CompTia practice questions Flashcards

Question

Which type of injection attack occurs when code is run within the address space of another process, forcing it to load another library? a. DLL injection b. LDAP injection c. SQL injection d. None of these answers are correct.

Answer 1

A. DLL injection occurs when code is run within the address space of another process by forcing it to load a dynamic link library (DLL). Ultimately, this type of attack can influence the behavior of a program that was not originally intended. This attack can be uncovered through penetration testing.

Answer 2

D. A null pointer dereference occurs when a program dereferences a pointer that it expects to be valid but is null, which can cause the application to exit or the system to crash. From a programmatical standpoint, the main way to prevent this situation is to use meticulous coding. Programmers can use special memory error analysis tools to enable error detection for a null pointer dereference.

Answer 3

D. Directory traversal, path traversal, and the ../ (“dot-dot-slash”) attack are methods of accessing unauthorized parent (or worse, root) directories. They are often used on web servers that have PHP files and are Linux or UNIXbased but can also be perpetrated on Microsoft operating systems (in which case, it would be ..\ or the “dot-dot-backslash” attack).

Answer 4

B. A dictionary password attack pulls words from the dictionary or word lists to attempt to discover a user’s password. A dictionary attack uses a predefined dictionary to look for a match between the encrypted password and the encrypted dictionary word.

Answer 5

B. Race conditions are also known as time-of-check (TOC) or time-of-use (TOU) attacks.

Answer 6

C. Error handling or error exception handling code should be checked thoroughly so that a malicious user can’t find out any additional information about the system. These error handling methods are sometimes referred to technically as pseudocodes.

Answer 7

B. A fuzzer is a program that can send crafted messages to a vulnerable application or system to find input validation vulnerabilities.

Answer 8

D. A replay attack is a network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. It differs from session hijacking in that the original session is simply intercepted and analyzed for later use. In a replay attack, an attacker might use a packet sniffer to intercept data and retransmit it later. In this way, the attacker can impersonate the entity that originally sent the data.

Answer 9

A. Session replay attacks occur when an attacker steals a user’s valid session ID and reuses that ID to perform malicious transactions and activities with a web application.

Answer 10

D. Cross-site request forgery (XSRF) attacks leverage the trust that the application has in the targeted user. For example, the attacker could inherit the privileges of the user to perform an undesired action, such as stealing sensitive information, creating users, or downloading malware.

