Flashcards before the exam

Question 1

What are Zigbee and Z-wave used for in IoT?

Answer 1

Zigbee and Z-wave are protocols used in the Internet of Things (IoT) to network various devices. These include:

• Hub/control systems
• Smart devices
• Wearables
• Sensors

Para sa mga low-power wireless machine-to-machine (M2M) and internet of things (IoT)

Question 2

What is the purpose of distributed consensus in a decentralized system?

Answer 2

Distributed consensus is used in a distributed or decentralized system to solve a specific computation. Its main purpose is to maintain the overall integrity of the distributed system or blockchain.

Question 3

What is the best way to address an intrusion prevention system (IPS) failing to block a known exploit?

Answer 3

Regularly update IPS rule sets to include the latest threat signatures and attack patterns.

Question 4

What are the risks of increasing IPS sensitivity indiscriminately or blocking all traffic by default?

Answer 4

Increasing sensitivity indiscriminately may result in false positives, and blocking all traffic by default would disrupt legitimate operations.

Question 4

What is data minimization and its purpose?

Answer 4

Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing the amount of information collected minimizes the amount and type of information that must be protected.

Question 5

What should you attempt to exploit to gain access to all websites hosted on the same physical underlying server in application containers?

Answer 5

Exploit the common libraries shared by application containers.

Since application containers share the same host kernel and use common libraries, exploiting these libraries will grant access to every website on that server.

Explanation: Application containers are virtualized environments designed to package and run a single computing application or service. They share the same host kernel and common libraries. By exploiting these common libraries, you can gain access to all websites on the server, even if they are in separate application containers.

Question 5

Detecting Malware Beaconing

Which of the following is NOT a typical means of identifying a malware beacon’s behavior on the network?

• The beacon’s protocol
• The removal of known traffic
• The beacon’s persistence
• The beaconing interval

Answer 5

The beacon’s protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Filtering out beacons by protocol alone could lead to prematurely eliminating malicious behavior.

Explanation: Other factors like the beacon’s persistence (if it remains after a reboot of the system) and the beacon’s interval (the time elapsed between beaconing) are much better indicators for identifying a malicious beacon. Removing known traffic can minimize the amount of data to analyze, making it easier to detect malicious beacons without wasting time on non-malicious traffic.

Question 6

Selecting a Symmetric Stream Encryption Cipher

Which symmetric stream encryption cipher should be selected for a video streaming service to ensure strong digital encryption on both desktop and mobile devices?

AES

RC4

ChaCha

3DES

Answer 6

ChaCha

Explanation: ChaCha is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. It is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement for the older RC4 algorithm.

RC4: A stream cipher previously used in WEP and many SSL/TLS implementations. It is considered extremely vulnerable to attack and should not be used in modern applications.

AES: The current standard for the U.S. federal government’s symmetric block encryption cipher. It can use key sizes of 128-bits, 192-bits, or 256-bits with a 128-bit block size.

3DES: Triple Digital Encryption Standard (3DES) was built as a temporary replacement for the older DES algorithm.

Question 7

What is the purpose of secure zones, and how do they align with Zero Trust principles?

Answer 7

Secure zones are designed to isolate critical assets and systems, allowing organizations to apply strict access controls that limit potential exposure to unauthorized users. This approach aligns with Zero Trust principles by ensuring sensitive areas of the network are protected.

Question 8

Which support resource should you request to provide a specially crafted XML file for a known-environment web application assessment?
* SOAP project file
* Architectural diagrams
* Authorization to use a fuzzer
* An XSD file

Answer 8

Request an** XSD file**.

Explanation: Since the scenario states you will create a specially crafted XML file for the assessment, knowing the XML file structure the web application expects is crucial. An XML Schema Definition (XSD) enables developers to define the structure and data types for XML documents. By obtaining the XSD file, you will know the exact format expected by the application, saving time and reducing expenses during the assessment.

• SOAP project file: Not relevant for crafting the XML file.

* Architectural diagrams: Useful but not essential for XML file structure.

• Authorization to use a fuzzer: Important for other tests but not necessary for crafting the XML file.

Question 9

Which term best defines the willingness of a company to accept a specific level of risk, such as $1,000,000 in Annual Loss Expectancy (ALE)?

Answer 9

Risk tolerance refers to the specific amount or level of risk that an organization is willing to accept or bear.

