Security+ Flashcards

(113 cards)

1
Q

An organization suffers multiple breaches due to pretexting attacks. What is the best option for dealing with this issue?
1. Terminate, bring your own device programs.
2. Deploy secure baselines on critical systems.
3. Require all retired backup media to be sanitized.
4. Implement a security awareness training program.

A
  4. Implement a security awareness training program.
    The organization should implement a security awareness training program. In a pretexting attack, a malicious actor creates a bogus scenario or pretext to lure a victim into sharing sensitive information or performing some other harmful action. For example, an attacker could impersonate a utility company to get a victim to share sensitive personal information under the pretext of performing critical maintenance. This type of attack is considered a social engineering attack.
2
Q

Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
1. Side loading.
2. Steganography.
3. Injection.
4. Baiting.

A
  4. Baiting.
    This training will help mitigate baiting attacks. In a baiting attack, an attacker leaves a malware-infected removable storage device in a conspicuous location. The premise of a baiting attack is that someone will find the device and be curious enough to attach it to their computer.

3
Q

An organization has implemented anti-phishing security controls. However, users continue to fall for phishing scams, which results in lost data. A security contractor recommends that the organization implement an administrative control. Which of the following controls should the organization consider as part of this recommendation?
1. Awareness training.
2. Email encryption.
3. Multi-factor authentication.
4. Data loss prevention.

A
  1. Awareness training.
    The organization should consider awareness training. Awareness training is used to instruct end users on how to perform their job duties securely as it relates to phishing. Awareness training could include phishing campaigns that mimic popular attack methods.

4
Q

What is the best matching role for each data responsibility?
Entity responsible for technical control of data including availability, security, scalability, technical standards and backup and restore.
Entity who collects or creates the data and is legally responsible and accountable for the data and its protection.
Entity responsible for protecting the rights and privacy of the data subject and controlling the procedures and purpose of data use.
Entity that works with data under the direction of responsible party but does not control the data or its use.

A

Data custodian. The data custodian is the entity responsible for technical control of data, including availability, security, scalability, technical standards, and backup and restore.
Data owner. The data owner is the entity that collects or creates the data and is legally responsible and accountable for the data and its protection.
Data controller. The data controller is the entity responsible for protecting the rights and privacy of the data subject and controlling the procedures and purpose of data use.
Data processor. The data processor is the entity that works with data under the direction of a responsible party but does not control the data or its use.

5
Q

During a risk assessment, potentially sensitive data is discovered on a file server. Which entity is responsible for determining the risk associated with leaving this data in its current storage location?
1. Data Custodian.
2. Data Subject.
3. Data Owner.
4. Data Steward.

A
  3. Data Owner.
    The data owner is responsible for determining the risk associated with leaving this data in its current storage location. The data owner is typically a high-ranking executive or director. Although the data owner will not deal with day-to-day data management, they will be called on if the data is not handled properly. The data owner determines who has access to the data, how frequently it should be backed up, and how it should be stored.
6
Q

Which activity is specifically designed to emulate an attacker who has some knowledge of an internal network, servers, or applications?
1. Red teaming.
2. White-box testing.
3. Blue teaming.
4. Grey-box testing.

A
  4. Grey-box testing.
    Grey-box testing is specifically designed to emulate an attacker who has some knowledge of an internal network, servers, or applications. This approach is useful when an organization wants to emulate an internal user who has some knowledge of the environment but may not have full access to the network architecture or systems.
7
Q

During which phase of a penetration test is the tester most likely to use OSINT?
1. Analysis.
2. Reconnaissance.
3. Maintaining access.
4. Gaining access.

A
  2. Reconnaissance.
    Open-source intelligence (OSINT) is publicly available information that a potential attacker or penetration tester can use to learn more about how and where an organization operates. The first phase of penetration testing is typically considered to be planning and reconnaissance.
8
Q

Why would an organization use Security Content Automation Protocol (SCAP)?
1. To determine if system configurations are consistent and secure.
2. To determine if data is being exfiltrated accidentally or intentionally.
3. To aggregate and correlate system logs from organizational servers.
4. To facilitate single sign-on (SSO) for on-premises and cloud resources.

A
  1. To determine if system configurations are consistent and secure.
    SCAP can be used to determine if system configurations are consistent and secure. SCAP provides a set of tools and processes that can be used to audit system configurations.
9
Q

What is the MOST likely consequence of non-compliance with GDPR?
1. BPA Violation.
2. SLA Breach.
3. Reputational Damage.
4. Fines.

A
  4. Fines.
    Fines are the most likely consequence of non-compliance with General Data Protection Regulation (GDPR). GDPR is a privacy regulation that was introduced in the European Union in 2018. GDPR compliance is required for any organization that collects, processes, or stores information about EU citizens.
10
Q

Following a breach investigation, a company is found negligent and in violation of due care requirements by a cybersecurity insurer. What BEST explains this finding?
1. Missing attestation documentation from third-party auditors.
2. A lack of reasonable cybersecurity policies and procedures.
3. Failure to honor customer requests to have their data deleted.
4. Failure to perform comprehensive vendor risk assessments.

A
  2. A lack of reasonable cybersecurity policies and procedures.
    The best explanation is that the company exhibited a lack of reasonable cybersecurity policies and procedures. Due care involves implementing and maintaining processes that keep an organization’s operations in peak operational performance.
11
Q

A company is required to complete a SOC 2 Type 2 audit as part of external compliance reporting. How does this differ from a SOC 2 Type 1 audit?
1. A Type 2 audit covers a particular time frame.
2. A Type 2 audit is focused on financial controls.
3. A Type 2 audit does not inspect physical controls.
4. A Type 2 audit is considered a point-in-time audit.

A
  1. A Type 2 audit covers a particular time frame.
    A Type 2 audit covers a time frame, usually 12 months. The purpose of this audit is to determine if an organization implements and maintains secure operations consistently over time.
12
Q

What is a requirement of General Data Protection Regulation (GDPR)?
1. The right to be forgotten.
2. Supply chain analysis.
3. Evidence of internal audits.
4. Acceptable use policies.

A
  1. The right to be forgotten.
    The right to be forgotten gives consumers the power to have data collected by vendors removed.
13
Q

Which method can be used to implement a managerial control for an educational institution that stores sensitive information about students?
1. Implement MFA on all servers holding sensitive information.
2. Implement full-disk encryption on servers holding sensitive information.
3. Perform a risk assessment for servers holding sensitive information.
4. Require users who access sensitive information remotely to use a VPN.

A
  3. Perform a risk assessment for servers holding sensitive information.
    Security controls fall into three families or categories: managerial, operational, or technical. A risk assessment is a managerial control. During a risk assessment, vulnerabilities and threats are identified and the impact of a vulnerability being exploited is calculated.
13
Q

Which of the following tasks is MOST likely performed by a third-party as part of compliance monitoring for an organization?
1. Due care.
2. Continuous monitoring.
3. Cyber attestation.
4. Data inventory.

A
  3. Cyber attestation.
    Attestation involves an auditor or assessor attesting that an organization meets certain cybersecurity guidelines. In the context of compliance monitoring, attestation is used to show that an organization’s information security practices have been independently reviewed and found in compliance with a standard or regulation.
14
Q

A honeypot is BEST described as what type of control?
1. Detective.
2. Compensating.
3. Preventive.
4. Directive.

