Comptia review questions Flashcards

(247 cards)

1
Q

You go out the back door of your building and notice someone looking
through your company’s trash. If this person were trying to acquire sensitive
information, what would this attack be known as?

A

Dumpster diving

2
Q

User education can help to defend against which type of attacks?

A

Social engineering

3
Q

You can often configure your email servers or email cloud services to add
a message in the email subject line to identify emails that are coming from
outside of the organization. This technique is also known as __________.

A

Prepending

4
Q

What is the most common reason that social engineering succeeds?

A

Lack of user awareness

5
Q

In which two environments would social engineering attacks be most effective?

A

A public building with shared office space

6
Q

What is a social engineering technique used by adversaries that leverages user
errors (“typos”) when entering a given URL in their web browser for a given
website?

A

Typo squatting

7
Q

A man pretending to be a data communications repair technician enters your
building and states that there is networking trouble and he needs access to the
server room. What is this an example of?

A

Social engineering

8
Q

Turnstiles, double entry doors, and security guards are all preventive measures
for what kind of social engineering?

A

Tailgating

9
Q

What is the social engineering technique where the attacker redirects the
victim from a valid website or resource to a malicious one that could be made
to appear as the valid site to the user?

A

Pharming

10
Q

Why would you implement password masking and privacy screens/filters?

A

To deter shoulder surfing

11
Q

What is a group of compromised computers that have software installed by a
worm or Trojan?

A

Botnet

12
Q

What term is often used to describe a compromised system that can be
updated automatically and remotely?

A

Bot

13
Q

What is a common symptom of spyware?

A

Pop-up windows with advertisements

14
Q

You noticed that your DHCP server is flooded with information. After analyzing this condition, you found that the information is coming from more than
100 computers on the network. What is most likely the reason?

A

You have been infected with a worm

15
Q

Which type of malicious software encrypts sensitive files and asks the user to
pay in order to obtain a key to recover those files?

A

Ransomware

16
Q

What is a malicious attack that executes at the same time every week?

A

Logic bomb

17
Q

What is still one of the most common ways that attackers spread ransomware?

A

Through email

18
Q

What is a type of malware that appears to a user as legitimate but actually
enables unauthorized access to the user’s computer?

A

Trojan

19
Q

What tool is used by many penetration testers, attackers, and even malware
that can be useful for retrieving password hashes from memory?

A

Mimikatz

20
Q

What is the act of restructuring driver code called?

A

Driver refactoring

21
Q

What type of attack occurs when the attacker performs an MITM attack and
can redirect a client to an insecure HTTP connection?

A

SSL stripping attack

22
Q

What is a modern framework of API documentation and development that is
the basis of the OpenAPI Specification (OAS)?

A

Swagger

23
Q

What type of attack occurs when a user browsing the web is tricked into clicking something different than what the user thought he or she was clicking?

A

Clickjacking

24
Q

What type of attack is difficult to exploit because it takes advantage of the
small window of time between when a service is used and its corresponding
security control is executed in an application, operating system, or when temporary files are created?

