performing reconnaissance.

75
Q

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?

A. Revoke the digital certificate
B. Utilize the key escrow process
C. Create a new security group
D. Deploy a new group policy

A

D. Deploy a new group policy

Explanation:
OBJ-3.2: A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.

76
Q

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)

A. journalctl _UID=1003 | grep -e 1003 | grep sudo
B. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
C. journalctl _UID=1003 | grep sudo
D. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

A

C. journalctl _UID=1003 | grep sudo

Explanation:
OBJ-2.2: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering “journalctl _UID=1003 | grep sudo” in the terminal. Don’t be afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn’t need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.

77
Q

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)?

A. Smart card
B. HOTP
C. EAP
D. TOTP

A

D. TOTP

Explanation:
OBJ-1.5: The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device’s and server’s local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

78
Q

Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1?

A. tcpdump -i eth0 dst 10.10.1.1
B. tcpdump -i eth0 proto 10.10.1.1
C. tcpdump -i eth0 src 10.10.1.1
D. tcpdump -i eth0 host 10.10.1.1

A

D. tcpdump -i eth0 host 10.10.1.1

Explanation:
OBJ-2.9: Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer, or security professional. The tcpdump tool is used to conduct packet capturing of network traffic. The host option specifies a filter to capture all traffic going to (destination) and from (source) the designated IP address. If the DST filter is used, this only captures data going to the designated IP address. If the SRC filter is used, this only captures data going from the designated IP. If the proto filter is used, this will capture all traffic going to or from a designated port, such as FTP if proto 21 was used.

79
Q

Dion Training has set up a LAMP server in the cloud to host a new WordPress website. As the site begins to gain visitors, it has been slowing down. Jason decided to upgrade the server from 1 vCPU to 2 vCPUs and increase the RAM to 8 GB instead of 4 GB. Which of the following BEST describes the type of action used to meet the increasing demands on the server?

A. Autoscaling
B. Vertical Scaling
C. Horizontal scaling
D. Clustering

A

B. Vertical Scaling

Explanation:
OBJ-1.2: Vertical scaling allows additional resources to be added to an individual system, such as adding processors, memory, and storage to an existing server. Horizontal scaling allows additional capacity to be achieved by adding servers to help process the same workload, such as adding nodes to a distributed system or adding web servers to an existing server farm. Autoscaling is the ability to expand and contract the performance of workloads based on policies with specific maximum and minimum capacity specifications. Autoscaling can be used with either horizontal or vertical scaling depending on your cloud service provider. Clustering allows multiple redundant processing nodes that share data to accept connections. The cluster appears to be a single server to the clients but provides additional levels of redundancy and resiliency.

80
Q

A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?

A. Manually review the syslog server’s logs
B. Conduct an OS fingerprinting scan across the network
C. Conduct a service discovery scan on the network
D. Conduct a packet capture of data traversing the server network

A

B. Conduct an OS fingerprinting scan across the network

Explanation:
OBJ-2.4: By utilizing operating system fingerprinting with a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the Syslog server’s logs would take too long and would not find servers that don’t send their logs to the Syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate whether the underlying server is running Linux or Windows.

81
Q

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database?

A. Data minimization
B. Tokenization
C. Data masking
D. Anonymization

A

B. Tokenization

Explanation:
OBJ-1.4: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

82
Q

Which tool should a malware analyst utilize to track the registry’s changes and the file system while running a suspicious executable on a Windows system?

A. DiskMon
B. Autoruns
C. ProcDump
D. Process Monitor

A

D. Process Monitor

Explanation:
OBJ-2.9: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

83
Q

Jason is conducting a penetration test against an organization’s Windows network. He then enters a command into the shell and receives the following output:
Based on the output above, which of the following types of vulnerabilities does this Windows system contain?

A. Unsecure file/folder permissions
B. Clear text credentials in LDAP
C. Writable services
D. Unquoted service path

A

D. Unquoted service path

Explanation:
OBJ-2.4: This Windows machine contains an unquoted service path vulnerability, as shown in the output. If a service is created with an executable path that contains spaces and is not enclosed within quotes, then an unquoted service path vulnerability exists. In Windows, if the service path is not enclosed within quotes and contains spaces, the system handles each space as a break and passes the rest of the service path as an argument. If the service involved has SYSTEM privileges, an attacker could exploit this vulnerability and gain SYSTEM-level access. This command finds the service name, executable path, display name, and auto-start setting of services in all directories except C:\Windows\ (since by default there is no service in this folder whose path contains spaces and is unquoted). As shown in the output, the service called “VulnerableService” has an unquoted service path.

84
Q

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

A. Digitally sign the image file to provide non-repudiation of the collection
B. Encrypt the image file to ensure it maintains data integrity
C. Encrypt the source drive to ensure an attacker cannot modify its contents
D. Create a hash digest of the source drive and image file to ensure they match

A

D. Create a hash digest of the source drive and image file to ensure they match

Explanation:
OBJ-2.8: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data’s confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.

85
Q

You are conducting a password audit. Which of these options is the most complex password?

A
86
Q

An organization has hired a cybersecurity analyst to conduct an assessment of its current security posture. The analyst begins by conducting an external assessment against the organization’s network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first?

A. Enumeration
B. Technical control audits
C. DNS Query Log Reviews
D. Intranet portal reviews

A

A. Enumeration

Explanation:
OBJ-2.4: Scanning and enumeration are used to determine open ports and identify the software and firmware/device types running on the host. This is also referred to as footprinting or fingerprinting. This technique is used to create a security profile of an organization by using a methodological manner to conduct the scanning. If this scan is conducted from outside of the organization’s network, it can be used to determine the network devices and information available to an unauthorized and external attacker. A DNS query log review, intranet portal review, or technical control audit would require internal access to the network, which is typically not accessible directly to an external attacker.

87
Q

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire?

A. EAP
B. Smart Card
C. HOTP
D. TOTP

A

C. HOTP

Explanation:
OBJ-1.5: HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations.

88
Q

Dion Training’s security team recently discovered a bug in their software’s code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed?

A. Regression testing
B. Fuzzing
C. User acceptance testing
D. Penetration testing

A

A. Regression testing

Explanation:
OBJ-1.3: Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the specifications or contract requirements have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the system’s security.

89
Q

You just completed a Nmap scan against a workstation and received the following output:

Based on these results, which of the following operating systems is most likely being run by this workstation?

A. macOS
B. Ubuntu
C. CentOS
D. Windows

A

D. Windows

Explanation:
OBJ-2.4: The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.

90
Q

Which of the following protocols could be used inside a virtual system to manage and monitor the network?

A. EIGRP
B. BGP
C. SNMP
D. SMTP

A

C. SNMP

Explanation:
OBJ-1.1: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.