A
  1. Detective.
    Detective controls are used to identify unwanted or unauthorized activity. A honeypot is used as a decoy for attacks so you can detect and study hacking attempts. Other detective controls include intrusion detection systems (IDS) and motion detectors.
15
Q

A company’s internal network has experienced several attempted attacks from the internet. The administrator needs to collect as much information about the attackers and their attack methods as possible while minimizing the risk to the internal network. What should the administrator use?
1. Honeynet.
2. DMZ.
3. Extranet.
4. VLAN.

A
  1. Honeynet.
    You should use a honeynet that is isolated from your internal network. A honeynet is a decoy network set up to look like an operational network but configured with intentional vulnerabilities and devices designed to capture information about attacks (honeypots).
16
Q

A company is designing a data processing application that will support various levels of context and location-sensitive levels of access. Sensitive data is replaced in the database with a non-sensitive data equivalent that has no exploitable meaning or value. The database value is securely mapped to the actual data, which is stored in a separate location. What is this an example of?
1. Encryption.
2. Tokenization.
3. Data masking.
4. De-identification.

A
  2. Tokenization.
    Tokenization is the process of replacing sensitive data with a non-sensitive equivalent that has no exploitable meaning or value, referred to as a token. The token is mapped back to the original value through a tokenization system.
17
Q

A company is preparing to deploy several new computers that have the most recent version of TPM hardware installed.
What is the significance of TPM being installed in the computers?
1. The TPM will work with encryption to generate keys that require a TPM and system platform measurements for decryption.
2. The TPM will require you to configure full disk encryption after you install each computer’s operating system.
3. The TPM will encrypt the hard disks so that they will be encrypted before the computers are set up.
4. The TPM will check to ensure that the operating system you install on the computers is configured for multifactor authentication.

A
  1. The TPM will work with encryption to generate keys that require a TPM and system platform measurements for decryption.
    A Trusted Platform Module (TPM) is a hardware component that provides cryptographic functionality. It works with the computer’s BIOS and encryption software to provide high-level encryption support.
18
Q

Which of the following best describes a digital signature?
1. A message hash encrypted with the sender’s private key.
2. A message hash encrypted with the recipient’s private key.
3. A message hash encrypted with the recipient’s public key.
4. A message hash encrypted with the sender’s public key.

A
  1. A message hash encrypted with the sender’s private key.
    A digital signature is really a hash of the message that has been encrypted with the sender’s private key. The recipient then uses the sender’s public key to decrypt the hash.
19
Q

To protect sensitive PHI, an organization plans to substitute random characters for original data, while maintaining the data’s format. Which of the following technologies or methods should they use?
1. Encryption.
2. Hashing.
3. Tokenization.
4. Masking.

A
  3. Tokenization.
    Tokenization is designed to protect Personal Health Information (PHI) and other sensitive information by replacing the original data with data in the same format. Most tokenization methods use random character replacement and store the original-to-tokenized data mapping in an encrypted database or file.
20
Q

A company is configuring a secure web server. What must be submitted to a CA when requesting an SSL certificate?
1. CSR.
2. CRL.
3. OID.
4. OCSP.

A
  1. CSR.
    A Certificate Signing Request (CSR) must be submitted to a Certificate Authority (CA) requesting a Secure Sockets Layer (SSL) Certificate. The CSR contains the information that a CA must have to issue a certificate. The CSR and the public and private encryption key pair to be used with the certificate must be created on the server on which the certificate will be used.
21
Q

Which key is used to encrypt data in an asymmetric encryption system?
1. The sender’s public key.
2. The recipient’s private key.
3. The sender’s private key.
4. The recipient’s public key.

A
  4. The recipient’s public key.
    The recipient makes his or her public key available to anyone who wants to send him or her data. The sender uses this public key to encrypt the data, which can then be decrypted only with the recipient’s private key.
22
Q

In order to increase security, an organization that stores PHI has decided to implement tokenization of sensitive data. What should the organization do with the original data that was tokenized?
1. Store the data in an encrypted file or database.
2. Mask the data and store with the token.
3. Hash the data and store it offline.
4. Discard the data because it is no longer needed.

A
  1. Store the data in an encrypted file or database.
    Tokenization is designed to protect PHI and other sensitive information by replacing the original data with data in the same format.
23
Q

What is a limitation of using a CRL to determine if a certificate is valid?
1. A CRL does not provide for real-time updates.
2. A CRL cannot be used to block access.
3. A CRL does not allow for manual revocation of certificates.
4. A CRL is not recognized in most PKI deployments.

