651-675 Flashcards

1
Q

A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization’s accounts. The engineer sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks was MOST likely used?

A. Man-in-the-middle
B. Spear-phishing
C. Evil twin
D. DNS poisoning

A

D. DNS poisoning

2
Q

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:

  • The legitimate website’s IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
  • The forged website’s IP address appears to be 10.2.12.99, based on NetFlow records.
  • All three of the organization’s DNS servers show the website correctly resolves to the legitimate IP.
  • DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.

Which of the following MOST likely occurred?

A. A reverse proxy was used to redirect network traffic.
B. An SSL strip MITM attack was performed.
C. An attacker temporarily poisoned a name server.
D. An ARP poisoning attack was successfully executed.

A

C. An attacker temporarily poisoned a name server.

3
Q

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario?

A. Physical
B. Detective
C. Preventive
D. Compensating

A

D. Compensating

4
Q

Which of the following is a team of people dedicated to testing the effectiveness of organizational security programs by emulating the techniques of potential attackers?

A. Red team
B. White team
C. Blue team
D. Purple team

A

A. Red team

5
Q

A security assessment determines DES and 3DES are still being used on recently deployed production servers. Which of the following did the assessment identify?

A. Unsecure protocols
B. Default settings
C. Open permissions
D. Weak encryption

A

D. Weak encryption

6
Q

The cost of removable media and the security risks of transporting data have become too great for a laboratory. The laboratory has decided to interconnect with partner laboratories to make data transfers easier and more secure. The Chief Security Officer (CSO) has several concerns about proprietary data being exposed once the interconnections are established. Which of the following security features should the network administrator implement to prevent unwanted data exposure to users in partner laboratories?

A. VLAN zoning with a file-transfer server in an external-facing zone
B. DLP running on hosts to prevent file transfers between networks
C. NAC that permits only data-transfer agents to move data between networks
D. VPN with full tunneling and NAS authenticating through the Active Directory

A

A. VLAN zoning with a file-transfer server in an external-facing zone

7
Q

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:

A. validate the vulnerability exists in the organization’s network through penetration testing.
B. research the appropriate mitigation techniques in a vulnerability database.
C. find the software patches that are required to mitigate a vulnerability.
D. prioritize remediation of vulnerabilities based on the possible impact.

A

D. prioritize remediation of vulnerabilities based on the possible impact.

8
Q

A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: “Special privileges assigned to new logon.” Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?

A. Pass-the-hash
B. Buffer overflow
C. Cross-site scripting
D. Session replay

A

A. Pass-the-hash

9
Q

Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?

A. Watering-hole attack
B. Credential harvesting
C. Hybrid warfare
D. Pharming

A

A. Watering-hole attack

10
Q

A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?

A. A BPDU guard
B. WPA-EAP
C. IP filtering
D. A WIDS

A

B. WPA-EAP

11
Q

In the middle of a cyberattack, a security engineer removes the infected devices from the network and locks down all compromised accounts. In which of the following incident response phases is the security engineer currently operating?

A. Identification
B. Preparation
C. Lessons learned
D. Eradication
E. Recovery
F. Containment

A

F. Containment

12
Q

A network administrator would like to configure a site-to-site VPN utilizing IPSec. The administrator wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions. Which of the following should the administrator use when configuring the VPN?

A. AH
B. EDR
C. ESP
D. DNSSEC

A

C. ESP

13
Q

A security incident may have occurred on the desktop PC of an organization’s Chief Executive Officer (CEO). A duplicate copy of the CEO’s hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

A. Install a new hard drive in the CEO’s PC, and then remove the old hard drive and place it in a tamper-evident bag.
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
C. Remove the CEO’s hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
D. Refrain from completing a forensic analysis of the CEO’s hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.

A

B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.

14
Q

A security engineer at an offline government facility is concerned about the validity of an SSL certificate. The engineer wants to perform the fastest check with the least delay to determine if the certificate has been revoked. Which of the following would BEST meet these requirements?

A. RA
B. OCSP
C. CRL
D. CSR

A

C. CRL

15
Q

A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use?

A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

A

D. RAID 10

16
Q

Which of the following algorithms has the SMALLEST key size?

A. DES
B. Twofish
C. RSA
D. AES

A

A. DES

17
Q

During an incident response, a security analyst observes the following log entry on the web server:

GET http://www.companysite.com/product_info.php?
show=../../../../etc/passwrd HTTP/1.1
Host: www.companysite.com

Which of the following BEST describes the type of attack the analyst is experiencing?

A. SQL injection
B. Cross-site scripting
C. Pass-the-hash
D. Directory traversal

A

D. Directory traversal

18
Q

A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

A. DNS sinkholing
B. DLP rules on the terminal
C. An IP blacklist
D. Application whitelisting

A

D. Application whitelisting

19
Q

A document that appears to be malicious has been discovered in an email that was sent to a company’s Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?

A. Open the document on an air-gapped network.
B. View the document’s metadata for origin clues.
C. Search for matching file hashes on malware websites.
D. Detonate the document in an analysis sandbox.

A

C. Search for matching file hashes on malware websites.

20
Q

A security analyst has received an alert about PII being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?

A. S/MIME
B. DLP
C. IMAP
D. HIDS

A

B. DLP

21
Q

A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media?

A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool

A

D. Blocking removable-media devices and write capabilities using a host-based security tool

22
Q

After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?

A. The public ledger
B. The NetFlow data
C. A checksum
D. The event log

A

A. The public ledger

23
Q

A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure?

A. A captive portal
B. PSK
C. 802.1X
D. WPS

A

C. 802.1X

24
Q

A security analyst is reviewing the following attack log output:

user comptia\john.smith attempted to login with the password123
user comptia\john.doe attempted to login with the password123
user comptia\user.1 attempted to login with the password123
user comptia\user.2 attempted to login with the password123
user comptia\user.3 attempted to login with the password123

user comptia\john.smith attempted to login with the password234
user comptia\john.doe attempted to login with the password234
user comptia\user.1 attempted to login with the password234
user comptia\user.2 attempted to login with the password234
user comptia\user.3 attempted to login with the password234

Which of the following types of attacks does this MOST likely represent?

A. Rainbow table
B. Brute-force
C. Password-spraying
D. Dictionary

A

C. Password-spraying

25
Q

An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap?

A. Nmap
B. cURL
C. Netcat
D. Wireshark

A

D. Wireshark

26
Q
A