Answer 11

``` D. All of the available answers are best practices to help protect application programming interfaces (APIs). ```

Answer 12

C. Resource exhaustion is an attack against availability that is designed to bring the network, or access to a particular TCP/IP host/server, to its knees by flooding it with useless traffic. Resource exhaustion attacks are a form of denial-of-service (DoS) attacks. They can also leverage software vulnerabilities such as memory leaks and file descriptor leaks.

Answer 13

D. A memory leak is a type of resource leak caused when a program does not release memory properly. The lack of freed-up memory can reduce the performance of a computer, especially in systems with shared memory or limited memory. A kernel-level leak can lead to serious system stability issues. The memory leak might happen on its own due to poor programming, or it could be that code resides in the application that is vulnerable and is later exploited by an attacker who sends specific packets to the system over the network.

Answer 14

A. An attacker can launch an SSL strip attack in different ways. One of the most common ways is to create a wireless hotspot and lure the victims to connect to it.

Answer 15

D. Attackers can potentially modify drivers through the use of driver shimming (the adding of a small library that intercepts API calls) and driver refactoring (the restructuring of driver code).

Answer 16

D. Pass the hash attacks leverage deficiencies in Windows NTLM implementations.

Answer 17

A. An initialization vector (IV) attack is a type of related-key attack, which occurs when an attacker observes the operation of a cipher using several different keys and finds a mathematical relationship between those keys, allowing the attacker to ultimately decipher data.

Answer 18

B. ARP cache poisoning (also known as ARP spoofing) is an example of an attack that leads to a man-in-the-middle scenario. An ARP spoofing attack can target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

Answer 19

A. With an on-path attack, the attacker must first infect the victim’s computer with a Trojan. The attacker usually gets the malware onto the victim’s computer through some form of trickery or deceit.

Answer 20

A. With an on-path attack, the attacker must first infect the victim’s computer with a Trojan. The attacker usually gets the malware onto the victim’s computer through some form of trickery or deceit.

Answer 21

D. Attackers launch MAC flooding attacks by sending numerous unknown MAC addresses to a network switch to cause a DoS condition. In addition,when the Layer 2 forwarding table limit is exceeded, packets are flooded to all ports in a virtual LAN (VLAN). This, in turn, enables the attacker to sniff network connections over a switched network while disrupting network performance.

Answer 22

D. Domain hijacking is a type of hijacking attack in which the attacker changes the registration of a domain name without the permission of the original owner/registrant. One of the most common methods to perform a domain hijacking is using social engineering.

Answer 23

B. One specific type of DDoS attack is the DNS amplification attack. Amplification attacks generate a high volume of packets ultimately intended to flood a target website.

Answer 24

B. Visual Basic for Applications (VBA) is an event-driven programming capability in Microsoft operating systems and applications. Attackers have used VBA to create malicious macros in applications such as Excel or Word.

Answer 25

A. The name hacktivist is often applied to different kinds of activities—from hacking for social change, to hacking to promote political agendas, to fullblown cyberterrorism. Due to the ambiguity of the term, a hacktivist could be inside a company or attack from the outside and will have varying amounts of resources and funding. However, a hacktivist is usually far more competent than a script kiddie.

Answer 26

B. Cybercriminals might work on their own, or they might be part of criminal syndicates and organized crime—a centralized enterprise run by people motivated mainly by money.

Answer 27

D. The level of sophistication/capability, resources, and funding are all attributes of threat actors that put them into different categories (that is, statesponsored actors, script kiddies, hacktivists, criminals).

Answer 28

C. The Diamond Model is designed to represent a cybersecurity incident and is made up of four parts. Active intrusions start with an adversary who targets a victim. The adversary will use various capabilities along some form of infrastructure to launch an attack against the victim. Capabilities can be various forms of tools, techniques, and procedures, while the infrastructure is what connects the adversary and victim. The lines connecting each part of the model depict a mapping of how one point reached another. This mapping helps you understand the motives, intent, sophistication, capabilities, and resources that a threat actor may have.

Answer 29

A. One of the most effective attacks for mass compromise is to attack the supply chain of a vendor to tamper with hardware and/or software. This tampering might occur in-house or earlier, while in transit through the manufacturing supply chain.

Answer 30

D. Attackers can leverage misconfigured and insecure cloud deployments including unpatched applications, operating systems, and storage buckets.

Answer 31

A. Threat intelligence refers to knowledge about an existing or emerging threat to assets, including networks and systems. Threat intelligence includes context, mechanisms, indicators of compromise (IoCs), implications, and actionable advice.

Answer 32

A. Open-source intelligence (OSINT) applies to offensive security (ethical hacking/penetration testing) and defensive security. In offensive security, OSINT enables you to leverage public information from DNS records, social media sites, websites, search engines, and other sources for reconnaissance—in other words, to obtain information about a targeted individual or an organization. When it comes to threat intelligence, OSINT refers to public and free sources of threat intelligence.

Answer 33

D. Vendor websites, threat feeds, and vulnerability feeds could all be used for threat and vulnerability research.

Answer 34

C. The MITRE ATT&CK framework (https://attack.mitre.org) is a collection of different matrices of tactics and techniques. InfraGard is a collaborative effort between the FBI and the private sector. The Common Vulnerability and Exposure (CVE) is a standard to identify vulnerabilities created and maintained by MITRE. The Common Weakness Enumeration (CWE) is a standard to identify the weaknesses (root cause) of security vulnerabilities. CWE was also created by MITRE

Answer 35

A. Infrastructure as a service (IaaS) is a type of cloud service that offers computer networking, storage, load balancing, routing, and VM hosting. Platform as a service (PaaS) provides various software solutions to organizations, especially the capability to develop applications in a virtual environment without the cost or administration of a physical platform. Software as a service (SaaS) is a cloud service model where the cloud provider offers the complete infrastructure and the application. Examples of SaaS include Gmail, Office 365, Webex, Zoom, Dropbox, Google Drive, and many other applications you use every day

Answer 36

D. Encryption, authentication methods, and identity management are all security concerns in cloud deployments and environments.

Answer 37

B. A zero-day vulnerability is a type of vulnerability that is disclosed by an individual or exploited by an attacker before the creator of the software can create a patch to fix the underlying issue. Attacks leveraging zero-day vulnerabilities can cause damage even after the creator knows of the vulnerability because it may take time to release a patch to prevent the attacks and fix damage caused by them.

Answer 38

D. Default settings and passwords, weak encryption, and open permissions are examples of the most prevalent types of weak configurations that can be leveraged by an attacker to perform malicious activities and compromise systems.

Answer 39

D. Protocols such as Telnet, FTP (without encryption), and HTTP without encryption should be avoided at all times because they are considered unsecure.

Answer 40

D. Vendor management, system integration, lack of vendor support, supply chain, and outsourced code development should all be assessed when performing an analysis of third-party risks.

Answer 41

A. A security update is a broadly released fix for a product-specific securityrelated vulnerability or group of vulnerability. Security vulnerabilities are rated based on their severity, which is indicated in the Microsoft Security Bulletin as critical, important, moderate, or low.

Answer 42

D. Legacy platforms and products that have passed the end of support date are often affected by unfixed security vulnerabilities and do not have modern security features. When a device is past the last day of support, vendors will not investigate or patch security vulnerabilities in those devices.

Answer 43

. D. A security breach could have direct financial impact to a corporation (such as fines and lawsuits). The brand and reputation of a company can also be damaged by major cybersecurity incidents and breaches. Cybersecurity incidents can also lead to outages and availability loss.

Answer 44

D. Attackers can leverage different types of obfuscation and evasion techniques to go undetected (including encoding of data, tunneling, and encryption).

Answer 45

B. Threat hunting is the act of proactively and iteratively looking for threats in your organization.

Answer 46

A. The MITRE ATT&CK is a collection of matrices that outline adversary tactics, techniques, and procedures (TTPs) that modern attackers use.

Answer 47

A. Most of the vulnerabilities disclosed to the public are assigned Common Vulnerability and Exposure (CVE) identifiers. CVE is a standard created by MITRE (www.mitre.org) that provides a mechanism to assign an identifier to vulnerabilities so that you can correlate the reports of those vulnerabilities among sites, tools, and feeds.

Answer 48

C. A false positive is a broad term that describes a situation in which a security device triggers an alarm, but no malicious activity or actual attack is taking place. In other words, false positives are false alarms, and they are also called benign triggers.

Answer 49

A. A true positive is a successful identification of a security attack or a malicious event. A true negative occurs when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable. False positives are false alarms, and false negative is the term used to describe a network intrusion device’s inability to detect true security events under certain circumstances—in other words, a malicious activity that is not detected by the security device.

Answer 50

A. Vulnerability scanners can often log in to the targeted system to perform deep analysis of the operating system, running applications, and security misconfigurations. This technique is called a credentialed scan.

Answer 51

D. SIEMs can provide log collection, normalization, and correlation.

Answer 52

A. NetFlow is a technology invented by Cisco to collect network metadata about all the different “flows” of traffic on your network.

Answer 53

A. Security Orchestration, Automation, and Response (SOAR) systems extend beyond traditional SIEMs to allow organizations to collect security threat data and alerts from multiple sources and to perform many different automated response capabilities.

Answer 54

D. Unlike traditional SIEM platforms, SOAR solutions can also be used for threat and vulnerability management, security incident response, and security operations automation (including playbook and runbook automation, as well as orchestration of multiple SOC tools).

Answer 55

D. Ethical hacking, pen testing, and penetration testing are all terms used to define the process of finding vulnerabilities and mimicking what an attacker could do against your systems and networks. Penetration testing is done after obtaining permission from the system or network owner.