A
  1. A CRL does not provide for real-time updates.
    The CRL is updated periodically, but a recent copy of the CRL must be downloaded for you to have the most recent information.
24
An organization implements a distributed, cloud-based app using resources and services from multiple CSPs. App nodes authenticate with one another using shared secrets. The organization equipped each node with trusted X.509 certificate. Which method should the organization use to ensure that shared secrets can be sent securely and can only be decrypted by the destination node? 1. Encrypt the shared secrets with the destination node's public key. 2. Encrypt the shared secrets with the sending node's public key. 3. Encrypt the shared secrets with the destination node's private key. 4. Encrypt the shared secrets with the sending node's private key.
1. Encrypt the shared secrets with the destination node's public key. PKI keys come in asymmetric pairs, which means that when one key is used to encrypt data, the corresponding key is used to decrypt that same data. The public key is shareable and is embedded in an X.509 certificate. The private key is not shareable.
25
A company is pursuing a PCI DSS certification. The company wants to implement secure management of the entire cryptography key lifecycle for the enterprise and prevent outside access to cryptographic keys. What should the company use? 1. NIPS. 2. CA. 3. HSM. 4. TPM
3. HSM. A Hardware Security Module (HSM) can be implemented as a physical device that can be plugged into a computer. The HSM provides secure management for cryptographic keys and is used to provide cryptographic keys for activities such as encryption, decryption, and authentication.
26
A security administrator discovers an attack that users PowerShell to make unauthorized registry changes. What should the administrator do to prevent this attack on sensitive systems? 1. Whitelist allowed applications. 2. Configure each system's firewall. 3. Install a HIDS on sensitive systems. 4. Disable access to the CLI.
1. Whitelist allowed applications. An application whitelist can be used to prevent unauthorized software from running on a user's device. An applicate whitelist is a list of all applications that can run on a system.
27
After performing a firmware update on a router, an administrator notices a dramatic increase in dropped packets. What should the administrator do next? 1. Record the finding in the impact analysis log. 2. Extend the planned maintenance window. 3. Check the trigger criteria in the backout plan. 4. Initiate an incident response playbook.
3. Check the trigger criteria in the backout plan. A backout plan is used as part of a change management to provide step-by-step instructions for reverting a change. Among other details, the backout plan should define the criteria, that when met, activates the backout plan steps.
28
As part of an after-action review following a malware breach, a security administrator identifies a false negative in an IPS log collected during the incident. What should the administrator do next? 1. Label the malware that was blocked. 2. Tune the alert process on the IPS. 3. Report the event as correctly identified. 4. Categorize the event as harmless.
2. Tune the alert process on the IPS. A false negative occurs when malicious activity is not correctly identified. This means that the IPS (Intrusion Prevention System) has failed to perform its role correctly and malicious behavior has gone undetected or that it was detected and labeled as benign.
29
A company is concerned about users sending sensitive information to recipients outside of the network. This is a concern due to potential insider threats and the need to meet stringent data privacy requirements. What should the company implement to help prevent this? 1. SSL/TLS. 2. DLP. 3. Hashing. 4. DNS sinkhole.
2. DLP. DLP (Data Loss Prevention) refers to software solutions used to classify data and ensure that users cannot send critical or sensitive data outside of the company network. DLP is used to help prevent both accidental and malicious data disclosure.
30
An organization plans to improve its email security stance by deploying SPF. What is a benefit of this approach? 1. The IP addresses of source SMTP servers will be checked for authorization. 2. Emails will be scanned for sensitive content and the content will be removed. 3. Locally installed agents will be used to verify compliance with central policies. 4. Sensitive emails will be digitally signed using the recipient's shared public key.
1. The IP addresses of source SMTP servers will be checked for authorization. The IP addresses of source Simple Mail Transfer Protocol (SMTP) servers will be checked for authorization. Sender Policy Framework (SPF) is used to authenticate source SMTP servers by requiring a domain owner to specify the servers that are approved senders for the domain.
31
After an administrator installs a new firewall, users complain they have intermittent access to the Internet. The firewall rules are shown in the table below: 1. Allow_FTP - Inbound - Allow - TCP 20, 21 2. Allow_RDP - Inbound - Allow - TCP 3389 3. Deny_SSL - Inbound - Deny - TCP 443 4. Allow_VPN - Inbound - Allow - TCP 1723 5. Allow_HTTP - Outbound - Allow - TCP 80 6. Allow_DNS - Outbound - Allow - UDP 53 7. Allow_HTTPS - Outbound - Allow - UDP 443 8. Allow_Email - Outbound - Allow - TCP 25 9. Allow_Email2 - Outbound - Allow - TCP 110 10. Allow_PING - Outbound - Allow - ICMP What should the administrator do to fix the issue?
In rule number 7, change UDP to TCP under PORT. The administrator should change the rule number 7, which has been misconfigured using UDP port 443 and should be changed to TCP port 443. HTTP uses TCP port 443, not UDP port 443. Browsing the Internet requires both HTTP and HTTPS to be allowed outbound.
32
The company CSO has ordered that all emails sent or received by senior management personnel be preserved. Managers should not be able to delete emails. If changes are made to an email, both the original and modified versions should be preserved. Managers should still have access to their email accounts. Security personnel are tasked with ensuring this. What should the security personnel use? 1. Legal hold. 2. Forensic hashing. 3. Chain of custody. 4. Principle of least privilege.
1. Legal hold. Legal precedent in the United States and many other countries requires that relevant information be preserved when there is a reasonable anticipation of legal action.
33
A server is the victim of a data breach. Customer password information is exposed to the attacker. Which step in the incident process is necessary to mitigate the risk of a reoccurrence of the attack? 1. Conduct a post-mortem review to identify the lessons learned. 2. Notify the customers that their passwords should be changed. 3. Escalate the incident to the CEO. 4. Quarantine the server.
1. Conduct a post-mortem review to identify the lessons learned. The documentation and lessons learned from an incident is used to help prepare for and protect against future incidents. A post-mortem review is part of the preparation process and helps identify vulnerabilities and make recommendations for hardening the environment.
34
After organizing an incident response team, the team leader wants to guide the team through a mock incident. What should the team leader do? 1. Schedule a parallel test and include IT services. 2. Request members to review the incident response plan checklist. 3. Schedule a tabletop exercise for all team members. 4, Perform a group-based threat model exercise.
3. Schedule a tabletop exercise for all team members. A tabletop exercise allows an incident response team to convene and review each member's role.
35
A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do? 1. Create a bit-stream image of the employee's workstation. 2. Enable data loss prevention on email servers. 3. Implement a legal hold on the user's mailbox. 4. Install a keylogger on the employee's workstation.
3. Implement a legal hold on the user's mailbox. A legal hold is typically the first action in an eDiscovery process. A legal hold can be a process, a software feature, or a combination of both. HR or Legal will likely approve a legal hold and notify the data custodians such as system admins to retain all files related to an incident.
36
Which are valid examples of multifactor authentication (MFA) requirements? 1. Access token and smart card. 2. Retina scan and voice analysis. 3. Smart card and PIN. 4. Password and PIN. 5. Retina scan and password.
3. Smart card and PIN. 5. Retina scan and password. A smart card and PIN require something you have and something you know. A retina scan and password are something you are and something you know.
37
Which statement describes a primary benefit provided by MFA? 1. Federated authentication. 2. Mitigation of phishing attacks. 3. Required use of biometrics. 4. Protection of data in motion.
2. Mitigation of phishing attacks. MFA requires at least two different authentication factors for successful authentication. MFA mitigates phishing and other social engineering attacks that successfully compromise a user's password because the attacker will be unable to provide a second factor.
38
An organization recently deployed a biometric authentication system. Which of the following should the organization use as its primary tuning metric? 1. Crossover error rate. 2. True positive rate. 3. False acceptance rate. 4. False rejection rate.
1. Crossover error rate. Biometric system tuning seeks to find a balance between the false acceptance rate (FAR) and the false rejection rate (FRR). The point where these two rates meet is known as the crossover error rate (CER) or equal error rate (EER).