Explanation: In the context of the Development Group’s strategic planning for their SaaS application launch, risk tolerance is the term that describes the maximum acceptable loss they are willing to bear, which is pegged at $1,000,000 in Annual Loss Expectancy (ALE).

Question 10

What is the difference between risk appetite and risk tolerance?

Answer 10

Risk appetite is the overall amount of risk an organization is willing to pursue or retain to achieve its objectives. It is broader in nature and less specific than risk tolerance. Risk tolerance refers to the specific amount or level of risk that an organization is willing to accept or bear for a particular system or product. In this scenario, risk appetite is incorrect because it describes the general willingness to take risks, not the precise amount of risk acceptable for a particular system or product.

Question 11

Guest Wireless Device Authentication

Which of the following should be added to the Acceptable User Policy (AUP) to support the new requirement for sponsoring guest wireless devices before authentication?

A. Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

B. All guests must provide valid identification when registering their wireless devices for use on the network

C. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters

Answer 11

B. All guests must provide valid identification when registering their wireless devices for use on the network.

Explanation: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest’s need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

Question 12

What is an overlay network, and how does it function?

Answer 12

Overlay networks use software to create and manage new virtual networks leveraging existing hardware. All network management and configuration are performed using software, and new virtual networking devices are defined within that software. This virtualized overlay moves the data across existing physical network devices, but that hardware is no longer directly configured or managed by administrators.

Question 13

What is an overlay network?

Answer 13

An overlay network uses software to create and manage virtual networks on top of existing physical infrastructure.

Question 14

How does an overlay network function?

Answer 14

It allows network management and configuration to be performed using software, moving data across existing physical network devices without directly configuring or managing the hardware.

Question 15

What are the benefits of using an overlay network?

Answer 15

Greater flexibility, easier management, and the ability to define and control virtual devices and paths without altering the physical infrastructure

Question 16

What is reverse engineering?

Answer 16

Reverse engineering is the process of analyzing a system’s or application’s structure to understand how it functions, especially when the source code is not available.

Question 17

Why might a company use reverse engineering for industrial espionage?

Answer 17

Reverse engineering allows a company to figure out how a competitor’s application works and potentially develop its own version.

Question 18

How can attackers/pentesters use reverse engineering?

Answer 18

Attackers/Pentesters might use reverse engineering to identify flaws or vulnerabilities in an application and exploit them as part of their attack.

Question 19

What is a BEC attack?
Business Email Compromise (BEC)

Answer 19

• A Business Email Compromise (BEC) is a form of cyberattack where the attacker targets a business by impersonating a high-level executive or taking over a high-level executive email account.
• e.g you take over a CEO email account and used that email to elicit action from employees
• The goal is to elicit action from employees, often involving financial transactions, by exploiting the trust and authority associated with the executive’s position.

Question 20

What is the key difference between HOTP and TOTP?

Answer 20

Explanation: The main difference is that TOTP tokens include expiration while HOTP tokens do not.

Practical Example: With TOTP, a one-time password is only valid for a certain period, like 30 seconds, enhancing security by limiting the time window for potential attacks.

Question 21

Does the HOTP token have an expiration?

Answer 21

Explanation: No, the HOTP token does not have an expiration.

The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations

Practical Example: An employee’s physical token fob remains valid indefinitely until it’s manually deactivated.

Question 22

Which type of device attack allows complete control of a device without
the target device being paired with the attacker?

Answer 22

BlueBorne

Question 23

What is the primary function of an HSM?

Answer 23

It securely** generates, stores, and manages encryption keys** in a tamper-resistant environment. **Key Escrow & Backup** – Can securely store and recover lost or compromised keys.

Question 24

What security standards do HSMs comply with?

Answer 24

FIPS 140-2, Common Criteria, PCI DSS.

Question 25

Ano ang pinaka-main na advantage ng SED kumpara sa software-based encryption?

Answer 25

Ang SED ay gumagamit ng hardware-based encryption, kaya automatic, transparent, at walang impact sa performance.

Question 26

Ano mangyayari kapag nabura ang encryption key ng isang SED?

Answer 26

Hindi na mare-recover ang data kasi mawawala na ang access sa naka-encrypt na files (Crypto Erase)

Question 26

Kailangan pa bang mag-install ng special software para gumamit ng SED?