Answer 56

A. In the known environment pen testing type, the pen tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided network diagrams, IP addresses, configurations, and a set of user credentials, for example. If the scope includes an application assessment, the tester might also be provided the source code of the target application. The idea of this type of test is to identify as many security holes as possible.

Answer 57

D. The pre-engagement tasks include items such as contract negotiations, the statement of work (SOW), scoping, and the rules of engagement.

Answer 58

D. The rules of engagement document typically includes the testing timeline, location of the testing, time window of the testing, preferred method of communication, the security controls that could potentially detect or prevent testing, IP addresses or networks from which testing will originate, and the scope of the engagement.

Answer 59

A. Open-source intelligence (OSINT) gathering is the term used when a penetration tester uses public records to perform passive reconnaissance.

Answer 60

D. Active reconnaissance is carried out mostly by using network and vulnerability scanners. Nmap is an open-source network and port scanner. Nessus is a vulnerability scanner sold by Tenable. Nikto is an open-source web application vulnerability scanner.

Answer 61

C. Purple teams integrate the defensive capabilities of a blue team with the adversarial techniques used by the red team. Often the purple team is not a separate team, but a solid dynamic between the blue and red teams.

Answer 62

A. White teams are individuals who are focused on governance, management, risk assessment, and compliance.

Answer 63

A. Configuration management is an ongoing process created with the goal of maintaining computer systems, servers, network infrastructure, and software in a desired, consistent state. One of the primary goals of configuration management is to ensure that your infrastructure performs as it’s expected to as changes are made over time.

Answer 64

C. After a minimum desired state of security is defined, baselines should be taken to assess the current security state of computers, servers, network devices, and the network in general. Baseline configurations should be properly documented and reviewed to include a set of specifications for information systems or configuration items within those systems. Baseline configurations are used by security professionals, along with network and system administrators, as a basis for future deployments, releases, or changes to information systems and applications.

Answer 65

A. You should make sure that your organization has appropriate naming conventions for describing IT infrastructure, applications, and users. Appropriate naming conventions are used to avoid conflicts and to be able to correlate data among disparate systems.

Answer 66

B and C. The General Data Protection Regulation (GDPR) is a regulation in the European Union and the European Economic Area focused on data protection and privacy. Another example is the California Consumer Privacy Act (CCPA). These regulations give consumers the right to know what personal information is being collected by companies, government, and any other organizations.

Answer 67

D. Data loss prevention (DLP) systems can be software or hardware-based solutions and are categorized in three general types: endpoint, network, and storage DLP systems

Answer 68

D. You should always encrypt data at rest, in use, and in motion in order to protect sensitive data.

Answer 69

C. Hashes are used in digital signatures, in file and message authentication, and as a way to protect the integrity of sensitive data—for example, data entered into databases or perhaps entire hard drives. A hash is generated through the use of a hash function to verify the integrity of the file or message, most commonly after transit over a network.

Answer 70

A. A hot site is a near duplicate of the original site of the organization that can be up and running within minutes (in some cases longer). Computers and phones are installed and ready to go, a simulated version of the server room stands ready, and the vast majority of the data is replicated to the site on a regular basis in the event that the original site is not accessible to users for whatever reason.

Answer 71

B. A honeypot is generally a single computer but could also be a file, group of files, or an area of unused IP address space, whereas a honeynet is a group of computers, servers, or an area of a network; a honeynet is used when a single honeypot is not sufficient. Either way, the individual computers, or group of servers, will usually not house any important company information. Various analysis tools are implemented to study the attacker; these tools, along with a centralized group of honeypots (or a honeynet), are known collectively as a honeyfarm.

Answer 72

D. Honeyfiles are used as bait files intended to lure adversaries to access them and then send alarms to a security analyst to potentially learn the tactics and techniques used by the attacker.

Answer 73

A. In a DNS sinkhole you configure one or more DNS servers to provide false results to attackers and redirect them to areas in the network where you can observe their tactics and techniques. DNS sinkholes have been used to contain different types of malware such as the infamous WannaCry ransomware and to disrupt certain malicious DNS operations in denial-of-service (DoS) and other attacks.

Answer 74

A. IaaS is a service that offers computer networking, storage, load balancing, routing, and VM hosting. More and more organizations are seeing the benefits of offloading some of their networking infrastructure to the cloud.

Answer 75

A. A community cloud is a mix of public and private cloud deployments where multiple organizations can share the public portion.

Answer 76

A. A community cloud is a mix of public and private cloud deployments where multiple organizations can share the public portion.

Answer 77

A. Google Drive, Office 365, and Dropbox are examples of the software as a service (SaaS) cloud service model.

Answer 78

C. A managed security service provider (MSSP) provides services to manage your security devices and can also help monitor and respond to security incidents.

Answer 79

D. Managed service providers (MSPs) can deliver network, application, system, and management services using a pay-as-you-go model. An MSP is an organization that can manage your network infrastructure, servers, and in some cases your security devices. Companies that provide services to manage your security devices and can also help monitor and respond to security incidents are called managed security service providers (MSSPs).

Answer 80

C. The term edge computing describes an ecosystem of resources and applications in new network services (including 5G and IoT). One of the main benefits is to provide greater network speeds, low latency, and computational power near the user.

Answer 81

A. Thin clients are computer systems that run from resources stored on a central server or from the cloud instead of a local (on-premises) system. When you use a thin client, you connect remotely to a server-based computing environment where the applications, sensitive data, and memory are stored.

Answer 82

D. Docker Swarm, Apache Mesos, and Kubernetes are technologies and solutions to manage, deploy, and orchestrate containers.

Answer 83

A. VM sprawl (otherwise known as virtualization sprawl) occurs when an organization can no longer effectively control and manage all the VMs on a network or in the cloud.

Answer 84

A. In a VM escape attack, the guest VM breaks out of its isolated environment and attacks the hypervisor or compromises other VMs hosted and controlled by the hypervisor.

Answer 85

A. The traditional software development methodology is the waterfall model, which is a software and hardware development and project management methodology that has at least five to seven phases that follow in strict linear order. Each phase cannot start until the previous phase has been completed.

Answer 86

B. You can integrate with log aggregation tools to maintain and analyze logs of every element that goes into the provisioning. This allows you to respond quickly and deprovision the application in the event that something went wrong. When you go back, you can check the logs and accurately find and fix the root cause of the error.

Answer 87

D. Unit testing, integration testing, and identifying a code integrity manager can help software (code) integrity.

Answer 88

C. Threat modeling enables you to prioritize threats to an application based on their potential impact. This modeling process includes identifying assets to the system or application, uncovering vulnerabilities, identifying threats, documenting threats, and rating those threats according to their potential impact. The more risk, the higher the rating. Threat modeling is often incorporated into the software development lifecycle (SDLC) during the design, testing, and deployment phases.

Answer 89

D. Input validation, principle of least privilege, and failing securely are all important security principles that should be incorporated into the SDLC.

Answer 90

D. Compile time refers to the duration of time during which the statements written in any programming language are checked for errors. Compile-time errors might include syntax errors in the code and type-checking errors. A programmer can check these errors without actually running the program and instead check it in the compile stage when it is converted into machine code.

Answer 91

D. One of the most popular OWASP projects is the Top 10 Web Application Security Risks. You can find the latest Top 10 Web Application Security Risks at https://owasp.org/www-project-top-ten. All of these answers are top web application security risks.

Answer 92

C. In an example of software diversity, a compiler is modified to generate variants of a binary (target application) that operates in the same way when processing benign input; however, it may operate in a different manner when given malicious input. This new aspect of software diversity is handled by generating variants of a program by building a binary with a diversifying compiler that can randomize the code layout, stack variables, and random allocations of heap objects at different locations in each variant.

Answer 93

``` A. Continuous integration (CI) is a software development practice in which programmers merge code changes in a central repository multiple times a day. Continuous delivery (CD) sits on top of CI and provides a way for automating the entire software release process. When you adopt CI/CD methodologies, each change in code should trigger an automated build-and-test sequence. This automation should also provide feedback to the programmers who made the change. ```

Answer 94

C. Elasticity is the ability of an underlying infrastructure to react to a sudden increase in demand by provisioning more resources in an automated way. Elasticity and scalability are often achieved by deploying technologies such as load balancers and by deploying applications and resources in multiple geographical locations (data centers around the world). Other technologies such as enabling concurrent processing (parallel processing) and automated container deployments (that is, using Kubernetes) allow organizations to auto-scale.

Answer 95

D. Microsoft Active Directory (AD) allows administrators to organize elements of a network, such as users, computers, and devices, into a hierarchical containment structure.

Answer 96

D. Microsoft Active Directory (AD) allows administrators to organize elements of a network, such as users, computers, and devices, into a hierarchical containment structure.

Answer 97

D. Users authenticate against a directory service to ensure that it is highly available at all times. A best practice requires that it be distributed in multiple locations.

Answer 98

C. In biometrics, facial recognition is the most common and least accurate way to identify a user; it has higher false rejection and higher false acceptance rates than other biometric security methods.