A

Race condition

25
What feature is supported in most modern operating systems that can help prevent the exploitation of buffer overflows, remote code execution, and memory corruption vulnerabilities?
Address space layout randomization (ASLR)
26
What is a type of input validation vulnerability and attack against an application that parses XML input?
XML External Entity (XXE)
27
What is a Microsoft scripting language that attackers have used to perform post-exploitation activities such as privilege escalation or to enumerate users?
PowerShell
28
What is a standard that was designed to thwart spammers from spoofing your domain to send email?
DMARC
29
What is a web application vulnerability that could allow an attacker to perform a URL redirection attack?
Cross-site scripting (XSS)
30
What is the modification of name resolution information that should be in a DNS server’s cache?
DNS poisoning
31
In what type of attack does the attacker sniff the network for valid MAC addresses and then use those MAC addresses to perform other actions?
MAC cloning or spoofing
32
What includes the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence, technical and people weakness identification, and more)?
MITRE PRE-ATT&CK
33
What standard was designed to document threat intelligence in a machine-readable format?
STIX
34
What standard was designed as a transport mechanism of threat intelligence and to perform automated indicator sharing (AIS)?
TAXII
35
What is the vulnerability database maintained by NIST?
National Vulnerability Database (NVD)
36
What is the attack vector where evil twins are used?
Wireless
37
You were hired to perform a penetration test against three different applications for a large enterprise. You are considered a(n) ______________ hacker.
Authorized or ethical
38
You are hired to investigate a cyber attack. Your customer provided different types of information collected from compromised systems such as malware hashes and the IP address of a potential command and control (C2). What are these elements often called?
Indicators of compromise (IoCs)
39
What name is often used to describe a government or state-sponsored persistent and sophisticated attack?
Advanced persistent threat (APT)
40
What is the term used when an employee or a group of employees use IT systems, network devices, software, applications, and services without the approval of the corporate IT department?
Shadow IT
41
What software tool or service acts as the gatekeeper between a cloud offering and the on-premises network, allowing an organization to extend the reach of its security policies beyond its internal infrastructure?
Cloud access security broker (CASB)
42
What is the name given to a type of vulnerability that is disclosed by an individual or exploited by an attacker before the creator of the software can create a patch to fix the underlying issue?
Zero-day vulnerability
43
What cloud architecture model is a mix of public and private, but one where multiple organizations can share the public portion?
Community cloud
44
What type of vulnerability occurs when an attacker obtains control of a target computer through some sort of vulnerability, gaining the power to execute commands on that remote computer?
Remote code execution (RCE)
45
What protocol uses TCP ports 465 or 587 in most cases?
SMTP with TLS encryption
46
What type of vulnerability scanner can be used to assess vulnerable web services?
A web application vulnerability scanner
48
What documents do vendors, vulnerability coordination centers, and security researchers publish to disclose security vulnerabilities?
Security advisories and bulletins
49
What term is used to describe an organization that can assign CVEs to vulnerabilities?
CVE Numbering Authorities (CNAs)
50
What public database can anyone use to obtain information about security vulnerabilities affecting software and hardware products?
National Vulnerability Database (NVD)
51
How many score “groups” are supported in CVSS?
Three
52
A vulnerability with a CVSS score of 4.9 is considered a ___________ severity vulnerability.
Medium
53
What is the process of iteratively looking for threats that may have bypassed your security controls?
Threat hunting
54
You were hired to perform a penetration test against a set of applications. After the exploitation phase, you need to maintain a foothold in a compromised system to perform additional tasks such as installing and/or modifying services to connect back to the compromised system. This process is referred to as _____________.
Persistence
55
What is the process of elevating the level of authority (privileges) of a compromised user or a compromised application?
Privilege escalation
56
What is the term used to define the type of testing where the penetration testers may be provided credentials but not full documentation of the network infrastructure?
Partially known environment
57
What is the term used when an organization provides recognition or compensation to security researchers and ethical hackers who report security vulnerabilities or bugs? Often organizations can use brokers and companies that manage the compensation and communication with the security researchers.
Bug bounties
58
OSINT is used in the ________ reconnaissance phase of the penetration testing lifecycle.
Passive
59
In the context of site resiliency, a ________ will have backups of data that might need to be restored; they will probably be several days old. This type of site is chosen most often by organizations because it has a good amount of configuration yet remains less expensive than a hot site.
Warm site
60