39
A network for a small project group is being deployed. Each group should be responsible for securing access to his or her own computer's resources. What access control model should be used? 1. DAC. 2. MAC. 3. Role-based access control. 4. Rule-based access control.
1. DAC. In the DAC model, users have control over access to their own data or local computer resources. This model is used, for example, to manage security on client computers in a peer-to-peer network environment.
40
A company has an ethernet network with four switches, as well as two wireless APs. All devices that connect to either network must be authenticated using EAP. What should the company use? 1. WPA. 2. XTACACS 3. SAML 4. 802.1X
4. 802.1X The 802.1X protocol allows centralized authentication, authorization, and accounting for various types of connections, including wired Ethernet, wireless, and virtual private network (VPN). The authentication protocol used is Extensible Authentication Protocol (EAP), which supports various types of authentications.
41
A development team manager a complex e-commerce platform and is responsible for scaling up the platform when demand increases and scaling down as demand wanes. Which tool or technology should the team use to ensure this scaling is done in a secure manner? 1. Trusted Automated eXchange of Indicator Information (TAXII). 2. Security Orchestration, Automation and Response (SOAR). 3. Simple Object Access Protocol (SOAP). 4. Infrastructure as code (IaC).
4. Infrastructure as code (IaC). IaC is used to store the configuration of devices as servers or routers in a centralized database.
42
Which of the following is the best option for automating a response to an on-path attack? 1. Identity and Access Management (IAM). 2. Network-based Intrusion Prevention System (NIPS). 3. Host-Based Intrusion Detection Systems (HIDS). 4. Network Access Control (NAC).
2. Network-based Intrusion Prevention System (NIPS). NIPS can recognize the activity of an on-path attack and automatically block all sessions between the attacker and their target.
43
What is the primary benefit of using SOAR? 1. Enhanced employee retention. 2. Reduced reaction time. 3. Elimination of single points of failure. 4. Configuration enforcement.
2. Reduced reaction time. SOAR allows you to automate incident response activities which in turn reduces the reaction time for responding to incidents.
44
Which of the following is provided by OpenSCAP? 1. Baseline enforcement. 2. Secure authentication. 3. Intrusion detection. 4. Intrusion prevention.
1. Baseline enforcement. OpenSCAP (Open Security Content Automation Protocol) provides tools that can be used to audit system configurations. OpenSCAP can be used to search systems for these deviations from a secure baseline and report on them.
45
An organization deploys cloud-based compute resources. The organization needs to ensure stateful packet filtering for these resources. Which action should the organization take? 1. Configure a security group. 2. Configure a gateway endpoint. 3. Only expose trusted ports. 4 Deploy a secure web gateway.
1. Configure a security group. Stateful packet filtering only allows inbound packets if they are in response to an outbound request. This feature is common on network firewalls. In essence, security groups provide Layer 4 firewall services for all resources within the VPC.
46
An organization discovers and patches a vulnerability during a periodic scan. What should the organization do next? 1. Create an exclusion for the path. 2. Update the risk register. 3. Complete onboarding. 4. Run a vulnerability scan.
4. Run a vulnerability scan. A vulnerability scanner is used to identify open service ports, potential misconfigurations, and vulnerabilities on a target system.
47
An organization wants to use source code inspections to identify vulnerabilities in custom-built apps. Which method should the organization use? 1. Extended detection and response (XDR). 2. Vulnerability scanning. 3. Static Application Security Testing (SAST). 4. Dynamic Application Security Testing (DAST).
3. Static Application Security Testing (SAST). SAST is a method of testing that involves testing applications without actually executing them. This process is often deployed early in the development process and can help identify bugs or other security vulnerabilities before development is complete.
48
Which of the following states BEST describes the purpose of Common Vulnerabilities and Exposures (CVE)? 1. To provide a standardized approach to vulnerability identification. 2. To provide severity scoring for known vulnerabilities and attacks. 3. To provide an exploitability assessment for a specific vulnerability. 4. To provide details about a vulnerability's impacts and remediations.
1. To provide a standardized approach to vulnerability identification. CVE accomplishes this task by providing a standardized identifier for each given vulnerability or exposure.
49
As part of a security assessment, an organization must be able to rank vulnerabilities based on severity. Which of the following protocols or platforms should the organization use? 1. CVE. 2. CVSS. 3. SIEM. 4. SOAR.
2. CVSS. CVSS is a scoring system for rating security vulnerabilities based on several metrics such as how complex an attack is. CVSS scores range from 0 to 10 with 1 being low vulnerability and 10 being severe.
50
In a large organization, which role is responsible for managing daily data backups? 1. Data owner. 2. Data steward. 3. Data custodian. 4. Data subject.
3. Data custodian. A data custodian is typically a server or storage administrator who is responsible for the operational storage of, and access to, data.
51
A technician pulls SSDs from retired corporate laptops prior to donating them. The technician has been instructed to destroy the drives using the most effective method. Which option should the technician choose? 1. Degauss the SSDs. 2. Wipe the SSDs. 3. Shred the SSDs. 4. Erase the SSDs.
3. Shred the SSDs. This method is designed to make recovering the original device extremely time consuming and costly, if not impossible.
52
LOG1 Aug 12 17:36:34.303: Sig:3051 Subsig:1 Sev:4 TCP Connection WIndow Size DoS [1.1.100.11: 19223 -> 172.16.1.10:80 LOG2 Aug 12 11: 13:44 Inbound TCP connection denied from 1.1.1.1/21 to 10.10.10.1/51172 flags SYN ACK on interface outside Which device most likely generated these messages? 1. LOG1 - DLP, LOG2 - AP 2. LOG1 - Firewall, LOG2 - IPS 3. LOG1 - Firewall, LOG2 - DLP 4. LOG1 - IPS, LOG2- Firewall 5. LOG1 - DLP, LOG2 - Firewall 6. LOG1 - AP, LOG2 - DLP
4. LOG1 - IPS, LOG2 - Firewall. The first log has been generated by an Intrusion Prevention System (IPS). You can see the signature number that has triggered (3051/1) - a Denial of Service attack (DoS). An IPS is designed to analyze network traffic, find anomalies, and drop a message if required. The second log has been generated by a firewall. You can see a TCP connection that has been dropped. In this case, it was due to asymmetric routing. A firewall is designed to secure a network by blocking unauthorized access.
53
A brute-force password attack is used to compromise an account. An incident response team is unsure which systems may have been affected. Which of the following actions should the team take first? 1. Search the NIPS logs for events related to multiple failed logon attempts. 2. Search all Security logs for successful and failed logon events. 3. Search the SIEM logs for logons using the compromised account. 4. Search the firewall logs for traffic to and from the attacker's IP address.
3. Search the SIEM logs for logons using the compromised account. SIEM software is designed to ingest data from a variety of network components, such as user workstations or laptops, network routers and switches, firewalls, servers, and other appliances. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches.
54
A company wants to introduce a new enterprise mobility strategy for all users. Which deployment model will the enterprise use if it wants to allow an employee to choose a mobile phone from a company-approved list of devices? 1. VDI. 2. CYOD 3. BYOD. 4. COPE.
2. CYOD. CYOD (Choose Your Own Device) offers a list of approved devices that can also be used for private purposes.
55
Several employees of an organization had their smartphones stolen while they were traveling. Sensitive information stored on the phones was compromised. To mitigate this risk, the organization would like the ability to remotely wipe devices. Which solution or technology should the organization deploy? 1. Deploy a centralized MDM and enroll the smartphones before use. 2. Enable geolocation support on devices and configure GPS policies. 3. Enable storage encryption and sideload secure settings to the phones. 4. Configure MAM and specify policies for managing phone settings.
1. Deploy a centralized MDM and enroll the smartphones before use. MDM platforms offer a broad range of management capabilities. An MDM could be used to remotely wipe a device if it is lost or stolen.
56
A company is implementing BYOD. The company will take advantage of cloud-based apps to synchronize data between the user's computer and tablet. Which two tasks should the company's BYOD policy address as part of its offboarding policy? 1. Deleting accounts for cloud-based apps. 2. Removing the device from the inventory tracking system. 3. Removing company data from the personal device. 4. Uninstalling the cloud-based apps from the personal device. 5. Removing the device from the asset tracking system.