Answer 99

B. Speaker verification is a 1:1 match where one speaker’s voice is matched to one template, also called a voice print or voice model.

Answer 100

B. You must have this physical item with you—something you have such as a crypto card, token, or key fob that is used as a method to authenticate you as a user.

Answer 101

A. Physical movements such as the way you walk, typing patterns, and mouse movements are examples of a personality trait, behavior, or observable biometric that can be used to authenticate you as a person.

Answer 102

A. Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to computer resources, enforcing policies, and auditing usage. These processes working in concert are important for effective network management and security.

Answer 103

A. Authentication provides a method of identifying a user, typically by having the user enter a valid username and password before access to the network is granted. Authentication is based on each user having a unique set of login credentials for gaining network access.

Answer 104

C. Enterprises that elect to use a cloud computing model need to pay only for the resources that they use, with none of the maintenance and upkeep costs. The price adjusts up or down depending on how much is consumed.

Answer 105

B. On-premises authentication is preferred. Many companies these days operate under some form of regulatory control, regardless of the industry. The most common one is the Health Insurance Portability and Accountability Act (HIPAA) for private health information, but there are other government and industry regulations. For companies that are subject to such regulations, it is imperative that they remain compliant and know where their data is at all times.

Answer 106

A. Geographic dispersal of computing and data assets if a disaster, natural or person-made, occurs ensures the company can continue to function. In such cases, the company relies on infrastructure in another city, state, or country to be available.

Answer 107

A. RAID 5 writes the parity over all disks, making it possible to continue to run even if one disk fails. Recovery is done by removing the failed drive and executing the recovery process, where the drive is rebuilt and added to the array once completed.

Answer 108

A. RAID 0 is known as disk striping; it is the process of dividing data into blocks and spreading the data blocks across multiple storage devices, such as hard disks or solid-state drives (SSDs). In a Redundant Array of Independent Disks (RAID) group, there is no parity. The more hard drives in a RAID 0 array, the higher probability of array failure.

Answer 109

B. By deploying NIC teaming on your server, you can maintain a connection to multiple physical switches and use a single IP address. Load balancing becomes readily available, fault tolerance becomes instant instead of waiting for DNS records to time out or update, and management becomes simpler.

Answer 110

B. Redundant power is a critical component in high-availability systems. In the simplest solution, two power supplies can drive a load through bused (vertical line shared among equipment) or N+1 configuration, where two power supply outputs are load-shared together or have one active and one or more in standby mode.

Answer 111

``` B. SAN-connected servers contain special fiber interface cards called host bus adapters (HBAs). They are configured as pairs, typically called HBA1 and HBA2. The fiber is then connected to a pair of SAN network switches. ```

Answer 112

A. Azure Active Directory is a fully managed multi-tenant cloud-based offering from Microsoft that offers identity and access capabilities for applications running in an on-premises environment. It is not a replacement for on-premises Active Directory Services but could be, or it can be used with it to extend on-prem directory services and sync the directories to cloud applications.

Answer 113

D. Cloud-based backups are a model of data storage in which the data can be accessed, managed, and stored in a remote cloud server via the Internet. Cloud backups are maintained and supported by a cloud storage provider responsible for keeping the user’s data available and accessible at any time.

Answer 114

C. Backups to a cloud services backup (IaaS) provider can be slower than on-premises backups where they are connected at gigabit speeds. Depending on the amount of data being backed up, restoring data from them could take many hours or even days to complete.

Answer 115

D. A highly available system should be able to quickly recover from any sort of failure state to minimize interruptions for the end user. Best practice for achieving high availability is to eliminate single points of failure or any node that would impact the system as a whole if it becomes dysfunctional. The highest level of uptime is considered “five nines,” or 99.999 percent, which refers to a standard of reliability. Five nines is equivalent to downtime of only 5 minutes and 15 seconds per year (1 minute and 18 seconds in a quarter, or 26 seconds monthly). These are very high standards to meet.

Answer 116

D. Without the network, systems will be unable to communicate with each other. When building the restore order for your organization, do not forget this critical step, and make sure you add it to your desktop exercises.

Answer 117

A, B, C. These are all steps that can be taken to enhance an organization’s resilience and provide fault tolerance and diversity

Answer 118

A. A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or designer after manufacturing—hence the term field-programmable

Answer 119

A. SCADA systems are capable of managing parts inventories for just-in-time manufacturing, regulate industrial automation and robots, and monitor processes and quality control.

Answer 120

A. A SCADA programmable logic controller (PLC) is an industrial computer control system that continuously monitors the state of input devices and makes decisions based on a custom program to control the state of output devices.

Answer 121

B. Smart watches can monitor your pulse, heart, blood pressure, exercises, calories, and sleep patterns to help you become more fit.

Answer 122

A. Lighting and air conditioning controls are part of building automation and can be controlled to help reduce the overexpense of energy use by properly implementing sensors to know when people are in the building.

Answer 123

D. Users should utilize the strongest encryption method available on devices, always create and rotate very complex passwords, set up a continuous method to log and audit access to the devices, and finally, ensure use of the latest manufacturer updates.

Answer 124

D. Today’s modern surveillance systems are capable of performing facial recognition, monitoring data center access, and if exploited, pivoting to and compromising other systems in the network.

Answer 125

D. Zigbee creates flexibility for developers and end users while delivering stellar interoperability. It was created on the IEEE’s 802.15.4 standard, using the 2.4-GHz band and a self-healing true mesh network, and has a defined rate of 250 kbps. It is best suited for intermittent data transmissions from a sensor or input device.

Answer 126

C. Cryptography constraints for building secure embedded systems hardware and software have to do with the amount of code required to implement a secure algorithm and the processing power required to crunch the number.

Answer 127

C and D. A system on a chip (SoC) is essentially an integrated circuit or an IC that takes a single platform and integrates an entire electronic or computer system onto it.

Answer 128

A. Nucleus RTOS from Mentor is a real-time operating system (RTOS) software component that rapidly switches between tasks, giving the impression that multiple programs are being executed at the same time on a single processing core. In fact, the processing core can execute only one program at any one time.

Answer 129

``` B. Embedded computers used in unmanned system applications are often characterized by their low SWaP-C (size, weight, power, and cost) profiles, small form factor (SFF), and rugged operating ranges, which are vital components for unmanned aerial vehicles (UAVs), ```

Answer 130

A. An access control vestibule, formerly known as a mantrap, allows security guards to see visitors before they are allowed through the second door. Guards can use cameras and voice communication to ascertain identity.

Answer 131

C. Vestibules are an excellent access control addition. Entries with panels built from prefabricated composite or metal are used as a way for companies to control the heat and airflow in their facilities.

Answer 132

B. Optical detectors convert incoming optical energy into electrical signals. The two main types of optical detectors are photon detectors and thermal detectors. Photon detectors produce one electron for each incoming photon of optical energy. The electron is then detected by the electronic circuitry

Answer 133

D. Robot sentries act as 24/7/365 guards, continuously monitoring and alerting on differentials. Robot sentries report anything out of the ordinary to the appropriate personnel, who then can take additional action.

Answer 134

D. The reception desk plays a front-line role in the physical security program of a company. Receptionists do this by creating a buffer between the corporate offices, employees, and contractors. Visitors are unable to pass until the employees meeting them come and pick them up. This reduces loitering and inquisitive visitors.

Answer 135

D. Biometric locks provide a unique way of making sure people are who they say they are by monitoring or matching human characteristics such as a fingerprint, retina, or voice prior to unlocking and granting access.

Answer 136

A. A skeleton key normally work with warded or lever locks. With a warded lock, a skeleton key lacks interior notches to interfere with or correspond with the wards, or obstructions, thereby allowing it to open the lock.

Answer 137

C. A proximity reader is capable of reading a prox card that is within a few millimeters of the reader/pad; it does this through induction.

Answer 138

C. A vault can consist of an entire room or even multiple rooms. Vaults allow everything inside to be protected through multiple layers of security measures, including guards, alarms, cameras, locks, gates, and secure doors.

Answer 139

D. Pulverizing grinds devices down to bare-metal scraps. There is nothing left that would allow recovery, unlike shredding and degaussing.

Answer 140

A. A key generation algorithm that selects a private key uniformly at random from a set of possible private keys is one of three digital signature scheme algorithms. This algorithm outputs the private key and a corresponding public key.

Answer 141

D. Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication.

Answer 142

D. Quantum cryptography, or quantum key distribution (QKD), uses a series of photons (light particles) to transmit data from one location to another over a fiber-optic cable. By comparing measurements of the properties of a fraction of these photons, the two endpoints can determine what the key is and if it is safe to use.

Answer 143

B. Photons travel to a receiver, which uses two beam splitters (horizontal/vertical and diagonal) to “read” the polarization of each photon.

Answer 144

A. A blockchain is essentially a digital ledger of transactions that are duplicated and distributed across the entire network of computer systems on the blockchain.

Answer 145

B. Cipher suites usually contain a set of algorithms that include a key exchange algorithm, bulk encryption algorithm, and message authentication code (MAC) algorithm. The key exchange algorithm is used to exchange a key between two devices.

Answer 146

D. Steghide, Foremost, Xiao, Stegais, and Concealment are tools that can be used to conceal data in images and audio files.

Answer 147

A. The most common use cases are mobile devices and portable systems. Because of the low-power draw requirements, you may use smaller symmetric key sizes and elliptic-curve asymmetric encryption.

Answer 148

C. Time is used in generating keys used in cryptography. They have been mostly replaced with more randomness.

Answer 149

D. Key stretching runs a password through an algorithm to produce an enhanced key.

Answer 150

C and D. Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) are key derivation functions (KDFs) that are primarily used for key stretching, which provides a means to “stretch” a key or password, making an existing key or password stronger and protecting against brute-force attacks.

Answer 151

D. DNSSEC is used in securing the chain of trust that exists between the Domain Name System (DNS) records that are stored at each domain level.