What can be used as bait files intended to lure adversaries to access and then send alarms to security analysts for detection?
Honeyfiles
61
What is the name given to a set of access control technologies that are used to control the use of proprietary hardware, software, and copyrighted works?
Digital rights management (DRM)
62
What term is used when data is actively used and undergoing constant change? For instance, data could be stored in databases or spreadsheets and be processed by running applications.
Data in use/processing
63
What is the process of generating a random value for plaintext data and storing the mapping in a database?
Tokenization
64
What system can be used to interconnect a virtual private cloud (VPC) and on-premises networks?
Transit gateway
65
___________ are used in the process of creating, assigning, and managing rules over the cloud resources that systems (virtual machines, containers, and so on) or applications use.
Resource policies
66
What is a series of tools and technologies used to connect different systems, applications, code repositories, and physical or virtual network infrastructure to allow the real-time exchange of data and processes?
Cloud services integration
67
AWS Lambda is an example of which type of cloud service architecture?
Serverless architecture
68
OpenDaylight (ODL) is an example of a(n) _________ controller.
SDN
69
What type of debugging is carried out by examining the code without executing the program? It can be done by scrutinizing code visually, or with the aid of specific automated tools (static code analyzers) based on the language being used.
Static analysis
70
What is the process of measuring your source code’s quality when it is passed on to the quality assessment (QA)?
Software integrity measurement
71
What is the software development environment where you create your code on your computer or in the cloud?
Development
72
What is a development environment that allows you to test your code or application but is as similar to the production environment as it can be? This environment allows you to ensure that each component of your application still does its job with everything else going on around it.
Staging
73
What is a software development and project management process where a project is managed by breaking it up into several stages and involving constant collaboration with stakeholders and continuous improvement and iteration at every stage?
Agile
74
What can replicate data widely to increase availability and reliability and thus reduce response time?
Directory services
75
What directory service operation targets a specific, unique entry, such as a domain name?
Lookup
76
What is the process where one system is responsible for authentication of a user and provides that information to another resource as authenticated?
Federation
77
Which biometric method uses blood vessel patterns as a personal identifying factor?
Vein or vein authentication
78
What is the study of a human motion, body mechanics, and activity of the muscles?
Gait analysis
79
What is the point where the false rejection rate (FRR) and the false acceptance rate (FAR) are equal?
The crossover error rate (CER) describes the point where the false rejection rate (FRR) and false acceptance rate (FAR) are equal. The crossover error rate describes the overall accuracy of a biometric system.
80
What is geographical dispersal?
Geographical dispersal is the practice of placing valuable data assets around the city, state, country, or world to provide an extra level of protection from attacks, mistakes, and disasters.
81
What is disk redundancy?
In the simplest of terms, disk redundancy is a system’s ability to write data to two or more disks at the same time. Having the same data stored on separate disks enables you to recover the data in the event of a disk failure.
82
What is a UPS?
An uninterruptible power supply or uninterruptible power source (UPS) is an electrical device that provides emergency power to a load when the input power source or mains power fails. Generally, UPSs are battery based—a bank of batteries and circuits that provide power during main power failure.
83
What is replication?
Data replication via a SAN is the most common method of replication. Replicating data from one data center to another via dual SANs allows you to replicate large volumes of data quickly using SAN technology.
84
What is reverting to known state?
Reverting to known state is returning the system to a state prior to a specific moment in time or state of existence.
85
What is an Arduino device?
Arduino devices are hardware and software combined into an extremely flexible platform; they can read inputs such as a light on a sensor or a button press. The Arduino software is easy for beginners to use yet flexible enough for advanced users. It runs on Mac, Windows, and Linux.
86
What is the purpose of an FPGA?
Field-programmable gate arrays (FPGAs) are integrated circuits designed to be configured by a customer or designer after manufacturing, hence the term field programmable.
87
What systems do the SCADA/ICS control systems actually control in the manufacturing process?
In the manufacturing process, control systems can help with the reduction of product errors and discards, due to earlier problem detection and remedies. These systems improve productivity, maximizing the effectiveness of machine uptime.
88
Look around your house. What IoT-related devices do you own? What is the number one problem with IoT devices being developed and sold?