1. Deleting accounts for cloud-based apps. 3. Removing company data from the personal device. When a company implements a BYOD policy, it should include mechanisms for secure offboarding of employees who resign or are terminated.
57
A company was using wireless desktop computers to process warehouse pick slips for customer orders. The company switched to mobile devices that warehouse workers can take with them while pulling orders to improve efficiency. Workers discover that there are several places in the warehouse where their devices are unable to connect. What should the company do first? 1. Increase the signal strength on all WAPs. 2. Look for the rogue access points. 3. Check channel usages on WAPs. 4. Perform a site survey.
4. Perform a site survey. The most likely problem is that there are either dead spots where the signal is not strong enough to support a connection or that there are wireless access points with overlapping channels that are causing interference.
58
A developer is preparing to deploy an e-commerce website. The website uses dynamically generated web pages based on user input. This is a requirement for the application running on the website. The site must be designed to prevent cross-site scripting attacks. What should the developer do? 1. Use only inline JavaScript. 2. Implement URL filtering. 3. Implement user input validation. 4. Use encrypted cookies.
3. Implement user input validation. Input validation lets you check for tags and other content that identifies an attempted XSS attack, letting you block the input.
59
An organization plans to supply users with company-owned smartphones. The devices are primarily intended to be used for business purposes. However, employees will be able to install their own apps and use the devices for personal tasks. Device procurement and management overhead should be minimized. What should the organization do? 1. Institute a BYOD model and enroll all devices in a MAM platform. 2. Institute a COPE model and supply all users with a common device. 3. Institute a VDI model and configure all devices with remote access policies. 4. Institute a CYOD model and enroll all devices in an MDM platform.
2. Institute a COPE model and supply all users with a common device. This allows the organization to have more control over the device, and the organization can dictate usage via policy or using technical controls such as Mobile Device Management (MDM).
60
To reduce management complexity and increase operational security, an organization plans to deploy AAA services. Which of the following platforms or technologies will help the organization meet this goal? 1. SIEM. 2. SDN. 3. NIPS. 4. RADIUS.
4. RADIUS. A RADIUS (Remote Authentication Dial-In User Service) server provides AAA (Authentication, Authorization, and Accounting) functionality for networked systems. AAA describes a system that can enhance security by authenticating users, authorizing users to perform certain tasks, and then tracking what users do on the network.
61
An organization deployed an office-wide wireless network using 100 APs. However, the wireless administrator has found managing authentication for each of the APs cumbersome. To remedy this, the organization has deployed a wireless LAN controller and a server running Microsoft Active Directory. How should the wireless network be configured so that users are centrally authenticated using their individual accounts? 1. Enable key-based authentication on each of the APs and distribute keys to users. 2. Configure MAC filtering on the WLAN controller and define trusted addresses. 3. Configure the WLAN controller to use 802.1x and specify a RADIUS server. 4. Configure WPA2-PSK authentication on the controller and provision the APs.
3. Configure the WLAN controller to use 802.1x and specify a RADIUS server. When a WLC is configured to use 802.1x, an authentication server that can process the client authentication requests must be defined. In most environments, this is done by configuring an external RADIUS server. This server in turn submits client authentication requests to an authentication server, such as Microsoft Active Directory.
62
Which is NOT a vulnerability associated with embedded systems? 1. Embedded systems are susceptible to replicated attacks across multiple devices. 2. The operating system versions used are unstable and difficult to manage. 3. Software patches are rarely available and even more rarely applied. 4. Embedded systems use older operating system versions.
2. The operating system versions used are unstable and difficult to manage. The operating system versions used are stable, but older, versions of well-known operating systems. The operating system versions used are not a cause of management difficulty, even though operating system-level management tools may not be available. It is a vulnerability that embedded systems use older operating system versions, often going unchanged even as new versions of the devices are released. The use of older, less secure operating system versions is one of the ways manufacturers minimize their costs.
63
Which of the following is a security benefit offered by Software-Defined Networking (SDN)? 1. TLS encryption for all communications 2. Support for micro-segmentation. 3. Automatic data obfuscation. 4. Built-in honeypots for threat management.
2. Support for micro-segmentation. SDN is used to separate network controls and data flows from the physical underlying hardware. Among other benefits, this allows network controls to be very granular and data flows to be segmented. Micro-segmentation takes this one step further and can be used to isolate individual workloads.
64
An organization plans to deploy remote IoT devices that will monitor environmental conditions. Due to processing constraints, the devices do not support PKI, but the organization is concerned that stored secrets might be easily compromised if a device is stolen. Which of the following can be used to mitigate this risk? 1. TPM. 2. IPsec. 3. VPN. 4. 802.1x
1. TPM. A TPM (Trusted Platform Module) is a cryptographic component, typically installed as a discrete chip or integrated with other chipsets, that protects encryption keys. The TPM provides a hardware root of trust because the keys it holds cannot be exported. If the TPM chip is tampered with, the keys are invalidated and cannot be used for further encryption operations.
65
Which of the following describes a risk an organization should consider prior to migrating an on-premises application to a serverless architecture? 1. Reliability. 2. Multitenancy. 3. Latency. 4. Scalability.
2. Multitenancy. Multitenancy in serverless computing refers to the fact that customers do not receive dedicated hardware for running their applications. This allows cloud vendors to maximize efficiencies and provide competitive pricing for customers. However, this means that errors or vulnerabilities in code created by other customers could impact any processes running in the shared environment. Additionally, an organization's sensitive data could be accidentally exposed to other customers.
66
A company is deploying IoT devices on its production network. What are two vulnerabilities that can place the network at greater risk? 1. Devices introduce non-standard network protocols that interfere with secure protocols. 2. Devices do not have the computing resources to implement advanced security. 3. Devices cannot be detected or monitored by network access controls or intrusion detection devices. 4. Devices use hard-coded or well-known default passwords. 5. Devices cannot be patched or updated.
2. Devices do not have the computing resources to implement advanced security. 4. Devices use hard-coded or well-known default passwords. IoT (Internet of Things) is a blanket term used to describe a wide variety of devices that support internet connectivity, including computing devices, sensors, office equipment, appliances, and even personal devices like watches. Connecting these devices to a production network introduces vulnerabilities that can put the network as a whole at greater risk. Smart home devices, manufacturing controls, and vehicles are considered to be especially at risk. Two common vulnerabilities are that devices use hard-coded or well-known default passwords and do not have the computing resources to implement advanced security.
67
What is a security benefit of migrating an intranet application to the cloud? 1. Reduced connectivity reliance. 2. Availability of multitenancy. 3. Increased control of resources. 4. Increased scalability under load.
4. Increased scalability under load. Availability is a core tenet of cybersecurity, and the cloud can enhance availability through massive scalability. This is useful in scenarios where application use varies over time.
68
What is a PRIMARY security concern when using containerization technologies such as Docker? 1. Infected images in public repositories. 2. Configuring XDR in each container. 3. Container OS updates and patching. 4. Managing container device drivers.
1. Infected images in public repositories. Containerization is a virtualization technology that bundles all the components needed for an app in a single, portable unit. This includes all binaries, settings and libraries the app needs to run. Containers are often created and shared publicly in container repositories, which means they could be preloaded with malware or other malicious components.
69
An organization plans to move some application functionality to SaaS. Which of the following implications should the organization consider prior to this migration? 1. The organization will no longer be responsible for managing data. 2. The organization will remain responsible for managing mobile devices. 3. The organization will remain responsible for managing operating systems. 4. The organization will no longer be responsible for managing user accounts.