Answer 152

``` B. You can enable LDAPS by installing a properly formatted certificate from a certificate authority (CA) according to the guidelines. ```

Answer 153

B. SSH uses asymmetric (public key) RSA cryptography for both connection and authentication.

Answer 154

B. S/MIME is based on asymmetric cryptography that uses a pair of mathematically related keys to operate: a public key and a private key

Answer 155

C. AH is an optional packet header used to guarantee connectionless integrity and data origin authentication for IP packets.

Answer 156

C. IMAPS downloads a message only when you click on it, and attachments aren’t automatically downloaded. IMAPS operates on port 993 (SSL/TLS).

Answer 157

D. HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS).

Answer 158

D. Enterprises looking to deploy time synchronization should utilize three public servers, set up a local internal NTP server that is used for all internal hosts as a reference timekeeper, and only have the internal NTP server make requests to the public servers. You should ensure that you are standardizing on UTC time across all systems; it will make researching attacks and issues more relevant.

Answer 159

A. A virtual private network (VPN) provides privacy and security to users by creating a private network connection across a public network connection. VPNs are used to access company networks protected by firewalls that deny inbound and outbound access to/from systems on the network.

Answer 160

A, B, C, D. All the responses are correct. You should use caching-only DNS servers, use DNS forwarders, use DNS advertisers and resolvers, protect DNS from cache pollution, enable DDNS for secure connections only, disable zone transfers, and use firewalls to control communication to and from the DNS servers.

Answer 161

A. According a report published by Cybersecurity Ventures in May 2019, damages from ransomware cost businesses an astonishing $11 billion in lost revenue, productivity, and remediation.

Answer 162

B. Antimalware software that uses behavior-based malware detection can detect previously unknown threats by identifying malware based on characteristics and behaviors.

Answer 163

C. One of the primary functions of endpoint detection and response (EDR) is providing forensics and analysis tools to research identified threats and search for suspicious activities (similar to threat hunting).

Answer 164

A. Data loss prevention (DLP) software and tools monitor and control endpoint activities, filter data streams on corporate networks, and monitor data in the cloud to protect data at rest and in motion.

Answer 165

B. The newer specification addresses several limitations of the BIOS, including restrictions on hard disk partition size and the amount of time the BIOS takes to perform its tasks.

Answer 166

D. Database tokenization is the process of turning sensitive data into nonsensitive data called tokens that can be used in a database or internal system without bringing it into scope.

Answer 167

D. The secure session cookies store information about a user session after the user logs in to an application. This information is very sensitive because an attacker can use a session cookie to impersonate the victim.

Answer 168

A. Patch management is a process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

Answer 169

C. When a self-encrypting drive (SED) is installed into a mixed-disk configuration or a configuration containing unencrypted drives, it operates as an unencrypted disk. Likewise, a pool consisting of all SEDs might replicate to a pool with only a few SEDs or no SEDs at all.

Answer 170

C. Code from the outside needs to be validated prior to running it on a secure CPU. This tamper resistance can be implemented in many ways—for example, using a dedicated ROM that can only be accessed by the hardware root of trust.

Answer 171

D. The TPM uses a unique key to digitally sign the log recorded by the UEFI.

Answer 172

A. Sandboxing is a strategy that isolates a test environment for applications. It provides an extra layer of security that prevents malware or harmful applications from negatively affecting your system.

Answer 173

A. If you migrate some of these low-resource servers to a virtual environment, you could end up spending more on licensing but less on hardware, due to the nature of virtualization. In fact, the goal is to have the gains of hardware savings outweigh the losses of licensing. Load balancing and clustering deal with an operating system utilizing the hardware of multiple servers. This will not be the case when you go virtual, nor would it have been the case anyway, because clustering and load balancing are used in environments where the server is very resource-intensive. Baselining, unfortunately, will remain the same; you should analyze all of your servers regularly, whether they are physical or virtual. These particular servers should not encounter latency or lowered throughput because they are low-resource servers in the first place. If, however, you considered placing a Windows Server that supports 5000 users into a virtual environment, you should definitely expect latency

Answer 174

B. You can defend against pivoting by providing proper access control, network segmentation, DNS security, reputation security, and proper patch management.

Answer 175

C. A remote-access VPN is typically used for client access to a headend device, which connects them to the corporate network. Most remote access VPNs use IPsec or SSL/TLS connections.

Answer 176

D. One specific type of DDoS is the DNS amplification attack. Amplification attacks generate a high volume of packets ultimately intended to flood a target website. In the case of a DNS amplification attack, the attacker initiates DNS requests with a spoofed source IP address. The attacker relies on reflection; responses are not sent back to the attacker but are instead sent “back” to the victim server. Because the DNS response is larger than the DNS request (usually), it amplifies the amount of data being passed to the victim. An attacker can use a small number of systems with little bandwidth to create a sizable attack. However, a DNS amplification attack can also be accomplished with the aid of a botnet, which has proven to be devastating to sections of the Internet during the period when the attack was carried out.

Answer 177

D. Domain hijacking is a type of hijacking attack in which the attacker changes the registration of a domain name without the permission of the original owner/registrant. One of the most common methods used to perform a domain hijacking is using social engineering.

Answer 178

B. Some companies (such as Cisco) offer hardware-based NAC solutions, whereas other organizations offer paid software-based NAC solutions and free ones such as PacketFence (https://packetfence.org), which is open source. The IEEE 802.1X standard, known as port-based network access control, or PNAC, is a basic form of NAC that enables the establishment of authenticated point-to-point connections, but NAC has grown to include software; 802.1X is now considered a subset of NAC.

Answer 179

B. As administrator, you might need to take an alternate path to manage network devices. In this case, you might require out-of-band management. This is common for devices that do not have a direct network connection, such as UPSs, PBX systems, and environmental controls.

Answer 180

D. Port security is a security feature present in most routers and switches, and it is used to provide access control by restricting the Media Access Control (MAC) addresses that can be connected to a given port. This differs from a MAC access list because it works only on the source MAC address without matching the MAC destination.

Answer 181

D. IP proxy secures a network by keeping machines behind it anonymous; it does this through the use of NAT. For example, a basic four-port router can act as an IP proxy for the clients on the LAN it protects. An IP proxy can be the victim of many network attacks, especially DoS attacks. Regardless of whether the IP proxy is an appliance or a computer, it should be updated regularly, and its log files should be monitored periodically and audited according to organization policies.

Answer 182

D. A Layer 2 access control list (ACL) operates at the data link layer of the OSI model and implements filters based on Layer 2 information. An example of this type of access list is a MAC access list, which uses information about MAC addresses to create the filter.

Answer 183

D. There are different route manipulation attacks, but one of the most common is the Border Gateway Protocol (BGP) hijacking attack. BGP is a dynamic routing protocol used to route Internet traffic. An attacker can launch a BGP hijacking by configuring or compromising an edge router to announce prefixes that have not been assigned to his or her organization. If the malicious announcement contains a route that is more specific than the legitimate advertisement or presents a shorter path, the victim’s traffic may be redirected to the attacker. In the past, threat actors have leveraged unused prefixes for BGP hijacking to avoid attention from the legitimate user or organization.

Answer 184

D. As administrator, you can use QoS capabilities to control application prioritization. Protocol discovery features in Cisco AVC show the mix of applications currently running on the network. This information helps you define QoS classes and policies, such as how much bandwidth to provide to missioncritical applications and how to determine which protocols should be policed. Per protocol bidirectional statistics are available, such as packet and byte counts, as well as bit rates. After you classify the network traffic, you can apply class-based weighted fair queuing (CBWFQ) for guaranteed bandwidth.

Answer 185

D. An anycast address is assigned to a group of interfaces on multiple nodes. Packets are delivered to the “first” interface only. Anycast is structured like unicast addresses.

Answer 186

A. To capture packets and measure throughput, you need a tap on the network before you can start monitoring. Most tools that collect throughput leverage a single point configured to provide raw data, such as pulling traffic from a switch or router. If the access point for the traffic is a switch, typically a network port is configured as a Switched Port Analyzer (SPAN) port, sometimes also called port mirroring or port spanning. The probe capturing data from a SPAN port can be either a local probe or data from a SPAN port that is routed to a remote monitoring tool.

Answer 187

A. Baselining is the process of measuring changes in networking, hardware, software, applications, and so on. The process of documenting and accounting for changes in a baseline is known as baseline reporting. Baseline reporting enables you to identify the security posture of an application, system, or network. The security posture can be defined as the risk level to which a system, or other technology element, is exposed. Security posture assessments (SPAs) use baseline reporting and other analyses to discover vulnerabilities and weaknesses in systems.

Answer 188

C. File integrity is important when securing log files, and File Integrity Monitoring (FIM) helps you maintain this integrity. Encrypting the log files through the concept known as hashing is a good way to verify the integrity of the log files if they are moved and/or copied. You could also flat-out encrypt the entire contents of the file so that other users cannot view it. Integrity means that data has not been tampered with. Authorization is necessary before data can be modified in any way; this is done to protect the data’s integrity.

Answer 189

A. WPA3 includes a more robust authentication mechanism than WPA2. It also provides a higher level of encryption capabilities. It enables a very robust authentication based on passwords by utilizing a technology called Simultaneous Authentication of Equals (SAE). This innovation in Wi-Fi security replaces the preshared key (PSK). SAE helps protect against brute-force password attacks and offline dictionary attacks.

Answer 190

B. Counter-mode/CBC-MAC protocol or CCMP is based on the Advanced Encryption Standard (AES). It provides a stronger mechanism for securing privacy and integrity over Temporal Key Integrity Protocol (TKIP), which was previously used with WPA. An advantage to CCMP is that it utilizes 128-bit keys as well as a 48-bit initialization vector. This enhancement greatly reduces the possibility of replay attacks. One drawback to using CCMP over TKIP is that it requires additional processing power. That is why you will typically see it supported on newer hardware.

Answer 191

A. 802.1X is an IEEE standard that defines port-based network access control (PNAC). Not to be confused with 802.11X WLAN standards, 802.1X is a data link layer authentication technology used to connect hosts to a LAN or WLAN. 802.1X allows you to apply a security control that ties physical ports to end-device MAC addresses, and prevents additional devices from being connected to the network. It is a good way of implementing port security, much better than simply setting up MAC filtering.

Answer 192

D. Following are the three components to an 802.1X connection: ■ Supplicant: A software client running on a workstation. This is also known as an authentication agent. ■ Authenticator: A wireless access point or switch. ■ Authentication server: An authentication database, most likely a RADIUS server.

Answer 193

D. The supplicant is a software client running on a workstation. It is also known as an authentication agent.

Answer 194

D. The Protected Extensible Authentication Protocol (PEAP) uses MSCHAPv2, which supports authentication via Microsoft Active Directory databases. It competes with EAP-TTLS and includes legacy password-based protocols. It creates a TLS tunnel by acquiring a public key infrastructure (PKI)certificate from a server known as a certificate authority (CA). The TLS tunnel protects user authentication much like EAP-TTLS.

Answer 195

B. EAP-FAST uses a protected access credential instead of a certificate to achieve mutual authentication. FAST stands for Flexible Authentication via Secure Tunneling.

Answer 196

C. The preshared key (PSK) used to enable connectivity between wireless clients and the WAP is a complex passphrase. PSK is automatically used when you select WPA-Personal in the Security Mode section. The other option is WPA-Enterprise, which uses a RADIUS server. So, if you ever see the term WPA2-PSK, this means that the WAP is set up to use the WPA2 protocol with a preshared key, and not an external authentication method such as RADIUS.

Answer 197

B. Wi-Fi Protected Setup (WPS) is a security vulnerability. Created originally to give users easy connectivity to a wireless access point, later all major manufacturers suggested that it be disabled (if possible). In a nutshell, the problem with WPS was the eight-digit code. It effectively worked as two separate smaller codes that collectively could be broken by a brute-force attack within hours.

Answer 198

D. Strategic wireless access point (WAP) placement is vital. That is why it is essential to perform a site survey before deploying wireless equipment. A site survey is typically performed using Wi-Fi Analyzer tools to produce a heat map of all wireless activity in the area.

Answer 199

A. Near-field communication (NFC) has obvious benefits for contactless payment systems or any other non-contact-oriented communications between devices. However, for optimal security, you should use contact-oriented readers and cards.