Cybersecurity and attacks on the platform are the biggest problem with IoT devices being developed and sold. Cybersecurity must be designed into IoT devices from the ground up and at all points in the ecosystem to prevent vulnerabilities in one part from jeopardizing the security of the entire system.
89
Today’s vehicles are mostly computerized. Which protocol/system do most vehicles use for ECU to communicate between themselves?
The CAN bus system enables each ECU to communicate with all other ECUs, without complex dedicated wiring. An ECU can prepare and broadcast information (that is, sensor data) via the CAN bus, which consists of two wires: CAN low and CAN high. The broadcast data is accepted by all other ECUs on the CAN network.
90
What are badges used for in physical security controls?
An access badge is a credential used to gain entry to an area having automated readers at access control entry points.
91
What purpose does signage serve in controlling security in a building or factory?
Appropriately placed signage provides direction and guidance for staff and visitors; it also provides clear expectations and the repercussions for failure to abide by those rules.
92
What does industrial camouflage accomplish in today’s business and industrial environment?
It enables corporate, industrial, and data centers to blend into their environment. When you surround the premises with trees, bushes, and vegetation and implement low-profile security measures around the perimeter, the building becomes one with the area. This ensures it does not stick out and become a highly visible target.
93
How does two-person integrity/control ensure systems and corporate data integrity are accomplished?
One of the two people is there as an observer; this person monitors the person performing the work and ensures that person is performing work exactly as described in the change request and can also question any variance. The monitor typically reports any unusual or suspicious activity immediately to security or the guards’ office.
94
What sensors provide access to an area?
A proximity reader or prox reader, typically an RFID reader, reads a card by placing it near (within proximity of) the reader. The reader sends energy in the form of a field to the card, powering up the card, which enables the reader to read the information stored on the prox card. Prox cards are used as part of an access control system.
95
Digital signatures employ which stream type?
Digital signatures employ asymmetric cryptography. In many instances, they provide a layer of validation and security to messages sent through a nonsecure channel. Properly implemented, a digital signature gives the receiver reason to believe the message was sent by the claimed sender.
97
What are key stretching techniques used for?
Key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against brute-force attacks by increasing the resources (time and possibly space) needed to test each possible key.
98
What does salting passwords protect against?
Salts defend against a precomputed hash attack. Because salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.
99
What type of key do block ciphers use?
Block ciphers are an encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text instead of encrypting one bit at a time as in stream ciphers.
100
What type of encryption is known as public key cryptography?
Asymmetric encryption is also known as public key cryptography; asymmetric encryption uses two keys to encrypt plaintext. Secret keys are exchanged over the network. This type of encryption ensures that malicious persons do not misuse the keys. It is important to note that anyone with the secret key can decrypt the message, and this is why asymmetric encryption uses two related keys to boost security.
101
With an asymmetric key system, to send an encrypted message to someone, what must you encrypt the message with?
In an asymmetric key system, each user has a pair of keys: a private key and a public key. To send an encrypted message, you must encrypt the message with the recipient’s public key. The recipient then decrypts the message with his or her private key. The easiest thing to remember is that public keys encrypt and private keys decrypt.
102
What kind of key is designed to be used for a single transaction or session?
Ephemeral describes something of a temporary or short duration. Ephemeral keys are designed to be used for a single transaction or session. The term ephemeral is increasingly used in computer technology.
103
What is a secure protocol?
A cryptographic protocol or encryption protocol is an abstract of a protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives.
104
How does SSH help secure connections?
SSH uses encryption to ensure secure transfer of information between the host and the client. Host refers to the remote server you are trying to access, and the client is the computer you are using to access the host.
105
What cryptography method does S/MIME use?
S/MIME is based on asymmetric cryptography, which uses a pair of mathematically related keys to operate: a public key and a private key.
106
Secure Real-Time Transport Protocol uses which cipher by default?
SRTP and SRTCP use the Advanced Encryption Standard (AES) as the default cipher.
107
LDAPS is a secure version of LDAP that is used to communicate with Active Directory. What TCP port does LDAPS over SSL/TLS use?
You can enable LDAPS by installing a properly formatted certificate from a certificate authority (CA) according to the guidelines. LDAPS over SSL/TLS uses TCP port 636.
108
What are the three strategies that antimalware software uses to protect systems from malicious software?
Antimalware software uses signature-based detection, behavior-based detection, and sandboxing.