2. The organization will remain responsible for managing mobile devices. In the software as a service (SaaS) cloud model, customers use an application that is installed and managed by the cloud service provider (CSP). In this model the CSP ensures that the application is secure and reachable, but the customer is still responsible for managing any device that will access the application. Google's Gmail is an example of a SaaS application.
70
An organization wants to minimize the risk of vulnerabilities created by accidental misconfigurations on servers and other networking nodes. Which of the following technologies should the organization use to automate configuration of newly deployed devices? 1. Supervisory Control and Data Acquisition (SCADA). 2. Secure Access Service Edge (SASE). 3. Unified Threat Management (UTM). 4. Infrastructure as Code (IaC).
4. Infrastructure as Code (IaC). IaC is used to store the configuration of devices such as servers or routers in a centralized database. These configuration templates can be customized with variables for node-specific details such as node names and IP addresses.
71
In response to a newly discovered information security risk, an organization purchases cyber liability insurance. Which statement BEST describes this approach? 1. The risk has been eliminated. 2. This risk has been accepted. 3. The risk has been transferred. 4. The risk has been mitigated.
3. The risk has been transferred. When risk is transferred, the impact of the risk being realized is shifted to a third party. This is most commonly accomplished via some sort of insurance.
72
Which of the following statements correctly describes an advantage provided by availability zones in cloud computing? 1. Zones in a region share at least one data center to enhance availability. 2. Each availability zone is located in a different region to increase resiliency. 3. Availability zones are air-gapped to enhance network security. 4. Zones in a region share high speed connections to increase responsiveness.
4. Zones in a region share high speed connections to increase responsiveness. Availability zones (AZ) and regions are architectural elements used in cloud computing. Each AZ contains one or more data centers and two or more AZs are grouped in regions. Within a region, AZs share high speed connectivity with very low latencies. Resources can be placed in different AZs to provide redundancy without sacrificing network performance and responsiveness.
73
As part of disaster recovery planning (DRP), an organization would like to activate a recently deployed recovery site. The goal is to determine if the recovery site can be activated without issues. However, production systems should not be impacted. Which of the following DRP activities should the organization perform next? 1. Parallel test. 2. Simulation test. 3. Failover test. 4. Tabletop exercise.
1. Parallel test. In disaster recovery planning (DRP), recovery systems are physically activated during a parallel test. The purpose of this test is to evaluate DR preparedness, including the process of performing some of the actions that would be required during a DR event.
74
An organization plans to contract with a provider for a disaster recovery site that will host server hardware. When the primary data center fails, data will be restored, and the secondary site will be activated. Costs must be minimized. Which type of disaster recovery site should the organization deploy? 1. Warm site. 2. Hot site. 3. Cold site. 4. Mobile site.
1. Warm site. A warm site includes power, networking, and server hardware. In the event of a disaster, the servers must be powered on and operating systems installed or updated. A warm site does not typically host all the same hardware as the primary site and often provides just enough processing capability for the organization to operate while the primary site is restored.
75
A company needs to identify the appropriate type of recovery sites to meet business requirements. 1. The company must ensure business continuity through use of an alternate processing location that supports its standard business processes in case of failure at the main site. 2. The company must have an alternate location available with the facilities infrastructure to support business operations. Costs must be kept to a minimum. 3. The company must be able to return to full operations as quickly as possible after a catastrophic failure. The site will maintain copies of all current backups.
1. Hot site. 2. Cold site. 3. Hot site. A HOT SITE is necessary to return to full operations as quickly as possible after a catastrophic failure. The site can include copies of all current backups and can double as a secure offsite location for backups. An alternate location available with facilities infrastructure to support business operations is a COLD SITE. Costs must be kept to a minimum because the site does not have any hardware, data, or personnel. A WARM SITE is a site set up with the necessary computing and network infrastructure, often at a minimum level. Data at the site is typically not up-to-date and is usually days to weeks old.
76
A security analyst has been tasked with implementing secure access to a file server that stores sensitive data. The analyst plans to create rules using the IP addresses of systems that will be allowed to connect to the server. The analyst has been instructed to minimize costs and administrative overhead. Which type of device is the best solution in this scenario? 1. Layer 4 firewall. 2. Web Application Firewall (WAF). 3. Next-Generation Firewall (NGFW). 4. Intrusion Detection System (IDS).
1. Layer 4 firewall. A layer 4 firewall operates at or below layer 4 of the open systems interconnection (OSI) model. This model provides a layered network architecture that identifies the protocols or services that operate at each level. Layer 4 of the OSI model is the transport layer and supports protocols such as Transmission Control Protocol (TCP). Layer 4 firewalls also work at layer 3, or the network layer. This layer supports protocols such as Internet Control Message Protocol (ICMP) and Internet Protocol (IP).
77
An organization plans to deploy a secure access service edge (SASE) architecture. Which of the following technologies is MOST likely to be included in this deployment? 1. Wi-Fi Protected Access 3 (WPA3). 2. Simple Network Management Protocol (SNMP). 3. Cloud Access Security Broker (CASB). 4. Supervisory Control and Data Acquisition (SCADA).
3. Cloud Access Security Broker (CASB). SASE is used to provide secure, distributed network services via the cloud. SASE can include technologies such as firewalls, zero trust, and CASB services. A CASB is used to provide policy-based protection for cloud-based resources. This is particularly important as organizations deploy more and more cloud resources and employees access cloud-based services. CASB is often considered a core component of a sound SASE architecture.
78
To increase security and prevent active attacks on a branch office network, an organization connects an IPS to a network tap. The IPS shows alerts for active attacks, but the network still suffers multiple breaches in quick succession. What should the organization do to address the situation? 1. Implement an SD-WAN. 2. Replace the IPS with a firewall. 3. Place the IPS device inline. 4. Require a VPN for all connections.
3. Place the IPS device inline. A network tap is designed to mirror traffic to another port or device. This allows the traffic to be monitored without interrupting normal traffic flows. In this question, the IPS analyzes the mirrored traffic and generates alerts, but because the device is connected to a network tap, it cannot prevent the intrusions. When the IPS is moved inline, the traffic will actually flow through the device.
79
A security administrator plans to use SD-WAN to enhance enterprise infrastructure security. What is the PRIMARY benefit of this approach? 1. SD-WAN can be used to segment and route traffic using application-aware policies. 2. SD-WAN obscures network topology from attacks by hiding network nodes. 3. SD-WAN focuses on encryption of data in transit, ensuring data confidentiality. 4. SD-WAN ensures that all traffic is isolated and connections from external nodes will be blocked.
1. SD-WAN can be used to segment and route traffic using application-aware policies. SD-WAN is designed to enhance network connectivity and management by placing a software layer between physical networking devices, such as routers, and logical data flows and management. This also allows for centralized monitoring, policy management, and traffic control.
80
The administrator deploys three web servers, all hosting the same web application and data, on his company's perimeter network. The administrator implements load balancing through the use of a load balancer. This is BEST described as an example of which resiliency strategy? 1. Scalability. 2. Distributed computing. 3. High availability. 4. Elasticity.
3. High availability. The use of load balancing means that load is shared between the web servers, making the application more readily available to users.
81
To enhance availability, an organization has configured authentication and storage servers that provide redundancy for on-premises servers. However, the organization must ensure that all data is encrypted between the data center and the private cloud network. What should the organization do to meet this requirement? 1. Configure an IPsec tunnel between the data center and cloud gateway routers. 2. Deploy NGFW appliances in the data center and cloud and share X.509 certificates. 3. Configure IPsec in transport mode between routers in each location. 4. Deploy a NAT gateway and only permit inbound connections from the cloud network.