Answer 200

B. Geofencing is an excellent way to be alerted to users entering and exiting an organization’s physical premises. It can provide security for wireless networks by defining the physical borders and allowing or disallowing access based on the physical location of the user, or more accurately, the user’s computer or mobile device.

Answer 201

A. You should encrypt data communication between a device and the organization and enable full device encryption of data stored on the device or in removable storage.

Answer 202

D. One of the characteristics of an MDM solution is the use of over-the-air (OTA) device management updates. OTA historically refers to the deployment and configuration performed via a messaging service, such as Short Message Service (SMS), Multimedia Messaging Service (MMS), or Wireless Application Protocol (WAP). Now it’s used to indicate remote configuration and deployment of mobile devices.

Answer 203

D. Insecure user configurations such as rooting and jailbreaking can be blocked from MDM, as can sideloading—the art of loading third-party apps from a location outside the official application store for that device. Note that sideloading can occur in several ways: by direct Internet connection (usually disabled by default), by connecting to a second mobile device via USB OTG (USB On-The-Go) or Bluetooth, by copying apps directly from a microSD card, or by tethering to a PC or Mac.

Answer 204

B. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled devices such as mobile phones. You can stop bluejacking by setting the affected Bluetooth device to undiscoverable or by turning off Bluetooth altogether.

Answer 205

B. Encryption is one of the best ways to ensure that data is secured and that applications work properly without interference from potential attackers. However, you should consider whole device encryption, which encrypts the internal memory and any removable (SD) cards.

Answer 206

B. Companies may implement strategies such as choose your own device (CYOD), where employees select a device from a company-approved list, or corporate-owned, personally enabled (COPE), where the company supplies employees with phones that can also be used for personal activities.

Answer 207

. A. Resource policies in cloud computing environments are meant to control access to a set of resources. A policy is deployed to manage the access to the resource itself.

Answer 208

B. In cloud computing environments, the management of things like API keys, passwords, and certificates is typically handled by some kind of secrets management tool. It provides a mechanism for managing the access and auditing the secrets used in the cloud environment

Answer 209

A. In cloud computing environments, storage is referred to as buckets. The access to these buckets is controlled by an Identity and Access Management (IAM) policy.

Answer 210

D. In cloud computing environments, the concept of a public subnet is one that has a route to the Internet. A private subnet would be a subnet in the cloud environment that does not have a route to the Internet.

Answer 211

D. A cloud access security broker (CASB) is a tool that organizations utilize to control access to and use of cloud-based computing environments and resources. Many cloud-based tools are available for corporate and personal use. The flexible access nature of these tools makes them a threat to data leak prevention and the like. It is very easy to make the mistake of copying a file that contains sensitive data into the wrong folder and making it available to the world. This is the type of scenario that CASB solutions help mitigate.

Answer 212

B. The concept of a Secure Web Gateway (SWG) is top of mind these days. At the time of this writing, we are currently in a global pandemic that has forced millions to work from home. For many years, the solution for providing employees a way to work from home was simply a remote-access VPN back into the office. This solution allowed all of the traffic from the employees’ computers to flow back through the corporate network, which would in turn traverse the same security controls that were in place if the employees were plugged into the corporate network. With the advent of cloud-based access to applications and storage, this solution is no longer the most efficient way of securing remote workers. This is where the SWG comes into play. A Secure Web Gateway enables you to secure your remote workers’ Internet access while not overloading the corporate Internet pipe. This approach is sometimes thought of as a cloud firewall. However, an SWG typically has many other protection mechanisms in place, including things like CASB. One example of an SWG is Cisco Umbrella.

Answer 213

B. Cloud-based firewalls can work at all layers of the OSI model. However, in many cloud computing environments, the firewall is used at the application layer to control access and mitigate threats to applications being hosted by the cloud environment.

Answer 214

B. A cloud native control is typically provided by the actual cloud-computing environment vendor. A non-cloud native control is provided by a third-party vendor. For instance, each cloud computing environment has security controls built into its platform. However, these controls might not be sufficient for all use cases. That is where third-party solutions come into play. Many companies out there today provide these third-party solutions to supplement those areas where cloud native controls are lacking. Of course, most virtual machine–based controls can be deployed in any cloud computing environment. However, for it to be native, it must go through various integration, testing, and certification efforts. Because each cloud computing environment is built differently and on different platforms, the controls must be adapted to work as efficiently as possible with the specifications of the environment. Many times, the decision between utilizing cloud native versus third-party solutions comes down to the actual requirements of the use case and the availability of the solution that fits those requirements.

Answer 215

B. An identity provider (IdP) is a service provider that also manages the authentication and authorization process on behalf of other systems in the federation.

Answer 216

B. Authentication is the process of proving the identity of a subject or user. Once a subject has identified itself in the identification step, the enforcer has to validate the identity—that is, be sure that the subject (or user) is the one it is claiming to be. This is done by requesting that the subject (or user) provide something that is unique to the requestor. This could be something known only by the user, usually referred to as authentication by knowledge, or owned only by the user, usually referred to as authentication by ownership, or it could be something specific to the user, usually referred to as authentication by characteristic.

Answer 217

A. Most certificates are based on the X.509 standard, which is a common PKI standard developed by the ITU-T that often incorporates the single sign-on (SSO) authentication method.

Answer 218

D. SAML is an open standard for exchanging authentication and authorization data between identity providers. SAML is used in many single sign-on (SSO) implementations.

Answer 219

D. A service account is typically used on a server to provide a separate set of credentials and permissions to an application or service that is running. For instance, a server that is running Apache web server might have an apache_ user account. That account would then be provided with only the access it needs to be able to perform the functions that services provide.

Answer 220

B. A tool you can use to validate who is logged in to a Windows system is the PsLoggedOn application. For this application to work, it has to be downloaded and placed somewhere on your local computer that will be remotely checking hosts. After it’s installed, simply open a command prompt and execute the command C:\PsTools\psloggedon.exe\\HOST_TO_CONNECT.

Answer 221

C. For Linux machines, various commands can show who is logged in to a system, such as the w, who, users, whoami, and last “user name” commands.

Answer 222

B. Geolocation is the actual method of determining the physical location of the user trying to authenticate.

Answer 223

C. A time-based attribute can be used when authenticating and authorizing a user. When a user logs in and provides his or her identity, that user can be given specific access based on the time he or she connects. For instance, if you do not expect that someone should be connecting to your wireless network at 3 a.m., then you can set a policy that blocks access between specific hours of operation.

Answer 224

B. Geotagging is the process of attaching location information in the metadata of files, such as pictures taken from a smartphone.

Answer 225

A. Password keys are a technology typically deployed by corporations when implementing two-factor authentication. The primary use case is remote access to the organization’s environment. However, many organizations also use them internally. These keys are especially important to use for access to highly sensitive data or applications that serve that data—for instance, financial applications or anything involving intellectual property, such as source code. Many types of password keys are on the market these days. They come in various form factors and are utilized in different ways. For instance, some are used by inserting into a computer USB port. Some are simply one-time password tokens used as a second factor when authenticating, whereas others are a combination of different functions.

Answer 226

B. A password vault is also often referred to as a password manager. It is simply a piece of software that is utilized to store and manage credentials. Typically, the credentials are stored in an encrypted database. Having an encrypted database protects the credentials from being compromised if the database is obtained by a threat actor through the compromise of a system holding the database.

Answer 227

A. NIST defines knowledge-based authentication (KBA) as authentication of an individual based on knowledge of information associated with his or her claimed identity in public databases. Knowledge of such information is considered to be private rather than secret, because it may be used in contexts other than authentication to a verifier, thereby reducing the overall assurance associated with the authentication process. A popular use case for this type of authentication is to recover a username or reset a password. Typically, a set of predetermined questions is asked of the user. These questions must have already been provided by the end user at the time of account setup or provided as an authenticated user at a later time. The idea is that the information that was provided is something that only the user would know. That is why it is important to utilize a set of questions that cannot be easily guessed or are not public knowledge.

Answer 228

D. Using single sign-on (SSO), a user can log in once but gain access to multiple systems without being asked to log in again. This system is complemented by single sign-off, which is basically the reverse; logging off signs off a person from multiple systems. SSO is meant to reduce password fatigue or password chaos, which occurs when a person can become confused and possibly even disoriented when having to log in with several different usernames and passwords. This system is also meant to reduce IT help desk calls and password resets.

Answer 229

D. Single sign-on (SSO) is a derivative of federated identity management (also called FIM or FIdM). In this system, a user’s identity and attributes are shared across multiple identity management systems. These various systems can be owned by one organization; for example, Microsoft offers the Forefront Identity Manager software, which can control user accounts across local and cloud environments.

Answer 230

B. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between identity providers. SAML is used in many single sign-on (SSO) implementations. The OASIS Security Assertion Markup Language standard is currently the most-used standard for implementing federated identity processes. SAML is an XML-based framework that describes the use and exchange of SAML assertions in a secure way between business entities. The standard describes the syntax and rules to request, create, use, and exchange these assertions.

Answer 231

B. Discretionary access control (DAC) is an access control policy generally determined by the owner. Objects such as files and printers can be created and accessed by the owner. Also, the owner decides which users are allowed to have access to the objects and what level of access they may have. The levels of access, or permissions, are stored in access control lists (ACLs).

Answer 232

B. Mandatory access control (MAC) is an access control policy determined by a computer system, not by a user or owner, as it is in DAC. Permissions are predefined in the MAC model. Historically, it has been used in highly classified government and multilevel military systems, but you can find lesser implementations of it in today’s more common operating systems as well. The MAC model defines sensitivity labels that are assigned to subjects (users) and objects (files, folders, hardware devices, network connections, and so on).

Answer 233

B. Least privilege is a security principle in which users are given only the privileges needed to do their job and not one iota more. A basic example would be the Guest account in a Windows computer. This account (when enabled) can surf the web and use other basic applications but cannot make any modifications to the computer system. However, least privilege as a principle goes much further. One of the ideas behind the principle is to run the user session with only the processes necessary, thus reducing the amount of CPU power needed.

Answer 234

B. Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system, and, unlike DAC, not by the owner of a resource. However, RBAC is different from MAC in the way that permissions are configured. RBAC works with sets of permissions instead of individual permissions that are label-based. A set of permissions constitutes a role. When users are assigned to roles, they can then gain access to resources.

Answer 235

A. Users need a private key to encrypt the digital signature of a private email. The difference in type of key is the level of confidentiality. A public key certificate obtained by a web browser is public and might be obtained by thousands of individuals. The private key used to encrypt the email is not to be shared with anyone.

Answer 236

B. A public key certificate obtained by a web browser is public and might be obtained by thousands of individuals. A private key used to encrypt email is not to be shared with anyone.

Answer 237

A. Most certificates are based on the X.509 standard, which is a common PKI standard developed by the ITU-T that often incorporates the single sign-on (SSO) authentication method.

Answer 238

D. Components of an X.509 certificate include the following: ■ Owner (user) information, including public key ■ Certificate authority information, including name, digital signature, serial number, issue and expiration dates, and version

Answer 239