109
What is the first step toward achieving a trusted infrastructure on computers and networking devices?
Boot integrity refers to using a secure method to boot a system and verify the integrity of the operating system and loading mechanism. Boot integrity represents the first step toward achieving a trusted infrastructure.
110
In boot attestation, what is measured and committed during the boot process?
In boot attestation, software integrity measurements are immediately committed to during boot, thus relaxing the traditional requirement for secure storage.
111
What places an exterior guard on the internal contents of a device?
Full-disk encryption (FDE) is a cryptographic method that applies encryption to the entire hard drive, including data, files, operating system, and software programs. FDE places an exterior guard on the internal contents of the device.
112
What aspect of a disk array requires that replacement drives be configured to match the encryption protection at installation?
Self-encrypting drives (SEDs) are disk drives that use an encryption key to secure the data stored on the disk. This encryption protects the data and array from data theft when a drive is removed from the array. Because SED operates across all disks in an array at once, the drive must be configured as an SED when introduced to the array.
113
During an audit of your servers, you notice that most servers have large amounts of free disk space and have low memory utilization. What is the primary impact on your organization when utilizing this type of practice?
Cost
114
What concept of network security can help defend against pivoting during a compromise?
Network segmentation
115
Which kind of VPN implementation does not install software on the host system to establish the VPN connection?
Clientless
116
In which type of attack does an attacker generate a high number of requests over port 53?
DNS amplification
117
Which type of network security control could be used to control access to a network based on the security posture?
Network access control (NAC)
118
Which type of management access would require an alternative path?
Out-of-Band
119
Which feature present in most Cisco switches is used to provide access control by restricting the MAC address that can connect?
Port security
120
Which type of appliance secures a network by keeping machines behind it anonymous?
Proxy server
121
Which type of ACL would control access based on MAC address?
Layer 2
122
Which routing protocol is most common in route manipulation attacks?
Border Gateway Protocol (BGP)
123
Which QOS feature can be used for guaranteed bandwidth?
Class-based weighted fair queuing (CBWFQ)
124
Which type of IPv6 address is structured like a unicast address?
Anycast
125
What is one of the key enhancements in WPA3 and a replacement for PSK?
SAE
126
What type of EAP authentication uses the protected access credential?
EAP-FAST
127
What type of EAP authentication uses the protected access credential?
CCMP
128
What encryption protocol addresses some of the vulnerabilities of TKIP?
Supplicant
129
Which component of 802.1X is a software client?
Authenticator
131
Which tool can be used to get a visual picture of Wi-Fi channel saturation?
Wi-Fi Analyzer
132
Which encryption protocol is used with WPA2 and WPA3?
AES
133
What solution do some organizations use to address BYOD challenges, where users connect to an environment to access all the applications and data needed to do their work?
Virtual desktop infrastructure (VDI)
134
What is a security enhancement based on mandatory access control (MAC)?
SEAndroid
135
What is the adding of data to content that would help gather location-specific information?
Geotagging
136
What is the denial of individual applications called?
Application deny/block list
137
What is the sending of unsolicited messages to Bluetooth-enabled devices such as mobile phones?
Bluejacking
138
What mobile phone feature allows a phone to connect an external device such as a USB flash drive?
USB On-The-Go (USB OTG)
139
What is the unauthorized access of information from a wireless device through a Bluetooth connection?
Bluesnarfing
140
What is the art of loading third-party apps from a location outside the official application store for that device?
Sideloading
141
In cloud computing environments, which type of policy would be used to control access to things like CPU and memory allocation?
Resource policies
142
What cloud security control is utilized by a cloud computing environment to handle API keys?
Secrets management
143
In cloud computing environments, what is a term used for storage instances?
Buckets
144
Which type of subnet would have a route to the Internet?
Public subnet
145
What tool is used to control access to cloud-based environments?
CASB
146
What cloud security solution would help to enable remote worker access more efficiently?
SWG
147
Which Open Systems Interconnection (OSI) layer do cloud-based firewalls focus on?
Application
148
Which type of cloud control is typically provided by the actual cloud computing environment vendor?
Cloud native
149
Which command can be used to determine who is logged in to a Linux system?
whoami
150
What factor of multifactor authentication utilizes something you are?
Biometrics
151
How many factors are needed for multifactor authentication?
Two
152
Which type of password is generated by an external entity and synchronized with internal resources?
One-time password (OTP)
153
What type of access control is dynamic and context-aware?
Attribute-based access control (ABAC)
154