1. Configure an IPsec tunnel between the data center and cloud gateway routers. IPsec is a Layer 3 protocol that can be used to enforce data confidentiality and data integrity for Internet Protocol (IP) packets. IPsec can be configured in one of two modes: tunnel mode or transport mode. Tunnel mode is used to create a secure tunnel between two trusted networks.
82
A company stores sensitive identification numbers for its clients. Rather than store the numbers in an internet-accessible database, a security engineer has suggested that the sensitive IDs should be moved to an encrypted database and fake numbers used in their place. The original data will be retrievable, as needed. Which of the following methods is the engineer recommending? 1. Tokenization. 2. Masking. 3. Segmentation. 4. Hashing.
1. Tokenization. Tokenization replaces a data value using the same format. For example, if the company was storing Social Security numbers for US citizens, the value 008-23-1011 could be stored in the same format, but using random numbers, such as 111-22-3333.
83
Which of the following data elements, on their own, are MOST likely to be classified as sensitive data? 1. Full name. 2. Passport number. 3. Phone number. 4. Driver's license number. 5. Home address.
2. Passport number. 4. Driver's license number. This information is considered Personally Identifiable Information (PII), which includes information that can be used to identify an individual. PII is considered sensitive if its unauthorized disclosure could cause an individual significant harm.
84
An attacker breaches an organization's virtualization system and exfiltrates VMs containing sensitive data. Which of the following is the BEST method to address this risk? 1. Implementing HIPS on all VMs. 2. Using full disk encryption. 3. Requiring a VPN for all connections. 4. Deploying DLP.
2. Using full disk encryption. Full disk encryption encrypts data before it is written to disk and then decrypts data when it is accessed. In this scenario, the attacker has exfiltrated virtual machine (VM) disks, which are stored as files on the VM host. If the VM disks are encrypted, the attacker will be unable to read the data they hold without the proper decryption key.
85
Which of the following technologies should be used to protect data in transit? (Choose two.) 1. SSH. 2. FTP. 3. SMTP. 4. HTTPS. 5. SNMPv2.
1. SSH. 4. HTTPS. Data is in transit when it is traversing a network; this includes both private networks and the internet. SSH is a secure network protocol that is primarily used to connect to remote nodes like servers, firewalls, or routers. HTTPS is the secure version of Hypertext Transfer Protocol (HTTP), which is considered to be the protocol of the web.
86
What method should be used to verify a file has not been modified while in transit across the internet? 1. Hashing. 2. Masking. 3. Encryption. 4. Obfuscation.
1. Hashing. Hashing algorithms take variable length data as input and produce a fixed-length, unique output. The hashing process is one-way, meaning that data that is hashed should not be reversible. If a hash of the source file is created prior to sending, the recipient can hash the received file and then compare the hashes. If the hashes are the same, the recipient knows that the file has not been modified.
87
What can be done to prevent an internet attacker from using a replay attack to gain access to a secure public website? 1. Require username and password for authentication. 2. Deploy the web server in the internal network. 3. Timestamp session packets. 4. Deploy the web server in a perimeter network.
3. Timestamp session packets. By placing a timestamp on the packets, they become time sensitive. If the attacker attempts to retransmit the packets to gain access, the server will be able to determine if the time is outside of a reasonable tolerance and refuse to accept the packets.
88
A security analyst determines that the hosts file on a Windows-based laptop has been modified. The file contains several known-malicious IP addresses. Which type of attack has the analyst discovered? 1. Logic bomb. 2. DNS spoofing. 3. On-path. 4. DDoS.
2. DNS spoofing. DNS spoofing attacks attempt to intercept or modify the hostname to IP address resolution process. Both Windows and Linux-based clients attempt to resolve hostnames locally first by querying the hosts file. By modifying this file, an attacker can spoof the IP address of a trusted service or website.
89
Your network is attacked by a self-replicating program. What type of malware does this indicate? 1. Logic bomb. 2. Virus. 3. Trojan horse. 4. Worm.
4. Worm. Worms do not rely on other programs to spread. A worm may be initially sent as an e-mail attachment, but it propagates on its own.
90
An nmap scan of open ports includes TCP ports 21, 22, 23, 80, 443, and 990. Which three ports indicate that unsecure protocols are in use on the computer? Select three. 1. 990. 2. 22. 3. 23. 4. 80. 5. 21. 6. 443.
3. 23. 4. 80. 5. 21. FTP uses port 21. FTP is unsecure and unencrypted and often configured to allow anonymous access. FTPS is a better choice. Port 23 is used by Telnet, which lets you connect to and run commands on remote computers. All Telnet traffic is unencrypted. SSH is recommended instead of Telnet. Port 80 is the default port for Hypertext Transfer Protocol (HTTP). There are various ways to lock down access through HTTP, but data transfers are unencrypted and the protocol is considered inherently unsecure. HTTPS is recommended instead.
91
A company deploys virtual desktop infrastructure (VDI) to replace expensive desktop computers. However, many of the VDI instances are quickly breached through well-known vulnerabilities. Which technology or process should the company use to avoid this issue in the future? 1. Hardened VM templates. 2. Network segmentation. 3. Robust Access Control Lists (ACLs). 4. Active threat monitoring.
1. Hardened VM templates. This will allow the company to mitigate the risk as close to its source as possible. A hardened VM template would not only be preconfigured with the applications and services the users require, but it would also be configured using a secure baseline, with antimalware, host-based firewall, and other security controls already in place.
92
A security administrator performs a vulnerability scan for a network and discovers an extensive list of vulnerabilities for several Windows-based file servers. What should the administrator do FIRST to mitigate the risks created by these vulnerabilities? 1. Install missing patches. 2. Remove any unnecessary software. 3. Create application deny lists. 4. Install HIDS software.
2. Remove any unnecessary software. One of the basic tenets of operating system (OS) hardening is removing unnecessary software and services. Not only do such items impact performance on the server, but each service is a potential attack vector that increases the risk of a breach.
93
Which of the following describes the most significant risk resulting from misconfigured access controls? 1. Credential replay. 2. Privilege escalation. 3. Buffer overflow. 4. Denial of service.
2. Privilege escalation. Privilege escalation involves exploiting vulnerabilities on a target system to gain an increasing level of privileges or permissions.
94
An attacker uses a buffer overflow to compromise a critical database service on a database system. Which of the following methods would most likely be used to mitigate this risk in the future? 1. Deploy host-based firewalls on database servers. 2. Disable unused services or ports on sensitive systems. 3. Create patch management policies and procedures. 4. Implement multifactor authentication on sensitive systems.
3. Create patch management policies and procedures. A buffer overflow occurs when an attacker sends a memory buffer more information than the buffer is designed to handle. This can lead to risks ranging from application crashes to full system exploitation.
95
An organization discovers that some of its proprietary data is for sale on a dark web hacker site. As part of the incident response, a security administrator analyzes application and system logs on all Internet-facing servers. On one web server, the administrator observes the following text listed repeatedly in POST requests: " or ""=" Which type of application attack is most likely indicated by this finding? 1. XSS. 2. Directory traversal. 3. SQL injection. 4. CSRF.
3. SQL injection. SQL injection occurs when malicious SQL statements are inserted into an application or website field. A SQL injection attack is designed to exploit application vulnerabilities and extract, modify, or delete database information. In this scenario, the attacker attempts to bypass SQL conditional checks by including a condition that will always evaluate to true: "=". Input validation can mitigate SQL injection attacks.
96
Which of the following attacks is most likely to lead to a cryptographic vulnerability? 1. Credential replay. 2. Downgrade. 3. Spraying. 4. Directory traversal.
2. Downgrade. In a downgrade attack, an attacker attempts to trick a target system into using an outdated or less-secure version of a security protocol. Some systems run outdated and insecure protocols to remain backward compatible with older clients.
97
Which of the following provides the best protection against zero-day attacks? 1. Up-to-date cyber threat intelligence. 2. Anomaly-based detection. 3. Effective patch management. 4. Transport encryption.