D. Many companies have subdomains for their websites. Generally, if you connect to a secure website that uses subdomains, a single certificate allows for connections to the main website and the subdomains. This is known as a wildcard certificate; for example, *.h4cker.org, meaning all subdomains of h4cker.org.

Answer 240

B. By modifying the Subject Alternative Name (SAN) field, an organization can specify additional hostnames, domain names, IP addresses, and so on.

Answer 241

B. Canonical Encoding Rules (CER) is a restricted version of BER in that it allows the use of only one encoding type; all others are restricted.

Answer 242

B. If a root CA is compromised, all of its certificates are then also compromised, which could affect an entire organization and beyond. The entire certificate chain of trust can be affected. One way to add a layer of security to avoid root CA compromise is to set up an offline root CA. Because it is offline, it cannot communicate over the network with the subordinate CAs, or any other computers for that matter. Certificates are transported to the subordinate CAs physically using USB flash drives or other removable media. Of course, you would need to have secure policies regarding the use and transport of media, and would need to incorporate data loss prevention (DLP), among other things. But the offline root CA has some obvious security advantages compared to an online root CA. Consider this offline mindset when dealing with critical data and encryption methods.

Answer 243

B. One way to add security to a certificate validation process is to use certificate pinning, also known as SSL pinning or public key pinning. It can help detect and block many types of on-path attacks by adding an extra step beyond normal X.509 certificate validation. Essentially, a client obtains a certificate from a CA in the normal way but also checks the public key in the server’s certificate against a hashed public key used for the server name. This functionality must be incorporated into the client side, so it is important to use a secure and up-to-date web browser on each client in order to take advantage of certificate pinning.

Answer 244

A. Using the Linux traceroute command enables you to document hosts’ locations on your local network and map out the current location/configuration and connected devices. A baseline network diagram should be used and continuously updated to document systems.

Answer 245

B. nslookup is a simple but practical command-line tool. It is principally used to find the IP address that corresponds to a host or the domain name that corresponds to an IP address (a process called reverse DNS lookup).

Answer 246

C. The Linux-centric head command reads the first 10 lines of a given filename

Answer 247

B. The cat command is a widely used and universal tool. It copies standard input to standard output. The command supports scrolling if the text file doesn’t fit the current screen.

Answer 248

B. A shell can have two types of variables: environment variables that are exported to all processes spawned by the shell and shell (local) variables.

Answer 249

D. The environment is an area that the shell builds every time it starts a session. This area contains variables that define system properties.

Answer 250

C. Wireshark is available on Windows, Linux, and macOS. There are both command-line and GUI versions.

Answer 251

D. The pps-multi command sets the number of packets to send for each time interval. This option must appear in combination with the following option: pps. This option takes an integer number as its argument. The value of the number is constrained to being greater than or equal to one. The default number for this option is one; therefore, you should use --pps-multi=# to set pps.

Answer 252

B. You can use the dd tool to create a complete image of the hard disk /dev/hda by using # dd if = /dev/hda of = ~/hdadisk.img. This image can be used to preserve forensic evidence of a computer system that was attacked or used to exploit other systems.

Answer 253

D. Three of the most notable exploitation frameworks are Metasploit, Core Impact, and Immunity Canvas, although there are a number of less famous frameworks.

Answer 254

C. Hashcat is one of the most popular and widely used password crackers in existence. It is available on every operating system and supports more than 300 different types of hashes. It enables highly parallelized password-cracking capabilities, enabling you to crack multiple different passwords on multiple different devices at the same time and to support a distributed hash-cracking system via overlays. Cracking is optimized with integrated performance tuning and temperature monitoring.

Answer 255

C. There are three methods to achieve data sanitization: physical destruction, cryptographic erasure, and data erasure. However, the downside of these techniques is that they damage the storage media and do not allow it to be sold or reused. The only real method to ensure the data is unrecoverable is to shred the hard drive or data as it is.

Answer 256

A. Playbook documents are step-by-step procedures and should be high level and focused on specific areas such as malware, insider threats, unauthorized access, ransomware, and phishing.

Answer 257

D. Data breach notification laws are becoming more common: the European Union’s General Data Protection Regulation (GDPR), for instance, requires that companies report data security incidents within 72 hours of discovery

Answer 258

C. A triage matrix provides an understanding of the severity of an incident so that it can be prioritized quickly and correctly.

Answer 259

C. The lessons learned phase of the incident response process should be performed no later than two weeks from the end of the incident. A Post Incident Response (PIR) meeting ensures information is fresh on the team’s mind.

Answer 260

A. The tabletop exercise is often used to validate and/or improve an organization’s incident response (IR) plan. Real-life scenarios are used to put the response plan to the test, highlighting areas where your team excels and areas to be addressed.

Answer 261

C and D. The Diamond Model places the basic components of malicious activity at one of the four points on a diamond shape: adversary, infrastructure, capability, and victim. The model provides for analysis of threats related to intrusion.

Answer 262

B. Procedures describe the way adversaries implement a technique. A procedure concerns the particular instance use and can be useful for understanding exactly how the technique is used and for replication of an incident with adversary emulation as well for specifics on how to detect the instance in use.

Answer 263

D. There are five key stakeholders for any IR team; they are IT Services, Security Management, Legal, Human Resources, and Public Relations.

Answer 264

C. When your team is engaged with an incident, you should have them set up proactive alerting. They don’t need to call everyone every time, but your handlers need to plan ahead. Your incident response team needs to keep key contacts up to date so that when they have to notify contacts, it doesn’t come as a surprise. Notifying key contacts with only incident-relevant data as it becomes available reduces overcommunication of nonimportant data.

Answer 265

C. A disaster recovery (DR) plan is a formal document created by organizations that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks, or other disruptive events.

Answer 266

C. Disruptions lead to lost revenue, brand damage, and dissatisfied customers. The longer the recovery time, the greater the adverse impact to the business.

Answer 267

C. Many people think a disaster recovery (DR) plan is the same as a business continuity plan (BCP), but a DR plan focuses mainly on restoring an IT infrastructure and operations after a crisis. It’s actually just one part of a complete business continuity plan, because a BCP looks at the continuity of the entire organization.

Answer 268

A. A continuity of operations plan (COOP) ensures the restoration of organizational functions in the shortest possible time, even if services resume at a reduced level of effectiveness or availability.

Answer 269

A, B, D. An incident response team is a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations.

Answer 270

B. NIST SP 800-53 outlines the requirements that contractors and federal agencies need to take to meet the Federal Information Security Management Act (FISMA). It requires data retention for a minimum of three years.

Answer 271

A. Historical vulnerability scans can provide significant insight after an incident. By comparing the previous scans with the most recent, you can also look for variances in devices and systems that may have been changed

Answer 272

D. Network vulnerability scans should include all devices with an IP address (workstations, laptops, printers and multifunction printers, IoT devices, routers, switches, hubs, IDS/IPS, servers, wireless networks, and firewalls) and all the software running on them.

Answer 273

B. Sensors should be deployed before an incident. Sensor placement around the network allows for greater visibility and can aid in forensic investigation by quickly identifying the depths of the spread

Answer 274

C. SIEMs can tune sensitivity to what is considered suspect behavior or suspicious files (risk-based prioritization) to help reduce or increase the amount of data/matches during an investigation.

Answer 275

D. The log data you collect from your systems and devices may seem pretty routine. These logs could contain the precise evidence needed to investigate and successfully eradicate incidents from your network.

Answer 276

D. Session Initiation Protocol (SIP) is a signaling protocol used to establish, maintain, and tear down a call when terminated. SIP allows the calling parties’ called user agents to locate one another using the network.

Answer 277

A, B, C. Syslog is available on most network devices (for example, routers, switches, and firewalls), as well as printers and Linux-based systems. A syslog server listens for and then logs data messages coming from syslog clients. Rsyslog and syslog-ng build on syslog capabilities by adding support for advanced filtering and configuration. Event Viewer is a Windows-based tool that enables users or administrators to view event logs on Windows-based remote or local systems.

Answer 278

C. If you need to access logs for a specific time window—for instance, journalctl -since 2021-03-15 15:05:00—the time format is YYYY-MM-DD HH:MM:SS. journalctl is a valuable tool used to collect logs and sort through mountains of data to help you find a needle in a haystack.

Answer 279

A. NXLog can process high volumes of event logs from many different sources. Log processing includes rewriting, correlating, alerting, filtering, pattern matching, log file rotation buffering, and prioritized processing. Application, system, and security logs are Windows-specific Event Viewer logs.

Answer 280

C. Bandwidth monitors track bandwidth use over all areas of the network, including devices, applications, servers, WAN, and Internet links. One benefit of deploying bandwidth monitors is that they map out historical trends for capacity planning. With bandwidth monitors, you can quickly identify abnormal bandwidth usage, top talkers, and unique communications, all useful in finding infected systems that may be exfiltrating data or scanning the network looking to spread to other hosts.

Answer 281

A. Metadata is created from every activity you perform, whether it’s on your personal computer or online, every email, web search, and social or public application. Metadata is defined as “data that provides information about other data.” On its own, it might not seem like much, but when combined with additional context can lead to a break in a case.

Answer 282

C. A flow is a unidirectional set of packets sharing common session attributes, such as source and destination, IP, TCP/UDP ports, and type of service. NetFlow statefully tracks flows or sessions, aggregating packets associated with each flow into flow records, which are bidirectional flows.

Answer 283

D. Protocol analyzers allow network engineers and security teams to capture network traffic and perform analysis of the captured data to identify potential malicious activity or problems with network traffic. The network traffic data can be observed in real time for troubleshooting purposes, monitored by an alerting tool such as a SIEM to identify active network threats, and/or retained to perform forensic analysis.

Answer 284

A. You spend time up front building a whitelist of approved applications for the application approved list. Then with your central management or endpoint security solution, you roll out the whitelist enterprisewide to all endpoints.

Answer 285

B. An application block list or deny list is a basic access control mechanism that denies specific applications or code on the list from being installed or run.

Answer 286

D. The main action of the quarantine function is to safely store reported objects such as malware, infected files, or potentially unwanted applications. During an investigation, this storage log should be one of the places investigators check for evidence and history of suspect files.

Answer 287

D. With mobile device management (MDM), it is important to establish a baseline understanding of the changes that are common to specific types of mobile devices. Mobile platforms have several attack vectors that you need to consider: hardware, firmware, mobile OS, applications, and the device combination.

Answer 288

D. Data loss prevention (DLP) is an end-to-end goal that ensures users do not send sensitive or critical information outside the corporate network. The term routinely describes software products that help a network administrator control the data that users can view or transfer. Intellectual property, corporate data, and customer data are some of the types of data you would use DLP to help protect against exfiltration.

Answer 289

A. Once a compromised endpoint has been infected because malware, a virus, or a Trojan was detected, or it is part of a much wider attack, it should be quarantined and isolated.

Answer 290

C. When you know where the issue is and what systems have been affected, you should contain those systems so that threats cannot spread through the network. To do this, you disable network access for the affected computers and devices, or you place them in a sandbox network. You also should change passwords so intruders no longer have access.

Answer 291

D. Network segmentation is an architectural approach that divides a network into multiple networks, subnets, or segments. It allows network administrators to control the flow of traffic between these networks based on a granular policy.

Answer 292

A. A SOAR system alerts for suspected phishing emails, endpoint attacks, failed user logins, malware, and other threat information that come from a variety of detection sources, such as SIEMs, systems, switches, and logging services. IT operations use a SOAR runbook for reference for routine procedures that administrators perform. A SOAR playbook provides manual orchestration of incident response. Web content filtering is the practice of blocking access to web content that may be deemed offensive or inappropriate, or even contain dangerous items.

Answer 293

D. Data preservation is the first step when litigation has been filed or will be soon filed, with a focus on the preservation of data in its current state, such as emails, SMS, MMS, and deleted messages (still on disk and not destroyed) on all devices including cell phones, PCs, and mobile devices.

Answer 294