Answer 26

Hindi na! Ang encryption ay built-in sa drive, kaya hindi na kailangan ng extra software para gumana ito.

Question 27

Ano ang pinagkaiba ng SED at BitLocker?

Answer 27

**SED** → Automatic at hardware-based, walang performance impact. **BitLocker** → Software-based, gumagamit ng system resources kaya mas mabagal.

Question 28

Which of the following is a form of testing that involves submitting input to an application while it is running? * Interactive application security testing (IAST) * Static application security testing (SAST) * Dynamic application security testing (DAST) * Code signing

Answer 28

Explanation: Interactive application security testing (IAST) is a form of testing that involves submitting input to an application while it is running. It can be automated with a dynamic testing tool, or it can be performed manually by a technician.

Question 29

Your organization is subject to the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Which of the following must your organization carry out either manually or with automated tools? * Data inventory * Scrubbing * Fuzzing * Data encryption

Answer 29

Data inventory Explanation: Data inventory and mapping is a process typically carried out using software tools to enumerate all the data, regardless of where it might be stored or which department uses it.

Question 30

Which storage model uses a flat structure in which files are broken into parts and spread out across hardware? * File storage * Object storage * Blob storage * Block storage

Answer 30

* Object storage Explanation: Object storage uses a flat structure in which files are broken into parts and spread out across hardware. Object storage uses volumes that work as self-contained repositories.

Question 31

You recently learned about a program that can overlay virtual objects into a room to help in planning a server installation project. Which of the following technologies does this program used? * Virtual reality (VR) * Situational reality (SR) * Augmented reality (AR) * Object overlay technology

Answer 31

* Augmented reality (AR) Explanation: Virtual reality (VR) immerses users in a fully artificial digital environment, whereas augmented reality (AR) overlays virtual objects on the real-world environment.

Question 32

Which of the following is a process in which multiple parties collectively compute a function and receive its output without learning the inputs from any other party? * Secure function evaluation (SFE) * Private function evaluation (PFE) * Distributed consensus * Private information retrieval (PIR)

Answer 32

* Secure function evaluation (SFE) Explanation: Secure function evaluation (SFE) is a process in which multiple parties collectively compute a function and receive its output without learning the inputs from any other party. It allows for two parties to each contribute a value to a computation and generate the same answer without knowing the value the other party contributes. This can be done using fully homomorphic encryption.

Question 33

Which groups primarily threaten the financial services sector and are expanding the scope of their attacks? * Unwitting insider groups * Insider threat groups * Competitor groups * Organized crime groups

Answer 33

* Organized crime groups Explanation: Organized crime groups primarily threaten the financial services sector and are expanding the scope of their attacks. They perpetrate well-funded attacks.

Question 34

Your team lead approaches you and asks to review the logs for a specific workstation that is under scrutiny for potential breach of acceptable use policy (AUP). Why type of logs would you, as an analyst, review for patterns of access to individual objects? * System logs * Audit trails * Network access control lists * Firewall logs

Answer 34

* Audit trails Explanation: An analyst would look at audit trails to review patterns of access to individual objects. Audit trails must be monitored, and automatic notifications should be configured to help the analyst gain value from large amounts of data.

Question 35

A junior analyst asks you if they should reboot a system that potentially has malware running in the background. What activity do you need to do first to gather any incriminating evidence before rebooting? * Nothing; you can reboot * Create a memory snapshot * Conduct a virus scan * Log in as an admin and look at access logs

Answer 35

* Create a memory snapshot Explanation: Performing a memory dump or creating a memory snapshot is a crucial step as there could still be incriminating evidence on a system.

Question 36

As part of media analysis, investigators want to analyze the slack (marked as empty or reusable) space on a drive to see whether any old (marked for deletion) data can be retrieved. What type of analysis are the investigators performing? * Steganalysis * Disk imaging * Slack space analysis * Content analysis