2. Anomaly-based detection. A zero-day attack exploits a vulnerability that is either not yet known to the software or application developers or is publicly known but has not been remediated. Depending on the capabilities of antivirus software, zero-day attacks can be detected using behavior-based or anomaly-based detection.
98
Which type of threat actor is most likely to become an advanced persistent threat (APT)? 1. Inside threat actor. 2. Shadow IT threat actor. 3. Unskilled attacker. 4. Nation-state threat actor.
4. Nation-state threat actor. The sponsors of nation-state threat actors often have access to vast resources such as money, tools, and human resources. As a result, these attackers can perpetrate advanced attacks on multiple fronts.
99
What are the two most likely motivations for a hacktivist? 1. Financial gain. 2. War. 3. Espionage. 4. Philosophical beliefs. 5. Disruption of service.
4. Philosophical beliefs. 5. Disruption of service. A hacktivist is typically someone who hacks to support an ethical or moral agenda. Typically, the goal is to punish the organization/individual or to bring the public's attention to the hacktivist's cause.
100
Which process is most likely to be impacted by employees using unsupported software? 1. Vulnerability scanning. 2. Incident response. 3. Change management. 4. Software decommissioning.
3. Change management. If a piece of software is unsupported, this means that either the vendor is no longer creating patches to address security vulnerabilities, or the user is not entitled to these patches. In either case, the software is likely to develop vulnerabilities over time.
101
Which statement describes a social engineering attack? 1. An attacker impersonates a utility worker and gains access to a secure data center. 2. An attacker scans users' personal social media accounts for useful information. 3. An attacker enters false DNS entries to try and hijack users' social media accounts. 4. An attacker defaces a company's website in support of an environmental cause.
1. An attacker impersonates a utility worker and gains access to a secure data center. With impersonation, an attacker pretends to be an employee, vendor, or other trusted entity in order to trick users into providing access to data, a secure location, or other resource. This is considered social engineering because it relies on trust and other social mechanisms to deceive or defraud a target victim.
102
An organization plans to onboard a new vendor that will supply components used in manufacturing. Which of the following activities should the organization perform to ensure the new vendor meets the organization's cybersecurity standards? 1. Due diligence 2. Attestation 3. Due care 4. Active reconnaissance
1. Due diligence In the context provided by this question, due diligence involves researching, investigating, analyzing, and verifying that a third-party vendor meets an organization's cybersecurity standards.
103
Which type of cybersecurity assessment or audit is most likely to require an independent third party? 1. Vulnerability assessment 2. Risk assessment 3. Compliance audit 4. Penetration testing.
3. Compliance audit Compliance audits are used to evaluate an organization's compliance with government or industry-imposed regulations or frameworks. Depending on the standard or regulation in question, these audits are usually performed by independent third parties to ensure an unbiased result.
104
Why would an organization use Security Content Automation Protocol (SCAP)? 1. To facilitate single sign-on (SSO) for on-premises and cloud resources. 2. To aggregate and correlate system logs from organizational servers. 3. To determine if system configurations are consistent and secure. 4. To determine if data is being exfiltrated accidentally or intentionally.
3. To determine if system configurations are consistent and secure. SCAP provides a set of tools and processes that can be used to audit system configurations.
105
Which formula is used to calculate annualized loss expectancy (ALE) in cybersecurity risk analysis? 1. ALE = AV x EF 2. ALE = SLE x ARO 3. ALE = likelihood x impact 4. ALE = damage + reproducibility + exploitability + affected users + discoverability
2. ALE = SLE x ARO (Annualized loss expectancy = single loss expectancy x annual rate of occurrence). ALE attempts to quantify the cost a risk poses on an annualized basis. It is calculated by first determining the cost of a single loss, or SLE, and then multiplying that by the number of times a loss is expected to occur per year.
106
Which key is used to encrypt data in an asymmetric encryption system? 1. The recipient's private key. 2. The sender's private key. 3. The sender's public key. 4. The recipient's public key.
4. The recipient's public key. The recipient makes his or her public key available to anyone who wants to send him or her data. The sender uses this public key to encrypt the data, which can then be decrypted only with the recipient's private key.
107
An organization implements a distributed, cloud-based app using resources and services from multiple CSPs. App nodes authenticate with one another using shared secrets. The organization equipped each node with a trusted X.509 certificate. Which method should the organization use to ensure that shared secrets can be sent securely and can only be decrypted by the destination node? 1. Encrypt the shared secrets with the destination node's public key. 2. Encrypt the shared secrets with the destination node's private key. 3. Encrypt the shared secrets with the sending node's private key. 4. Encrypt the shared secrets with the sending node's public key.
1. Encrypt the shared secrets with the destination node's public key. Public Key Infrastructure (PKI) keys come in asymmetric pairs, which means that when one key is used to encrypt data, the corresponding key is used to decrypt that same data. The public key is shareable and is embedded in an X.509 certificate. The private key is not shareable.
108
A company is pursuing a PCI DSS certification. The company wants to implement secure management of the entire cryptography key lifecycle for the enterprise and prevent outside access to cryptographic keys. What should the company use? 1. TPM 2. HSM 3. NIPS 4. CA
2. HSM An HSM (Hardware Security Module) can be implemented as a physical device that can be plugged into a computer. The HSM provides secure management for cryptographic keys and is used to provide cryptographic keys for activities such as encryption, decryption, and authentication.
109
An organization plans to improve its email security stance by deploying SPF. What is the benefit of this approach? 1. Locally installed agents will be used to verify compliance with central policies. 2. Sensitive emails will be digitally signed using the recipient's shared public key. 3. Emails will be scanned for sensitive content and the content will be removed. 4. The IP addresses of source SMTP servers will be checked for authorization.
4. The IP addresses of source SMTP servers will be checked for authorization. Sender Policy Framework (SPF) is used to authenticate source SMTP servers by requiring a domain owner to specify the servers that are approved senders for the domain. If SPF is configured, when an email server receives an inbound message, it performs a lookup for the sender's domain and ensures the connecting SMTP server is authorized to send for the domain.
110
A company is deploying IoT devices on its production network. What are two vulnerabilities that can place the network at greater risk? 1. Devices introduce non-standard network protocols that interfere with secure protocols. 2. Devices do not have the computing resources to implement advanced security. 3. Devices cannot be detected or monitored by network access controls or intrusion detection devices. 4. Devices use hard-coded or well-known default passwords. 5. Devices cannot be patched or updated.
2. Devices do not have the computing resources to implement advanced security. 4. Devices use hard-coded or well-known default passwords. Two common vulnerabilities are that devices use hard-coded or well-known default passwords and do not have the computing resources to implement advanced security. Other vulnerabilities include default configuration settings that are insecure and rarely changed, weak encryption or no encryption at all for data at rest or in motion, and inconsistent security controls due to a lack of industry-accepted security standards.
111
An organization plans to deploy a secure access service edge (SASE) architecture. Which of the following is most likely to be included in this deployment? 1. Wi-Fi Protected Access 3 (WPA3) 2. Simple Network Management Protocol (SNMP) 3. Supervisory Control and Data Acquisition (SCADA) 4. Cloud Access Security Broker (CASB)
4. Cloud Access Security Broker (CASB) SASE is used to provide secure, distributed network services via the cloud. A CASB is designed to provide policy-based protection for cloud-based resources.
112
An attacker breaches an organization's virtualization system and exfiltrates VMs containing sensitive data. Which of the following is the best method to address this risk? 1. Using full disk encryption 2. Requiring a VPN for all connections 3. Implementing HIPS on all VMs 4. Deploying DLP
1. Using full disk encryption Full disk encryption encrypts data before it is written to disk and then decrypts data when it is accessed. In this scenario, the attacker has exfiltrated virtual machine (VM) disks, which are stored as files on the VM host. If the VM disks are encrypted, the attacker will be unable to read the data they hold without the proper decryption key.