``` B. File formats can vary, as well as settings for recording video, such as frames per second (FPS) and video resolution. These features can all factor into how and what video information is stored. ```

Answer 295

B. It has become imperative that evidence collection standards and procedures are consistent, documented, and coherent in the chain of custody. Strict guidelines are to be followed, and accurate documentation must be kept.

Answer 296

B. Evidence tagging helps identify collected items. A tag can consist of something as little as a sticker with the date, time, control number, and name or initials of the investigator. Using a control number is an easy way to identify a piece of evidence in documentation, such as a chain of custody. The combination of a tag and photographs can provide the exact location and condition in which the item was collected.

Answer 297

A. The collection of evidence should start with the most volatile item and end with the least volatile. The order of volatility is the order in which the digital evidence is collected.

Answer 298

``` D. Forensic artifacts are objects that have forensic value. They are not behaviorally driven; they do not necessarily reflect the behavior or intent of a threat actor or adversary. Some of the artifacts that can be extracted from suspect hosts are logs, the registry, the browser history, the RDP cache, and Windows Error Reporting (WER). ```

Answer 299

B. RAM is considered volatile memory. It is perceived to be more trusted than nonvolatile memory, like ROM, disk, magnetic, or optical storage. Investigations using live forensic techniques require special handling because the volatile data in RAM can contain code used by attackers.

Answer 300

D. Checksums may also be called hashes. Small changes in a file produce different-looking checksums. You can use checksums to check files and other data for errors that occur during transmission or storage, as well as for evidence in a forensic investigation to ensure it hasn’t been tampered with

Answer 301

B. Cloud-based and on-premises are simply terms that describe where systems store data. Many of the same vulnerabilities that affect on-premises systems also affect cloud-based systems.

Answer 302

D. A copy of digital evidence must be properly preserved and collected in accordance with forensic best practices. Otherwise, the digital evidence may be inadmissible in court, or spoliation sanctions may be imposed.

Answer 303

A. Organizations should have a legal hold process to perform e-discovery to preserve and gather such information.

Answer 304

C. Forensic data recovery is the extraction of data from damaged, deleted, or purposely destroyed evidence sources in a forensically sound manner. This method of recovering data means that any evidence resulting from it can later be relied on in a court of law.

Answer 305

D. Nonrepudiation makes it difficult to successfully deny who and where a message came from as well as the authenticity and integrity of that message. Digital signatures can offer nonrepudiation when it comes to online transactions.

Answer 306

A. Counterintelligence is information gathered and activities conducted to protect against espionage, other intelligence activities, or sabotage conducted by or on behalf of other elements. The intelligence is designed to quickly direct resources to the most significant problems first and address them head on.

Answer 307

A. Managerial controls are techniques and concerns addressed by an organization’s management (managers and executives). Generally, these controls focus on decisions and the management of risk. They also concentrate on procedures, legal and regulatory policies, the software development lifecycle (SDLC), the computer security lifecycle, information assurance, and vulnerability management/scanning. In short, these controls focus on how the security of your data and systems is managed.

Answer 308

B. Operational controls are the controls executed by people. They are designed to increase individual and group system security. They include user awareness and training, fault tolerance and disaster recovery plans, incident handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these controls must have technical expertise and understand how to implement what management desires of them

Answer 309

A. Technical controls are the logical controls executed by the computer system. Technical controls include authentication, access control, auditing, and cryptography. The configuration and workings of firewalls, session locks, RADIUS servers, or RAID 5 arrays would be within this category, as well as concepts such as least privilege implementation.

Answer 310

D. Preventative controls are employed before an event and are designed to prevent an incident. Examples include biometric systems designed to keep unauthorized persons out, network intrusion prevention systems (NIPSs) to prevent malicious activity, and RAID 1 to prevent loss of data. They are also sometimes referred to as deterrent controls. Preventative controls enforce security policy and should prevent incidents from happening. The only way to bypass a preventative control is to find a flaw in its implementation or logic. These controls are usually not optional. Examples of preventative controls are access lists, passwords, and fences

Answer 311

D. Detective controls aim at monitoring and detecting any unauthorized behavior or hazard. These types of controls are generally used to alert of a failure in other types of controls such as preventative, deterrent, and compensating controls. Detective controls are very powerful while an attack is taking place, and they are useful in the post-mortem analysis to understand what has happened. Audit logs, intrusion detection systems, motion detection, and Security Information and Event Management (SIEM) systems are examples of detective controls.

Answer 312

B. Corrective controls are used after an event. They limit the extent of damage and help the company recover from damage quickly. Tape backup, hot sites, and other fault tolerance and disaster recovery methods are also included here. They are sometimes referred to as compensating controls. Corrective controls include all the controls used during an incident to correct the problem. Quarantining an infected computer, sending a guard to block an intruder, and terminating an employee for not having followed the security policy are all examples of corrective controls.

Answer 313

B. Compensating controls, also known as alternative controls, are mechanisms put in place to satisfy security requirements that are either impractical or too difficult to implement. For example, instead of using expensive hardwarebased encryption modules, an organization might opt to use network access control (NAC), data loss prevention (DLP), and other security methods. Or, on the personnel side, instead of implementing separation of duties, an organization might opt to do additional logging and auditing. You should approach compensating controls with great caution. They do not give the same level of security as their replaced counterparts.

Answer 314

A. The General Data Protection Regulation is a European Union (EU) law that was enacted in 2018. Its overall focus is on data protection and privacy for individuals. Although it is a law enacted in the EU, it applies to any organization collecting information about people in the EU. This means that if your organization collects and handles the personal data of EU citizens, then this regulation applies to you. For instance, if you run a business that offers goods or services in the EU and that business requires you to collect information about your customers, then you would be required to follow the GDPR requirements. Not following them could result in large fines. This is one of the factors that makes GDPR a larger concern to organizations than many other laws that have been in place for many years. GDPR penalties can be very high. For additional information on GDPR, refer to https://gdpr.eu/.

Answer 315

B. The Sarbanes–Oxley Act (SOX), enacted in 2002, governs the disclosure of financial and accounting information.

Answer 316

A. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, governs the disclosure and protection of health information.

Answer 317

D. The Center for Internet Security (CIS) is a nonprofit organization that was established in 2000. Its overall goal is to provide security best practice guidance for enhancing the security of cyberspace.

Answer 318

C. The National Institute of Standards and Technology (NIST) developed the Risk Management Framework (RMF) in 2017 as a result of an executive order from the president, which required all federal agencies to comply with it. For mor information about the NIST RMF, visit www.nist.gov/cyberframework/ risk-management-framework.

Answer 319

C. The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) in 2014 as a result of executive order 13636 from the president. The NIST CSF is made of five core functions: Identify, Protect, Detect, Respond, and Recover. For more information about the NIST CSF, visit www.nist.gov/cyberframework.

Answer 320

A. The Cloud Security Alliance (CSA) is a nonprofit organization established in 2008 with the goal of promoting security best practices in cloud computing environments. The Cloud Controls Matrix is a framework established by the CSA for cloud computing. This organization also developed the reference architecture to help cloud providers with guidance on developing secure interoperability best practices. For more information related to CSA, visit https://cloudsecurityalliance.org/.

Answer 321

C. Security Content Automation Protocol (SCAP) was created to provide a standardized solution for security automation. The SCAP mission is to maintain system security by ensuring security configuration best practices are implemented in the enterprise network, verifying the presence of patches, and maintaining complete visibility of the security posture of systems and the organization at all times.

Answer 322

A. The Privacy Act of 1974 sets many standards when it comes to the security of personally identifiable information (PII). However, most organizations will go further and define their own privacy policy, which explains how users’ identities and other similar information will be secured. For example, if an organization has an Internet-based application that internal and external users access, the application will probably retain some of their information—possibly details of their identity. Not only should this information be secured, but the privacy policy should state in clear terms what data is allowed to be accessed, and by whom, as well as how the data will be retained and distributed (if at all). An organization might also enact a policy that governs the labeling of data to ensure that all employees understand what data they are handling and to prevent the mishandling of confidential information. Before any system administrators or other personnel gather information about these users, they should consult the privacy policy.

Answer 323

B. Acceptable use policies (AUPs) define the rules that restrict how a computer, network, or other system may be used. They state what users are and are not allowed to do when it comes to the technology infrastructure of an organization. Often, employees must sign an AUP before they begin working on any systems. This policy protects the organization but also defines to employees exactly what they should and should not be working on.

Answer 324

A. Separation of duties defines when more than one person is required to complete a particular task or operation. This distributes control over a system, infrastructure, or particular task.

Answer 325

D. When it comes to information security, due diligence means ensuring that IT infrastructure risks are known and managed. An organization needs to spend time assessing risk and vulnerabilities and might state in a policy how it will give due diligence to certain areas of its infrastructure.

Answer 326

D. Due care is the mitigation action that an organization takes to defend against the risks that have been uncovered during due diligence.

Answer 327

B. Due process is the principle that an organization must respect and safeguard personnel’s rights. The purpose is to protect the employee from the state and from frivolous lawsuits.

Answer 328

A. All employees should be trained on personally identifiable information (PII). This information is used to uniquely identify, contact, or locate a person. This type of information could be a name, birthday, Social Security number, biometric information, and so on. Employees should know what identifies them to the organization and how to keep that information secret and safe from outsiders. Another key element of user education is the dissemination of the password policy. Employees should understand that passwords need to be complex and know the complexity requirements. They should also understand that they should never give out their password or ask for another person’s password to any resource.

Answer 329

C. A memorandum of understanding (MOU) is not an agreement at all, but an understanding between two organizations or government agencies. It does not specify any security controls either. However, a memorandum of agreement (MOA) does constitute a legal agreement between two parties wishing to work together on a project but still does not detail any security controls.

Answer 330

B. A business partnership agreement (BPA) is a type of contract that can establish the profits each partner will get, what responsibilities each partner will have, and exit strategies for partners. Often this type of agreement applies to supply chain and business partners.

Answer 331

B. Top secret means the highest sensitivity of data; few people should have access, and security clearance may be necessary. Information is broken into sections on a need-to-know basis.

Answer 332

B. When you’re discussing policies for systems internal to your organization or devices that are owned by your organization, such as servers and laptops, it is also important to detail policies regarding how they should be deployed. For instance, service accounts should follow a specific credential policy. Often service accounts have higher-level permissions to enable the specific service. That means these accounts can cause more damage if they are compromised. They should always be configured using the least privilege approach. There should also be a service account for each service.

Answer 333

B. Change management is a structured way of changing the state of a computer system, network, or IT procedure. The idea behind this is that change is necessary, but that an organization should adapt with change and be knowledgeable of it. Any change that a person wants to make must be introduced to the heads of each department that it might affect. They must approve the change before it goes into effect. Before this happens, department managers will most likely make recommendations and/or give stipulations. When the necessary people have signed off on the change, it should be tested and then implemented. During implementation, it should be monitored and documented carefully.

Answer 334

A. Risks to your organization or environment can come in many shapes and forms. The primary concern of most organizations is external risk. This is, of course, the biggest concern to most because it is risk that comes from an external entity who could have many different motivations and therefore targets the inside of your organization. Many imagine an external “hacker” as someone sitting in a basement hammering away at the keyboard in front of 10 different monitors in a black hoodie. That, of course, is usually not the case. External risk most likely is from an organized threat actor or an organization of threat actors who have various motivations. To carry out their attacks, they will use many different methods. The primary goal of external attackers is to gain access to your organization’s computing environment, gain a foothold, and keep it as long as possible to carry out their objectives, whatever they may be.

Answer 335

B. Many organizations tend to overlook internal risks. The majority of internal risk stems from employees or those internal to the organization such as contractors. While the motivation of external cybercriminals may be to gain and keep access, the internal threat actor already has access to the organization’s environment. This person’s motivations are usually different from those of external threat actors—although the goal may be the same in the end. Most internal attacks result in the exfiltration or destruction of sensitive data that belongs to the organization. The theft of intellectual property (IP) is a primary goal of internal and external threat actors.

Answer 336

A. Risk management can be defined as the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks. Specifically, when we talk about computer hardware and software, risk management is also known as information assurance (IA). The two common models of IA include the well-known CIA, and the DoD’s “Five Pillars of IA,” which comprise the concepts of the CIA triad (confidentiality, integrity, and availability) but also include authentication and nonrepudiation.

Answer 337

D. Some organizations opt to avoid risk. Risk avoidance usually entails not carrying out a proposed plan because the risk factor is too great. An example of risk avoidance: If a high-profile organization decided not to implement a new and controversial website based on its belief that too many attackers would attempt to exploit it.

Answer 338

C. An example of risk transference (also known as risk sharing) would be an organization that purchases cybersecurity insurance for a group of servers in a data center. The organization still takes on the risk of losing data in the case of server failure, theft, and disaster, but transfers the risk of losing the money those servers are worth in case they are lost.

Answer 339

B. Risk assessment is the attempt to determine the number of threats or hazards that could possibly occur in a given amount of time to your computers and networks.

Answer 340

B. Qualitative risk assessment is an assessment that assigns numeric values to the probability of a risk and the impact it can have on the system or network.

Answer 341

C. NIST defines risk mitigation as “prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.”

Answer 342

A. Person-made disasters can be defined as being caused by the influence of humans.

Answer 343

A. Mean time between failures (MTBF) defines the average number of failures per million hours of operation for a product in question.

Answer 344

A. Although it’s impossible to predict the future accurately, it can be quantified on an average basis using concepts such as mean time between failures (MTBF).

Answer 345

A. Regardless of what industry you are responsible for protecting, the ultimate goal is to protect your intellectual property. This is, of course, the crown jewels and can be in many different forms. For a company that develops software, the crown jewels are the source code of the product it is selling. Even a company that produces food products has intellectual property that it is trying to protect, such as a secret recipe

Answer 346

B. The US Securities and Exchange Commission (SEC) requires that any publicly traded company provide a public notification and disclosure of a data breach.

Answer 347

A. Unauthorized access to top secret information would cause grave damage to national security.

Answer 348

D. Unauthorized access to unclassified information would cause no damage to national security

Answer 349

D. Unauthorized access to private information could cause severe damage to the organization. Examples of information or assets that could receive this type of classification are human resources (HR) information (for example, employee salaries) and medical records.

Answer 350

B. According to the Executive Office of the President, Office of Management and Budget (OMB) and the U.S. Department of Commerce, Office of the Chief Information Officer, personally identifiable information, or PII, refers to “information which can be used to distinguish or trace an individual’s identity.”

Answer 351

B. Data minimization is a term used to explain a concept or approach to privacy design. The overall concept of data minimization is simply to minimize the amount of your personal information that is consumed by online entities. Data minimization is a privacy tool that is used in many different ways. For instance, a website may choose to not store your personal information if it is not needed—as opposed to many that store it and even resell it for a profit. Additionally, it can be used to develop policies regarding the amount of time the data that is collected about you is actually maintained before being permanently deleted. Individuals can also use tools that will clear information from applications such as web browsers. As you know, web browsers collect a large amount of data, which could in turn be compromised. Minimizing this data reduces the risk of such a compromise.

Answer 352

C. Another privacy enhancing technology concept is data masking. The goal of data masking is to protect or obfuscate sensitive data. This goal must be achieved while not rendering the data unusable in any way. An example of data masking being used in a real-world environment would be data that is displayed on terminal screens in banks or doctors’ offices. Social Security numbers can be masked to show only the last four digits so that they can be used for verification purposes while not exposing the full Social Security number.

Answer 353

B. The data owner, also called the information owner, is usually part of the management team and maintains ownership of and responsibility over a specific piece or subset of data. Part of the responsibility of this role is to determine the appropriate classification of the information, ensure that the information is protected with controls, to periodically review classification and access rights, and to understand the risk associated with the information.

Answer 354

D. The General Data Protection Regulation (GDPR) in the European Union (EU) defines the information lifecycle in four different phases. It is sometimes named differently based on the source; however, the phases themselves are still the same. Starting with the collection of data, this is obviously the phase where the data is consumed by the data processor. GDPR states that when collecting data there must be a defined consent from the data owner as well as a clear definition of how the data will be used. The overall intent is to follow the principle of collecting only data that is necessary and not overcollecting.

Answer 355

A. Before data is collected, stored, secured, and disposed of throughout the information lifecycle, it is important to understand how that data, if compromised, could impact the privacy of the individuals whose data it holds. To accomplish this, an organization should complete an impact assessment on any new projects that are to be instated where data will be collected as well as any time the scope of the data use will change. These impact assessments are also sometimes called Privacy Impact Assessments (PIAs) or Data Privacy Impact Assessments (DPIAs). The result of an impact assessment should produce some kind of report that will identify specific high risks to the data subjects and provide recommendations on how that risk can be minimized. A PIA or DPIA is also something that is required in the GDPR.

Answer 356

D. Another privacy concept that has been adopted by the General Data Protection Regulation (GDPR) in the European Union (EU) is the terms of agreement. In many cases, this is called the data processing agreement. The overall purpose of the data processing agreement is to protect the personal information and the individuals the data is about. The agreement is actually a legal contract that is agreed upon by any entities that will fit the role of data processor in the information lifecycle. This is one of the basic requirements of GDPR and will lead to fines if not followed by an organization collecting data.

Answer 357

D. Along with the agreement of how data will be collected, utilized, and processed by an organization, the organization must also provide notification to the individuals it is collecting data from or about. Again, this is a requirement for the General Data Protection Regulation (GDPR) in the European Union (EU). GDPR ensures that individuals are notified about how their data is being used. This is done via a privacy notice. The notice itself is a document sent from the collecting organization stating how it is conforming to data privacy principles.