_________ is the actual method of determining the physical location of the user trying to authenticate.
Geolocation
155
What is a security model where users are given only the number of privileges needed to do their job?
Least privilege
156
What concept denies all traffic to a resource unless the users who generate the traffic are specifically granted access to the resource?
Implicit deny
157
What kind of file system permissions are broken down into read, write, and execute?
Linux
158
What is an access model based on roles or sets of permissions involved in an operation?
Role-based access control (RBAC)
159
What is an access model where access is controlled by the owner?
Discretionary access control (DAC)
160
What is a system used to centrally manage access to privileged accounts?
Privileged access management (PAM)
161
What is an access model where permissions are determined by the system?
Mandatory access control (MAC)
162
What is an authentication protocol designed by MIT that enables computers to prove their identity to each other in a secure manner?
Kerberos
163
What is an access control model that is dynamic and context-aware?
Attribute-based access control (ABAC)
164
What is a physical device that can act as a secure cryptoprocessor?
Hardware security module (HSM)
165
What is an authentication based on knowledge of information associated with an individual?
Knowledge-based authentication (KBA)
166
In X.509, the owner does not use a ______ key.
In X.509, the owner does not use a symmetric key.
167
What two items are included in a digital certificate?
A digital certificate includes the certificate authority’s digital signature and the user’s public key. A user’s private key should be kept private and should not be within the digital certificate.
168
Rick has a local computer that uses software to generate and store key pairs. What type of PKI implementation is this?
Decentralized. When creating key pairs, PKI has two methods: centralized and decentralized. In centralized, keys are generated at a central server and are transmitted to hosts. In decentralized, keys are generated and stored on a local computer system for use by that system.
169
What ensures that a CRL is authentic and has not been modified?
Certificate revocation lists are digitally signed by the certificate authority for security purposes. If a certificate is compromised, it will be revoked and placed on the CRL. CRLs are later generated and published periodically.
170
What encryption concept is PKI based on?
The public key infrastructure is based on the asymmetric encryption concept.
171
You are in charge of PKI certificates. What should you implement so that stolen certificates cannot be used?
You should implement a certificate revocation list so that stolen certificates, or otherwise revoked or held certificates, cannot be used.
172
What should you publish a compromised certificate to?
A compromised certificate should be published to the certificate revocation list.
173
You have been asked to set up authentication through PKI and encryption of a database using a different cryptographic process to decrease latency. What encryption types should you use?
Public key encryption to authenticate users and private keys to encrypt the database. PKI uses public keys to authenticate users. If you are looking for a cryptographic process that allows for decreased latency, then symmetrical keys (private) would be the way to go. So, the PKI system uses public keys to authenticate the users, and the database uses private keys to encrypt the data.
174
Describe key escrow
A key escrow is implemented to secure a copy of the user’s private key (not the public key) in case it is lost.
175
When a user’s web browser communicates with a CA, what PKI element does the CA require from the browser?
The browser must present the public key, which is matched against the CA’s private key.
176
What IP tool on Windows and Linux measures transit delays between packets across a network?
In computing, traceroute is a computer network diagnostic command for displaying possible routes and measuring transit delays of packets across a network.
177
What open-source software allows you to take a suspicious file, isolate it, and run tests to provide a report on its behavior?
Cuckoo Sandbox is open-source software for automating analysis of suspicious files. To do so, it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment. You can throw any suspicious file at it, and in a matter of minutes, Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.
178
What IP level tool is mainly used to verify connectivity to other hosts and uses ICMP?
ping verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) echo request messages.
179
Which IP tool supports TCP, UDP, ICMP, and RAW IP protocols; has the ability to send files and perform firewall testing; and has many advanced features including operating system fingerprinting?
hping supports TCP, UDP, ICMP, and RAW-IP protocols; has a traceroute mode; can send files between a covered channel, and provides many other features. It has a wide range of additional uses, including firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, advanced port scanning, remote uptime guessing, and TCP/IP stack auditing.
181
The curl tool can be used to transfer data from host to host by using which protocol?
The curl command-line tool can transfer data to or from a server, using any of the supported protocols: HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP, or FILE. Curl is powered by Libcurl.
182