Answer 36

* Slack space analysis Explanation: Investigators can perform many types of media analysis, depending on the media type: Disk imaging: This involves creating an exact image of the contents of a hard drive. **Slack space analysis**: This involves analyzing the slack (marked as empty or reusable) space on a drive to see whether any old (marked for deletion) data can be retrieved. Content analysis: This involves analyzing the contents of a drive and giving a report detailing the types of data, by percentage. Steganalysis: This involves analyzing the graphic files on a drive to see whether the files have been altered or to discover the encryption used on the file. Data can be hidden within graphic files. Slack Space Analysis: Simplified Overview Slack Space: Slack space is the unused portion of a storage block that exists because data written to the drive does not perfectly align with the block's size. For example, if a file only needs part of a block, the remaining space in that block becomes slack space. This space can sometimes contain remnants of old or deleted data. Slack Space Analysis: Slack space analysis involves examining this "empty" or "reusable" space to determine if any recoverable data is present. It is often used in forensic investigations to retrieve data that has been marked for deletion but not yet overwritten. Key Uses: Digital Forensics: Analysts use slack space to uncover old or deleted information, such as files, fragments, or sensitive data that may be relevant to an investigation. Data Recovery: Slack space analysis can sometimes help restore lost or accidentally deleted files. Security Audits: Ensures sensitive data remnants in slack space are securely wiped to prevent unauthorized access. Practical Example: A forensic investigator analyzing a compromised computer may perform slack space analysis to retrieve portions of deleted emails or documents, uncovering valuable evidence that aids in the investigation. Risks of Slack Space: Privacy Concerns: Sensitive data remnants can be exploited if not securely deleted. Security Risks: Attackers may use slack space to hide malicious code or tools.

Question 37

You are in charge of ensuring that all company-owned mobile devices receive a required update to increase data speed. What is this update called? * Preferred roaming list (PRL) * Product release information (PRI) * Firmware * Data update

Answer 37

* Product release information (PRI) Explanation: A product release information (PRI) is a connection between a mobile device and a radio (cell tower). From time to time, a PRI may need to be updated; updates may add features or increase data speed.

Question 38

You are troubleshooting an industrial control system and trying to connect to the protocol that covers functions such as control, safety, synchronization, motion, configuration, and information. Which of the following best represents the protocol described above? * Remote terminal units (RTUs) * Modbus * Common Industrial Protocol (CIP) * Supervisory control and data acquisition (SCADA)

Answer 38

* Common Industrial Protocol (CIP) Explanation: Once known as Control and Information Protocol, Common Industrial Protocol (CIP) is a suite of messages and services for the collection of manufacturing automation applications. It covers functions such as control, safety, synchronization, motion, configuration, and information.

Question 39

Which of the following SCADA systems typically have digital or analog I/O and are not in a form that can be easily communicated over long distances? * Sensors * Programmable logic controllers (PLCs) * Remote terminal units (RTUs) * Telemetry system

Answer 39

* Sensors SCADA is a system that operates with coded signals over communication channels to provide control of remote equipment. It includes the following components: **Sensors**: Sensors typically have digital or analog I/O and are not in a form that can be easily communicated over long distances. Remote terminal units (RTUs): RTUs, which include telemetry hardware, connect to sensors and convert sensor data to digital data. Programmable logic controllers (PLCs): PLCs connect to sensors and convert sensor data to digital data; they do not include telemetry hardware. Telemetry system: This type of system connects RTUs and PLCs to control centers and the enterprise.

Question 40

Which of the following certificates is for organizations that must provide proof of identity? * Class 3 certificate * Class 1 certificate * Class 4 certificate * Class 2 certificate

Answer 40

* Class 2 certificate Explanation: Security professionals should know the types of certificates and use the proper type for each job. VeriSign first introduced the following digital certificate classes: Class 1 certificate: For individuals and intended for email. These certificates get saved by web browsers. No real proof of identity is required. Class 2 certificate: For organizations that must provide proof of identity. Class 3 certificate: For servers and software signing in which independent verification and identity and authority checking are done by the issuing CA. Class 4 certificate: For online business transactions between companies. Class 5 certificate: For private organizations or government security.

Question 41

Which of the following is the order in which a firewall examines a rule set? * The source of the traffic; the destination of the traffic; the action to take on the traffic * The action to take on the traffic; the source of the traffic; the destination of the traffic; the type of traffic * The source of the traffic; the type of traffic; the destination of the traffic; the action to take on the traffic * The type of traffic; the source of the traffic; the destination of the traffic; the action to take on the traffic

Answer 41

Explanation: A firewall device examines rules starting at the top of the rule set, in this order: * The type of traffic * The source of the traffic * The destination of the traffic * The action to take on the traffic