Having an incident response plan is imperative; the first step is identifying and having the right people with the right skill sets and experience available and ready to respond. How often should you test and update your plan?
You should regularly test and update your incident response plan. Everyone who is part of the plan should understand their role and the role of others to help reduce confusion during a real event.
183
Part of your incident response process includes the Eradication phase. During this phase, how long afterward should you increase your monitoring?
Regardless of how you choose to eradicate an infection, you need to have a plan for increased monitoring of any affected systems for a period of time (within 30 days) after the eradication process.
184
Incident response simulations are fundamentally about what?
Incident response simulations are internal events that provide a structured opportunity to practice your incident response plan and procedures during a realistic scenario. SIRS events are fundamentally about being prepared and iteratively improving your response capabilities.
185
Which attack framework emphasizes the relationships and characteristics of four basic components?
The Diamond Model of Intrusion Analysis emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims.
186
The cyber kill chain is a series of eight steps that trace stages of a cyber attack. What is step 4?
Privilege escalation: Attackers often need more privileges on a system to get access to more data and permissions; for this, they need to escalate their privileges, often to an administrator account.
187
What is an indicator of a host on your network being compromised?
Indicators can be anything from additional TCP/UDP ports showing as open, to the detection of unauthorized software or unexpected scheduled host system events, to unrecognized outbound communications.
188
How does a SIEM use data correlation to help with discovering what took place during an incident?
Data correlation allows you to take data and logs from disparate systems, like Windows server events, firewall logs, VPN connections, and RAS devices, and bring them all together to see exactly what took place during that event.
189
Application logging can help an investigator by building a picture of what ________ looks like
Logging for critical process information about user, system, and web application behavior can help incident responders build a better understanding of what normal looks like when an application is running and being used.
190
There are nearly a dozen logs available from DNS. They include which two message types?
The DNS protocol has two message types: queries and replies. Both use the same format. These messages are used to transfer resource records (RRs). An RR contains a name, a time-to-live (TTL), a class (normally IN), a type, and a value. There are nearly a dozen different types of logs that are of particular interest; obtaining and including them in your investigation can help build a full picture.
191
What platform would cybercriminals use to make nearly anonymous calls?
VoIP technology is an attractive platform to criminals. The reason is that call managers and VoIP systems are global telephony services, in which it is difficult to verify the user’s location and identification.
192
What is the purpose of an application approved list?
The purpose is to specify an index of approved software applications or executable files that are permitted to be present and active on a computer system.
193
When a file or application is quarantined, what happens to it?
When a file is quarantined, the file is moved to a location on disk where it cannot be executed.
195
In data loss prevention (DLP) systems, how is exfiltration of sensitive data protected?
A set of tools and processes is used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. These tools allow only authorized persons to have access and to run copy/move commands on those specific files.
196
What is the purpose of revoking a certificate?
Certificate revocation is the act of invalidating a certificate before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised.
197
SOAR requires runbooks and playbooks. Whereas playbooks consist of a number of plays, runbooks are a series of what types of steps?
A runbook consists of a series of conditional steps to perform actions such as enriching data, containing threats, and sending notifications automatically as part of the incident response or security operations process.
198
What are the three rules for evidence?
Whether evidence is admissible is determined by following three rules: (1) Best evidence means that courts prefer original evidence rather than copies to avoid alteration of evidence. (2) The exclusionary rule means that data collected in violation of the Fourth Amendment (no unreasonable searches or seizures) is not admissible. (3) Hearsay is second-hand evidence and is often not admissible, but some exceptions apply.
199
What are three standards for evidence?
It must be (1) sufficient, which is to say convincing without question; (2) competent, which means it is legally qualified; and (3) relevant, which means it must matter to the case at hand.
200
When are checksums useful?
Computers use checksum-style techniques to check data for problems in the background. You could also use checksums to verify the integrity of any other type of file, from applications to documents and media. Forensic investigators use checksums to ensure data is not tampered with after it has been collected from an incident.
201
What is the role of a hash in computer forensics?
By definition, forensic copies are exact, bit-for-bit duplicates of the original. To verify this, you can use a hash function to produce a type of unique checksum of the source data. Hash functions have four defining properties that make them useful: they are deterministic, collision resistant, pre-image resistant, and computationally efficient.
202
What does NFAT mean in the context of network forensics?
Network forensic analysis tools (NFATs) typically provide the same functionality as packet sniffers, protocol analyzers, and SIEM software in a single product. NFAT software focuses primarily on collecting, examining, and analyzing network traffic.
203
What control category is addressed by an organization’s management?
Managerial
204
What control category is designed to increase individual and group system security?
Operational
205
What control category would include firewalls?
Technical
206
What control type enforces security policy?
Preventative
207
What control type is intended to discourage someone from violating policies?
Deterrent
208
What control type warns that physical security measures are being violated?
Detective
209
What control type includes all the controls used during an incident?
Corrective
210
What control type is also known as an alternative control?
Compensating
211
Which type of control would include something like door access?
Physical
212
Which type of control would you put in place to control access to a server room?
Physical
213
What regulation was established in the European Union to protect data and privacy?
General Data Protection Regulation (GDPR)
215
What act governs the disclosure of financial and accounting information?
Sarbanes-Oxley Act (SOX)
216
What act governs the disclosure and protection of health information?
Health Insurance Portability and Accountability Act (HIPAA)
217
Which nonprofit organization established in 2000 focuses on security best practices guides?
Center for Internet Security
218
Which organization developed the Cybersecurity Framework in 2014?
National Institute of Standards and Technology
219
Which nonprofit organization established in 2008 is focused on cloud security best practices?
Cloud Security Alliance
220
_______________ was created to provide a standardized solution for security automation.
Security Content Automation Protocol (SCAP)
221
What policy defines the rules that restrict how a computer, network, or other system may be used?
Acceptable use policy (AUP)
222
What is the security concept where more than one person is required to complete a particular task or operation?
Separation of duties
223
Your company expects its employees to behave in a certain way. How could a description of this behavior be documented?
Code of ethics
224
Employees are asked to sign a document that describes the methods of accessing a company’s servers. What best describes this document?
Acceptable use policy (AUP)
225
One of the developers for your company asks you what to do before making a change to a program’s authentication code. What process should you instruct this developer to follow?
Change management
226
As a network administrator, you are responsible for dealing with Internet service providers. You want to ensure that a provider guarantees end-to-end traffic performance. What is this known as?
Service-level agreement (SLA)
227
What is considered information that is available to anyone?
Public information
228
One of the accounting people is forced to change roles with another accounting person every three months. What is this an example of?
Job rotation
229
When it comes to security policies, what should HR personnel be trained in?
Guidelines and enforcement
230
Which type of plan is based on the determination of disaster impact?
Recovery plan
231
____________ is the time required for a service to be restored after a disaster.
Recovery time objective (RTO)
232
What procedure is used to determine a disaster’s full impact on the organization?
Impact determination
233
What is considered the risk left over after a detailed security plan and disaster recovery plan have been implemented?
Residual risk
234
What is considered an element, object, or part of a system that, if it fails, causes the whole system to fail?
Single point of failure
235
___________ defines the average number of failures per million hours of operation for a product in question.
Mean time between failures (MTBF)
236
Which type of assessment measures risk by using exact monetary values?
Quantitative risk assessment
237
What term is used when risk is reduced or eliminated altogether?
Risk mitigation
238
Which type of assessment assigns numeric values to the probability of a risk and the impact it can have on the system or network?
Qualitative risk assessment
239
What is the attempt to determine the number of threats or hazards that could possibly occur in a given amount of time to your computers and networks?
Risk assessment
240
Unauthorized access to ______ information could cause severe damage to the organization
Private
241
A compromise of __________ data could cause grave damage to national security?
Top secret
242
Telephone and fax numbers are a form of which type of information?
PII
243
Medical records are a form of which type of information?
PHI
244
The term ___________ refers to reducing the amount of data held, as a privacy tool.
Data minimization
245
What form of data obfuscation is performed by replacing data in a reversible manner?
Tokenization
246
What is the role of the individual who has the greatest responsibility in data privacy?
Data controller
247
What leadership role in an organization is responsible for the overall protection and adherence to the data protection process?
Data protection officer (DPO)