SEC - Jas - U Flashcards

(540 cards)

1
Q

Question 1:

While analyzing network traffic at Dion Training Solutions, Carlos, a security analyst, discovered a specific workstation repeatedly sending HTTPS requests to unfamiliar IP addresses. These requests contained encoded data that matched sensitive company information. Carlos also noted the workstation downloading unknown executables from various domains. Which of the following terms BEST describes the primary malicious activity of extracting sensitive information that Carlos detected?

Malware Propagation

Data Exfiltration

C2 Communication

Network Reconnaissance

A

Malware Propagation

Correct answer

Data Exfiltration

Your answer is incorrect

C2 Communication

Network Reconnaissance

Overall explanation

OBJ 2.4 - Data exfiltration is the unauthorized transfer of sensitive data to an external source, which is the primary activity Carlos detected, as encoded company information was being sent to unfamiliar IP addresses. While Command and Control (C2) communication could be involved, it primarily serves to control compromised systems rather than exfiltrate data, making data exfiltration the more appropriate term. Although malware propagation is possible due to the unknown executables being downloaded, the focus is not on spreading malware but on the data transfer. Network reconnaissance, which involves gathering network information, does not fit since the activity observed relates to data extraction rather than network scanning.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

2
Q

Question 2:

Which of the following terms refers to the ability to obtain and apply security updates or fixes for software or systems?

Responsiveness

Inability to patch

Patch availability

Risk transference

A

Responsiveness

Inability to patch

Correct answer

Patch availability

Your answer is incorrect

Risk transference

Overall explanation

OBJ: 3.1 - Patch availability refers to the ability to obtain and apply security updates or fixes for software or systems, which is an important aspect of maintaining security and functionality. Some factors that can affect patch availability are vendor support, compatibility, and testing. Inability to patch refers to a situation where software or systems cannot be updated or fixed due to technical or operational reasons, such as legacy systems, custom applications, or regulatory constraints. It does not refer to the ability to obtain and apply security updates or fixes. Responsiveness refers to the speed at which a system or service responds to user requests or inputs. It does not refer to the ability to obtain and apply security updates or fixes. Risk transference refers to a situation where an organization transfers some of its risks or responsibilities to a third-party provider, such as a cloud service provider or an insurance company, as a way of mitigating potential losses or liabilities. It does not refer to the ability to obtain and apply security updates or fixes.

Domain

3.0 - Security Architecture

3
Q

Question 3:

Jason receives an email at his Kelly Innovations LLC account. The email seems to be from Reed, a coworker, and states that Reed urgently needs to see the invoice for a recent project. However, Reed specifies he needs it within the next 10 minutes as he is in a meeting with Sasha and top executives. Jason quickly sends over the invoice without double-checking with Reed. Which type of attack best describes this situation?

Brute-force attack

Cloning

Whaling

Pretexting

A

Brute-force attack

Cloning

Your answer is incorrect

Whaling

Correct answer

Pretexting

Overall explanation

OBJ: 2.2 - Pretexting involves creating a fabricated scenario, such as the described urgent meeting, to deceive the target into providing desired information or performing an action. The use of urgency and reference to known colleagues adds weight to the pretext, pressuring Jason into quick compliance. A brute-force attack involves attempting all possible combinations of passwords or encryption keys until the correct one is found. This scenario doesn’t involve this kind of attack method at all. Whaling is a type of phishing attack that specifically targets high-profile employees, like executives or CEOs, to steal sensitive information. While this attack is personalized, it usually targets top executives, and not general employees like Jason. The scenario doesn’t specifically mention Jason’s rank or position, so whaling is not the most appropriate description. Cloning refers to the duplication of items such as badges, access cards, or even digital identities. It’s about copying something authentic to gain unauthorized access, rather than fabricating a scenario.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

4
Q

Question 4:

What term refers to an organization’s predetermined level of acceptable risk exposure?

Risk appetite

Risk tolerance

Conservative

Exposure factor

A

Risk appetite

Correct answer

Risk tolerance

Conservative

Your answer is incorrect

Exposure factor

Overall explanation

OBJ: 5.2 - Risk tolerance refers to an organization’s predetermined level of acceptable risk exposure. It represents the extent to which an organization is willing to tolerate potential risks before taking action to mitigate or avoid them. While similar to risk tolerance, risk appetite refers to the amount of risk an organization is willing to take on to achieve its strategic objectives. It represents the organization’s overall attitude toward risk-taking. The term “conservative” is not directly related to risk management. In financial contexts, it may refer to a risk-averse approach or cautious decision-making. The exposure factor is a calculation that determines the amount of value that is lost if an event takes place. It doesn’t measure an organization’s level of acceptable risk exposure.

Domain

5.0 - Security Program Management and Oversight

5
Q

Question 5:

Which of the following terms refers to a major program executed by powerful entities to shift public opinion?

Digital diplomacy

Influence campaign

Digital espionage

Soft power

A

Digital diplomacy

Correct answer

Influence campaign

Digital espionage

Your answer is incorrect

Soft power

Overall explanation

OBJ: 2.2 - An influence campaign is a significant initiative launched by entities like nation-states to sway public opinion on specific topics, often utilizing various techniques including disinformation. Digital diplomacy involves the use of digital tools and platforms for diplomatic interactions and doesn’t necessarily involve shifting public opinion through campaigns. Digital espionage refers to cyber-related spying activities, which doesn’t directly relate to influencing public opinion. Soft power pertains to the use of diplomatic and cultural assets by a country to influence another country, but it doesn’t specifically mean a program to change public opinion.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

6
Q

Question 6:

Which of the following attackers is MOST likely driven by a desire to expose unethical practices within a corporation, even if it means acting in an unethical way themselves?

Hacktivist

Organized crime

State-sponsored actor

White hat hacker

A

Correct answer

Hacktivist

Organized crime

State-sponsored actor

Your answer is incorrect

White hat hacker

Overall explanation

OBJ: 2.1 - Driven by strong political, social, or ethical beliefs, hacktivists break into systems to spotlight perceived injustices or unethical behaviors. Organized crime actors engage in cyber-criminal activities for monetary gains, like fraud or data theft. Often tied to a nation’s government, state-sponsored actors deploy cyberattacks to further geopolitical objectives or national interests. A white hat hacker is a cybersecurity professional who conducts ethical hacking to identify vulnerabilities in systems, software, or networks, typically with the owner’s permission. Their primary motivation is to improve security and protect systems from potential threats.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

7
Q

Question 7:

Which email security protocol uses cryptographic signatures to verify the authenticity of an email’s sender?

DMARC

MTA

SPF

DKIM

A

DMARC

MTA

SPF

Your answer is correct

DKIM

Overall explanation

OBJ 4.5: DKIM (DomainKeys Identified Mail) allows senders to associate a domain name with an email, thus vouching for its authenticity using a cryptographic signature. MTA (Mail Transfer Agent) is responsible for transferring and routing emails between servers but doesn’t employ cryptographic signatures for sender authenticity. While DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon DKIM and SPF, it itself doesn’t directly use cryptographic signatures. Instead, it allows domain owners to specify policies on how to handle mail that doesn’t authenticate with SPF or DKIM. SPF (Sender Policy Framework) is used to specify which mail servers are permitted to send email for a domain. It doesn’t utilize cryptographic signatures for this purpose.

Domain

4.0 - Security Operations

8
Q

Question 8:

Kelly Innovations LLC needs to securely authenticate remote users and needs to be able to handle multiple authentication methods. Which of the following protocols would be BEST suited for this scenario?

ICMP

SD-WAN

EAP

IPSec

A

ICMP

SD-WAN

Correct answer

EAP

Your answer is incorrect

IPSec

Overall explanation

OBJ 3.2: Extensible Authentication Protocol (EAP) is a network access authentication protocol that can handle multiple authentication methods, making it apt for this scenario. Internet Control Message Protocol (ICMP) is used by network devices, such as routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached, not for authenticating users. A Software-Defined Wide Area Network (SD-WAN) is a virtual WAN architecture that allows businesses to leverage any combination of transport services but isn’t used for authenticating remote users. Internet Protocol Security (IPSec) secures internet communication across an IP network by protecting data through encryption and authentication, but it doesn’t focus on authenticating remote users.

Domain

3.0 - Security Architecture

9
Q

Question 9:

Last month at Kelly Innovations LLC, Jamario reported receiving inappropriate images while researching industry competitors. To prevent employees from accidentally accessing such media in the future, which of the following solutions would be MOST effective?

Upgrading to a faster internet connection

Installing a state-of-the-art firewall

Requiring two-factor authentication for internet access

Implementing content categorization

A

Upgrading to a faster internet connection

Installing a state-of-the-art firewall

Requiring two-factor authentication for internet access

Your answer is correct

Implementing content categorization

Overall explanation

OBJ 4.5: Content categorization systematically classifies websites based on their overall theme, making it easier to block access to unsuitable or irrelevant categories of web content. Firewalls primarily focus on blocking or allowing traffic based on IP addresses and ports, not necessarily the thematic content of websites. Two-factor authentication increases login security but does not categorize or filter web content. While a faster internet connection improves browsing speeds, it doesn’t filter or categorize web content.

Domain

4.0 - Security Operations

10
Q

Question 10:

Which of the following terms BEST describes the measurement used to describe a 7% possibility of hardware failure in the next year based on past statistical data?

Severity ranking

Exposure factor

Probability

Likelihood

A

Severity ranking

Exposure factor

Correct answer

Probability

Your answer is incorrect

Likelihood

Overall explanation

OBJ: 5.2 - Probability is a quantitative measure, usually expressed as a number between 0 and 1, or as a percentage, indicating the statistical likelihood of a risk event. Likelihood is used in qualitative risk analysis to subjectively describe how probable a risk event is, often expressed in terms such as “low,” “medium,” or “high.” The exposure factor (EF) is the fraction of the asset value that is at risk in the event of a security incident. Severity ranking may determine how serious an impact might be but does not directly relate to the probability of an event occurring.

Domain

5.0 - Security Program Management and Oversight

11
Q

Question 11:

As a network administrator, you have been assigned the critical task of upgrading a company’s encryption protocol for wireless devices. The current encryption method is outdated and poses a significant security risk. Your objective is to select the most secure option for the upgrade. Which of the following encryption mechanisms BEST represents the ideal choice for this upgrade?

WEP

TKIP

WPA

AES

A

WEP

TKIP

Your answer is incorrect

WPA

Correct answer

AES

Overall explanation

OBJ 4.1: AES (Advanced Encryption Standard) is currently the most secure and widely used encryption protocol for wireless networks. It offers strong encryption algorithms and has withstood extensive testing demonstrating its resilience against various attacks. Upgrading to AES is the ideal choice, as it provides the highest level of security for wireless communication. WEP (Wired Equivalent Privacy) is an outdated encryption protocol known for its numerous security flaws and vulnerabilities. Moving to WEP would be a downgrade rather than an upgrade: it is deprecated, not recommended, easily exploitable, and does not provide adequate security for modern wireless networks. While TKIP (Temporal Key Integrity Protocol) was introduced as an improvement over the vulnerable WEP encryption protocol, it is still considered weak and susceptible to various attacks. Upgrading to TKIP may offer some enhancements, but it is not the most secure option available. WPA (Wi-Fi Protected Access) was designed to address the shortcomings of WEP and introduced stronger security mechanisms, such as TKIP and Message Integrity Check (MIC). While it was an improvement over WEP, it is important to note that WPA also has known vulnerabilities, especially when using its pre-shared key (PSK) mode. As such, it might not be the most secure option for this upgrade.

Domain

4.0 - Security Operations

12
Q

Question 12:

Which of the following BEST represents a primary goal when seeking evidence of internal audits from a third-party vendor?

Determination of the vendor’s profit margins.

Assessment of external threat landscape to reduce security vulnerabilities.

Verification of compliance with internal security standards.

Review of the vendor’s client list.

A

Determination of the vendor’s profit margins.

Assessment of external threat landscape to reduce security vulnerabilities.

Correct answer

Verification of compliance with internal security standards.

Your answer is incorrect

Review of the vendor’s client list.

Overall explanation

OBJ: 5.3 - Evidence of internal audits primarily serves to verify that the vendor adheres to their own security and operational standards consistently. Client lists might be part of a business review, but they are not the primary concern of internal security or operational audits. While audits might touch on external threats, their main focus is internal controls, practices, and standards. Internal audits focus on operational and security aspects, not on the financial details like profit margins.

Domain

5.0 - Security Program Management and Oversight

13
Q

Question 13:

Kelly Innovations LLC is implementing a wireless network and needs a flexible authentication method that supports multiple mechanisms for authenticating both wired and wireless users. Which protocol BEST fits their requirements?

LDAP

WPA3

EAP

RADIUS

A

LDAP

WPA3

Correct answer

EAP

Your answer is incorrect

RADIUS

Overall explanation

OBJ 3.2: EAP (Extensible Authentication Protocol) provides a standard interface for integrating multiple authentication methods. It can be used in various network access scenarios, including wireless, to provide flexible authentication without requiring changes to the underlying authentication mechanism. WPA3 (Wi-Fi Protected Access 3) is a security protocol designed for securing wireless networks. While it incorporates authentication mechanisms, it isn’t as flexible or extensible in terms of supporting multiple authentication methods as EAP. LDAP (Lightweight Directory Access Protocol) is a protocol used to access directory systems over IP networks. It is mainly used for user directory querying and authentication, not specifically for the flexibility in wireless or wired network authentication methods. RADIUS (Remote Authentication Dial-In User Service) is a protocol for carrying authentication, authorization, and configuration information between a network access server and a central server. While it can carry EAP as one of its methods, it is not an authentication method by itself.

Domain

3.0 - Security Architecture

14
Q

Question 14:

What is the name of the attack vector that involves sending fraudulent emails to trick recipients into revealing sensitive information or clicking malicious links?

Vishing

Misinformation

Smishing

Phishing

A

Vishing

Misinformation

Smishing

Your answer is correct

Phishing

Overall explanation

OBJ: 2.2 - Phishing is the correct answer because it uses fraudulent emails to trick recipients. Misinformation is incorrect because it does not involve sending fraudulent emails, but spreading false or misleading information. Vishing is incorrect because it uses voice calls, not emails, to trick recipients. Smishing is incorrect because it uses SMS messages, not emails, to trick recipients.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

15
Q

Question 15:

Jenny, a newly hired sales representative, has been granted access to view customer records but is unable to modify, delete, or add new ones. Only managers and the IT department have the ability to make changes to these records to maintain data integrity. Which principle is the organization applying?

Mandatory access control (MAC)

Data classification

Principle of least privilege

Attribute-based access control (ABAC)

A

Mandatory access control (MAC)

Data classification

Your answer is correct

Principle of least privilege

Attribute-based access control (ABAC)

Overall explanation

OBJ 4.6: The principle of least privilege ensures users have only the necessary access to perform their tasks, reducing the risk from both unintended mistakes and malicious actions. Although MAC uses sensitivity labels to restrict access, it’s not specifically about limiting functions like modify or delete. ABAC uses multiple attributes, such as user, environment, and resource, to decide access, but it’s not solely about providing the minimum necessary permissions. While data classification categorizes data based on sensitivity, it does not specify access rights or restrictions.

Domain

4.0 - Security Operations

16
Q

Question 16:

Which type of symmetric encryption is BEST suited for scenarios where the total length of the message is not predetermined and encrypts data one byte or bit at a time?

Stream cipher

AES256

Block cipher

Initialization vector (IV)

A

Correct answer

Stream cipher

AES256

Block cipher

Your answer is incorrect

Initialization vector (IV)

Overall explanation

OBJ: 1.4 - Stream ciphers encrypt plaintext data one byte or bit at a time, making them suitable for scenarios where the total message length is unknown. They combine the plaintext with a pseudorandom keystream derived from the key and an initialization vector (IV). The IV ensures uniqueness of the resulting ciphertext even with identical plaintexts, and the recipient must generate the same keystream for decryption. While IVs are used in the encryption process, they are not a type of symmetric encryption. They work in conjunction with encryption methods to ensure unique ciphertexts. Block ciphers encrypt data in equal-sized blocks, typically 128-bit, and they require padding if the plaintext doesn’t match the block size. While AES256 is a widely used symmetric encryption cipher variant with a 256-bit key, it specifically refers to a type of block cipher and not the general categorization.

Domain

1.0 - General Security Concepts

17
Q

Question 17:

What is the primary difference between an insider threat and a shadow IT threat actor?

Malicious intent

Resources/funding

Level of access

Level of sophistication/capability

A

Correct answer

Malicious intent

Resources/funding

Level of access

Your answer is incorrect

Level of sophistication/capability

Overall explanation

OBJ: 2.1 - The primary difference between an insider threat and a shadow IT threat actor is the malicious intent. An insider threat has malicious intent and abuses their legitimate access to an organization’s systems or data for harmful purposes, such as revenge, blackmail, or data theft. A shadow IT threat actor does not have malicious intent and uses unauthorized or unapproved devices, software, or services within an organization for convenience, productivity, or innovation purposes. Level of access is not the primary difference between an insider threat and a shadow IT threat actor, as both have legitimate access to an organization’s systems or data. However, an insider threat can have higher levels of access, trust, and knowledge than a shadow IT threat actor. Resources/funding is not the primary difference between an insider threat and a shadow IT threat actor, as both can have varying amounts of money, equipment, or personnel available to conduct attacks. However, a shadow IT threat actor can have more resources and funding than an insider threat. Level of sophistication/capability is not the primary difference between an insider threat and a shadow IT threat actor, as both can have varying levels of technical skills, knowledge, and experience. However, an insider threat can have more sophistication and capability than a shadow IT threat actor.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

18
Q

Question 18:

In the process of deploying a new software application within Kelly Innovations LLC, the IT team identified that a certain module wouldn’t function unless another software was already installed. Which of the following BEST describes this situation?

Running a legacy application.

Facing a compatibility issue.

Encountering a software dependency.

Allowing unrestricted user access.

A

Running a legacy application.

Facing a compatibility issue.

Correct answer

Encountering a software dependency.

Your answer is incorrect

Allowing unrestricted user access.

Overall explanation

OBJ: 1.3 - Software dependencies arise when one software or module requires another software or service to function correctly. In this case, the module’s reliance on another software to operate signifies a dependency. Legacy applications are older software versions or systems still in use, often because the user prefers the old version over a new version, or because the newer version is not compatible with the user’s hardware or operating system. It’s not directly related to the reliance of one software on another. Allowing unrestricted user access pertains to user permissions and access controls, and is not directly related to software functionality or interoperability. While facing a compatibility issue could be related to software dependencies, a compatibility issue is typically broader and deals with software not working due to system requirements, different software versions, or other factors.

Domain

1.0 - General Security Concepts

19
Q

Question 19:

Enrique at Dion Training is responsible for ensuring that the company’s project data is protected from potential data loss, especially since the office is located in a region prone to natural disasters. Which backup method would provide him with the most secure protection by keeping a physically separate copy of the data?

Cloud backups

Offsite backups

Hybrid backups

Onsite backups

A

Cloud backups

Correct answer

Offsite backups

Your answer is incorrect

Hybrid backups

Onsite backups

Overall explanation

OBJ 3.4: Offsite backups ensure that the backup is physically separated from the original data. Given the risk of natural disasters, offsite backups would offer Dion Training better protection for their project data. While hybrid backups combine onsite and cloud backups, the primary concern of natural disasters damaging onsite data remains. Onsite backups are unlikely to protect Dion Training’s project data if a natural disaster damages their office since they would be located in the same office location. Cloud backups provide a form of offsite storage; however, they depend on internet connectivity and may be subject to potential delays or data transfer limits. Additionally, cloud storage is often managed by third-party providers, which could raise security or compliance concerns. Since Enrique desires the most secure option, cloud backups would not be as effective as an offsite backup.

Domain

3.0 - Security Architecture

20
Q

Question 20:

A company’s access control mechanism determines access to resources based on users’ job functions. The system enforces access control based on these predefined responsibilities, and users do not have the discretion to modify or override access permissions. Which type of access control mechanism is being used in this scenario?

Attribute-based

Discretionary

Role-based

Rule-based

A

Attribute-based

Discretionary

Your answer is correct

Role-based

Rule-based

Overall explanation

OBJ 4.6: In this scenario, the company uses “Role-Based Access Control” (RBAC), where access is determined by user roles or job functions, with permissions assigned to these predefined roles for structured management. Unlike “Discretionary Access Control” (DAC), where users control their resource permissions, RBAC assigns access based on roles rather than individual discretion. “Rule-Based Access Control” is broader, covering various mechanisms, but lacks the role-specific focus of RBAC. “Attribute-Based Access Control” (ABAC) uses dynamic attributes like location and time, unlike RBAC’s simpler role-based structure.

Domain

4.0 - Security Operations

21
Q

Question 21:

Dion Training Solutions needs a network appliance capable of filtering traffic based on URLs, HTTP headers, and specific web application functionalities. At which layer of the OSI model would this appliance primarily operate?

Layer 3

Layer 7

Layer 5

Layer 6

A

Layer 3

Correct answer

Layer 7

Layer 5

Your answer is incorrect

Layer 6

Overall explanation

OBJ 3.2: Layer 7, or the application layer, deals with end-user services, and appliances at this layer can make filtering decisions based on specifics like URLs, HTTP headers, and specific application functions. Layer 6, the presentation layer, is responsible for translating data between the application and transport layers. Layer 5, the session layer, manages connections between applications. It isn’t focused on the content-specific criteria like URLs and HTTP headers. Layer 3 devices are concerned with IP addressing and routing.

Domain

3.0 - Security Architecture

22
Q

Question 22:

Which of the following is the BEST action a security professional would undertake to determine the order in which identified vulnerabilities should be addressed, based on potential impact and exploitation likelihood?

Threat intelligence gathering

Vulnerability prioritization

False positive assessment

Dynamic analysis

A

Threat intelligence gathering

Correct answer

Vulnerability prioritization

False positive assessment

Your answer is incorrect

Dynamic analysis

Overall explanation

OBJ 4.3: Vulnerability prioritization involves assessing the severity, exploitability, and potential impact of vulnerabilities to decide the order of their remediation. This ensures that critical risks are managed first, optimizing resource allocation. Threat intelligence gathering is the collection of data about potential threats from various sources. This provides context but doesn’t directly offer a sequence for remediation. Dynamic analysis involves evaluating software during its runtime to uncover vulnerabilities that might not be apparent when the software is not running. It’s useful for finding issues but doesn’t necessarily determine their importance. False positive assessment involves reviewing and verifying alerts that a security tool flags as malicious, only to determine they are benign. While essential, it doesn’t directly sort vulnerabilities by risk.

Domain

4.0 - Security Operations

23
Q

Question 23:

Kelly Innovations decides to manage its IT infrastructure within its physical location, retaining full control over its hardware, software, and data. Which of the following security implications is MOST directly associated with this approach?

Risk transference to third-party vendors

Multi-tenancy risks

Dependence on external patch availability

Increased responsibility for physical security

A

Risk transference to third-party vendors

Multi-tenancy risks

Dependence on external patch availability

Correct answer

Increased responsibility for physical security

Overall explanation

OBJ: 3.1 - With on-premise infrastructure, organizations must ensure the physical safety of servers and other equipment against theft, tampering, and disasters. Risk transference to third-party vendors is more relevant to cloud-based services where responsibilities are often shared between the provider and the customer. On-premise infrastructure typically allows for more control over when and how patches are applied, rather than being dependent on third-party vendors. Multi-tenancy is a concern in shared cloud environments where resources are shared among different clients, not in on-premise setups.

Domain

3.0 - Security Architecture

24
Q

Question 24:

Which of the following terms describes a risk evaluation method that operates without interruption to provide real-time data, allowing organizations to rapidly detect and respond to emerging threats?

Risk analysis

Continuous assessment

Incident response

Periodic review

A

Risk analysis

Correct answer

Continuous assessment

Incident response

Periodic review

Overall explanation

OBJ: 5.2 - Continuous assessment refers to an ongoing, real-time process of evaluating risks to ensure that an organization can quickly identify and respond to new threats. A periodic review refers to the scheduled examination of systems and risks which, unlike continuous assessment, does not occur in real time. Risk analysis is a broader term that involves examining the identified risks to understand their nature, but it doesn’t specifically mean the continuous, real-time process. Incident response is the process an organization follows after a risk has materialized into a security event, which is a reactive measure rather than a continuous assessment process.

Domain

5.0 - Security Program Management and Oversight

25
Q

Question 25:

Oliver travels frequently for work. His organization wants to implement an additional authentication method that considers his geographic location before granting access to sensitive systems. Which factor of multifactor authentication is the organization planning to use?

Something you are

Somewhere you are

Something you have

Something you know

A

Something you are

Correct answer

Somewhere you are

Something you have

Something you know

Overall explanation

OBJ 4.6: Somewhere you are uses a user's geographic location as an authentication element, often by verifying IP addresses or using GPS data. Something you are involves biometric factors such as fingerprints or retina scans, not geographic location. Something you have involves physical or digital possessions like security tokens or smartphones, not the user's location. Something you know typically involves knowledge-based factors like passwords or PINs, not geographic location.

Domain

4.0 - Security Operations
26
Q

Question 26:

During the decommissioning process of a database server, the IT department of Dion Training ensures that all stored customer data is rendered unrecoverable to protect against unauthorized access in the future. Which of the following practices is the IT department employing in this scenario?

Assignment

Sanitization

Inventory

Enumeration

A

Assignment

Correct answer

Sanitization

Inventory

Enumeration

Overall explanation

OBJ 4.2: Sanitization is a crucial process that ensures any data present on an asset, whether it's hardware or storage media, is thoroughly removed or modified to the point of being irrecoverable. This process is essential when repurposing, transferring, or disposing of assets to prevent unauthorized individuals from accessing or retrieving sensitive information. Assignment pertains to determining which entities are allocated specific assets, not rendering data irretrievable. While inventorying involves maintaining records of assets, it doesn't pertain to making data irretrievable. Enumeration involves listing and counting assets, not ensuring data is made unrecoverable.

Domain

4.0 - Security Operations
27
Q

Question 27:

Which of the following entities is responsible for providing detailed analysis and recommendations to the governance board to aid in informed decision-making, particularly in areas requiring specialized knowledge?

Committees

Executive Teams

Advisory Councils

Management Groups

A

Correct answer

Committees

Executive Teams

Advisory Councils

Management Groups

Overall explanation

OBJ: 5.1 - Committees are specialized groups that include subject matter experts who support the governance board with expert analysis and recommendations. While advisory councils may also provide advice, they are not solely responsible for in-depth analysis and recommendations for the governance board. Executive team members are part of the governance board with ultimate decision-making authority but may not focus on specific issues the way committees do. Management groups typically handle day-to-day operational decisions rather than providing specialized support to the governance board.

Domain

5.0 - Security Program Management and Oversight
28
Q

Question 28:

Which of the following statements BEST explains the importance of considering technical debt?

Technical debt can increase the complexity of long-term security issues, making automation and orchestration more difficult

Addressing technical debt helps organizations to automate security operations more effectively, reducing the need for human intervention

Technical debt only applies to non-security-related IT systems such as outdated software and hardware and does not impact the security posture of an organization

Considering technical debt allows organizations to prioritize cybersecurity investments based on the cost of eliminating debt

A

Correct answer

Technical debt can increase the complexity of long-term security issues, making automation and orchestration more difficult

Addressing technical debt helps organizations to automate security operations more effectively, reducing the need for human intervention

Technical debt only applies to non-security-related IT systems such as outdated software and hardware and does not impact the security posture of an organization

Considering technical debt allows organizations to prioritize cybersecurity investments based on the cost of eliminating debt

Overall explanation

OBJ 4.7: If unaddressed, technical debt can accumulate, leading to security vulnerabilities and increased system complexity, which can hinder automation and orchestration processes. Managing technical debt is about understanding and mitigating the risks associated with quick or temporary solutions rather than focusing solely on cybersecurity investments. While addressing technical debt supports system health, it does not directly reduce the need for human intervention in automation. Technical debt impacts both security and non-security systems, and accumulated debt in security systems can weaken the organization's security posture.

Domain

4.0 - Security Operations
29
Q

Question 29:

When analyzing cloud-specific vulnerabilities, which of the following factors is essential to ensure that the system can be quickly restored after a disruption?

Ease of Deployment

Patch Availability

Ease of Recovery

Microservices

A

Ease of Deployment

Patch Availability

Correct answer

Ease of Recovery

Microservices

Overall explanation

OBJ: 3.1 - Ease of recovery is vital in addressing how swiftly and efficiently a system can be restored after a disruption, especially when dealing with cloud-specific vulnerabilities. Microservices is an architectural style but does not directly address the restoration of systems after disruptions due to cloud-specific vulnerabilities. While patch availability is critical for addressing vulnerabilities, it doesn't directly measure the system's ability to recover from disruptions. Ease of deployment considers how easily systems can be installed and implemented; it isn't a consideration that addresses recovery.

Domain

3.0 - Security Architecture
30
Q

Question 30:

A software development company regularly releases software updates to its global customer base. Recently, some customers reported receiving unauthorized and potentially malicious software updates. The company is now seeking to implement a security technique to ensure the authenticity and integrity of its software updates when delivered to customers. Which of the following would BEST assist in achieving this goal?

IDS solution

MFA

Antivirus scanning

Code signing

A

IDS solution

MFA

Antivirus scanning

Correct answer

Code signing

Overall explanation

OBJ 4.1: Code signing is a security technique that allows software developers to digitally sign their software updates before distribution. By using cryptographic signatures, code signing ensures the authenticity and integrity of the software updates. When customers receive the updates, their systems can verify the signature to confirm that the update came from a trusted source and that it has not been altered during transmission. Code signing is an effective way for the company to guarantee the legitimacy of its software updates and protect customers from potentially malicious or unauthorized modifications. Multi-factor authentication (MFA) is commonly used to enhance user authentication and access control. However, it is not directly related to verifying the authenticity and integrity of software updates when delivered to customers. Antivirus scanning does not directly address the authenticity and integrity of software updates; it focuses on identifying and removing existing malware but does not ensure that the software updates are legitimate and have not been tampered with during distribution. An Intrusion Detection System (IDS) is valuable for identifying potential security incidents; however, it primarily focuses on network-level security and does not directly address the authenticity and integrity of software updates.

Domain

4.0 - Security Operations
31
Q

Question 31:

Dion Training Solutions is looking to upgrade their current firewall to one that can detect and block advanced threats, provide additional functions like intrusion prevention, and give them deep visibility into traffic. Which of the following types of firewalls is BEST described here?

NGFW

Stateful firewall

Packet-filtering firewall

Proxy firewall

A

Correct answer

NGFW

Stateful firewall

Packet-filtering firewall

Proxy firewall

Overall explanation

OBJ 3.2: NGFWs (next-generation firewalls) go beyond traditional firewalls by incorporating more advanced features like intrusion prevention, application awareness, and deep packet inspection. They provide enhanced visibility and can detect advanced threats, making them suitable for contemporary security challenges. Proxy firewalls act as intermediaries for requests from users seeking resources from other servers, filtering requests at the application layer. They don't inherently provide the advanced threat detection capabilities of NGFWs. A packet-filtering firewall examines packets and permits or denies them based on rules set for the source and destination IP addresses, protocols, and port numbers. It doesn't include the advanced features of NGFWs. A stateful firewall keeps track of the state of active connections and decides on packet allowance based on the context of the traffic. However, it doesn't offer the deeper visibility and advanced features of an NGFW.

Domain

3.0 - Security Architecture
32
Q

Question 32:

In disaster recovery planning, which of the following terms is used to describe the maximum targeted period in which data might be lost from an IT service due to a major incident?

SLA

RTO

MTBF

RPO

A

SLA

RTO

MTBF

Correct answer

RPO

Overall explanation

OBJ: 5.2 - RPO (recovery point objective) defines the maximum acceptable amount of data loss measured in time, determining how old backup data can be to resume normal operations after a failure. MTBF (mean time between failures) measures the average operational period between failures, relating to system reliability, not data recovery metrics. RTO (recovery time objective) indicates the target amount of time to restore IT and business activities post-disaster, focusing on downtime rather than data loss. SLA (service level agreement) details the agreed-upon level of service between a provider and client, without specific focus on data loss time frames.

Domain

5.0 - Security Program Management and Oversight
33
Q

Question 33:

Which of the following mitigation techniques can help enforce compliance with security standards and policies on a system or network by designating programs that are allowed to run and blocking all other programs from being run?

Application allow list

Configuration Enforcement

Least Privilege

Patching

A

Correct answer

Application allow list

Configuration Enforcement

Least Privilege

Patching

Overall explanation

OBJ: 2.5 - An application allow list is a technique that can help enforce compliance with security standards and policies on a system or network by using a list of approved applications that are allowed to run and blocking all other applications that may violate the standards or policies. The list contains applications that have been verified and authorized by the system or network administrator; anything not on it is blocked because it may not meet the security requirements or expectations of the system or network. Patching is a technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems, but it does not use a list of approved applications that are allowed to run and block all other applications that may violate the standards or policies. Configuration enforcement is a mitigation technique that can help prevent unauthorized or improper changes that increase a system or device's vulnerability to attack. By creating predefined security standards and policies, and enforcing them, configuration enforcement helps prevent the inadvertent or purposeful creation of vulnerabilities and security risks. This focuses on the configuration settings rather than the applications used within a system. Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker's access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. This focuses on limiting the user policies rather than the application itself.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
34
Q

Question 34:

At Dion Training, David is advising on cloud security best practices regarding a company's recent issue with logins. Which measure is the most crucial to recommend to them when safeguarding against unauthorized logon attempts?

Rely solely on the CSP's IAM for user management

Implementing MFA and using conditional authentication for risky logons

Allow programmatic access without unique secret keys

Leave default settings on Google's firewall

A

Rely solely on the CSP's IAM for user management

Correct answer

Implementing MFA and using conditional authentication for risky logons

Allow programmatic access without unique secret keys

Leave default settings on Google's firewall

Overall explanation

OBJ 4.1: Multi-factor authentication (MFA) combined with conditional authentication significantly bolsters security against unauthorized access, especially in cloud environments. While the CSP's IAM can provide fundamental user management, third-party solutions might offer advanced features tailored to specific organizational needs. Default settings might not cater to specific security needs, and leaving them unchanged can expose the system to vulnerabilities. Programmatic access without unique secret keys compromises security by not having an additional layer of protection against unauthorized interactions.

Domain

4.0 - Security Operations
35
Q

Question 35:

Which of the following BEST describes the primary purpose of designing sites as zones while deploying or upgrading physical security controls?

To maximize access controls for the most secure areas.

To increase the aesthetic appeal of the site.

To reduce costs associated with security infrastructure.

To simplify the design layout of the site.

A

Correct answer

To maximize access controls for the most secure areas.

To increase the aesthetic appeal of the site.

To reduce costs associated with security infrastructure.

To simplify the design layout of the site.

Overall explanation

OBJ: 5.1 - Organizing a site into distinct zones allows for specialized security measures to be applied where needed, ensuring that the most secure areas have the highest level of protection. While a zoned design may make certain aspects of a site's layout more understandable, its primary purpose is not simplification but security optimization. Physical security zones focus on safety and protection, not aesthetics. Zoning can help prioritize where resources are placed, but the main aim is to enhance security, not necessarily to reduce costs.

Domain

5.0 - Security Program Management and Oversight
36
Q

Question 36:

Which of the following mitigation techniques can help prevent users from making changes to the security features of devices by applying predefined security standards?

Configuration enforcement

Patching

Least Privilege

Encryption

A

Correct answer

Configuration enforcement

Patching

Least Privilege

Encryption

Overall explanation

OBJ: 2.5 - Configuration enforcement is a mitigation technique that can help prevent unauthorized or improper changes that increase a system or device's vulnerability to attack. By creating predefined security standards and policies, and enforcing them, configuration enforcement helps prevent the inadvertent or purposeful creation of vulnerabilities and security risks. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems. It ensures that the software is the most secure version, but does not ensure that the settings comply with predefined security standards and policies. Encryption is a technique that can help protect data from unauthorized access or modification by transforming it into an unreadable format. Encryption involves using mathematical algorithms and secret keys to encrypt and decrypt data, but it does not ensure that device settings comply with predefined security standards and policies. Least privilege (OBJ: 2.4) is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker's access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. It ensures that users don't have greater access than their job requires, but it doesn't enforce security settings.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
37
Q

Question 37:

After the IT department proposed a new software update, Kevin, a system analyst, evaluates the potential effects of this change on system performance, user experience, and business processes. Which term BEST describes Kevin's evaluation?

Version control

Approval process

Impact analysis

Backout plan

A

Version control

Approval process

Correct answer

Impact analysis

Backout plan

Overall explanation

OBJ: 1.3 - Impact analysis is the process of evaluating and forecasting the outcomes of a proposed alteration; it involves a comprehensive analysis of how the change might ripple through an organization or system. This approach ensures that decision-makers are fully informed of potential ramifications, both positive and negative. By understanding these possible effects, an organization can better prepare, mitigate risks, and optimize the benefits. Such assessments often consider impacts on workflows, personnel, technology infrastructure, financial resources, and customer experiences. An approval process is a formalized procedure to ensure changes are reviewed and approved before implementation. A backout plan is a strategy outlining the steps to revert changes if they lead to unforeseen complications or do not meet the desired outcomes. Version control is a system that records changes to a file or set of files over time, allowing specific versions to be recalled later.

Domain

1.0 - General Security Concepts
38
Q

Question 38:

What part of PKI allows the storing of encrypted keys with a third party so keys can be recovered if they are lost?

Public key infrastructure

Key escrow

Key generation

Key exchange

A

Public key infrastructure

Correct answer

Key escrow

Key generation

Key exchange

Overall explanation

OBJ: 1.4 - Key escrow is a system in which a copy of a cryptographic key is given to a third party. This allows for the recovery of keys if they are lost. Public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. Key generation is the process of generating keys in cryptography. It does not involve a third party having access to encrypted data. Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

Domain

1.0 - General Security Concepts
39
Q

Question 39:

You are a security analyst for an enterprise that has recently experienced several security incidents related to web browsing. Management has decided to implement a centralized proxy solution to enhance security and mitigate the risk of future incidents. Which of the following actions would be the MOST effective way to enhance security with the centralized proxy in the given scenario?

Permitting employees to install browser extensions from trusted sources to enhance their browsing experience

Enforcing the use of HTTP for all web traffic to ensure compatibility with older browsers

Allowing unrestricted access to internal resources for users who are connected to the corporate network

Implementing SSL inspection to monitor and control encrypted web traffic

A

Permitting employees to install browser extensions from trusted sources to enhance their browsing experience

Enforcing the use of HTTP for all web traffic to ensure compatibility with older browsers

Allowing unrestricted access to internal resources for users who are connected to the corporate network

Correct answer

Implementing SSL inspection to monitor and control encrypted web traffic

Overall explanation

OBJ 4.5: SSL inspection (TLS interception) allows a centralized proxy to decrypt and inspect HTTPS traffic, providing visibility to detect and block encrypted threats and enhancing protection against attacks and data exfiltration. Allowing unrestricted internal access bypasses these protections and increases the risk of unauthorized access. Enforcing HTTP is insecure because the data is unencrypted; HTTPS should be required for confidentiality and integrity. Permitting employees to install browser extensions, even from trusted sources, can introduce vulnerabilities, potentially compromising the security established by the centralized proxy.

Domain

4.0 - Security Operations
40
Q

Question 40:

Enrique was validating the integrity of files in the company's database when he came across two distinct files that, surprisingly, had the same cryptographic hash value. Understanding the implications, Enrique immediately escalated the situation, realizing this could be a potential vulnerability in the hashing algorithm in use. Which of the following BEST describes the anomaly Enrique found in Kelly Innovations LLC's file signatures?

Brute force attack

Time memory trade-off

Cryptographic collision

Hash extension attack

A

Brute force attack

Time memory trade-off

Correct answer

Cryptographic collision

Hash extension attack

Overall explanation

OBJ: 2.4 - A cryptographic collision occurs when two different sets of data produce the same hash output. This poses a risk as it undermines the reliability of the hashing algorithm, potentially allowing data manipulation without detection. In a hash extension attack, an attacker, knowing the hash of a given input, appends new data to produce a new hash without knowing the original data. It's about extending the original hash rather than finding collisions. In a brute force attack, an attacker attempts to find a matching hash value by trying all possible inputs until a match is found. While it involves hashes, it doesn't concern two different data sets producing the same hash. Time memory trade-off is a technique to speed up password cracking by precomputing the hash values of possible passwords and storing them. This doesn't involve two distinct data sets having the same hash value.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
41
Q

Question 41:

A financial services firm processes high volumes of transactions daily. To minimize data loss in case of a system failure, which backup frequency would you most likely recommend?

Daily incremental backups

Differential backups

Weekly full backups

Continuous backups

A

Daily incremental backups

Differential backups

Weekly full backups

Correct answer

Continuous backups

Overall explanation

OBJ 3.4: Continuous backups allow near-instantaneous backup of changed data, ensuring minimal data loss during failures, which is especially crucial for high-volume transaction systems. Weekly full backups involve backing up the entire database every week, posing a risk of losing up to a week's worth of transactions if a failure occurs. Daily incremental backups capture all the changes made since the last backup, usually done at the end of the day, risking loss of a day's transactions. Differential backups save data changed since the last full backup, often done weekly, leading to potential data loss of several days.

Domain

3.0 - Security Architecture
42
Q

Question 42:

Which of the following mitigation techniques can help reduce the exposure of systems to potential attacks by turning off unneeded or unwanted network communication channels?

Patching

Disabling ports and protocols

Removing unnecessary software

Changing Default Passwords

A

Patching

Correct answer

Disabling ports and protocols

Removing unnecessary software

Changing Default Passwords

Overall explanation

OBJ: 2.5 - Disabling ports and protocols is a hardening technique that can help reduce exposure to potential attacks. This can be done on firewalls, switches, routers, and hosts to close or block any network ports or protocols that aren't needed for the normal operation of the systems and devices. Ports are numerical identifiers that specify the destination or source of network traffic, and protocols are rules or standards that define how network traffic is formatted or transmitted. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems. This doesn't involve turning off or blocking any network communication channels that are not needed or used. Removal of unnecessary software is a hardening technique that can help reduce the attack surface of systems and devices by removing unused or unneeded software. The more software there is on a system, the more exposure there is to vulnerabilities. If the software is not needed or used, there is no purpose in having the extra exposure. While this will harden the system, it doesn't alter the channels of communication. Changing default passwords is a hardening technique that can help prevent some password attacks on systems and devices. This is done by changing the default or factory-set passwords that may be easily cracked by automated tools or dictionaries because they are often reused or drawn from a small pool of passwords. Password managers, password generators, and security policies can be used to create and enforce the use of strong and unique passwords for each system and device. This will protect the system, but doesn't alter the channels of communication.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
43
Question 43:

Recently, Antatack, a martial arts company, has had a data breach. Barzan, a security analyst, was hired to investigate. He found a rogue WAP near the building. The attacker used the WAP to gain information about Antatack's clients. Which of the following network attacks is BEST demonstrated by this finding?

Reflected

Amplified

Wireless

On-path

Reflected

Amplified

Your answer is incorrect

Wireless

Correct answer

On-path

Overall explanation

OBJ: 2.4 - An on-path attack is a type of network attack that involves intercepting or modifying data in transit between two parties, such as by using a packet sniffer or a proxy server, or, in the case above, a rogue WAP. A reflected attack is a type of distributed denial-of-service (DDoS) attack that involves sending requests with spoofed source IP addresses to servers that redirect the responses to the target server, reflecting the traffic back to it. A wireless attack is a type of network attack that involves exploiting vulnerabilities or weaknesses in wireless networks or devices, such as encryption, authentication, or configuration. Although the attack took place through a wireless device, it wasn't due to specific vulnerabilities or weaknesses of the wireless devices and networks. An amplified attack is a type of DDoS attack that involves sending requests with spoofed source IP addresses to servers that generate large responses, amplifying the traffic sent to the target server.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
44
Question 44:

Hair and There, an online beauty supply store, has conducted a comprehensive risk assessment and identified potential vulnerabilities in their network infrastructure. They recognize that another global pandemic would seriously harm their business and is a considerable risk. After careful analysis, they determine that they simply cannot control whether another pandemic occurs. They take measures to help reduce the types of damage a pandemic will cause and then hope that it doesn't happen. Which risk management strategy are they employing?

Mitigate

Transfer

Accept

Avoid

Correct answer

Mitigate

Transfer

Your answer is incorrect

Accept

Avoid

Overall explanation

OBJ: 5.2 - Mitigating the risk means implementing measures or controls to reduce the potential impact or likelihood of the risk event occurring. Accepting the risk means the organization acknowledges the risk and does not take any specific actions to mitigate it. In the scenario above, they do take some measures to reduce the impact, so they are not just accepting the risk. Transferring the risk involves shifting the financial burden of potential losses to a third party, such as an insurance company. There is no mention of bringing in a third party to accept some of the financial burden for a pandemic. Avoiding the risk involves eliminating the risk entirely by refraining from activities or situations that could expose the organization to potential threats. They are not avoiding the risk since they are taking actions to minimize the impact. If they were avoiding the risk, they would probably close the business, since avoiding involves not undertaking the activity that is risky.

Domain

5.0 - Security Program Management and Oversight
45
Question 45:

What is a similarity between data exfiltration and espionage as motivations for threat actors?

Philosophical/political beliefs

Obtaining sensitive/confidential information

Financial gain

Service disruption

Philosophical/political beliefs

Correct answer

Obtaining sensitive/confidential information

Financial gain

Your answer is incorrect

Service disruption

Overall explanation

OBJ: 2.1 - A similarity between data exfiltration and espionage as motivations for threat actors is that both involve obtaining sensitive or confidential information from a system or network, such as trade secrets, intellectual property, or personal data. Philosophical/political beliefs are not a similarity between data exfiltration and espionage as motivations for threat actors, as data exfiltration can be done for various reasons or goals, while espionage can be done for obtaining strategic or tactical information from a rival entity. Financial gain is not a similarity between data exfiltration and espionage as motivations for threat actors, as data exfiltration can be done for monetary benefits, such as selling stolen data, while espionage can be done for strategic or tactical benefits, such as obtaining government secrets. Service disruption is not a similarity between data exfiltration and espionage as motivations for threat actors, as data exfiltration does not impair the availability or functionality of a system or network, while espionage can involve launching denial-of-service attacks, defacing websites, or deleting files.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
46
Question 46:

Kelly Innovations LLC has integrated a new payment gateway into their application. To ensure no potential security gaps exist, especially related to data breaches or financial data leaks, which of the following actions would be the MOST effective?

Engaging penetration testers to mimic real-world hacking techniques

Updating the application to its latest version post-integration

Deploying a new intrusion detection system for the payment module

Ensuring two-factor authentication is enabled for application users

Correct answer

Engaging penetration testers to mimic real-world hacking techniques

Updating the application to its latest version post-integration

Deploying a new intrusion detection system for the payment module

Your answer is incorrect

Ensuring two-factor authentication is enabled for application users

Overall explanation

OBJ 4.3: Penetration testing simulates actual cyber-attack scenarios, ensuring the payment gateway is resistant to known exploitation techniques. Intrusion detection monitors for attacks but doesn't actively identify potential vulnerabilities in new integrations. While updates are crucial, they don't inherently guarantee the security of newly integrated components. 2FA enhances user security, but it doesn't directly evaluate the robustness of the new payment gateway.

Domain

4.0 - Security Operations
47
Question 47:

Which of the following BEST explains the importance of exceptions and exemptions in vulnerability management?

Exceptions and exemptions are official authorizations that allow specific deviations from established security policies or baseline controls

Exceptions and exemptions allow systems to completely bypass all security policies for maximum efficiency

Exceptions and exemptions permit organizations to ignore all known vulnerabilities without any consequences from internal procedures but don't affect government compliance

Exceptions and exemptions are designed to eliminate the need for regular audits by providing an all-access pass to privileged users

Correct answer

Exceptions and exemptions are official authorizations that allow specific deviations from established security policies or baseline controls

Exceptions and exemptions allow systems to completely bypass all security policies for maximum efficiency

Your answer is incorrect

Exceptions and exemptions permit organizations to ignore all known vulnerabilities without any consequences from internal procedures but don't affect government compliance

Exceptions and exemptions are designed to eliminate the need for regular audits by providing an all-access pass to privileged users

Overall explanation

OBJ 4.3: Exceptions and exemptions grant official permission for particular deviations from security policies or baseline controls, occurring under controlled conditions and ongoing monitoring. They are typically employed when compliance with a specific control isn't feasible but where alternate measures can manage the associated risks. Exceptions and exemptions don't eliminate the necessity for regular audits. They provide authorized deviation from specific policies or controls but still require appropriate oversight. Although exceptions and exemptions allow for deviations from some security policies, they don't permit an entire bypass of all security measures. The process is managed, and the security impact is assessed and accepted. Although exceptions and exemptions allow some deviations from specific security controls, they don't authorize organizations to ignore known vulnerabilities without mitigating actions or risk acceptances.

Domain

4.0 - Security Operations
48
Question 48:

You are a cybersecurity analyst for a large enterprise that has experienced several security incidents resulting from insider threats and compromised user accounts. The organization wants to enhance its security posture by implementing User Behavior Analytics (UBA). Which of the following approaches would be the MOST effective way to implement UBA for the given scenario?

Deploying UBA on all endpoint devices to monitor user interactions and application usage

Configuring UBA to perform scheduled scans of all user accounts to prevent any anomalies

Implementing UBA on the organization's perimeter firewalls to analyze incoming and outgoing network traffic

Using UBA to monitor and analyze the activities of privileged users with elevated access rights only

Correct answer

Deploying UBA on all endpoint devices to monitor user interactions and application usage

Configuring UBA to perform scheduled scans of all user accounts to prevent any anomalies

Your answer is incorrect

Implementing UBA on the organization's perimeter firewalls to analyze incoming and outgoing network traffic

Using UBA to monitor and analyze the activities of privileged users with elevated access rights only

Overall explanation

OBJ 4.5: Deploying User Behavior Analytics (UBA) on endpoints enables detailed monitoring of user interactions to detect insider threats and compromised accounts through behavior analysis. Endpoint-based UBA provides broader visibility than perimeter firewalls, which are less suited for tracking internal user activity. Monitoring all users, not just privileged ones, ensures potential threats from any account are detected. UBA is most effective with real-time alerts, as scheduled scans may miss active threats. Additionally, while UBA can detect anomalies, it does not prevent them.

Domain

4.0 - Security Operations
49
Question 49:

Which of the following terms refers to a document that defines tasks that different parties perform in a cloud service agreement?

Microservices

Responsibility matrix

Hybrid considerations

Third-party vendors

Microservices

Correct answer

Responsibility matrix

Hybrid considerations

Your answer is incorrect

Third-party vendors

Overall explanation

OBJ: 3.1 - A responsibility matrix is a document that defines the roles and responsibilities of different parties involved in a cloud service agreement, such as the cloud service provider, the cloud customer, and the cloud user. It clarifies who is accountable for which aspects of security, compliance, and operations in a cloud environment. Hybrid considerations refer to the factors that need to be taken into account when designing and deploying a hybrid cloud solution, which combines public and private cloud resources. They do not refer to a document that defines roles and responsibilities. Third-party vendors refer to external entities that provide services or products to an organization, such as cloud service providers, software developers, or consultants. They are not a document that defines roles and responsibilities. Microservices is a form of software architecture. It describes a highly decentralized system that doesn't depend on one type of platform to work. It isn't related to a cloud service agreement.

Domain

3.0 - Security Architecture
50
Question 50:

Which of the following motivations is common among Hacktivists?

Data exfiltration

Espionage

Service disruption

Political beliefs

Data exfiltration

Espionage

Service disruption

Your answer is correct

Political beliefs

Overall explanation

OBJ: 2.1 - Philosophical/political beliefs are motivations that drive a threat actor to conduct cyberattacks based on their moral principles or values, or their opinions or views on certain issues or causes. A hacktivist is motivated by philosophical/political beliefs and usually targets organizations or entities that they disagree with. Data exfiltration is the unauthorized transfer of data from a system or network to another location. A hacktivist may conduct data exfiltration as part of their cyberattacks, but it is not their primary motivation. Their goal is to draw attention to actions they perceive as unethical and to promote their political and philosophical views. Service disruption is the act of interrupting or degrading the availability or performance of a system or network. A hacktivist may conduct service disruption as part of their cyberattacks, but it is not their primary motivation. Their goal is to draw attention to actions they perceive as unethical and to promote their political and philosophical views. Espionage is the act of obtaining secret or confidential information without the permission of the holder of the information. A hacktivist is unlikely to conduct espionage, as it may violate the laws or ethics of their profession or organization. Their goal is to draw attention to actions they perceive as unethical and to promote their political and philosophical views.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
51
Question 51:

While browsing the company portal of Dion Training Solutions, Tina, an employee, attempted to access a link to a third-party site she frequently uses for market research. Instead of reaching the site, she received a message stating that access to this URL was denied due to policy violations. Which of the following terms BEST describes the action experienced by Tina?

Content filtering

Firewall rejection

Blocked content

Malicious URL

Content filtering

Firewall rejection

Your answer is correct

Blocked content

Malicious URL

Overall explanation

OBJ: 2.4 - Content blocking occurs when access to specific websites or links is denied based on company policies or security concerns. Tina's inability to access her usual third-party site, despite being able to previously, is indicative of this. Firewall rejection occurs when traffic is blocked by a firewall due to security rules. The scenario does not provide enough information to determine if a firewall was the reason Tina could not access the site. While the URL might be deemed risky or against company policy, there's no direct indication in the scenario that the URL is malicious. Content filtering refers to the practice of blocking or allowing content based on specific criteria, like harmful websites. While related, this term is broader, and the scenario specifically describes blocked content.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
52
Question 52:

Which of the following is a type of unsecure wireless network that uses short-range radio waves to connect devices without encryption or authentication?

Bluetooth

Ethernet

Wi-Fi

Cellular

Correct answer

Bluetooth

Ethernet

Wi-Fi

Your answer is incorrect

Cellular

Overall explanation

OBJ: 2.2 - Bluetooth is a type of unsecure wireless network that uses short-range radio waves to connect devices without encryption or authentication, which can allow attackers to access nearby devices or intercept network traffic. Wi-Fi can be unsecure, but it doesn't use short-range radio waves, and it can be secured with encryption and authentication protocols such as WPA2 or WPA3. Cellular is a type of wireless network that can allow users to access the internet or make voice calls using cellular towers, not short-range radio waves. It can be secured with encryption and authentication protocols such as GSM or LTE. Ethernet is a type of wired network that can allow users to access the internet or other devices using cables. It can be secured with encryption and authentication protocols such as 802.1X or MAC filtering.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
53
Question 53:

Dion Training Solutions is implementing a security system for its research facility, where sensitive data is stored. If the access control system fails, which mode should be adopted to ensure that no unauthorized personnel can enter the facility, even if it means some inconvenience to authorized staff?

Fail-open

Rate-based filtering

Fail-closed

Passive mode

Fail-open

Rate-based filtering

Your answer is correct

Fail-closed

Passive mode

Overall explanation

OBJ 3.2: When security is paramount, as with sensitive data storage, a fail-closed mode ensures that all access requests are denied during system malfunctions, preventing any potential unauthorized access. Rate-based filtering involves limiting traffic based on a predefined rate, which would not be as useful in this scenario as fail-closed. In passive mode, the firewall monitors traffic without actively blocking or allowing it. This can be useful for observing traffic patterns but wouldn't be ideal for a mission-critical system where active protection is essential. Fail-open mode would allow all access requests during a malfunction. In a high-security environment, this could lead to unauthorized access to sensitive data.

Domain

3.0 - Security Architecture
54
Question 54:

Dion Training Solutions, a software-as-a-service company, began facing latency issues and, in some cases, outages. The IT team found that a massive amount of traffic was flooding in, but the peculiarity was that the incoming data appeared to be responses to requests that the company never made. These responses came from a wide range of IP addresses scattered globally. Which of the following types of malicious activities is BEST described in this scenario?

Phishing campaign

Amplified DDoS attack

SQL injection

Reflected DDoS attack

Phishing campaign

Amplified DDoS attack

Your answer is incorrect

SQL injection

Correct answer

Reflected DDoS attack

Overall explanation

OBJ: 2.4 - In a reflected DDoS attack, the attacker sends requests to multiple third-party servers using a forged source IP address, which is the victim's IP. These servers then respond to the victim, thinking the requests originated there. The broad range of responding IP addresses and the nature of the incoming traffic as "responses" indicate a reflected attack. A SQL injection attack attempts to execute malicious SQL code in a web application's database, but it doesn't cause a widespread influx of response traffic. While an amplified DDoS attack also involves the use of forged IP addresses, it typically relies on a smaller set of servers to send an amplified amount of traffic to the victim. A phishing campaign is a method of trying to gather personal information using deceptive emails and websites. It doesn't result in an influx of unsolicited traffic responses.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
55
Question 55:

Reed is getting a new computer from his employer, Kelly Innovations LLC. He wants to remove all his personal data from his old computer, ensuring it's irretrievable. Which of the following methods should he use?

Secure erase

Disk defragmentation

Emptying the recycle bin

System restore

Correct answer

Secure erase

Disk defragmentation

Emptying the recycle bin

Your answer is incorrect

System restore

Overall explanation

OBJ 4.2: Secure erase involves overwriting data in a manner that ensures it's permanently removed and unrecoverable. It's the gold standard for data destruction on a storage device, ensuring utmost privacy and security. System restore reverts the system to a previously saved state. While it can undo recent changes and might remove some data, it doesn't guarantee the thorough deletion of all personal data and isn't designed for data erasure. Disk defragmentation is a process aimed at optimizing storage by rearranging fragmented data on a disk. It helps improve system performance but doesn't focus on securely deleting data. Data remains intact post-defragmentation. While emptying the recycle bin removes files from visible access on a system, it doesn't guarantee their permanent deletion. Specialized tools can often recover such data, so it's not as secure as one might think.

Domain

4.0 - Security Operations
56
Question 56:

Which of the following mitigation techniques inspects and controls incoming and outgoing network traffic on a per-application basis?

Host-based Firewall

Intrusion Detection System

Network Segmentation

Data Loss Prevention

Correct answer

Host-based Firewall

Intrusion Detection System

Network Segmentation

Your answer is incorrect

Data Loss Prevention

Overall explanation

OBJ 2.5 - The most effective technique for inspecting and controlling network traffic on a per-application basis is a Host-based Firewall. Host-based firewalls monitor and manage network access specific to each application on a device, filtering incoming and outgoing traffic based on security rules for individual apps. In contrast, an Intrusion Detection System (IDS) identifies potential threats but doesn't regulate traffic at the application level. Network Segmentation separates network areas without inspecting specific application traffic, and Data Loss Prevention (DLP) focuses on protecting sensitive data rather than managing application-level network flow.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
57
Question 57:

Which of the following techniques replaces sensitive data with fictitious, but structurally similar, data to protect it in non-production or test environments?

Encryption

Hashing

Segmentation

Masking

Encryption

Hashing

Segmentation

Your answer is correct

Masking

Overall explanation

OBJ 3.3: Masking uses fictitious data, or obfuscates original data, to protect sensitive data, especially in non-production environments. Hashing transforms data into a string of fixed length; it doesn't substitute fictitious data. Segmentation refers to dividing a network into smaller parts to control traffic and enhance security; it does not involve the substitution of data. Encryption involves converting data into a code to prevent unauthorized access but does not substitute dummy data.

Domain

3.0 - Security Architecture
58
Question 58:

Which agreement type outlines the specific services to be provided by the vendor, along with associated timelines and costs?

MOA

SLA

SOW

MSA

MOA

SLA

Correct answer

SOW

Your answer is incorrect

MSA

Overall explanation

OBJ: 5.3 - A statement of work (SOW) specifies the detailed scope of work, tasks, deliverables, timelines, and costs for a specific project or engagement with the vendor. A memorandum of agreement (MOA) typically outlines a broader understanding or collaboration between parties, but it may not necessarily include specific services, timelines, and costs as in this context. A service-level agreement (SLA) is a specific type of agreement that defines the level of service expected from the vendor, including performance metrics, response times, and other service-related terms. An MSA is a comprehensive contract that sets forth the general terms and conditions that will govern multiple future engagements between the parties. It may reference specific work orders or statements of work for individual projects.

Domain

5.0 - Security Program Management and Oversight
59
Question 59:

Which option BEST explains the importance of having vulnerability scanners?

Vulnerability scanners are responsible for monitoring user activities and detecting suspicious behavior on the network

Vulnerability scanners continuously monitor network traffic and identify potential security breaches

Vulnerability scanners are critical in detecting and assessing security weaknesses in applications and systems

Vulnerability scanners detect and mitigate many potential problems on a wide variety of devices

Vulnerability scanners are responsible for monitoring user activities and detecting suspicious behavior on the network

Vulnerability scanners continuously monitor network traffic and identify potential security breaches

Your answer is correct

Vulnerability scanners are critical in detecting and assessing security weaknesses in applications and systems

Vulnerability scanners detect and mitigate many potential problems on a wide variety of devices

Overall explanation

OBJ: 4.4 - Vulnerability scanners are essential for detecting and assessing security weaknesses in systems and applications. By proactively addressing potential vulnerabilities, organizations can enhance their overall security posture and reduce the risk of exploitation. Vulnerability scanners are used to detect and assess security weaknesses in systems and applications. They do not monitor user activities or detect suspicious behavior. While monitoring network traffic is vital, vulnerability scanners are primarily focused on identifying security weaknesses. They don't run continuously. Vulnerability scanners detect potential problems, but they don't mitigate them. Once problems are detected, security officials and others are responsible for mitigating what the vulnerability scanners found.

Domain

4.0 - Security Operations
60
Question 60:

Emily is part of the IT team and oversees the secure transmission of sensitive data within her organization, ensuring that all systems comply with integrity protocols. She monitors for any inconsistencies or issues that could compromise data integrity. What role does Emily most likely hold?

Data Controller

Data Owner

Data Processor

Data Custodian

Data Controller

Data Owner

Your answer is incorrect

Data Processor

Correct answer

Data Custodian

Overall explanation

OBJ 5.1 - Emily's role is most likely that of a Data Custodian. As a Data Custodian, she is responsible for ensuring the secure transmission of data and maintaining data integrity by monitoring for inconsistencies or potential issues. The Data Owner would set the data access policies and security requirements but would not be directly involved in system monitoring. The Data Controller defines data processing purposes, while the Data Processor handles data according to the controller's instructions, without managing integrity protocols.

Domain

5.0 - Security Program Management and Oversight
61
Question 61:

Dion Training Solutions recently integrated a single security solution that provides multiple security functions at one point on their network. This solution incorporates functionalities such as intrusion prevention, gateway anti-virus, and VPN. Which of the following BEST describes this solution?

Firewall

VPN gateway

IPS

UTM

Firewall

VPN gateway

IPS

Your answer is correct

UTM

Overall explanation

OBJ 3.2: UTM (unified threat management) consolidates various security functionalities into a single appliance. It provides comprehensive protection by merging multiple security features, including intrusion detection/prevention, firewall capabilities, content filtering, and anti-malware tools, into one solution. A firewall is specifically designed to block unauthorized access while permitting outward communication. It does not typically include features like antivirus or VPN on its own. A VPN gateway allows users to connect to a private network securely over the internet. It doesn't include other security functions like intrusion prevention or antivirus. While an IPS (intrusion prevention system) can detect and prevent network attacks in real time, it doesn't inherently offer the broad spectrum of functionalities, like gateway anti-virus and VPN, that a UTM does.

Domain

3.0 - Security Architecture
62
Question 62:

Which of the following statements BEST explains the purpose of Netflow?

Netflow is a protocol used for secure data transmission and encryption between devices on a network

Netflow is a type of firewall that inspects network traffic and blocks malicious packets to prevent cyber-attacks

Netflow is a hardware-based security appliance that monitors and filters network traffic to prevent unauthorized access

Netflow is a network tool that provides visibility into network traffic and helps identify potential security threats

Netflow is a protocol used for secure data transmission and encryption between devices on a network

Netflow is a type of firewall that inspects network traffic and blocks malicious packets to prevent cyber-attacks

Your answer is incorrect

Netflow is a hardware-based security appliance that monitors and filters network traffic to prevent unauthorized access

Correct answer

Netflow is a network tool that provides visibility into network traffic and helps identify potential security threats

Overall explanation

OBJ: 4.4 - Netflow is a network monitoring and analysis tool that provides visibility into network traffic, allowing administrators to understand and analyze the flow of data across the network. This helps identify potential security threats and abnormal behavior. Netflow is not a hardware-based security appliance but rather a network monitoring and analysis tool. Netflow is not a firewall; it serves a different function related to network monitoring. While secure data transmission and encryption are essential, Netflow is not a protocol used for these purposes.

Domain

4.0 - Security Operations
63
Question 63:

If a company's server has an estimated Single Loss Expectancy (SLE) of $15,000 due to an operational failure, and the Annual Rate of Occurrence (ARO) of these failures is expected to be 0.1 times per year, what is the Annual Loss Expectancy (ALE)?

$15,000

$150

$1,500

$150,000

$15,000

$150

Correct answer

$1,500

Your answer is incorrect

$150,000

Overall explanation

OBJ: 5.2 - The ALE is calculated by multiplying the SLE by the ARO. With an SLE of $15,000 and an ARO of 0.1, the ALE equals $1,500 ($15,000 * 0.1 = $1,500). This represents the expected yearly financial loss due to operational failures. $150 isn't correct. $15,000 isn't correct. $150,000 isn't correct.

Domain

5.0 - Security Program Management and Oversight
64
Q

Question 64:

Which of the following statements BEST explains the importance of 'continuous' integration for the security of an organization?

Continuous integration automatically generates regular backups of critical data and encrypts them

Continuous integration allows for real-time monitoring of network activities

Continuous integration makes collaboration of security teams and developers easier

Continuous integration automates the process of updating and patching software

A

Correct answer: Continuous integration makes collaboration of security teams and developers easier

Overall explanation

OBJ 4.7: Continuous integration promotes the seamless collaboration of security teams and developers by integrating code changes regularly into a shared repository. This practice helps in identifying and addressing security issues early in the development process, ensuring that security is prioritized throughout the software development lifecycle. By incorporating security from the outset, organizations can build more secure software and reduce the likelihood of vulnerabilities. Continuous integration is not specifically related to real-time monitoring of network activities. Continuous integration is more focused on the process of integrating code changes frequently into a shared repository to ensure that software development is consistent and streamlined. Continuous integration is not specifically focused on generating data backups.

Domain

4.0 - Security Operations
65
Q

Question 65:

An application creates a temporary file to save a value for later use. A malicious actor deletes this file after its creation but before its subsequent use by the application. What type of vulnerability is being exploited in this situation?

Memory injection

Race conditions

Memory leaks

Time-of-use (TOU)

A

Correct answer: Time-of-use (TOU)

Overall explanation

OBJ: 2.3 - A Time-of-use (TOU) vulnerability arises when there's an opportunity for an attacker to manipulate a resource after its creation but before its use by an application. While memory injection deals with injecting malicious code into a system's memory, it's not related to manipulating temporary files between creation and use. Though race conditions refer to the unexpected order and timing of events, the specific act of manipulating a temporary file between its creation and use is a classic TOU scenario. Memory leaks involve software not releasing memory that it no longer uses, potentially leading to reduced system performance, and do not concern data manipulation between creation and use.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
66
Q

Question 66:

Which of the following BEST describes a threat actor whose primary motivation is to obtain unauthorized access to credit card data?

Ethical belief

Chaos

Financial gain

War

A

Correct answer: Financial gain

Overall explanation

OBJ: 2.1 - Threat actors motivated by financial gain primarily focus on obtaining valuable data, such as credit card information, with the intent of illegally monetizing it, often selling it on the dark web or using it for unauthorized transactions. Some hackers, often termed "hacktivists," are driven by a moral or ethical belief system, seeking to bring attention to perceived wrongs or injustices rather than personal profit. Some attackers aim to create chaos by deploying disruptive malware or launching widespread attacks, not necessarily to gain personally but to observe the resultant disorder. War as a motivation is often associated with state-backed groups or nation-states that deploy cyberattacks as part of a broader strategy, often tied to geopolitical objectives.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
67
Q

Question 67:

Toby has just started a new job and, on his first day, is given a stack of documents to review and sign. Among these, he finds a document prohibiting the use of his business email address for personal purchases online. This catches him off guard, as he had previously used his company email for similar purchases at his last job. After some consideration, he realizes that using a business email for non-business activities could pose security risks for the company. He signs the document. What kind of document did Toby just sign?

A Physical Security Standard

Incident response policy

Onboarding/Offboarding Procedure

AUP

A

Correct answer: AUP

Overall explanation

OBJ: 5.1 - An AUP (Acceptable Use Policy) defines the rules and guidelines for the appropriate and acceptable use of an organization's IT resources. It outlines the dos and don'ts for employees regarding the use of company devices, networks, software, and data. An incident response policy outlines the steps and procedures to be followed in response to security incidents or breaches. It provides guidance on detecting, reporting, and responding to incidents effectively, minimizing potential damage, and recovering from security breaches. The onboarding/offboarding procedure involves the processes and tasks related to welcoming new employees (onboarding) and handling the departure of employees (offboarding) within an organization. Signing an AUP might be part of the procedure, and Toby is definitely completing these procedures, but the question asks what he is signing. The physical security standard deals with protecting the physical assets and facilities of an organization. This is not a document employees normally sign; rather, it provides guidelines for security personnel.

Domain

5.0 - Security Program Management and Oversight
68
Q

Question 68:

Dion Training is implementing a security device tasked with inspecting live network traffic and taking immediate action to mitigate potential threats. Which of the following security items would MOST effectively satisfy this requirement?

Fail-closed mode

An active device

A passive device

Fail-open mode

A

Correct answer: An active device

Overall explanation

OBJ 3.2: An active device interacts with network traffic and can take immediate actions, such as blocking or altering packets, when possible threats are identified. This fits the scenario described. In fail-closed mode, the system automatically denies all traffic to prevent potential security breaches when it cannot ascertain the safety of the traffic due to a system or connectivity failure. Fail-open mode allows traffic to continue in case of a device failure but does not involve interacting with network traffic to take immediate actions against potential threats. A passive, or tap/monitor, device inspects network traffic without directly interacting with it or taking immediate action against potential threats.

Domain

3.0 - Security Architecture
69
Q

Question 69:

While conducting a routine system audit at Kelly Innovations LLC, Enrique, a senior IT administrator, stumbled upon a startling discovery. He found that Jamario, a junior database analyst whose responsibilities typically revolved around running simple queries and generating weekly reports, suddenly had permissions to modify core database structures, including adding and removing tables. Further analysis revealed that these permissions weren't granted through the company's formal access control procedure. Enrique suspected an external intervention that could have allowed Jamario's account to bypass the standard role-based permissions. This is an example of:

Access control list tampering

SQL injection

Privilege escalation

Session hijacking

A

Correct answer: Privilege escalation

Overall explanation

OBJ: 2.4 - Privilege escalation attacks target vulnerabilities in systems to elevate a user's access rights beyond what they were originally assigned. In this scenario, Jamario's account, which typically had limited access, was somehow escalated to have higher permissions, enabling unauthorized modification of the database structures. An SQL injection attack allows an attacker to insert malicious SQL code into a query, which can then be executed by the database. While it can potentially lead to unauthorized data access, it doesn't revolve around changing a user's set permissions. ACL tampering involves altering an Access Control List to change the permissions on objects. Although it relates to permissions, it focuses on the direct manipulation of the ACL, not on escalating a user's role or permissions in a system. Session hijacking involves an attacker taking control of a user session after successfully stealing or predicting a valid session ID. It doesn't inherently grant elevated permissions within a system, but rather takes advantage of existing ones.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
70
Q

Question 70:

Dion Training Solutions has partnered with several smaller companies. They set up a system allowing employees from any company to access resources from another partner company without requiring a separate username and password. Which of the following is this an example of?

Federation

Centralized access management

Access delegation

RBAC

A

Correct answer: Federation

Overall explanation

OBJ 4.6: A federation allows different organizations to share digital identities, enabling single sign-on across them. While centralized access management manages access centrally, it doesn't necessarily mean sharing digital identities across different organizations. Access delegation is when one user gives another user permission to access their resources. Role-based access control (RBAC) is an approach where access decisions are based on roles within an organization, not inter-company identity sharing.

Domain

4.0 - Security Operations
71
Q

Question 71:

In the Zero Trust model, which of the following components focuses on making decisions about who can access what resources based on policies, identity verification, and threat analysis?

Data Plane

Implicit trust zones

Control Plane

Policy-driven access control

A

Correct answer: Control Plane

Overall explanation

OBJ: 1.2 - Within the Zero Trust framework, the Control Plane is responsible for making determinations on access requests. It processes these requests by referencing policies, verifying the identity of requestors, and considering any potential threats. Essentially, it's the brain behind who gets to access what, ensuring security decisions are informed and robust. While this is a component of Zero Trust, policy-driven access control is a specific strategy that ensures access is given based on clearly defined policies. It's more of a tactic used within the Control Plane, rather than a core component of the framework. Implicit trust zones are areas within a network where communication is allowed without exhaustive security checks. While they're a component of Zero Trust, they don't function in decision-making or data transmission in the same way as the Control or Data Planes. The Data Plane manages the transmission of data. It doesn't decide on access rights; rather, it ensures that once access has been granted by the Control Plane, data flows correctly and efficiently to the designated recipient.

Domain

1.0 - General Security Concepts
72
Q

Question 72:

When considering data storage, which of the following BEST describes a method to capture the state of a system at a specific point in time, offering a quick recovery solution without the need for a full backup?

Full backups

Differential backups

Snapshots

Incremental backups

A

Correct answer: Snapshots

Overall explanation

OBJ 3.4: Snapshots capture the state of a system at a particular instant without copying the entire data, enabling quick recovery points. Differential backups store all changes made since the last full backup. Full backups involve backing up the entire system data, regardless of changes made. Incremental backups record only the changes since the last backup, whether it was a full backup or an incremental backup.

Domain

3.0 - Security Architecture
73
Q

Question 73:

In the context of privacy compliance, which of the following describes the role of a data controller?

The individual whose data is being processed.

The organization that handles data retention and storage.

The entity responsible for determining why data is processed.

The external auditor responsible for privacy compliance checks.

A

Correct answer: The entity responsible for determining why data is processed.

Overall explanation

OBJ: 5.4 - The data controller is an entity or person who determines the purposes and means of processing personal data. They have overall responsibility for ensuring that data processing is carried out in compliance with applicable privacy laws and regulations. The external auditor described in one option may conduct audits and assessments to ensure that organizations are complying with privacy regulations, but is not the controller. The organization that handles data retention and storage is more aligned with a data custodian. A data custodian is responsible for the storage, protection, and maintenance of data. They ensure that data is kept secure and accessible to authorized users as required. The individual whose data is being processed is the data subject: the individual to whom the personal data belongs and about whom the data is collected and processed.

Domain

5.0 - Security Program Management and Oversight
74
Q

Question 74:

Trust Us is a company that acts as a trusted entity. They issue and manage security credentials and issue digital signature wrappers for public keys for message encryption. What type of company is Trust Us?

Certificate Authority

Root of Trust

Registration Authority

Blockchain

A

Correct answer: Certificate Authority

Overall explanation

OBJ: 1.4 - Certificate Authorities (CAs) are trusted entities that issue and manage security credentials and public keys for message encryption. CAs issue a digital signature wrapper to secure public keys. Blockchain is a system that allows for transparent and public verification of transactions. It uses a peer-to-peer network that maintains a public ledger. This provides both integrity and permanency of records. It relies on peer-to-peer networks, not on digital signatures for authentication. A Registration Authority processes requests for digital certificates. They check credentials and authenticate the users' identity. A Certificate Authority may have Registration Authorities check credentials, but the Registration Authority doesn't issue certificates. Root of Trust (RoT) is a source that can always be trusted. It is the foundation of a cryptographic system and is the central point of the chain of trust within that system. It can be a piece of hardware (a Hardware Root of Trust) or software based. It is important in PKI, but it doesn't provide digital certificates.

Domain

1.0 - General Security Concepts
75
Q

Question 75:

Who sets the strategic direction and policies of an organization and holds the ultimate decision-making authority, often relying on support from specialized groups for critical information?

Operational Management

Strategic Committees

Policy Councils

Governance Board

A

Correct answer: Governance Board

Overall explanation

OBJ: 5.1 - A Governance Board is composed of executives and is responsible for strategic decision-making and policy setting within an organization. While involved in strategic planning, Operational Management does not have the ultimate authority that a governance board holds. Policy Councils might influence policy development but do not set the overall strategic direction or hold ultimate decision-making authority like the governance board. Strategic Committees assist with decision-making but do not set the strategic direction or have final decision-making authority.

Domain

5.0 - Security Program Management and Oversight
76
Q

Question 76:

Dion Training wants to increase the trustworthiness of its website for its clients. They are seeking a certificate that is signed and verified by a recognized external authority. What type of certificate should they pursue?

Self-signed certificate

Wildcard certificate

CSR

Third-party certificate

A

Correct answer: Third-party certificate

Overall explanation

OBJ: 1.4 - Dion Training should pursue a third-party certificate, which is signed and verified by a recognized external certificate authority. This validation provides a higher trust in public and external environments compared to self-signed certificates. Signed by its creator, a self-signed certificate might not be viewed as trustworthy in external environments due to a lack of third-party verification. A CSR (Certificate Signing Request) is a formal request to a CA for a digital certificate, not a certificate type in itself. A wildcard certificate secures multiple subdomains under one main domain but doesn't necessarily indicate external trust or CA verification.

Domain

1.0 - General Security Concepts
77
Q

Question 77:

Which of the following types of penetration tests provides the tester with comprehensive knowledge of the target environment, including the system's architecture, design, and source code, to identify hidden vulnerabilities?

White box

Grey box

Passive

Black box

A

Correct answer: White box

Overall explanation

OBJ: 5.5 - In a white box test, the tester possesses complete knowledge of the target environment, including its architecture, design, and source code. It offers a deep dive into the system to unearth vulnerabilities that might remain hidden in other types of tests. A grey box test gives the tester partial knowledge of the system. They have some information about the system's inner workings but don't have access to all data and documents. This testing approach strikes a balance, offering a view between an insider and an external attacker. A black box test is executed without any prior knowledge of the target environment. The tester approaches the system from an outsider's perspective, similar to an external attacker with no insight into the system's inner workings. A passive assessment involves observing and analyzing system operations without active engagement or intrusion. It's more about understanding system behaviors than identifying specific vulnerabilities.

Domain

5.0 - Security Program Management and Oversight
78
Q

Question 78:

In the realm of digital forensics, which activity is MOST essential to maintaining the chain of custody for digital evidence?

Isolating the digital evidence storage system from network access

Documenting who has handled the evidence

Drafting a comprehensive summary of findings after analyzing the evidence

Utilizing cryptographic hashes to confirm the integrity of stored evidence

A

Correct answer: Documenting who has handled the evidence

Overall explanation

OBJ 4.8: To maintain the chain of custody, it's crucial to record each individual who has interacted with the evidence, ensuring its integrity and admissibility in court. Reporting findings is vital, but it doesn't directly address the process of maintaining a chain of custody for evidence. While it's necessary to protect evidence storage, this action is more about preservation than documenting the chain of custody. While ensuring the integrity of digital evidence is important, it pertains more to the preservation phase than directly to the chain of custody.

Domain

4.0 - Security Operations
79
Q

Question 79:

Sweet as Thyme, a flavoring supplier, uses a peer-to-peer network which relies on a public ledger to ensure the integrity of transactions and to provide a permanent record of all transactions. What is this technology they are using called?

Digital Signatures

Key Stretching

Salting

Blockchain

A

Correct answer: Blockchain

Overall explanation

OBJ: 1.4 - Blockchain is a system that allows for transparent and public verification of transactions. It uses a peer-to-peer network that maintains a public ledger. This provides both integrity and permanency of records. Salting is a technique used in cryptography to add random data to the input of a hash function to increase security; it does not allow for transparent and public verification of transactions. Digital signatures are a type of electronic signature that uses a specific type of encryption to ensure the authenticity and integrity of a digital message or document; they do not allow for transparent and public verification of transactions. Key stretching is a method used to increase the time it takes to hash a password, making brute force attacks less effective; it does not allow for transparent and public verification of transactions.

Domain

1.0 - General Security Concepts
80
Q

Question 80:

Which of the following statements is NOT true regarding the role of Ticket Creation in the context of automation for secure operations?

Ticket creation facilitates communication and coordination among IT teams

Ticket creation fosters more security team cohesion and makes collaboration within the team more effective

Ticket creation enables accountability and better measurement of IT team performance

Ticket creation allows proper tracking and management of user issues, requests, or tasks

A

Correct answer: Ticket creation fosters more security team cohesion and makes collaboration within the team more effective

Overall explanation

OBJ 4.7: Ticket creation doesn't impact security team cohesion. Its primary purpose in IT operations centers around managing, tracking, and coordinating tasks, requests, and issues, not hiring or recruitment processes. Ticket creation in IT operations enables efficient tracking and management of issues, requests, or tasks raised by users, which is crucial in automation and orchestration. By logging tasks and progress via tickets, better accountability of IT team performance is achieved. Response times, issue resolution, and team productivity can be measured accurately. Tickets create a channel of communication between IT teams, helping in coordinating tasks and managing workloads efficiently.

Domain

4.0 - Security Operations
81
Q

Question 81:

At Kelly Innovations LLC, Sasha received an unexpected call from someone claiming to be from the IT department. The caller asked her to confirm her username and password for a system upgrade. Unsure, Sasha hesitated and asked the caller to provide some form of identification or a callback number. Which of the following terms describes the Social Engineering technique that Sasha encountered?

Vulnerability Assessment

Pharming

Vishing

Smishing

A

Correct answer: Vishing

Overall explanation

OBJ: 5.6 - Vishing (voice phishing) is a form of social engineering where the attacker uses telephone services to trick individuals into providing personal information, such as passwords or credit card numbers. In Sasha's case, the caller pretending to be from the IT department and requesting her username and password over the phone is a textbook example of vishing. Smishing refers to phishing attacks conducted through SMS text messages rather than voice calls. Attackers send deceitful text messages to trick individuals into disclosing personal information. Pharming involves redirecting users from legitimate websites to fraudulent ones designed to steal sensitive information. It's a technique used in cyberattacks that manipulate the DNS system or exploit vulnerabilities in browsers. A Vulnerability Assessment is a method to evaluate the security posture of a system; it is not a manipulation technique.

Domain

5.0 - Security Program Management and Oversight
82
Q

Question 82:

Which of the following BEST describes the phase of a penetration test where information is gathered without directly interacting with the target system?

Defensive

Known environment

Passive reconnaissance

Active reconnaissance

A

Correct answer: Passive reconnaissance

Overall explanation

OBJ: 5.5 - Passive reconnaissance refers to the process of collecting information about a target without directly interacting with its systems or networks. This phase involves gathering data from publicly available sources, such as WHOIS databases, social media platforms, and websites, without alerting the target about the potential upcoming attack. Passive reconnaissance aims to understand the target's environment and identify potential vulnerabilities or areas of interest for the subsequent stages of the test. Known environment involves testers having prior knowledge of the target environment, like network diagrams and IP addresses. While it offers context about the assessment boundaries, it isn't focused on the initial method of silently gathering data about the target. Active reconnaissance is a form of direct engagement with the target system, like port scanning. Such active interactions can be detected by the target system. It's the opposite of passive techniques where no direct engagement with the target is made, thus not fitting the query about methods that avoid direct interaction. The "defensive" approach in cybersecurity typically refers to the strategies and activities of Blue Teams. These teams focus on implementing and maintaining security measures to protect against cyber threats, monitoring networks for signs of breaches, and responding to any detected incidents. This approach is reactive and protective, aiming to shield an organization's assets. It doesn't align with the methodology of gathering information without directly interacting with the target.

Domain

5.0 - Security Program Management and Oversight
83
Q

Question 83:

Which of the following is a part of Zero-Trust Architecture that manages user access based on their roles and responsibilities on the Control Plane?

Implicit deny

Least privilege

Policy-driven access control

Role-based access control

A

Correct answer: Policy-driven access control

Overall explanation

OBJ: 1.2 - Policy-driven access control is a part of Zero Trust Architecture in which user access and permissions are set based on organizational policies, roles, or requirements, ensuring that users have the right level of access that aligns with their job functions or responsibilities. In role-based access control, permissions are assigned based on predefined roles in an organization, and individuals are then assigned to those roles. In least privilege, users are given the minimum levels of access necessary to perform their job functions. Implicit deny means that if a condition is not explicitly met, access is denied by default. Least privilege, role-based access control, and implicit deny can be part of any security architecture and are not specific to Zero Trust Architecture.

Domain

1.0 - General Security Concepts
84
Q

Question 84:

Jason is working with David to enhance the security of the switches at Dion Training. Which technique would be the BEST for them to prioritize?

Using default VLAN for all operations

Enabling SNMP monitoring

Implementing regular system backups on the switches

Disabling unused ports

A

Correct answer: Disabling unused ports

Overall explanation

OBJ 4.1: By disabling unused ports, you limit the entry points for potential intruders, making it harder for unauthorized devices to connect to the network. While regular backups are crucial for data recovery and business continuity, they do not directly enhance the security of switches. Backing up a switch's configuration can be useful for recovery purposes, but it doesn't actively protect the switch from threats or unauthorized access. While SNMP can provide valuable insights and monitoring, it doesn't directly harden the switch's security against unauthorized connections like disabling unused ports does. Using a default VLAN can expose traffic and doesn't segregate sensitive data. This is less optimal compared to managing open ports.

Domain

4.0 - Security Operations
85
Question 85: To protect customers' financial records and adhere to standards set to prevent money laundering and fraud, which of the following is the BEST strategy a bank should adopt? Integration of multi-factor authentication for user access Creating a schedule for the creation of regular encrypted data backups Continuous security monitoring and intrusion detection systems Strict adherence to AML/KYC regulations and secure data storage
Correct answer: Strict adherence to AML/KYC regulations and secure data storage. Overall explanation OBJ 3.3: This is a dual-focused approach: adherence to Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations ensures the bank's practices are in line with legal requirements, while secure data storage measures keep customers' financial details confidential and protected from breaches. Creating a schedule for regular encrypted data backups ensures data remains recoverable in the event of loss and adds a layer of protection through encryption, but it doesn't address the prevention of fraudulent activity or adherence to anti-money laundering regulations. Continuous security monitoring and intrusion detection systems actively observe, log, and alert on potential security threats, but they do not offer a comprehensive approach to meeting the specific requirements of financial regulations like AML/KYC. Multi-factor authentication adds robustness to the authentication process by requiring users to provide multiple pieces of evidence to access financial data, but it doesn't directly address the regulatory needs of AML/KYC. Question ID: 652d69b293b3c17be3400943. Domain 3.0 - Security Architecture
86
Question 86: Reason and Rhyme, a tutoring service, has increased the security of its customers' passwords. They have always converted passwords to fixed-length sequences, but now they will run this process many times over to increase the computing power and time it will take an attacker to recover the password. What is this method known as? Key Stretching Salting Digital Signatures Hashing
Correct answer: Key Stretching. Overall explanation OBJ: 1.4 - Key stretching repeatedly runs the password through a hash function, or through a purpose-built key derivation function such as PBKDF2, bcrypt, scrypt, or Argon2, so that deriving the stored value takes many iterations. The cost is paid once per login by the legitimate verifier but once per guess by an attacker, which makes offline cracking far more time-consuming. Digital signatures are a type of electronic signature that uses public-key cryptography to ensure the authenticity and integrity of a digital message or document; they do not increase the time it takes to hash a password. Salting adds random data to the input of a hash function so that identical passwords produce different hashes and precomputed tables are useless; key stretching is almost always combined with a salt, but the technique described in the scenario (repeating the hashing process) is not salting. Hashing converts an input of any length into a fixed-size output using a one-way mathematical function. In the scenario it was done once; key stretching repeats it. Question ID: 64c3dd26cecafa5b2df5d311. Domain 1.0 - General Security Concepts
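The difference between the single hash the tutoring service used before and the stretched version is easiest to see by timing it. The block below is an added example written for this card, not code from the original deck; it uses the standard library's PBKDF2-HMAC (hashlib.pbkdf2_hmac) as the stretching function, and the passwords, salts, and the 600,000 iteration figure (taken from OWASP's Password Storage Cheat Sheet guidance for PBKDF2-HMAC-SHA256) are assumptions for the demonstration.

```python
"""Key stretching beside a single hash.

Added example for this card, not code from the original deck. It uses the
standard library's PBKDF2-HMAC (hashlib.pbkdf2_hmac), which iterates an HMAC
over the password and a per-user salt; the iteration count is the knob that
makes every guess expensive. The passwords and salts below are constructed.
"""
import hashlib
import hmac
import os
import time

# Assumption: 600,000 is the PBKDF2-HMAC-SHA256 count OWASP's Password Storage
# Cheat Sheet recommends; tune it to your hardware so a login stays fast enough.
ITERATIONS = 600_000


def single_hash(password: bytes) -> bytes:
    """What the scenario did before: one unsalted SHA-256 pass. Cheap for the
    defender and therefore cheap for an attacker holding a stolen hash."""
    return hashlib.sha256(password).digest()


def stretch(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Repeat the hashing `iterations` times (PBKDF2-HMAC-SHA256); 32-byte result."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def make_record(password: bytes, iterations: int = ITERATIONS) -> dict:
    """Build the stored verifier: random salt, iteration count, derived key.
    Storing the count lets you raise it later without breaking old records."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": stretch(password, salt, iterations)}


def verify(record: dict, candidate: bytes) -> bool:
    """Re-derive with the stored parameters and compare without leaking timing."""
    derived = stretch(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["key"])


def cost_ratio(password: bytes, iterations: int = 20_000, trials: int = 50) -> float:
    """How many plain SHA-256 guesses fit in the time of one stretched guess.
    A reduced iteration count keeps the loop short; the ratio scales linearly."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for _ in range(trials):
        single_hash(password)
    plain = max(time.perf_counter() - start, 1e-9)
    start = time.perf_counter()
    for _ in range(trials):
        stretch(password, salt, iterations)
    stretched = time.perf_counter() - start
    return stretched / plain


if __name__ == "__main__":
    record = make_record(b"correct horse battery staple")
    print("right password verifies:", verify(record, b"correct horse battery staple"))
    print("wrong password verifies:", verify(record, b"Tr0ub4dor&3"))
    print(f"one stretched guess costs about {cost_ratio(b'password'):.0f}x a single SHA-256")
```

The iteration count lives in the record next to the salt so that the verifier can keep accepting old entries while new ones are created with a higher count; the comparison uses hmac.compare_digest so that a near-miss does not return faster than a total miss.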
87
Question 87: Jason and Reed, both IT specialists at Kelly Innovations LLC, are tasked with ensuring the workstations' secure baseline remains uncompromised over time. Which technique would BEST help them achieve this? Rely solely on antivirus scans to detect changes in workstation configuration. Implement playbooks to enforce and verify settings Use Windows Update without a validation process Manually check each workstation at month-end for deviations from the baseline
Correct answer: Implement playbooks to enforce and verify settings. Overall explanation OBJ 5.1: Implementing playbooks, for example through a configuration-management tool like Ansible, enforces the desired configuration and can quickly bring non-compliant systems back to the baseline; run on a schedule, the playbook detects and corrects drift continuously rather than once a month. Manually checking each workstation at month-end for deviations from the baseline is labor-intensive and can leave deviations in place for weeks. While updates are crucial, deploying them without validation could introduce incompatibilities or unforeseen issues. Antivirus scans are essential but don't focus on keeping baseline configurations consistent. Question ID: 652f314dbe817046eb8f5ed9. Domain 5.0 - Security Program Management and Oversight
88
Question 88: Which email security standard helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send email on their behalf? SPF DKIM SMTP DMARC
Correct answer: SPF. Overall explanation OBJ 4.5: SPF (Sender Policy Framework) helps prevent email spoofing by enabling domain owners to publish, in a DNS TXT record, which servers may send email on their behalf; the receiving server looks up the record for the envelope sender's domain and checks the connecting IP address against it. DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses the results of the SPF and DKIM checks, and their alignment with the visible From: domain, to determine what to do with non-conforming messages, but it doesn't list authorized servers itself. DKIM (DomainKeys Identified Mail) validates the domain associated with a message through a cryptographic signature, but it doesn't specify which servers are authorized. SMTP (Simple Mail Transfer Protocol) is the protocol used for sending email, but it doesn't dictate server authorizations for a specific domain. Question ID: 6543392aa25d7ae61173fe32. Domain 4.0 - Security Operations
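What a receiving server actually does with an SPF record is walk its terms left to right and stop at the first match. The block below is an added example written for this card, not code from the original deck or any mail software: the TXT record and sending addresses are constructed, and only the ip4, ip6 and all mechanisms are evaluated because those need no DNS; a full RFC 7208 checker also resolves a, mx, include, exists and redirect and caps DNS-querying terms at ten per evaluation.

```python
"""Evaluating an SPF record for a sending IP.

Added example for this card; it is not code from the original deck. The TXT
record and the sending addresses are constructed. Only the ip4, ip6 and all
mechanisms are evaluated, because those need no DNS; a full RFC 7208 checker
also resolves a, mx, include, exists and redirect, and caps DNS-querying
terms at ten per evaluation.
"""
import ipaddress

# Constructed record for a hypothetical domain: two authorised ranges, hard fail for the rest.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(record: str) -> list:
    """Split a record into (qualifier, mechanism-or-modifier, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier such as redirect=... or exp=...
            name, _, value = term.partition("=")
        else:                                # mechanism such as ip4:... or all
            name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for the sending IP; first matching term wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)  # bare address means /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name in DNS_MECHANISMS or name == "redirect":
            raise NotImplementedError(f"{name} needs DNS lookups, which this example omits")
        elif name == "exp":
            continue                         # explanation modifier: changes the message, not the verdict
        else:
            raise ValueError(f"unknown term {name!r}")
    return "neutral"                         # no term matched and no all mechanism present


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.9", "2001:db8:1::5"):
        print(sender, "->", check_host(EXAMPLE_RECORD, sender))
```

The trailing all mechanism is what turns an SPF record into a policy: with -all an unlisted server fails, with ~all it soft-fails (left to DMARC to act on), and a record without it is neutral for every unlisted sender.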
89
Question 89: Which of the following terms BEST describes a situation in which a company avoids addressing known system inefficiencies or shortcuts due to time constraints, potentially leading to future rework and vulnerabilities? Technical debt Cost Complexity Single point of failure
Correct answer: Technical debt. Overall explanation OBJ 4.7: Technical debt represents the future cost of rectifying present-day shortcuts or less optimal solutions. It accrues when known inefficiencies aren't addressed because of constraints such as time. While complexity might result from this situation, the term primarily denotes the intricacy of a system or process. While accumulating technical debt can lead to increased costs later on, the term 'cost' generally pertains to the financial considerations of a decision or action, not the implications of deferring system improvements. A single point of failure refers to a component whose failure can disrupt an entire system, not the consequence of avoiding known system inefficiencies. Question ID: 6543cb47bda4108fb39c780f. Domain 4.0 - Security Operations
90
Question 90: Kelly Innovations LLC is in the process of selecting a new vendor for their cloud storage solutions. As part of the selection process, the IT manager, Jamario, reviews the potential vendor's past financial stability, customer reviews, and history of cybersecurity incidents. Which aspect of the vendor selection process is Jamario emphasizing? Service-level agreement Supply chain analysis Due diligence Non-disclosure agreement
Correct answer: Due diligence. Overall explanation OBJ: 5.3 - Due diligence involves a comprehensive appraisal of a vendor to establish its assets and liabilities and evaluate its commercial potential, especially in terms of financial stability, reputation, and past track record. A service-level agreement is a contract between a service provider and the end user that defines the level of service expected from the provider, not the evaluation process itself. A non-disclosure agreement is a legally binding contract that establishes a confidential relationship between a provider and the entity seeking services, ensuring that certain information remains confidential. A supply chain analysis focuses on examining the flow of materials, information, and finances as they move through the supply chain; while important, it doesn't cover the broad review inherent in due diligence. Question ID: 64bb3c4c99b63f15eee0ccf7. Domain 5.0 - Security Program Management and Oversight
91
Question 1: Which of the following statements BEST explains the importance of package monitoring in the context of vulnerability management? It allows organizations to track the physical location and status of hardware packages It ensures that all software packages are up to date with the latest features and enhancements It involves tracking the dependencies of software packages to ensure that all required components are up to date and compatible It helps identify and address vulnerabilities in software packages
Correct answer: It helps identify and address vulnerabilities in software packages. Overall explanation OBJ 4.3: Package monitoring involves keeping track of software package versions and security patches, which helps identify potential vulnerabilities and ensures that appropriate actions are taken to mitigate risks. By promptly addressing vulnerabilities, organizations reduce the risk of exploitation and maintain a more secure environment. While updating software packages is essential for performance and functionality, package monitoring in the context of vulnerability management is not focused on general feature updates. The purpose of package monitoring is to track software package versions and security patches, not to track software package dependencies. Tracking the physical location and status of hardware packages is not the purpose of package monitoring. Question ID: 64bfd70627afd558bd9151f5. Domain 4.0 - Security Operations
92
Question 2: Which of the following statements BEST explains the importance of 'benchmarks'? Benchmarks compare an organization's security performance to industry-standard metrics, identifying potential security weaknesses Benchmarks are firewall technologies that inspect network traffic and block malicious packets to prevent cyber-attacks Benchmarks are cryptographic algorithms used to secure data transmission over the internet Benchmarks are intrusion detection systems that monitor and analyze network traffic for potential security breaches
Correct answer: Benchmarks compare an organization's security performance to industry-standard metrics, identifying potential security weaknesses. Overall explanation OBJ: 4.4 - Benchmarks refer to the process of comparing an organization's security performance against industry-standard metrics, best practices, or regulatory requirements to identify potential security weaknesses and deviations. While cryptographic algorithms are essential for securing data transmission over the internet, they are not referred to as benchmarks. Benchmarks are not intrusion detection systems; rather, they involve comparing security performance against established standards. Benchmarks are not firewall technologies but a process of assessing an organization's security performance. Question ID: 64bfffaf22b117b12e6981b5. Domain 4.0 - Security Operations
93
Question 3: Manar is reviewing logs and finds that many logon attempts were made using common words followed by numbers or symbols. Each password is attempted on the 20 computers in the accounting department. He suspects that these passwords were generated by an automated tool. Which of the following password attacks is BEST illustrated by this finding? Birthday Downgrade Spraying Brute force
Correct answer: Spraying. Overall explanation OBJ: 2.4 - A spraying attack is a password attack that tries a small number of common passwords against many accounts, hoping to find a match while staying below the lockout threshold of any single account. A birthday attack is a cryptographic attack that finds two different inputs producing the same output from a hashing algorithm. A brute force attack tries all possible combinations of characters against a single account until the correct password is found; the logs would also show many logon attempts, but the guesses would be systematic sequences rather than common words, and the attacker would typically concentrate on one account or computer rather than cycling each password across every machine in the department. A downgrade attack is a cryptographic attack that forces a communication channel to use a weaker encryption algorithm or protocol, making it easier to decrypt or intercept; it doesn't involve multiple password attempts. Question ID: 64bcc9e5d05f45402ccc6a2b. Domain 2.0 - Threats, Vulnerabilities, and Mitigations
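The reason Manar had to notice this in the logs rather than get an alert is that per-account lockout counters never fire on a spray: each account sees only a few failures. The block below is an added example written for this card, not code from the original deck or any SIEM; it generates log lines shaped like the scenario (each guess tried on all twenty accounting workstations) plus a contrasting brute-force burst, in a constructed key=value format that is not any vendor's schema, and then pivots on the source address to tell the two patterns apart. The thresholds are assumptions to tune per environment.

```python
"""Separating password spraying from brute force in authentication failures.

Added example for this card, not code from the original deck. The log lines
are generated to mirror the scenario (each guess tried on every accounting
workstation) plus a contrasting brute-force burst; the key=value layout is a
constructed format, not any vendor's schema. Per-account lockout counters do
not catch a spray, because each account sees only a few failures; the detector
pivots on the source instead and looks at how many distinct targets it hit.
"""
from collections import defaultdict


def build_sample_log() -> list:
    """Constructed sample: a spray from 10.9.8.7, a brute force from 10.9.8.99."""
    lines, t = [], 0
    for _guess in range(3):                            # three common-word passwords...
        for h in range(1, 21):                         # ...each tried on all 20 accounting PCs
            lines.append(f"2024-03-04T09:{t // 60:02d}:{t % 60:02d} src=10.9.8.7 "
                         f"host=ACCT-PC{h:02d} user=acct{h:02d} result=FAIL")
            t += 1
    for _ in range(40):                                # one account hammered from one source
        lines.append(f"2024-03-04T09:{t // 60:02d}:{t % 60:02d} src=10.9.8.99 "
                     f"host=ACCT-PC05 user=acct05 result=FAIL")
        t += 1
    lines.append("2024-03-04T09:02:00 src=10.9.8.50 host=ACCT-PC05 user=acct05 result=SUCCESS")
    return lines


def parse(line: str) -> dict:
    """Turn 'timestamp k=v k=v ...' into a dict."""
    timestamp, *fields = line.split()
    record = {"ts": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def classify_sources(lines, spray_min_targets=10, spray_max_per_target=5,
                     brute_min_attempts=20) -> dict:
    """Label each source IP by the shape of its failures: wide and shallow is
    spraying, narrow and deep is brute force. Thresholds are assumptions;
    spray_max_per_target should sit below the domain's lockout threshold."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> (host, user) -> failed logons
    for line in lines:
        record = parse(line)
        if record.get("result") != "FAIL":
            continue
        failures[record["src"]][(record["host"], record["user"])] += 1

    verdicts = {}
    for src, per_target in failures.items():
        targets = len(per_target)
        deepest = max(per_target.values())
        if targets >= spray_min_targets and deepest <= spray_max_per_target:
            verdicts[src] = "spraying"
        elif deepest >= brute_min_attempts:
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "undetermined"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(build_sample_log()).items():
        print(f"{src:<12} {verdict}")
```

The two shapes are the whole point: the spraying source touches twenty targets three times each and never trips a five-strikes lockout, while the brute-force source touches one target forty times. A detector keyed only on the account (or only on the host) sees the second pattern and misses the first.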
94
Question 4: Which of the following motivations is MOST likely to drive a nation-state threat actor to launch an attack? Political beliefs Financial Gain Service disruption Espionage
Correct answer: Espionage. Overall explanation OBJ: 2.1 - Espionage is the act of obtaining secret or confidential information without the permission of the holder of the information. A nation-state threat actor may conduct espionage to gain strategic advantage, intelligence, or insight into adversaries or competitors. Service disruption is the act of interrupting or degrading the availability or performance of a system or network; a nation-state actor may cause service disruption as part of other activities, but it is rarely the primary motivation for an attack. Nation-state threat actors usually have extensive funding from the government or military organization behind them, so financial gain is not their primary motivation. Political beliefs may be part of a nation-state actor's motivation, but they are much more likely to be motivated by a desire for data or a competitive advantage. Question ID: 64b88c9688b3fb59a48a1039. Domain 2.0 - Threats, Vulnerabilities, and Mitigations
95
Question 5: Which of the following is NOT true about environmental variables? Environmental variables, like power supply and cooling, are crucial to ensure the longevity of hardware assets Maintaining standard levels of environmental variables isn't necessary in most data center environments Knowing the environmental variables helps in managing the needs of different hardware and software in a data center Environmental variables such as temperature and humidity can have significant impacts on hardware performance
Correct answer: Maintaining standard levels of environmental variables isn't necessary in most data center environments (this is the statement that is NOT true). Overall explanation OBJ 4.3: Maintaining and monitoring environmental variables is very important for an efficient data center environment. For instance, HVAC systems that keep a steady temperature and humidity, together with a continuous power supply, contribute to the operational efficiency and longevity of assets. A proper understanding of environmental variables helps determine the specific requirements of different hardware and software, promoting effective asset management. Environmental variables like temperature and humidity can greatly affect the performance, efficiency, and life cycle of hardware assets in a data center. Environmental factors such as a consistent power supply and efficient cooling are crucial to minimizing hardware malfunction and maximizing asset longevity. Question ID: 64c19a0c1e0c5b8b7971dad8. Domain 4.0 - Security Operations
96
Question 6: Which of the following statements best explains the importance of a legal hold in incident response? A legal hold is the process of securing and preserving evidence related to a security incident A legal hold determines the individuals responsible for the incident and helps in legal proceedings A legal hold is the process of identifying and classifying laws that may have been broken during the incident A legal hold occurs when law enforcement issues a search warrant on a company for incidents that have occurred
Correct answer: A legal hold is the process of securing and preserving evidence related to a security incident. Overall explanation OBJ 4.8: A legal hold is the process of securing and preserving evidence related to a security incident for potential use in legal proceedings. When a security incident occurs, it is essential to preserve all relevant data and evidence to support any investigation, legal action, or regulatory requirement. A legal hold ensures that data, logs, and other information related to the incident are not tampered with or deleted (for example, by suspending normal log rotation and retention schedules for the affected systems), so they can be used as evidence if needed. While identifying the individuals or groups responsible for an incident might be valuable for legal proceedings, a legal hold itself is focused on preserving evidence and ensuring its integrity. Legal holds aren't part of a law enforcement search warrant process; they are a method of ensuring that evidence is preserved in case there is a legal proceeding. A legal hold is not related to the classification of laws that may have been broken. Question ID: 64c162d48d1f702de4fdf19e. Domain 4.0 - Security Operations
97
Question 7: In risk analysis, which method involves assigning numerical values to risks based on financial figures, such as costs or potential losses? Qualitative risk analysis Annualized loss expectancy Risk Matrix Quantitative risk analysis
Correct answer: Quantitative risk analysis. Overall explanation OBJ: 5.2 - In risk analysis, the quantitative method assigns numerical values to risks based on financial figures, such as costs or potential losses. This approach expresses risk in monetary terms, making it easier to prioritize and compare risks by their potential impact on the organization's finances. The annualized loss expectancy (ALE) is a quantitative metric that calculates the expected financial loss from a risk over a year; it is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO), so it is one output of quantitative analysis rather than the method itself. Qualitative risk analysis assigns subjective values to risks using descriptive terms like "high," "medium," or "low" rather than numbers. A risk matrix plots the likelihood of an event against its impact on the project, stakeholders, or workflow to create a visual representation of the current risk posture; costs or potential losses are only one part of the matrix. Question ID: 64b9f1c3974c18fd63dd24b1. Domain 5.0 - Security Program Management and Oversight
98
Question 8: Which of the following terms BEST represents the approach that divides a physical network into multiple distinct units to manage traffic and enhance security? Logical segmentation Containerization Software-defined networking (SDN) High availability
Correct answer: Logical segmentation. Overall explanation OBJ: 3.1 - Logical segmentation divides a larger physical network into distinct units (for example, with VLANs), improving both traffic management and security. Software-defined networking (SDN) focuses on centralizing network control through software, not on segmenting networks. High availability ensures continuous operation of systems and networks but doesn't inherently divide a network. Containerization encapsulates applications and their environments but doesn't pertain to network segmentation. Question ID: 652c310e895352c4197a4f42. Domain 3.0 - Security Architecture
99
Question 9: What part of a BPA for mission essential functions provides a detailed, step-by-step description of the procedural tasks performed? Hardware Outputs Process flow Inputs
Correct answer: Process flow. Overall explanation OBJ: 5.3 - In a BPA (business process analysis), the process flow details each operational step, describing how the mission essential function is systematically executed. While inputs are crucial for starting the process, they do not constitute the sequential operational guide that the process flow provides. Hardware identifies the physical infrastructure used in the process, not the step-by-step procedural narrative. Outputs are the final products or data produced by the function, the result of the process flow rather than the description of its steps. Question ID: 65497e37f0813714ed1d059f. Domain 5.0 - Security Program Management and Oversight
100
Question 10: When sending an encrypted message to Dion Training, a client would use which of the following to ensure only Dion Training can decrypt and read the message? Private key Key escrow Public key Wildcard certificate
Correct answer: Public key. Overall explanation OBJ: 1.4 - The client encrypts the message with Dion Training's public key. Only Dion Training, holding the corresponding private key, can decrypt and read it, which ensures confidentiality and illustrates the core idea of public-key cryptography. Key escrow refers to the secure storage of cryptographic keys so they can be accessed under specific conditions; it's not used to encrypt or decrypt messages. A private key is kept secret by its holder and is used to decrypt messages that were encrypted with its corresponding public key; it's not used by external entities to encrypt messages to the key holder. A wildcard certificate secures multiple subdomains under a main domain but doesn't itself encrypt or decrypt a message. Question ID: 65257f22f1de9bff7fa68806. Domain 1.0 - General Security Concepts
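The direction of the keys is the thing to internalize: the sender uses the recipient's public key, and only the matching private key undoes it. The block below is an added example written for this card, not code from the original deck or any library; it is textbook RSA on tiny constructed primes (p=61, q=53, the classic worked example) so every number is inspectable, and it encrypts byte by byte with no padding, which is deliberately insecure and only illustrates which key does what. Real systems use 2048-bit or larger keys with OAEP padding, typically through a library such as `cryptography`, and usually wrap a symmetric key rather than the message itself.

```python
"""Which key encrypts, which key decrypts.

Added example for this card, not code from the original deck. Textbook RSA on
tiny constructed primes so the numbers are inspectable; it encrypts byte by
byte with no padding, which is deliberately insecure and only illustrates the
direction of the keys. Real systems use 2048-bit or larger keys with OAEP
padding (for example through the `cryptography` package) and usually wrap a
symmetric key rather than the message itself.
"""


def generate_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as (n, e) and (n, d). p and q must be distinct
    primes and e coprime to (p-1)(q-1); pow(e, -1, phi) raises ValueError otherwise."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> list:
    """Encrypt with the recipient's PUBLIC key. Each byte is below n, so it is a
    valid message block (deterministic and unpadded: a toy, not a protocol)."""
    n, e = public_key
    if n <= 255:
        raise ValueError("modulus too small for byte-sized blocks")
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext) -> list:
    """Decrypt with the PRIVATE key. Only the holder of d recovers the bytes;
    any other key yields unrelated residues, so the result is returned as ints."""
    n, d = private_key
    return [pow(c, d, n) for c in ciphertext]


def recover_text(blocks) -> str:
    """Show decrypted blocks as text, or flag that they are not valid plaintext bytes."""
    try:
        return bytes(blocks).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "<not the original plaintext>"


if __name__ == "__main__":
    # Dion Training's keypair (p=61, q=53 is the classic worked example: n=3233, d=2753).
    dion_public, dion_private = generate_keypair(61, 53)
    # Somebody else's keypair, to show that a different private key does not work.
    other_public, other_private = generate_keypair(59, 67)

    ciphertext = encrypt(dion_public, b"Hello")   # the client uses Dion Training's public key
    print("ciphertext blocks:", ciphertext)
    print("decrypted with Dion's private key:", recover_text(decrypt(dion_private, ciphertext)))
    print("decrypted with another private key:", recover_text(decrypt(other_private, ciphertext)))
```

Note that nothing in the public key (n, e) reveals d without factoring n; with 3233 that takes a second by hand, which is exactly why the toy is only a picture of the mechanism and not something to protect data with.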
101
Question 11: A business seeks to balance risk and reward, making careful investments but avoiding both overly risky ventures and overly cautious decisions. What type of risk appetite does this business demonstrate? Neutral Expansionary Risk-Averse Conservative
Correct answer: Neutral. Overall explanation OBJ 5.2 - The business demonstrates a neutral risk appetite, aiming for a balanced approach that weighs risk and reward without extreme caution or a high tolerance for risk. An expansionary appetite would involve seeking aggressive growth despite risks, while a conservative appetite would lean toward minimal risk. A risk-averse stance is closely aligned with the conservative one, emphasizing avoidance of risk more than a neutral perspective would. Question ID: 672247623be32ad83a19dc8a. Domain 5.0 - Security Program Management and Oversight
102
Question 12: Dion Training is considering a collaboration with a new IT service vendor. To ensure compliance and adherence to industry standards, Dion Training wishes to see verifiable evaluations of the vendor's security controls and practices. Which of the following would provide Dion Training with insights into the vendor's own internal evaluations of their security measures? Customer testimonials External penetration test reports Regulatory compliance certificates Evidence of internal audits
Correct answer: Evidence of internal audits. Overall explanation OBJ: 5.3 - Evidence of internal audits showcases a vendor's proactive approach to maintaining and enhancing their security measures. Such audits are conducted internally and reflect a self-assessment of security practices, vulnerabilities, and control mechanisms. By reviewing them, a company can gain insight into the vendor's commitment to security, how they address weaknesses, and their overall cybersecurity health, which helps gauge the reliability and trustworthiness of the vendor's internal security framework. Customer testimonials may provide feedback on the vendor's performance, but they don't offer insight into the vendor's internal evaluations of their security measures. External penetration test reports show the results of outside parties testing the vendor's defenses, not the vendor's own evaluations. Regulatory compliance certificates indicate compliance with specific regulations but don't provide detailed insight into internal evaluations. Question ID: 64bb437248f9d4fbc1cdd412. Domain 5.0 - Security Program Management and Oversight
103
Question 13: Dion Training Solutions recently remediated a critical vulnerability on their servers. Which of the following actions is the BEST step to verify the remediation efforts were successful? Reviewing event logs Segmentation Intrusive scanning Rescanning
Correct answer: Rescanning. Overall explanation OBJ 4.3: Rescanning means running the vulnerability scan again after remediation to confirm that the identified vulnerabilities have been addressed and no longer appear (using the same scanner, credentials, and scope as the original scan, so the results are comparable). Segmentation is a mitigation technique; it doesn't involve retesting systems for vulnerabilities. Intrusive scanning refers to aggressive scanning that might disrupt operations; while it can be part of a rescan, it is not the specific action of confirming remediation. Examining event logs can provide insight into system behavior, but it is not the act of re-running the same tests to validate remediation. Question ID: 6541d97e902ccdf6404e822d. Domain 4.0 - Security Operations
104
Question 14: Which of the following ports should be disabled or carefully monitored to prevent unauthorized Voice over IP (VoIP) signaling, which can be an avenue for toll fraud or unauthorized call control? Port 110 Port 161 Port 139 Port 5060
Correct answer: Port 5060. Overall explanation OBJ: 2.5 - Session Initiation Protocol (SIP) uses port 5060 (and 5061 for SIP over TLS) for signaling in Voice over IP (VoIP) services. Unauthorized access to this port can result in toll fraud or unauthorized call control. Simple Network Management Protocol (SNMP), port 161, is used for collecting and organizing information about managed devices and is unrelated to VoIP. The NetBIOS session service, port 139, is used for file and print sharing on local networks, not VoIP signaling. Post Office Protocol (POP3), port 110, is used for retrieving email from a mail server and is unrelated to VoIP. Question ID: 652b3568818ffad49a170582. Domain 2.0 - Threats, Vulnerabilities, and Mitigations
105
Question 15: What kind of data typically requires processing by machines and specialized software? Non-human readable Geographically restricted Segmented Critical
Correct answer: Non-human readable. Overall explanation OBJ 3.3: Non-human-readable data refers to information that requires a machine or specialized software to interpret. Critical data has significant importance to the running of a business or organization, but that does not determine whether it's readable by humans. Geographic restrictions apply limitations based on data's location; this describes a security method, not the nature of data readability. Segmentation is a method of dividing a network into manageable parts; it's not a type of data. Question ID: 64c1972fdd32557d54e4c0f5. Domain 3.0 - Security Architecture
106
Question 16: Which of the following is a disadvantage of agentless posture assessment in Network Access Control (NAC) solutions? Increased risk of malware infection on client devices Inability to support smartphones, tablets, and IoT devices Requires more storage space on the client device Less detailed information about the client is available
Correct answer: Less detailed information about the client is available. Overall explanation OBJ: 4.4 - Agentless posture assessment in NAC solutions, while beneficial for supporting a broad range of devices, often provides less granular data about the client than agent-based solutions, which limits the depth of assessment and control. Agentless solutions don't require storage on the client device for an agent, so storage isn't a disadvantage. Agentless solutions are often chosen specifically because they can support a wider range of devices, including smartphones, tablets, and IoT devices. The presence or absence of an agent doesn't directly correlate with an increased risk of malware; malware protection depends on the specific security mechanisms in place. Question ID: 6542fac17a7f9376f6eca40c. Domain 4.0 - Security Operations
107
Question 17: Hakeem is a compliance officer at HLM Media. He is creating a classification system for HLM's data where there is some data that laws require be handled in particular ways. What label should he give the data that is subject to strict compliance standards? Data at rest Regulated Secret Confidential
Correct answer: Regulated. Overall explanation OBJ 3.3: Regulated data is a category of data that must be handled according to specific compliance standards because of its sensitive nature. Confidential and secret data may require high standards of handling, but those labels do not specifically denote data subject to regulatory compliance. Data at rest is a state of data (typically stored data) and doesn't designate whether the data is subject to compliance standards. Question ID: 64c196c9ecb41e3664cf3e58. Domain 3.0 - Security Architecture
108
Q
Question 18: A former technician of Dion Innovations who was recently laid off launches a series of distributed denial of service (DDoS) attacks against the company's main website. Many believe the attacks are a direct response to the technician's termination. What is the likely motivation behind these attacks?
Financial gain
Revenge
Blackmail
Espionage
A
Correct answer
Revenge
Overall explanation
OBJ: 2.1 - Revenge is a powerful motivator where the individual, driven by feelings of anger, resentment, or betrayal, aims to retaliate against those they perceive as responsible for their grievances. In the context of cybersecurity, this could manifest in various ways, such as DDoS attacks, data tampering, or other malicious activities, with the intent of causing harm to the targeted entity. Espionage is typically driven by the need to gather secret or sensitive information for political, military, or economic advantage. It often involves stealthy techniques to infiltrate a system, gather intelligence, and exfiltrate the data without detection. Blackmail is a form of extortion where an attacker threatens to release sensitive or damaging information unless their demands, often financial, are met. This involves leveraging stolen or accessed data as a means to coerce the victim into compliance, making it different from acts purely driven by revenge. Motivated by the allure of monetary benefits, individuals or groups engaging in activities for financial gain often aim to steal, manipulate, or ransom data or services. This could involve ransomware attacks, data breaches with the intent to sell the data, or other financially motivated cybercrimes.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
109
Q
Question 19: Neville, a security engineer, suggests his company create a fake document that appears to contain sensitive information in order to attract attackers. Which of the following is Neville suggesting be created?
Honeyfile
Honeynet
Honeypot
Honeytoken
A
Correct answer
Honeyfile
Overall explanation
OBJ: 1.2 - A honeyfile is a fake file or set of files designed to appear valuable or sensitive in order to attract attackers. A honeytoken is a fake piece of data, such as a username or password, designed to appear valuable or sensitive in order to attract attackers. A honeynet is a network of honeypots designed to simulate a real network and attract attackers. A honeypot is a cybersecurity mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets and gather intelligence about their identity, methods, and motivations.
Domain
1.0 - General Security Concepts
110
Q
Question 20: John, a senior executive at Dion Training Solutions, accessed his corporate email from New York at 10:00 AM. The logs also showed a login attempt to the same account from Tokyo at 10:15 AM, and then another one from Paris at 10:30 AM. The IT team at Dion Training Solutions grew concerned about this activity. Which of the following statements BEST describes the activity related to John's account?
Legitimate use of a VPN.
Detection of impossible travel.
Multi-factor authentication failure.
Scheduled system maintenance.
A
Correct answer
Detection of impossible travel.
Overall explanation
OBJ: 2.4 - The activity logs show John accessing his account from geographically disparate locations in a short time frame, a feat that's physically impossible. Such patterns indicate potential unauthorized access or account compromise. System maintenance might result in irregularities in system behavior, but it wouldn't cause login attempts from various global locations in rapid succession. Using a VPN can change a user's apparent location, but the specific pattern and speed of these global logins are unusual and not characteristic of typical VPN use. While multi-factor authentication is crucial for account security, the scenario doesn't mention any failed authentication attempts using multiple factors.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
111
Q
Question 21: Croma Soft, a game company, wants to reduce the public-facing attack surface for their company. They hope to achieve this by using a device that can handle and relay requests for servers. Which type of network appliance would be MOST appropriate for this purpose?
Jump server
Proxy server
IDS
Load balancer
A
Correct answer
Proxy server
Overall explanation
OBJ 3.2: A proxy server stands between the user's computer and the internet, intercepting requests and potentially reducing the public-facing attack surface by masking the internal server, meeting the scenario requirements. A jump server is used as a bridge to connect to other servers or networks in separate security zones, but not specifically for relaying requests for another server to reduce attack surfaces. An intrusion detection system (IDS) monitors network traffic for malicious activities. It alerts to the potential activity but does not prevent it from passing through the network. In this way, it provides a layer of protection without slowing down network performance. It will provide you with improved security, but won't reduce the attack surface. A load balancer distributes network or application traffic across many servers. This optimizes the use of resources, maximizes throughput, and reduces latency. It will not reduce the attack surface of a network.
Domain
3.0 - Security Architecture
112
Q
Question 22: At a high-security research facility, employees have been noticing some oddities. Every morning for a week, when the first employee arrives, they find the main entrance door slightly ajar, though nothing inside seems to be stolen or disturbed. The facility uses a high-tech access card system for entry, and logs show different authorized personnel supposedly accessing the building multiple times during the night. However, those employees claim they were at home during those hours. What type of malicious activity is MOST likely responsible for these oddities?
Environmental attack
Brute force
RFID cloning
Malware
A
Correct answer
RFID cloning
Overall explanation
OBJ: 2.4 - Radio Frequency Identification cloning involves copying the data from one RFID tag (like those found in many security pass cards) and then using a duplicate or "clone" to gain unauthorized access. The mysterious nighttime entries using legitimate employee credentials suggest this. Malware is a software-based threat and not relevant to the physical security scenario described. Environmental attacks focus on exploiting physical environmental factors, such as temperature, humidity, etc. There's no evidence pointing to this based on the scenario. Brute force attacks typically involve trying many combinations to gain unauthorized entry. This would not likely result in the logs showing authorized employees accessing the facility.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
113
Q
Question 23: In digital forensics, which of the following BEST describes why the acquisition process is of utmost importance?
It determines the relevance of the evidence to the case
It grants forensic investigators immediate access to a crime scene
It provides a platform for communication between IT and legal teams
It ensures a precise and unaltered copy of digital evidence is obtained
A
Correct answer
It ensures a precise and unaltered copy of digital evidence is obtained
Overall explanation
OBJ 4.8: Acquiring evidence correctly guarantees the evidence remains unchanged, making it admissible and valuable in legal proceedings. While communication is key in forensics, the acquisition is more important because it deals with collecting evidence in its pristine form. Acquisition is about collecting evidence accurately, not determining its relevance to a particular case. Access might be necessary, but the acquisition phase is more about copying evidence without altering it.
Domain
4.0 - Security Operations
114
Q
Question 24: Carlos, a new security consultant at Dion Training Solutions, is tasked with identifying potential security vulnerabilities in the company's data center. He requests the latest server architecture diagram but receives one that's over a year old. Why is using this diagram potentially problematic for Carlos's task?
It would show too many unwanted technical details which could be confusing.
It might not reflect the current architecture, leading to overlooked vulnerabilities.
It would contain an outdated list of employees with data center access and their permissions.
It would show the company's outdated expansion plans for the data center.
A
Correct answer
It might not reflect the current architecture, leading to overlooked vulnerabilities.
Overall explanation
OBJ: 1.3 - An outdated diagram won't include recent changes, potentially missing out on identifying some vulnerabilities. The diagram's main goal is to depict the current structure, not necessarily future plans. The amount of detail is unrelated to the diagram's timeliness. Architecture diagrams focus on the system's structure, not employee access.
Domain
1.0 - General Security Concepts
115
Q
Question 25: Mary, a network administrator at Dion Training, is discussing with Enrique ways to harden the company's mobile devices. Which technique would be the MOST effective for them to implement first?
Enable Bluetooth discoverable mode
Enforce screen lock after inactivity
Enforce full device encryption
Recommend users to use strong Wi-Fi passwords
A
Correct answer
Enforce full device encryption
Overall explanation
OBJ 4.1: Encrypting the entire device ensures that the data remains inaccessible even if the physical device is compromised. This is paramount for data protection. Enabling Bluetooth discoverable mode makes pairing easier but increases vulnerability by allowing unsolicited connections. It doesn't contribute to overall security as much as the other answer options. A screen lock is essential to prevent unauthorized access, but a determined attacker could still extract data from the device directly. Strong Wi-Fi passwords protect against unauthorized network access but don't safeguard the device's stored data.
Domain
4.0 - Security Operations
116
Q
Question 26: Lucas, an executive at Kelly Innovations LLC, started observing some unusual behaviors on his office computer. The system sometimes seemed to be running tasks he hadn't initiated. Lucas asked the IT department to check the machine for signs of malware. IT couldn't find any suspicious files or traditional malware footprints on the system. However, they noticed unauthorized changes in the system's registry values and detected activity suggesting the use of PowerShell scripts to execute tasks. Further, these scripts were leveraging legitimate system scripting tools for scanning and configuration activities. Which type of malware is Lucas's computer MOST likely compromised with?
Bloatware
Fileless Malware
Worm
Spyware
A
Correct answer
Fileless Malware
Overall explanation
OBJ: 2.4 - Fileless malware operates in memory, often leveraging legitimate system tools to evade detection. It might adjust registry values for persistence and can run within its own process or use tools like PowerShell to achieve its objectives. Lucas's computer exhibits classic signs of a fileless malware attack. Bloatware refers to unnecessary or unwanted software that comes pre-installed on a device. Lucas's issue isn't related to pre-installed applications. While spyware covertly tracks user activities, Lucas's computer doesn't seem to be demonstrating tracking or monitoring as the primary concern. A worm self-replicates to spread across networks. There's no evidence in the scenario of self-replicating software causing Lucas's computer issues.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
117
Q
Question 27: An attacker sets up a rogue access point mimicking a legitimate one at a local cafe. Unsuspecting customers connect to this access point, enabling the attacker to intercept their data. Which of the following BEST describes this threat vector?
Wireless network
Phishing
Supply chain
Default credentials
A
Correct answer
Wireless network
Overall explanation
OBJ: 2.2 - Attackers exploit vulnerabilities in remote access or wireless networks. By setting up rogue access points, spoofing legitimate resources, or cracking security protocols, they can intercept or gain unauthorized access. Phishing involves attackers trying to trick individuals into providing sensitive data by posing as a trusted entity, usually through emails or deceptive websites. The default credential threat vector involves the intruder seizing the command of a network device or application due to it remaining set with its factory-default password. Such default login details are often found in the product's installation guide or can be easily found out. Supply chain attacks involve compromising one part of an organization's supply chain to later attack the main organization. It doesn't directly relate to wireless networks.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
118
Q
Question 28: Which of the following is a physical security measure typically employed outside buildings or sensitive areas to prevent vehicles from causing damage to property or gaining unauthorized access?
Security Checkpoint
Intrusion Detection System
Wire Fencing
Bollards
A
Correct answer
Bollards
Overall explanation
OBJ: 1.2 - Bollards are specifically engineered as strong, fixed posts that can stop vehicles by acting as a robust physical barrier, making them ideal for preventing vehicular access to sensitive areas. Although a security checkpoint controls and monitors the access of individuals and vehicles into a secure area, it primarily functions as a screening point rather than a physical barrier. Security checkpoints might manage vehicle flow but do not necessarily stop a determined vehicle from breaching a perimeter if not combined with physical barriers. Wire fencing is used to delineate boundaries and can restrict pedestrians and smaller vehicles; however, it is not strong enough to stop vehicles effectively, especially if the vehicle is determined to breach the perimeter. Intrusion Detection Systems primarily focus on detecting unauthorized entries or breaches within a building or area using sensors and alarms. They do not provide a physical barrier to stop vehicles; instead, they alert security personnel of possible intrusions.
Domain
1.0 - General Security Concepts
119
Q
Question 29: Which of the following statements BEST explains the concept of Log aggregation?
Log aggregation is the collecting of data from a scan and making it available to security analysts
Log aggregation is the analysis of wide varieties of log data to identify security breaches
Log aggregation collects and normalizes log data from various sources to make it easier to analyze
Log aggregation is the monitoring network traffic and identifying potential security breaches
A
Correct answer
Log aggregation collects and normalizes log data from various sources to make it easier to analyze
Overall explanation
OBJ: 4.4 - Log aggregation is essential for collecting, normalizing, and centralizing log data from various sources, such as network devices, servers, and applications. This centralized approach enables comprehensive analysis and detection of security incidents, providing valuable insights into potential security threats and breaches. While log aggregation makes it easier for analysts to view the data, aggregation doesn't involve analysis, only collection and centralization. Logging is the collection of data from a scan and making it available to security analysts. Log aggregation is the collecting of log data from many sources and normalizing it so it can be more easily analyzed. Log aggregation doesn't involve the actual monitoring of network traffic.
Domain
4.0 - Security Operations
120
Q
Question 30: Sterling, an animal rights activist, infiltrates the network of a company that sells fur coats, blocking customers from accessing the website. His goal is to prevent customers from buying fur coats. What type of act does this example best represent?
Creating disorder/chaos
Data exfiltration
Service disruption
Espionage
A
Correct answer
Service disruption
Overall explanation
OBJ: 2.1 - A service disruption refers to the act of impairing or interrupting the availability or functionality of a system or network. Service disruption can be done for protest, sabotage, extortion, or diversion purposes. In this example, the hacktivist is preventing the system from functioning. Espionage refers to the act of spying on another entity's activities, operations, or secrets. Espionage can be done for political, military, economic, or competitive reasons. The hacktivist in the example doesn't attempt to gain information or use it. Creating disorder/chaos refers to the act of causing disorder or confusion in a system or network. It is most often done for amusement, diversion, experimentation, or nihilism. The hacktivist's actions may disrupt the company's business, but the main motivation is to prevent the company from providing a service. Data exfiltration refers to the act of stealing sensitive or confidential data from a system or network. Data exfiltration can be done for financial gain, espionage, blackmail, or other purposes. In the example, the hacktivist doesn't take information.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
121
Q
Question 31: Hani, a security analyst, is investigating a malware incident and discovers that the malware had been placed on the computers weeks ago. At midnight, it triggered a virus that spread across four servers and throughout the organization. The CEO found a message from a former employee stating that he had left a "surprise" for the company. Which type of malware is MOST likely responsible for this incident?
Worm
Logic bomb
Ransomware
Trojan
A
Correct answer
Logic bomb
Overall explanation
OBJ: 2.4 - A logic bomb is a type of malware that executes a malicious action when a specific condition or trigger is met, such as a date, time, or event. Ransomware is a type of malware that encrypts the data or files on a system and demands a ransom for their decryption or restoration. A Trojan is a type of malware that disguises itself as a legitimate or benign program, but performs malicious actions when executed. A worm is a type of malware that self-replicates and spreads to other systems or networks without user interaction.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
122
Q
Question 32: What is the primary difference between sanitization and destruction in the disposal process?
Sanitization refers to physically damaging the asset to render it unusable, while destruction involves completely eliminating all residual data
Sanitization and destruction are synonyms and refer to the same process
Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset
Sanitization concerns the reuse of assets in an organization, and destruction involves transferring those assets to a different department
A
Correct answer
Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset
Overall explanation
OBJ 4.2: Sanitization involves the process of permanently erasing or de-identifying data on a device so it cannot be recovered, while destruction is about physically demolishing the asset, ensuring no data can be extracted from it. Sanitization and destruction involve methods of removing or totally destroying data or assets rather than internal asset redistribution in an organization. Sanitization does not refer to physically damaging the asset; instead, it has to do with removing or de-identifying data so it cannot be recovered. Destruction involves physical destruction of the asset itself. Sanitization and destruction refer to two different types of procedures in the disposal process and are not synonyms.
Domain
4.0 - Security Operations
123
Q
Question 33: What is the name of the web-based attack that involves entering malicious code into user input fields that are executed by a database server?
Cross-site request forgery (CSRF)
Cross-site scripting (XSS)
Structured Query Language injection
Directory traversal
A
Correct answer
Structured Query Language injection
Overall explanation
OBJ: 2.3 - Structured Query Language injection is a web-based attack that involves inserting malicious SQL statements into user input fields or URLs that are executed by the database server. It can allow an attacker to read, modify, delete, or execute commands on the database. Cross-site scripting (XSS) is a web-based attack that involves inserting malicious scripts into web pages that are executed by the browser of unsuspecting users. It can allow an attacker to steal cookies, session tokens, credentials, or perform other actions on behalf of the user. Cross-site request forgery (CSRF) is a web-based attack that involves tricking a user into performing an unwanted action on a website where they are already authenticated. It can allow an attacker to transfer funds, change passwords, or perform other actions without the user's consent. Directory traversal is a web-based attack that involves exploiting a vulnerability in a web server or application to access files or directories that are outside the intended scope. It can allow an attacker to read, modify, delete, or execute files or directories on the server.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
124
Q
Question 34: Sasha, a network administrator for Kelly's Technical Innovations, has just recently installed a NGFW on her company's network to replace the previous traditional stateful firewall they were using. This change was made to address the shortcomings of the previous firewall. Which of the following improvements does this NGFW provide that were not available previously? (Choose 3)
Addition of multiple functions, including firewall, intrusion prevention, antivirus, and more
Increased focus on HTTP traffic, helping to prevent common web application attacks like cross-site scripting and SQL injections
Can be integrated with various other security products
Ability to conduct deep packet inspection and use signature-based intrusion detection
Application awareness that can distinguish between different types of traffic
Improved awareness of connection states on layer 4 traffic
A
Correct selections
Can be integrated with various other security products
Ability to conduct deep packet inspection and use signature-based intrusion detection
Application awareness that can distinguish between different types of traffic
Overall explanation
OBJ 3.2: A Next Generation Firewall (NGFW) has several improvements over the company's previous stateful firewall: application awareness that can distinguish between different types of traffic, the ability to conduct deep packet inspection and use signature-based intrusion detection, and the ability to be integrated with various other security products. Tracking of connections and requests, allowing return traffic for outbound requests, and improving awareness of connection states on layer 4 were already features on the stateful firewall that was replaced. The addition of multiple functions, including firewall, intrusion prevention, antivirus, and more, is advancing into the area of a Unified Threat Management (UTM) firewall rather than a basic NGFW. Increased focus on HTTP traffic helping to prevent common web application attacks like cross-site scripting and SQL injections would be a description of a Web Application Firewall (WAF), not a NGFW.
Domain
4.0 - Security Operations
125
Q
Question 35: As a security analyst, you are investigating a suspicious file activity incident. While examining metadata associated with different files, which of the following pieces of information is NOT typically presented in metadata?
File size
Date and time of last modification
Users who have accessed the file
The file's creator
A
Correct answer
Users who have accessed the file
Overall explanation
OBJ 4.9: Metadata does NOT normally include information about users who have accessed the file, although it will have information about what IP addresses have accessed the file. The date and time of the last modification is an integral part of metadata. This can help establish timelines of activity and identify any unexpected changes, which is crucial during an investigation. File size is a common piece of metadata. This could potentially be useful in an investigation if, for example, a file's size significantly changes without a clear reason. The name of the user who created the file is often included as part of the file's metadata. This is crucial information during an investigation of unauthorized file access or alteration.
Domain
4.0 - Security Operations
126
Q
Question 36: Which of the following BEST describes the primary role of an audit committee in the context of cybersecurity?
Directly managing IT teams to address every security incident in the organization.
Overseeing cybersecurity risks and ensuring regulatory compliance.
Engaging in comprehensive policy negotiations with cybersecurity insurance providers.
Handling the execution and implementation of cybersecurity measures.
A
Correct answer
Overseeing cybersecurity risks and ensuring regulatory compliance.
Overall explanation
OBJ: 5.5 - The audit committee plays a pivotal role in making sure that the organization meets necessary regulatory standards while also acknowledging the evolving cybersecurity landscape. The audit committee's emphasis is on strategic oversight and governance, rather than managing the minutiae of daily IT operations. While the audit committee provides oversight, they typically don't delve into the specifics of cybersecurity implementations. While insurance is essential, the audit committee's primary role isn't focused on detailed negotiations with insurance carriers.
Domain
5.0 - Security Program Management and Oversight
127
Q
Question 37: John is an IT administrator at Dion Training Solutions. Due to the dynamic nature of his job, he often requires access to various servers and systems on an as-needed basis. The organization wants to ensure that John is granted access only when required and for a short duration. Which security approach would be MOST suitable for John's role?
Data classification
Just-in-time permissions
RBAC
Mandatory access control
A
Correct answer
Just-in-time permissions
Overall explanation
OBJ 4.6: By granting access only when it's specifically needed and for a short duration, just-in-time permissions minimize the exposure of critical systems. MAC (Mandatory access control) assigns access based on labels and does not consider the specific timing or short duration for access needs. While RBAC (Role-based access control) assigns permissions based on job function, it does not consider the timing or duration of access needs. Data classification categorizes data based on its sensitivity, not the timing or duration of access.
Domain
4.0 - Security Operations
128
Q
Question 38: At Dion Defenders, the risk management team has completed the risk assessment process and identified various risks to the company's information systems. They are now preparing to communicate the risk-related information to relevant stakeholders and management for informed decision-making. What part of the risk assessment process are they undertaking?
Risk reporting
Risk analysis
Risk assessment
Risk identification
A
Correct answer
Risk reporting
Overall explanation
OBJ: 5.2 - Risk reporting is the element of the risk management process that involves communicating risk-related information, including risk assessment results, to relevant stakeholders and management. Risk analysis involves analyzing risks in terms of their potential financial impact and other factors. This is done before reporting to the stakeholders. Risk assessment involves evaluating the identified risks to determine their potential impact and likelihood of occurrence. This is done before reporting to the stakeholders. Risk identification involves identifying potential risks and vulnerabilities within an organization's environment. This is done before reporting to the stakeholders.
Domain
5.0 - Security Program Management and Oversight
129
Question 39:
Which term refers to the percentage of an asset's value that is expected to be lost when a specific risk eventuates?
Damage proportion
SLE
EF
Asset impact
Correct answer
EF
Overall explanation
OBJ 5.2 - The exposure factor (EF) is the fraction of the asset value that is at risk in the event of a security incident, expressed as a percentage or a decimal between 0 and 1. Asset impact can refer to the general effect on an asset but does not provide a quantifiable percentage like the exposure factor does. Damage proportion might be used informally to describe a similar concept as EF, but it is not the standard term used in risk assessment. SLE (Single loss expectancy) is the monetary loss expected from a single occurrence of a risk event (asset value multiplied by EF); it is an amount, not a percentage.
For support or reporting issues, include Question ID: 65487b93acaa0dbbe5e8022e in your ticket. Thank you.
Domain
5.0 - Security Program Management and Oversight
130
Question 40:
Jamario, an IT administrator for Dion Training Solutions, is considering deploying an agent-based web filter solution to manage and monitor web traffic for remote employees. Which of the following is the MOST important advantage of implementing agent-based web filters over traditional gateway-based filters for this purpose?
It can filter traffic at a faster rate than gateway solutions
It doesn't require any updates or maintenance
It reduces the total cost of ownership (TCO) due to the absence of hardware
It allows for consistent policy enforcement regardless of the user's location
Correct answer
It allows for consistent policy enforcement regardless of the user's location
Overall explanation
OBJ 4.5 - Agent-based web filters are installed directly on the end user's device, ensuring that the filtering policy is enforced consistently, whether the user is on the corporate network or working remotely. The filtering speed depends on many factors, including the efficiency of the software, the hardware it is running on, and the network's overall capacity, not just on the type of filtering solution. All software, including agent-based web filters, requires updates to remain effective against the latest threats and compatible with current systems. While there might be some cost savings from not needing dedicated hardware, agent-based solutions also come with their own costs, such as licensing and maintenance.
For support or reporting issues, include Question ID: 654325b46809155389722589 in your ticket. Thank you.
Domain
4.0 - Security Operations
131
Question 41:
Which of the following statements is NOT true about the importance of continuous integration in relation to secure operations?
Continuous integration automates the building and testing of code, which enhances developer productivity
Continuous integration can increase software quality by catching and fixing bugs quickly
Continuous integration may slow down the development process but it provides far more secure systems overall
Continuous integration enables early detection of issues, making it easier to address them before they escalate
Correct answer
Continuous integration may slow down the development process but it provides far more secure systems overall
Overall explanation
OBJ 4.7 - In fact, continuous integration speeds up the development process. By integrating work often, problems are discovered early and can be fixed immediately, preventing them from slowing down the project in later stages. Continuous integration involves automated processes such as building and testing code, relieving developers of manual, repetitive tasks and enabling them to focus on other aspects of their work, which enhances their productivity. Continuous integration allows for the immediate detection of issues because code is integrated frequently; this immediate feedback makes problems easier to address because they are caught and fixed before further progress is made, improving overall security. The practice of making frequent commits and running automated tests means that errors are detected sooner, and this early detection allows for quick fixes, improving software quality.
For support or reporting issues, include Question ID: 64c1a41ef35deb7523e71f56 in your ticket. Thank you.
Domain
4.0 - Security Operations
132
Question 42:
Jasmine, the manager of a local bank, was puzzled. Every Monday morning, she would find her safe's electronic keypad non-responsive, showing a "maximum attempts reached" error message. However, security footage did not show anyone physically attempting to open the safe over the weekend. Which of the following types of malicious activities is BEST described in this scenario?
Environmental attack
RFID cloning
Phishing
Brute force
Correct answer
Brute force
Overall explanation
OBJ 2.4 - Brute force attacks involve trying multiple combinations until the correct one is found. The "maximum attempts reached" error suggests that someone or something has been trying numerous combinations on the safe's electronic keypad; since nobody appears on the footage, the attempts are most likely being submitted electronically rather than at the keypad itself. Phishing is a method used to trick individuals into revealing sensitive information, typically online, and is not relevant to this physical security scenario. An environmental attack exploits environmental factors, and there is no evidence of that in this situation. RFID cloning involves copying RFID data to gain unauthorized access; it is not applicable in a scenario where a keypad is being used.
For support or reporting issues, include Question ID: 65296ae86fb1e3052b309216 in your ticket. Thank you.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
133
Question 43:
A cloud service provider recently underwent an audit to confirm their compliance with international data security standards. The final report provided by the auditors served as an attestation of the provider's security measures. What does this attestation signify to the cloud service provider's clients?
It guarantees that the security controls are impenetrable and all data is securely held.
It certifies that the provider's services are the most cost-effective in the market.
It acknowledges the provider's marketing strategies are effective.
It assures that the provider's security controls comply with established standards.
Correct answer
It assures that the provider's security controls comply with established standards.
Overall explanation
OBJ 5.4 - Attestation provides clients with a level of assurance that the provider's security controls have been independently assessed and found to comply with specific security standards. The effectiveness of marketing strategies is outside the scope of security attestation. Attestation does not guarantee that security controls are infallible; it only verifies that they are implemented according to certain standards. Attestation focuses on the verification of security measures, not on evaluating cost-effectiveness.
For support or reporting issues, include Question ID: 654983c35429895e833da5de in your ticket. Thank you.
Domain
5.0 - Security Program Management and Oversight
134
Question 44:
Dion Training is deploying a new application for remote employees. They want to ensure that users can securely log in without needing a physical device other than their smartphones. The system would generate a temporary numeric code on the user's device, which would then be used as a second form of authentication. Which of the following solutions BEST fulfills this requirement?
Software authentication tokens
Biometric authentication
Network location-based authentication
Static password
Correct answer
Software authentication tokens
Overall explanation
OBJ 4.6 - Software authentication tokens generate time-sensitive one-time codes on devices like smartphones, providing an added layer of security without the need for a physical device other than the user's own device. Biometric authentication leverages unique biological characteristics, such as fingerprints or facial recognition, but does not involve generating temporary codes. A static password is a fixed set of characters used for authentication and does not provide the dynamic, temporary nature of the described solution. Network location-based authentication validates users based on their network location, not a temporary numeric code.
For support or reporting issues, include Question ID: 65445e70fbad95d7ea4e4c49 in your ticket. Thank you.
Domain
4.0 - Security Operations
135
Question 45:
Lexicon, an AI company, seeks to implement a security measure to systematically identify, evaluate, and prioritize potential risks to their systems and networks. Which of the following is an example of a managerial security control that would help achieve this?
Intrusion detection system
Firewall
Risk assessments
Security Guards
Correct answer
Risk assessments
Overall explanation
OBJ 1.1 - Periodic evaluations such as risk assessments are a managerial security control that involves regularly evaluating the threats to systems and networks. This helps the company identify potential threats and take steps to mitigate them. Security guards are considered operational controls, not managerial controls. An intrusion detection system is a technical security control that monitors network traffic for signs of security threats. A firewall is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
For support or reporting issues, include Question ID: 64bd55d28ecaa950633d569c in your ticket. Thank you.
Domain
1.0 - General Security Concepts
136
Question 46:
A company wants to implement a more flexible access control system that can adjust to changing user behavior. Which of the following technologies can help the company achieve this goal?
Policy-driven access control
Adaptive identity
MAC
Security zones
Correct answer
Adaptive identity
Overall explanation
OBJ 1.2 - Adaptive identity allows for more flexible and dynamic access control by using contextual data to make access control decisions. For example, the system might grant access to a sensitive resource based on the user's location or the time of day. Policy-driven access control also allows for more flexible access control by using pre-defined policies to make access control decisions, but it does not necessarily adapt to changing user behavior and access patterns. MAC (Mandatory Access Control) is a very rigid access control system: access is granted through a system of rules and the categorization of data, and it does not provide flexible, dynamic access control. Security zones are used to segment a network into smaller, more manageable areas, but they do not in themselves provide flexible, dynamic access control.
For support or reporting issues, include Question ID: 64c03b8a3a8522a3b5997a5a in your ticket. Thank you.
Domain
1.0 - General Security Concepts
137
Question 47:
Which of the following best describes the primary purpose of a honeypot in a network environment?
To recover lost data after an attack
To prevent malware from executing
To detect and divert potential attackers
To block unauthorized access
Correct answer
To detect and divert potential attackers
Overall explanation
OBJ 1.2 - The primary purpose of a honeypot in a network environment is to detect and divert potential attackers by attracting them to a decoy system. This setup allows security teams to observe unauthorized activity and gather information without risking actual network resources. Unlike blocking unauthorized access, which actively prevents entry, a honeypot passively lures attackers. It does not prevent malware from executing, as it is meant for monitoring rather than directly stopping threats. Similarly, it does not serve to recover lost data after an attack, focusing instead on early detection and diversion.
For support or reporting issues, include Question ID: 6720ff1fe8b5ca200ac63846 in your ticket. Thank you.
Domain
1.0 - General Security Concepts
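The explanation above says a honeypot lures attackers to a decoy so their activity can be observed without exposing real assets. As an added example, not from the card deck, here is a minimal low-interaction TCP honeypot in Python: it binds a decoy port on localhost, answers every connection with a fake banner (the SSH version string is a hypothetical choice), records the source and the first bytes the client sends, and never serves a real service. A probe() helper plays the attacker so the whole exchange runs offline. Because no legitimate client has any reason to talk to the decoy, every hit is a detection event.

```python
import socket
import threading
import time
from typing import Dict, List


class Honeypot:
    """Low-interaction TCP honeypot. Listens on a decoy port, hands out a fake banner,
    logs who connected and what they sent first, then closes. It blocks nothing inline;
    its value is the alert and the captured tooling fingerprint."""

    def __init__(self, banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n"):  # hypothetical decoy banner
        self.banner = banner
        self.events: List[Dict] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (src, sport) = self._sock.accept()
            except socket.timeout:
                continue
            data = b""
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)    # bait: look like a real service
                    data = conn.recv(256)        # capture what the scanner sends first
                except OSError:                  # timeouts and resets are expected
                    pass
            with self._lock:
                self.events.append({"ts": time.time(), "src": src, "sport": sport,
                                    "first_bytes": data})

    def wait_for_events(self, n: int, timeout: float = 3.0) -> List[Dict]:
        """Block until at least n events are recorded (or timeout); return a snapshot."""
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.events) >= n or time.time() >= deadline:
                    return list(self.events)
            time.sleep(0.02)


def probe(port: int, payload: bytes) -> bytes:
    """Play the attacker: connect to the decoy, read its banner, send a scanner-style payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def alert_sources(events: List[Dict]) -> List[str]:
    """Distinct source addresses seen on the decoy: the list to feed a SIEM or a block rule."""
    return sorted({e["src"] for e in events})


if __name__ == "__main__":
    hp = Honeypot()
    hp.start()
    print(f"decoy listening on 127.0.0.1:{hp.port}")
    print("attacker saw banner:", probe(hp.port, b"SSH-2.0-masscan\r\n"))
    for event in hp.wait_for_events(1):
        print("honeypot hit:", event)
    print("sources to investigate:", alert_sources(hp.events))
    hp.stop()
```

The honeypot deliberately reads only a few hundred bytes and closes; a decoy that tries to emulate a full service becomes attack surface of its own, which is the trade-off between low- and high-interaction honeypots.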
138
Question 48:
Which of the following BEST defines the term that represents the expected number of times a risk event will occur within a one-year period?
SLE
ARO
EF
ALE
Correct answer
ARO
Overall explanation
OBJ 5.2 - ARO (Annualized rate of occurrence) quantifies the expected frequency of a risk occurring within a one-year time frame. While SLE (Single loss expectancy) calculates the cost of a single occurrence of a risk event, it does not account for the frequency of that event over time, which is necessary to calculate ALE. Exposure Factor (EF) is the proportion of asset value lost per risk event, a component of the SLE calculation, not a frequency. Annualized Loss Expectancy (ALE) represents the yearly financial loss a company can expect from a specific risk, factoring in both the severity (SLE) and the frequency (ARO) of the event.
For support or reporting issues, include Question ID: 654879a9acaa0dbbe5e80224 in your ticket. Thank you.
Domain
5.0 - Security Program Management and Oversight
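Questions 39 and 48 define EF, SLE, ARO and ALE. As an added example (not part of the card deck), the following Python risk register computes them from the standard relationships SLE = AV x EF and ALE = SLE x ARO, validates that EF is a fraction, ranks risks by ALE, and goes one step beyond the cards by comparing a control's yearly cost with the ALE it removes, which is how a quantitative assessment decides whether mitigating or accepting a risk is cheaper. The asset values, factors, rates and control cost are constructed, hypothetical figures.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float   # AV: what the asset is worth, in currency units
    ef: float            # exposure factor: fraction of AV lost per event, 0.0..1.0
    aro: float           # annualized rate of occurrence: expected events per year (0.1 = once a decade)

    def __post_init__(self):
        # Exam questions state EF as a percentage; it must be stored as a fraction here.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1, got {self.ef}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: money lost each time the event happens (AV x EF)."""
        return self.asset_value * self.ef

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by how often it happens per year (SLE x ARO)."""
        return self.sle * self.aro


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Risk names ordered by expected yearly loss, the order a register is prioritized in."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def control_net_benefit(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Yearly ALE reduction a control buys, minus its yearly cost (beyond the card text).
    Positive: the control pays for itself. Negative: accepting the risk is cheaper."""
    return (before.ale - after.ale) - annual_control_cost


# Constructed, hypothetical register for the demo.
REGISTER = [
    Risk("Ransomware on file server", asset_value=400_000, ef=0.5, aro=0.5),
    Risk("Laptop theft", asset_value=2_500, ef=1.0, aro=4),
    Risk("Datacenter flood", asset_value=2_000_000, ef=0.75, aro=0.05),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28s} SLE={r.sle:>12,.0f}  ALE={r.ale:>12,.0f}")
    print("priority:", rank_by_ale(REGISTER))
    before = REGISTER[0]
    # Hypothetical control: offline backups cut EF from 0.5 to 0.1 at 30,000 per year.
    after = Risk(before.name, before.asset_value, ef=0.1, aro=before.aro)
    print("net benefit of backups:", control_net_benefit(before, after, 30_000))
    assert math.isclose(before.sle, 200_000)
```

Note that a low ARO does not make a risk cheap: in the constructed register the flood happens once in twenty years yet outranks the laptop thefts that happen four times a year, because ALE multiplies frequency by impact.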
139
Question 49:
Members of the Risk Management Team at Eclipse, an awning manufacturer, are discussing the organization's approach to risk management. They are considering the level of risk they are willing to accept to achieve the aggressive set of goals the CEO has created. What is the term for what they are considering?
Risk acceptance
Risk deterrence
Risk appetite
Risk tolerance
Correct answer
Risk appetite
Overall explanation
OBJ 5.2 - Risk appetite refers to an organization's willingness to take on risk in pursuit of its business objectives. It reflects the organization's strategic approach to risk and how much risk it is willing to undertake to achieve specific goals. Risk acceptance means that an organization understands the level of risk involved in an activity and is willing to accept the outcomes of taking that risk; a risk is either accepted or not, there are no levels of risk acceptance, and in this case they are not deciding about a specific activity. Risk tolerance is the extent to which an organization is comfortable with the level of risk it is willing to take; it represents the organization's ability to withstand potential losses or disruptions. Risk deterrence involves taking measures that discourage threat actors or reduce the likelihood or impact of an event; in this case, they are not evaluating the impact of, or taking measures against, a specific event.
For support or reporting issues, include Question ID: 64b9f508974c18fd63dd24bb in your ticket. Thank you.
Domain
5.0 - Security Program Management and Oversight
140
Question 50:
Which of the following types of certificates is issued by an entity using its own private key and is often used in internal or testing environments due to its lack of inherent trust in external systems?
Self-signed certificate
CSR
Extended validation certificate
Root certificate
Correct answer
Self-signed certificate
Overall explanation
OBJ 1.4 - A self-signed certificate is generated and signed by the same entity and is not backed by a trusted certificate authority (CA). While it is cost-effective and good for internal uses, it is viewed with skepticism by external systems because it lacks third-party verification. An extended validation certificate offers the highest level of assurance for websites, with rigorous checks by CAs, but it is not self-signed. A root certificate is the top-level certificate in a certificate hierarchy and is used to validate the certificates of the issuing CAs beneath it; it does not inherently indicate a lack of third-party trust. A CSR (Certificate Signing Request) is a message sent from an applicant to a certificate authority to apply for a digital identity certificate; it is not a type of certificate itself.
For support or reporting issues, include Question ID: 6524e5389e22f124a23e7938 in your ticket. Thank you.
Domain
1.0 - General Security Concepts
141
Question 51:
Bluebird Technologies has hired a penetration tester. In the test she will attempt to enter the building by using a fake ID and by piggybacking at the entrance. What type of penetration testing will she be doing?
Physical
Known environment
Partially known environment
Integrated
Correct answer
Physical
Overall explanation
OBJ 5.5 - Physical penetration testing involves evaluating an organization's physical security measures, such as access controls, surveillance systems, and security protocols, to identify vulnerabilities and potential breaches. Penetration testing in a partially known environment means that some information has been given to the tester; there is no indication in the scenario that the tester has been given information. Penetration testing in a known environment means that a significant amount of information has been given to the tester, which can include passwords, usernames, and other information; again, there is no indication in the scenario that the tester has been given information. Integrated penetration testing refers to a comprehensive approach that combines different types of penetration tests to assess an organization's overall security posture; while physical security may be part of that assessment, it is not the main focus of this type of testing.
For support or reporting issues, include Question ID: 64c1a87d3c0620e9baa77d4b in your ticket. Thank you.
Domain
5.0 - Security Program Management and Oversight
142
Question 52:
At Jamario Tech, employees often complain about having to remember multiple strong passwords for different platforms, leading some to resort to insecure practices like writing them on sticky notes. The cybersecurity team wants to offer a solution to help employees securely manage and store their numerous credentials. What would be the MOST effective solution for this problem?
Allow their employees to write down their passwords as long as they keep them safe
Encourage employees to use similar passwords for different platforms
Introduce a company-wide password manager
Advise employees to regularly change passwords
Correct answer
Introduce a company-wide password manager
Overall explanation
OBJ 4.6 - A password manager securely stores and autofills credentials, reducing the burden on employees to remember multiple strong passwords. Advising employees to regularly change passwords does not alleviate the primary issue of password recall. Allowing employees to write down their passwords is not recommended since the notes can be found if not secured properly. Encouraging employees to use similar passwords for different platforms leads to security vulnerabilities due to password reuse.
For support or reporting issues, include Question ID: 654448f50c5ecc119a27011e in your ticket. Thank you.
Domain
4.0 - Security Operations
143
Question 53:
Kelly Innovations LLC wants to implement a network appliance that focuses on filtering traffic based on source and destination IP addresses and port numbers. Which layer of the OSI model is this appliance primarily operating at?
Layer 3
Layer 5
Layer 4
Layer 2
Correct answer
Layer 4
Overall explanation
OBJ 3.2 - Layer 4, the transport layer, deals with protocols like TCP and UDP and is concerned with port numbers and connection-oriented communication. Network appliances operating at this layer filter and manage traffic based on source and destination IP addresses as well as port numbers. Layer 2, the data link layer, deals with frames and MAC addresses; switches typically operate at this layer. Layer 5, the session layer, establishes, maintains, and terminates connections between applications on different devices; it does not handle filtering based on IP addresses and port numbers. Layer 3, the network layer, is primarily focused on routing data and IP addressing; devices at this layer, like routers, are not primarily concerned with port numbers.
For support or reporting issues, include Question ID: 652c848c3b1d2556f6cb6b7a in your ticket. Thank you.
Domain
3.0 - Security Architecture
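As an added example (not from the card deck), the following Python models the Layer 4 filtering the question describes: rules keyed on protocol, source and destination CIDR, and port ranges; first-match evaluation with an implicit deny at the end; and a check for shadowed rules, i.e. rules that an earlier, broader rule makes unreachable, which is a common finding when auditing a firewall policy. The addresses (documentation ranges) and the policy itself are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"              # CIDR prefix
    dst: str = "0.0.0.0/0"
    sport: Tuple[int, int] = ANY_PORT   # inclusive port range
    dport: Tuple[int, int] = ANY_PORT

    def matches(self, p: Packet) -> bool:
        """5-tuple match: protocol, both addresses inside the prefixes, both ports in range."""
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
            and self.sport[0] <= p.sport <= self.sport[1]
            and self.dport[0] <= p.dport <= self.dport[1]
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` would match, this rule matches too."""
        return (
            self.proto in ("any", other.proto)
            and ipaddress.ip_network(other.src, strict=False).subnet_of(ipaddress.ip_network(self.src, strict=False))
            and ipaddress.ip_network(other.dst, strict=False).subnet_of(ipaddress.ip_network(self.dst, strict=False))
            and self.sport[0] <= other.sport[0] and other.sport[1] <= self.sport[1]
            and self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]
        )


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the rule that fired);
    a packet no rule matches hits the implicit deny (index None)."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [j for j in range(len(rules)) if any(rules[i].covers(rules[j]) for i in range(j))]


# Constructed, hypothetical policy: public web to a DMZ host, internal DNS to a resolver,
# an explicit (logged) deny for SSH from anywhere, implicit deny for everything else.
POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=(443, 443)),
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=(80, 80)),
    Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", dport=(53, 53)),
    Rule("deny", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=(22, 22)),
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", 51234, "203.0.113.10", 443),
                Packet("tcp", "198.51.100.7", 51235, "203.0.113.10", 22),
                Packet("udp", "192.0.2.1", 40000, "10.0.0.53", 53)):
        print(pkt, "->", filter_packet(POLICY, pkt))
    print("shadowed rule indices:", shadowed_rules(POLICY))
```

The explicit SSH deny in the constructed policy is redundant with the implicit deny; it exists so the drop is logged with a rule hit. A pure Layer 4 filter like this is stateless: it cannot tell a reply from a new connection, which is why stateful firewalls track connection state on top of the same 5-tuple match.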
144
Question 54:
You are a network engineer for a large hospital that has a complex network with many applications and many employees. You are most concerned with protecting the privacy of patients, so you will need to prevent unauthorized people from seeing data. Which of the following mitigation techniques can help you achieve this goal?
Isolation
Least Privilege
Application allow list
Monitoring
Correct answer
Least Privilege
Overall explanation
OBJ 2.5 - Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This limits the extent of an attack by limiting the attacker's access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing them through mechanisms such as passwords, tokens, and biometrics. Using least privilege, employees have access to the patient data they need, but not to the data of other patients. Monitoring is a mitigation technique that helps detect and respond to potential threats or incidents on a network; by collecting and analyzing data about the activities and events on the network, security analysts can develop theories about the vulnerabilities and incidents that occur on the system. Monitoring involves tools and techniques such as logs, alerts, and audits. Monitoring will tell you if the data is breached, but it will not prevent unauthorized people from seeing patient data. An application allow list is a mitigation technique that helps enforce compliance with security standards and policies on a system or network by comparing applications to a list of applications that are allowed to run; these applications have been verified and authorized by the system or network administrator, and any application not on the list is not allowed to run. Limiting the applications that employees can use will not prevent them from seeing patient data. Isolation is a mitigation technique that helps prevent malware from spreading from one system or process to another by limiting their interaction and communication; it involves sandboxing or simply disconnecting an infected system, which prevents potentially malicious programs or scripts from accessing the rest of the system or network. Patient data cannot be isolated in this way because authorized people will need access to it.
For support or reporting issues, include Question ID: 64bef17bcdab7c65df69bb3b in your ticket. Thank you.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
145
Question 55:
Which of the following is the BEST type of backup that allows for the rapid redeployment of an OS without requiring reinstallation of third-party software, patches, and configurations?
Image backup
Incremental backup
Differential backup
File-level backup
Correct answer
Image backup
Overall explanation
OBJ 2.2 - An image backup duplicates an OS installation, either from a physical hard disk or a VM's virtual hard disk. It offers a quick means to redeploy the system without reinstalling software and settings. File-level backup involves copying individual files and directories; it does not duplicate the entire OS installation like an image backup. Incremental backup saves only the changes made since the last backup, not the entire system configuration or OS installation. Differential backup saves all changes made since the last full backup but does not create a complete system image like the image backup.
For support or reporting issues, include Question ID: 65263a9e8dac4f87323045ef in your ticket. Thank you.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
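The explanation distinguishes incremental and differential backups by what each captures. As an added example, not from the card deck, this Python simulation runs the same constructed change log through both schemes using the archive-bit convention that defines them (a full or incremental backup copies flagged files and clears the flag; a differential copies them but leaves the flag set, so it re-copies everything changed since the last full), then reports the storage each scheme consumes and how many backup sets a restore has to read. File names and sizes are constructed; image backups, the card's correct answer, are not modelled because they copy the whole disk rather than individual files.

```python
from typing import Dict, List, Set, Tuple

Event = Tuple[int, str, int]                   # (day, path, size in KB): constructed change log
BackupSet = Tuple[int, str, Dict[str, int]]    # (day, kind, {path: size})


def run_schedule(events: List[Event], scheme: str) -> List[BackupSet]:
    """Day 0 takes a full backup; every later day takes one backup of the chosen scheme."""
    if scheme not in ("incremental", "differential"):
        raise ValueError("scheme must be 'incremental' or 'differential'")
    sizes: Dict[str, int] = {}
    archive_bit: Set[str] = set()          # files changed since the last bit-clearing backup
    backups: List[BackupSet] = []
    last_day = max(day for day, _, _ in events)
    for day in range(last_day + 1):
        for d, path, size in events:       # apply the day's changes, flagging each file
            if d == day:
                sizes[path] = size
                archive_bit.add(path)
        if day == 0:
            backups.append((day, "full", dict(sizes)))
            archive_bit.clear()
        elif scheme == "incremental":
            backups.append((day, "incremental", {p: sizes[p] for p in sorted(archive_bit)}))
            archive_bit.clear()            # incremental resets the baseline
        else:
            backups.append((day, "differential", {p: sizes[p] for p in sorted(archive_bit)}))
            # differential leaves the bits set: the baseline stays at the last full
    return backups


def restore_chain(backups: List[BackupSet]) -> List[BackupSet]:
    """The sets that must be read, in order, to rebuild the latest state."""
    last_full = max(i for i, (_, kind, _) in enumerate(backups) if kind == "full")
    later = backups[last_full + 1:]
    chain = [backups[last_full]]
    chain.extend(b for b in later if b[1] == "incremental")     # every incremental is needed
    differentials = [b for b in later if b[1] == "differential"]
    if differentials:
        chain.append(differentials[-1])                         # only the newest differential
    return chain


def restore(chain: List[BackupSet]) -> Dict[str, int]:
    """Replay the chain oldest to newest; later sets overwrite earlier versions."""
    state: Dict[str, int] = {}
    for _, _, files in chain:
        state.update(files)
    return state


def storage_used(backups: List[BackupSet]) -> int:
    return sum(sum(files.values()) for _, _, files in backups)


# Constructed change log: three files on day 0, then edits and one new file.
CHANGES: List[Event] = [(0, "a", 100), (0, "b", 200), (0, "c", 300),
                        (1, "a", 110), (2, "b", 210), (3, "a", 120), (3, "d", 50)]


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        sets = run_schedule(CHANGES, scheme)
        chain = restore_chain(sets)
        print(f"{scheme:12s} storage={storage_used(sets)} KB  sets to restore={len(chain)}  "
              f"restored={restore(chain)}")
```

The trade-off the card is testing falls out of the numbers: incrementals store less but a restore needs the full plus every incremental since, so losing one set breaks the chain; differentials grow day by day but a restore needs only two sets. Neither scheme copies the operating system itself, which is why only an image backup redeploys a machine without reinstalling.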
146
Question 56:
Cerys is investigating an incident. She found a hidden program that monitors the network traffic and captures sensitive information. Which of the following types of malware is MOST likely involved in this incident?
Ransomware
Worm
Spyware
Trojan
Correct answer
Spyware
Overall explanation
OBJ 2.4 - Spyware is a type of malware that covertly monitors activity, including network traffic, and captures sensitive information such as passwords, credit card numbers, or personal details. A worm is a type of malware that self-replicates and spreads to other systems or networks without user interaction. Ransomware is a type of malware that encrypts the data or files on a system and demands a ransom for their decryption or restoration. A Trojan is a type of malware that disguises itself as a legitimate or benign program but performs malicious actions when executed, such as creating a backdoor for remote access or control.
For support or reporting issues, include Question ID: 64bcd4d64f97be0dbe753493 in your ticket. Thank you.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
147
Question 57:
Which of the following architecture models involves using a single point of control or authority to manage a system or service?
Centralized
Responsibility Matrix
Decentralized
On-Premises
Correct answer
Centralized
Overall explanation
OBJ 3.1 - Centralized is an architecture model that involves using a single point of control or authority to manage a system or service. Centralized systems or services can have advantages such as simplicity, consistency, and security, but also disadvantages such as a single point of failure, scalability issues, and lack of autonomy. A responsibility matrix is a document that defines the roles and responsibilities of the different parties involved in a cloud service agreement, such as the cloud service provider, the cloud customer, and the cloud user; it clarifies who is accountable for which aspects of security, compliance, and operations in a cloud environment, and it is not an architecture model. On-premises is an architecture model that involves hosting and managing infrastructure on the organization's own premises; it can be centralized or decentralized. Decentralized is an architecture model that involves using multiple distributed points of control or authority to manage a system or service; decentralized systems or services can have advantages such as resilience, scalability, and autonomy, but also disadvantages such as complexity, inconsistency, and security challenges.
For support or reporting issues, include Question ID: 64c050ab622fbc04cdbf2532 in your ticket. Thank you.
Domain
3.0 - Security Architecture
148
Question 58:
After a security assessment, Jono has been tasked with replacing his home office AP with one that has the capability of providing WPA3, which his previous one was unable to handle. Which of the following is true when considering WPA3 standards? (Select 4.)
It uses a 4-way handshake for initial authentication and key validation
It provides individualized data encryption even in open networks
It is the latest and most secure wireless security protocol
It utilizes a Diffie-Hellman key agreement
It prevents eavesdropping, forging, and tampering with management frames
It encrypts the authentication process using TCP for enhanced security
Correct selections
It provides individualized data encryption even in open networks
It is the latest and most secure wireless security protocol
It utilizes a Diffie-Hellman key agreement
It prevents eavesdropping, forging, and tampering with management frames
Overall explanation
OBJ 4.1 - WPA3 is the latest and most secure wireless security protocol; it uses Simultaneous Authentication of Equals (SAE), a Diffie-Hellman-based password-authenticated key agreement, in place of WPA2's pre-shared key (PSK) exchange; it provides individualized data encryption even in open networks; and it makes protected management frames mandatory, which prevents eavesdropping, forging, and tampering with management frames. These additions address flaws in the previous WPA2 standard, which had become an increasing security concern. In WPA2 the 4-way handshake is the initial authentication step: possession of the PSK is proven there, and a captured handshake can be attacked offline to recover a weak passphrase. WPA3 moves initial authentication to SAE, which resists offline guessing; a 4-way handshake still follows SAE to derive the per-session keys, but it is no longer where authentication happens, so that statement describes WPA2. Nothing in WPA3 runs authentication over TCP: SAE is carried in 802.11 management frames, and enterprise networks that authenticate with EAP methods such as EAP-TLS carry them over EAPOL and RADIUS (UDP by default), which operate alongside WPA3 rather than as part of it.
For support or reporting issues, include Question ID: 65262aa26f507d8e8ff08998 in your ticket. Thank you.
Domain
4.0 - Security Operations
149
Question 59:
Which of the following statements BEST explains the importance of employee retention in securing an organization?
Employee retention reduces the need for automation and orchestration, leading to a more stable workforce
High employee retention promotes a deeper understanding of automated security processes, improving response times
Employee retention reduces the likelihood of social engineering attacks because long term employees get more training to spot and avoid such attacks
Employee retention helps to maintain institutional knowledge and expertise in managing security automation
Correct answer
Employee retention helps to maintain institutional knowledge and expertise in managing security automation
Overall explanation
OBJ 4.7 - Employee retention enables the organization to keep experienced staff with valuable institutional knowledge, enhancing the management of security automation and orchestration. This accumulated expertise supports smoother operations and can improve response times in handling incidents. However, employee retention does not by itself reduce the likelihood of social engineering attacks, and it is not related to the need for automation: the benefits of automation and orchestration remain essential regardless of retention rates.
For support or reporting issues, include Question ID: 64c019867466b36c144bf8fb in your ticket. Thank you.
Domain
4.0 - Security Operations
Q

Question 60:

You are working remotely and you need to access your company's network resources. You connect to a public Wi-Fi hotspot at a nearby coffee shop and use a VPN client to establish a secure connection. However, you notice that the VPN client is outdated. What type of vulnerability are you exposing yourself to?

Open service ports

Vulnerable software

Default credentials

Unsecure networks

A

Correct answer: Vulnerable software

Overall explanation

OBJ 2.2: Vulnerable software is software that has known or unknown flaws that can be exploited by attackers to gain unauthorized access or cause harm. Outdated software may have unpatched vulnerabilities that can compromise the security of the system or the network. Default credentials are usernames and passwords that are set by default for certain devices or applications. Default credentials can be easily guessed by attackers and used to gain access to the system or the network. Open service ports are ports that are listening for incoming connections from other systems or devices. Open service ports can expose services that may have vulnerabilities or allow unauthorized access to the system. Unsecure networks are networks that do not have adequate security measures, such as encryption, authentication, or a firewall, to protect the data transmitted over them. Public Wi-Fi hotspots are examples of unsecure networks whose traffic can be intercepted by attackers; however, in this case, you are using a VPN, which provides security for the connection.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Q

Question 61:

Which of the following BEST describes the primary purpose of e-discovery in digital investigations?

It provides methodologies to ensure consistent data protection during the investigation process

It sets guidelines for selecting appropriate forensic software tools throughout the investigation

It offers insights into the potential financial consequences of an incident being investigated

It aids in identifying, collecting, and producing electronically stored information for legal cases

A

Correct answer: It aids in identifying, collecting, and producing electronically stored information for legal cases

Overall explanation

OBJ 4.8: E-discovery focuses on the systematic search of electronic data to identify pieces of evidence that can be produced in legal contexts. While data protection methodologies are essential in digital investigations, they are not the central aspect of e-discovery. Though understanding financial implications can be essential, e-discovery's main goal isn't centered around financial assessments. Tool selection is critical, but e-discovery specifically deals with the production of electronic evidence.

Domain

4.0 - Security Operations
Q

Question 62:

Sanford and Sons, a recycling center, has recently decommissioned a number of servers containing confidential client data. Before selling the servers, the organization wants to ensure that all data has been securely removed and seeks a documented affirmation that the process was complete. Which of the following would provide the organization with the assurance it needs?

Asset inventory report

SLA

Data destruction certification

HCL

A

Correct answer: Data destruction certification

Overall explanation

OBJ 4.2: A data destruction certification is a formal document attesting that specific data sanitization processes were followed, ensuring that data on devices has been securely and irreversibly removed. The HCL provides a list of hardware devices known to be compatible with specific software or operating systems and does not relate to data destruction processes. An asset inventory report provides a record of all the assets within an organization but does not attest to the secure removal of data from those assets. An SLA outlines the expected level of service between a provider and a client, including response times and uptime guarantees, but does not confirm the data destruction process.

Domain

4.0 - Security Operations
Q

Question 63:

You are an IT security manager for an enterprise that deals with sensitive customer information and intellectual property. The organization is concerned about data loss through email and removable storage devices. As a security manager, you recommend implementing a Data Loss Prevention (DLP) solution to enhance security. Which of the following configurations would be the MOST effective way to implement Data Loss Prevention (DLP) for the given scenario?

Enabling the DLP solution to block all email attachments and USB storage devices to prevent data leakage

Implementing DLP on endpoints with a focus on monitoring and preventing data transfers between internal users

Using the DLP solution solely for monitoring purposes without implementing any preventive measures

Configuring the DLP solution to scan all outbound emails and files leaving the organization for sensitive information

A

Correct answer: Configuring the DLP solution to scan all outbound emails and files leaving the organization for sensitive information

Overall explanation

OBJ 4.5: Configuring DLP to scan outbound emails and files helps identify and prevent data loss, reducing the risk of breaches while supporting legitimate business needs. Blocking all email attachments and USB devices could limit data leakage but may disrupt necessary operations. The core value of DLP lies in preventing data loss in real-time, not just monitoring. While internal transfer monitoring can be beneficial, the priority here is preventing sensitive data from leaving via email or removable storage.

Domain

4.0 - Security Operations
Q

Question 64:

Which of the following threat vectors primarily involves malicious software or data being transferred or executed from documents, executables, or other common file types?

Email

Voice call

File-based

Business email compromise

A

Correct answer: File-based

Overall explanation

OBJ 2.2: File-based threats arise when malicious content is embedded or attached in standard files, which, when opened or executed, compromises the security of the system. While emails can contain malicious attachments, the email itself is a message-based threat vector. Voice call is a method often used in vishing attacks, where attackers may pose as legitimate entities over the phone to deceive users into providing sensitive information or taking specific actions, but it doesn't involve file transfers or execution. Business email compromise is an advanced phishing attack where an attacker impersonates a high-ranking official or department within a company, usually targeting those who have the ability to conduct financial transactions. It doesn't primarily concern file execution or transfer.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Q

Question 65:

Which of the following methods BEST ensures the security of data at rest?

Encryption and ACLs

Storing in remote locations and changing locations frequently

Using passwords for access

Regular backups

A

Correct answer: Encryption and ACLs

Overall explanation

OBJ 3.3: Data at rest, such as that found in databases, archived media, or configuration files, can be vulnerable to unauthorized access. To protect this data, organizations commonly employ encryption methods. This can range from whole disk encryption to database or individual file/folder encryption. Additionally, by setting up access control lists (ACLs), organizations can ensure that only authorized individuals can access or modify the stored data. While passwords provide a level of security, they are not comprehensive methods for protecting data at rest, especially when compared to encryption and ACLs. Storing data remotely might offer some physical security benefits, but it doesn't address the core concerns of unauthorized access or tampering. While regular backups are essential for data recovery, they do not inherently provide protection against unauthorized access or modification.

Domain

3.0 - Security Architecture
Q

Question 66:

Jimmy, a Chief Technology Officer, is evaluating different architecture models. His biggest concern is the ease of deployment. Which of the following factors would be MOST critical to consider from a security standpoint?

The vendor's market reputation

Scalability potential of the architecture

Total cost of ownership (TCO)

Integration with existing security protocols

A

Correct answer: Integration with existing security protocols

Overall explanation

OBJ 3.1: When deploying a new architectural model, ensuring it integrates seamlessly with the organization's existing security protocols and measures is paramount. If not, it can lead to security gaps and vulnerabilities. TCO provides an insight into the overall costs associated with an architecture model. However, while cost can influence the decision, it does not specifically address security implications tied to deployment ease. While scalability is essential for future growth, it doesn't directly impact the initial ease of deployment considerations concerning security. Although the reputation of a vendor can give insights about the reliability and quality of their products, it does not directly correlate with the ease of deployment considerations from a security perspective.

Domain

3.0 - Security Architecture
Q

Question 67:

Which of the following techniques allows an attacker to eavesdrop on a wired network by connecting their device directly to the network cables?

Packet Sniffing

On-path attack

Wiretapping

Port Mirroring

A

Correct answer: Wiretapping

Overall explanation

OBJ 2.2: Wiretapping, in the context of a wired network, refers to the act of connecting directly to the network's physical infrastructure (cables) to monitor and capture data traffic. It is a direct method to eavesdrop on communications. Packet sniffing is the process of capturing data packets on a network. While a packet sniffer can be used maliciously, the act of packet sniffing itself doesn't specify the method of data capture or a direct connection to network cables. An on-path attack involves intercepting and potentially altering communication between two parties; it doesn't necessarily require direct access to the physical network cables. Port mirroring is a method used mainly for network troubleshooting and diagnostics. It allows a switch to send a copy of network packets to a network monitoring connection. While it can be used for nefarious purposes if misconfigured, it doesn't inherently imply malicious intent like wiretapping does.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Q

Question 68:

Data Core, a data processing company, has gathered its security team for a meeting where the Chief Operations Officer presents a scenario involving a newly discovered zero-day vulnerability, to which their systems are particularly vulnerable. The security team discusses various ways to address the issue, with two major competing approaches emerging. What type of exercise are they most likely performing?

Live drill

Tabletop exercise

Functional exercise

Simulation

A

Correct answer: Tabletop exercise

Overall explanation

OBJ 3.4: Tabletop exercises begin with a scenario, where participants discuss how they would respond. These are discussion-based and don't require technology. In this case, the team is discussing solutions to a scenario, making it a tabletop exercise. Simulations, on the other hand, are team-based, with one team acting as intruders and the other responding to the threat. Moderators enforce the rules, and these exercises are more extensive than tabletop exercises. A functional exercise involves real-time simulations where teams actively use tools, processes, and communication, making it more hands-on compared to tabletop exercises. Lastly, a live drill involves real systems and environments in real-time to simulate events like a cyberattack, requiring immediate, hands-on responses. Since the Data Core team is only discussing the scenario, this is not a live drill, simulation, or functional exercise, but a tabletop exercise.

Domain

3.0 - Security Architecture
Q

Question 69:

A company wants to test a new software application that was downloaded from an unknown source. The company does not want to risk infecting its network or compromising its data with malware or other threats. Which of the following techniques would be the MOST suitable for this scenario?

Antivirus

Sandboxing

Encryption

Firewall

A

Correct answer: Sandboxing

Overall explanation

OBJ 4.1: Sandboxing is a technique that isolates a software application from the rest of the system so that it can run and be tested in a safe and controlled environment. Sandboxing prevents the application from accessing or affecting other programs or data on the system and limits the resources and permissions it can use. If the application contains malware or other threats, they will be contained within the sandbox and will not harm the system. A firewall is a device that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall protects the system from unauthorized or malicious network connections, but it does not prevent malware or other threats from running on the system. Antivirus is a technique that detects and removes malware or other threats from the system using signatures, heuristics, or behavioral analysis. Antivirus protects the system from known or suspected malware or other threats, but it may not be able to detect new or unknown threats. Encryption is a technique that transforms data into an unreadable format using a secret key so that only authorized parties can access or modify it. Encryption protects data from unauthorized access or tampering, but it does not prevent malware or other threats from running on the system.

Domain

4.0 - Security Operations
Q

Question 70:

At DionTraining, the risk management team has completed a comprehensive risk assessment and identified potential risks across various departments. To ensure proactive risk management and response, they want to establish a system for continuously monitoring and tracking these identified risks. Which element of the risk management process should the risk management team implement to monitor and track the identified risks over time?

Risk reporting

Risk register

Risk assessment

Business impact analysis

A

Correct answer: Risk register

Overall explanation

OBJ 5.2: The risk register is a comprehensive record that lists all identified risks, their potential impacts, assigned risk owners, and current risk status. It serves as a central repository for tracking and monitoring risks over time. Business impact analysis assesses the potential consequences of specific risks on critical business functions, helping prioritize risk response efforts. Risk reporting involves the regular communication and documentation of identified risks, their potential impact, and risk management strategies to relevant stakeholders. Risk assessment is the initial step in the risk management process, involving the identification, analysis, and evaluation of potential risks.

Domain

5.0 - Security Program Management and Oversight
Q

Question 71:

Your organization is implementing a new Identity and Access Management (IAM) system to enhance security and streamline user management processes. During the planning phase, you discover that there are multiple existing systems in use that require integration with the new IAM system. Ensuring interoperability between these systems is crucial. What is the BEST approach to achieve interoperability in this scenario?

Creating separate user accounts in each system and maintaining them independently to avoid potential compatibility issues

Replacing all existing systems with new ones that are guaranteed to be compatible with the new IAM system

Assigning different user roles in each system, ensuring no overlap in permissions or access rights

Implementing SSO to allow users to access multiple systems using a single set of credentials

A

Correct answer: Implementing SSO to allow users to access multiple systems using a single set of credentials

Overall explanation

OBJ 4.6: Single sign-on (SSO) allows users to log in once and gain access to multiple systems that are integrated with the IAM system. This enhances the user experience, reduces the need for multiple credentials, and ensures a unified and secure authentication process. While replacing all existing systems may seem like a straightforward solution, it is often costly, time-consuming, and may disrupt business operations. Additionally, compatibility issues might still arise with the new systems. Assigning different user roles in each system does not address the interoperability requirement. It only focuses on permissions and access rights within individual systems, but it does not enable seamless access and management across the various systems. Managing separate user accounts for each system can lead to inefficiencies, increased administrative overhead, and potential discrepancies in user access across different systems.

Domain

4.0 - Security Operations
Q

Question 72:

You are making an appointment to get your hair cut. When you enter your personal data into the website for Dye My Darling, the data is placed in a database and paired with a smaller set of symbols that will represent your data. To access your personal data, your stylist's computer will access the database. If an attacker gains access to the computer, they will only see the set of symbols, not your personal data. What method of concealment is Dye My Darling using?

Tokenization

Data Masking

Encryption

Steganography

A

Correct answer: Tokenization

Overall explanation

OBJ 1.4: Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token and the data it substitutes are stored in a secure database. If the original data is needed, it can be accessed using the token and querying the database. The token will be a different size and have a different structure than the original data, so the token can't be used to decipher the original data. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. It doesn't use a database. Data masking is a method to de-identify some or all characters in a sequence without changing the total number of characters that a field should contain. The masked version will be structurally the same, but the data will be hidden. Changing the letters or numbers entered into a password field to dots is an example of data masking. Data that is masked will have the same number of characters as the original data, not a smaller set. Encryption is the process of converting information or data into a code to prevent unauthorized access. It often uses an algorithm to replace the original data with other data. If a person figures out or acquires the algorithm, the data can be decrypted. Encrypted data isn't stored in a database.

Domain

1.0 - General Security Concepts
Q

Question 73:

Which of the following terms refers to the method where an attacker directly interacts with computer systems to gather information, potentially alerting the target about the attempted intrusion?

Passive reconnaissance

Network enumeration

OSINT

Active reconnaissance

A

Correct answer: Active reconnaissance

Overall explanation

OBJ 5.5: Active reconnaissance involves the attacker directly engaging with the target systems, like scanning ports or attempting direct network connections. It often leaves traces and can alert the target. In passive reconnaissance, the attacker indirectly gathers information without directly touching the target system. Common methods include studying publicly available information. Although it's an information-gathering technique, network enumeration typically occurs after reconnaissance and involves detailed identification of network resources that can be targeted for exploitation. While OSINT (Open-source intelligence) is a form of passive reconnaissance, it specifically involves collecting data from publicly available sources such as websites, forums, and social media.

Domain

5.0 - Security Program Management and Oversight
Q

Question 74:

As part of their expansion, Kelly Innovations LLC decided to break their monolithic application into microservices. While this provides scalability, which of the following security implications should the organization be MOST concerned with?

Reduced monitoring endpoints

Granular access controls requirements

Singular deployment cadence

Consolidation of data storage

A

Correct answer: Granular access controls requirements

Overall explanation

OBJ 3.1: As applications are broken down into microservices, each service might need specific access controls, potentially complicating the permissions landscape. Microservices can actually increase the number of endpoints that need to be monitored, rather than reducing them. Microservices allow for independent deployments, moving away from a singular deployment cadence, which is more associated with monolithic structures. Microservices often distribute data storage needs across services, rather than consolidating them, making this option less relevant.

Domain

3.0 - Security Architecture
Q

Question 75:

A severe storm disrupts power at a company's main data center, leaving essential systems offline. To maintain operations, the IT team initiates procedures to bring up backup systems at an alternate location and restore critical data. Which aspect of the organization's disaster recovery policy is being implemented in this scenario?

Data redundancy testing

Risk assessment

Recovery and restoration processes

Business continuity planning

A

Correct answer: Recovery and restoration processes

Overall explanation

OBJ 5.1: This scenario illustrates the recovery and restoration processes within the organization's disaster recovery policy. When the severe storm disrupts power, the IT team's actions to activate backup systems at an alternate location and restore critical data are part of the recovery plan. These steps are essential for minimizing downtime and ensuring that critical operations can continue after an incident. Unlike risk assessment or data redundancy testing, recovery and restoration directly focus on restoring services and access following a disruption.

Domain

5.0 - Security Program Management and Oversight
Q

Question 76:

Which of the following practices emphasizes the distribution of incoming network traffic across multiple servers to ensure that no individual server is overwhelmed?

Data mirroring

Load balancing

Clustering

Virtualization

A

Correct answer: Load balancing

Overall explanation

OBJ 3.4: Load balancing is the process of distributing network traffic across several servers to prevent any single server from becoming a bottleneck, thereby ensuring optimum resource utilization, maximizing throughput, and reducing latency. Virtualization allows for running multiple operating systems on a single physical machine; it's primarily used to optimize server utilization but does not inherently distribute incoming network traffic across servers. Clustering refers to the use of multiple servers that work together and can be seen as a single system. Clusters can provide fault tolerance, high availability, and scalability; however, their primary goal is not necessarily traffic distribution. Data mirroring involves creating identical data sets in two or more locations; it provides data redundancy and is generally used for disaster recovery rather than traffic distribution.

Domain

3.0 - Security Architecture
Q

Question 77:

Cheryl's job at Kelly Innovations LLC involves maintaining a record of all company-owned smartphones. Which of the following is MOST likely to be Cheryl's role at Kelly Innovations?

IT support specialist

Asset inventory manager

Mobile application developer

Network administrator

A

Correct answer: Asset inventory manager

Overall explanation

OBJ 4.2: The asset inventory manager focuses on tracking and recording all organizational assets. Mobile application developers are more concerned with app functionality than hardware inventory. The network administrator role involves managing network health and connectivity, not inventorying smartphones. IT support specialists handle technical issues, not necessarily inventory tasks.

Domain

4.0 - Security Operations
Q

Question 78:

Which of the following hardware vulnerabilities involves the ability to modify the software that controls the functionality of a device?

Firmware vulnerability

Side loading

Legacy vulnerability

End-of-life vulnerability

A

Correct answer: Firmware vulnerability

Overall explanation

OBJ 2.3: A firmware vulnerability is an issue that involves the ability to modify or replace the software that controls the functionality of a hardware device. It can allow an attacker to alter the behavior, performance, or security of the device, or install malware, backdoors, or spyware on it. Side loading is a mobile device vulnerability that involves installing applications from sources other than the official app store, such as third-party websites, USB drives, or email attachments. It can expose the device to malware, spyware, or unauthorized access. An end-of-life vulnerability is a hardware vulnerability that involves exploiting hardware devices that are no longer supported or updated by the manufacturer. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks. A legacy vulnerability is an issue with hardware that involves exploiting devices that are outdated or obsolete, but still in use. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Q

Question 79:

A security officer at Kelly Innovations LLC is reviewing recent security incidents to assess potential threats within the organization. Two patterns of behavior have raised concerns about a possible insider threat. Which of the following are signs of potential insider threat? (Select TWO.)

Increased work hours

Unusual data transfers

Irregular system maintenance

Policy advocacy

Frequent unauthorized access

A

Correct selections:

Unusual data transfers

Frequent unauthorized access

Overall explanation

OBJ 5.6: An employee is found attempting to access files and systems outside the scope of their job responsibilities on several occasions. Large amounts of data are being transferred to unknown external locations, especially during odd hours, suggesting potential data exfiltration. While important for security, performing assigned maintenance tasks is part of routine operations and not indicative of an insider threat. Working overtime by itself does not signal a threat; it could reflect dedication or increased workload and is not inherently suspicious. An employee who actively promotes security policies is showing commitment to the company's safety, not an insider threat.

Domain

5.0 - Security Program Management and Oversight
170
Question 80:

A drone manufacturer employs an RTOS to ensure timely task executions. While optimizing for real-time performance, which of the following security concerns might arise?

Uncontrolled cloud access

Lack of legacy protocol support

Inadequate buffer overflow protections

Overhead from virtualization

Correct answer

Inadequate buffer overflow protections

Overall explanation

OBJ: 3.1 - RTOSs prioritize performance, sometimes at the expense of security features like buffer overflow protections, potentially leaving the system susceptible to certain attacks. While cloud access can pose risks, it's not an inherent security implication of using an RTOS. RTOSs are designed for efficiency and generally don't involve the overheads from virtualization layers. RTOSs aren't primarily concerned with supporting legacy protocols, and this isn't a direct security risk associated with them.

Domain

3.0 - Security Architecture
171
Question 81:

As a security analyst, you are examining packet captures for an ongoing investigation into a network breach. Which of the following information is NOT typically recorded in packet captures?

Source and destination IP addresses

The content of secure encrypted communications

The timestamp of the captured data

Protocols used in the captured data

Correct answer

The content of secure encrypted communications

Overall explanation

OBJ 4.9: The content of secure encrypted communications is not decipherable in packet captures unless you possess the keys to decrypt it. While you can see that data is being sent and received, the content of these communications is securely encrypted. Timestamps are also kept in packet captures. This offers a chronological context that can be crucial when tracing events during investigations and offers time-based correlation across different data sources. Protocols used in the captured data are also recorded in packet captures. This can help analysts determine what type of communication was happening during the event. Source and destination IP addresses are crucial parts of information that are recorded in packet captures. They can assist in determining the origin and destination of the network traffic, which aids in investigating potential breaches.

Domain

4.0 - Security Operations
172
Question 82:

Rippled, a drink vendor, is developing a disaster recovery plan to ensure the swift recovery of critical systems and processes in the event of a disruption. They are defining a specific metric: the acceptable amount of time it will take to return to normal business. What measure are they defining?

MTTR

MTBF

RTO

RPO

Correct answer

RTO

Overall explanation

OBJ: 5.2 - The Recovery Time Objective (RTO) is the maximum acceptable time allowed for the recovery of a system or process after a disruption. It defines the time frame within which critical systems and operations must be restored to normal functionality. The Recovery Point Objective (RPO) is the maximum amount of data that an organization can afford to lose during a disruption. It represents the point in time to which data must be recovered after recovery efforts are initiated. The Mean Time to Repair (MTTR) is the average time it takes to restore a failed system or component to a working state after a disruption. It measures the efficiency of the repair process. The Mean Time Between Failures (MTBF) is the average time elapsed between two consecutive failures of a system or component. It provides an indication of the system's reliability.

Domain

5.0 - Security Program Management and Oversight
173
Question 83:

Which of the following BEST describes the role of classification in effective hardware, software, and data asset management?

Classification helps in tracking the financial value of assets

Classification allows organizations to track the physical location of assets across multiple locations

Classification ensures that assets are labeled with appropriate access levels

Classification establishes accountability for asset usage

Correct answer

Classification ensures that assets are labeled with appropriate access levels

Overall explanation

OBJ 4.2: Classification ensures that assets are labeled with appropriate access levels, limiting unauthorized access to sensitive information. This process allows organizations to implement access controls, reducing the risk of data breaches and ensuring data security. Although classification documentation can support financial tracking and budget allocation, its main purpose is access control and data protection. Assigning classifications to individuals or departments may enhance accountability, but accountability alone is not the focus of classification. Similarly, classification is not centered on the physical organization of assets for audits or inventory; it is primarily concerned with access controls and protecting data.

Domain

4.0 - Security Operations
174
Question 84:

David is analyzing a recent risk report and categorizes risks based on their likelihood and potential impact, without assigning specific financial values. This approach helps his team prioritize which risks to address first but does not offer detailed monetary estimates. What method is David using?

Residual Risk Analysis

Quantitative Risk Assessment

Qualitative Risk Assessment

Threat Vector Analysis

Correct answer

Qualitative Risk Assessment

Overall explanation

OBJ 5.2 - David is using a Qualitative Risk Assessment, as he is categorizing risks by likelihood and impact without applying numerical values, focusing instead on a priority ranking. Quantitative Risk Assessment would involve specific financial data, which David’s method lacks. Residual Risk Analysis assesses the risk that remains after mitigation, and Threat Vector Analysis centers on potential attack vectors rather than general risk categorization.

Domain

5.0 - Security Program Management and Oversight
175
Question 85:

Which of the following terms refers to the delivery of computing services over the internet, such as servers, storage, databases, networking, software, analytics, and intelligence?

Cloud

IoT

On-premises

Virtualization

Correct answer

Cloud

Overall explanation

OBJ: 3.1 - Cloud is an architecture model that involves delivering computing services over the internet, such as servers, storage, databases, networking, software, analytics, and intelligence. Cloud can offer benefits such as scalability, flexibility, and cost-effectiveness, but it also introduces challenges such as security, privacy, and governance. IoT stands for Internet of Things, which is a network of physical devices that can communicate and exchange data over the internet. It does not refer to the delivery of computing services over the internet. On-premises is an architecture model that involves hosting and managing infrastructure on the organization’s own premises. It does not refer to the delivery of computing services over the internet. Virtualization is a technique that involves creating virtual versions of physical resources, such as servers, storage, or networks. It does not refer to the delivery of computing services over the internet.

Domain

3.0 - Security Architecture
176
Question 86:

Kelly Innovations LLC is keen on adopting technology to ensure the integrity and transparency of its financial transactions. They are looking for a solution where each transaction record is secured using cryptography, and the hash value of one record is used in the hash calculation of the next. Which of the following technologies would be MOST suitable for this requirement?

Digital watermarking

Blockchain

Public key infrastructure (PKI)

Symmetric encryption

Correct answer

Blockchain

Overall explanation

OBJ: 1.4 - Blockchain employs an expanding list of transactional records, each referred to as a block, and each block validates the hash of the previous one. This process ensures that historical transactions remain untampered with. Symmetric encryption uses a single key to both encrypt and decrypt information, but it does not inherently create a linked chain of records as described. While PKI is a framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users), it doesn't work with transactional records like blockchain does. Digital watermarking embeds information in digital content but doesn't deal with securing transaction records in the manner described.

Domain

1.0 - General Security Concepts
177
Question 87:

Which of the following strategies is MOST effective for organizations aiming to mitigate the risk of widespread disruptions due to a localized issue in their infrastructure?

Permission restrictions

Geographic restrictions

Infrastructure diversification

Data masking

Correct answer

Infrastructure diversification

Overall explanation

OBJ 3.4: Diversifying infrastructure ensures that organizations are not overly reliant on a single data center, network, or platform. By distributing their assets and systems across multiple locations or platforms, they can significantly reduce the risk of total service disruption if one component fails. Geographic restrictions primarily deal with ensuring data resides or is accessible only in certain locations due to legal or regulatory reasons. While it dictates where data can be, it doesn't inherently diversify infrastructure for resilience against disruptions. While data masking is an essential strategy for obfuscating sensitive information, it doesn't address the risk associated with centralized infrastructure or help in maintaining continuity during disruptions. Setting permission restrictions is crucial for controlling who can access specific resources. However, it doesn't offer a solution against the vulnerabilities of a single-point infrastructure failure.

Domain

3.0 - Security Architecture
178
Question 88:

What key principle underpins the European Union's General Data Protection Regulation (GDPR) concerning personal data collection and processing?

Data retention

Continuous monitoring

Data encryption

Informed consent

Correct answer

Informed consent

Overall explanation

OBJ: 5.1 - GDPR mandates that personal data can only be collected and processed with the individual's informed consent, which means the purpose for data collection must be clearly communicated in plain language. Continuous monitoring is crucial for cybersecurity but is not the primary tenet of GDPR's approach to personal data. While GDPR does address the retention of personal data, its primary focus is on ensuring data subjects give informed consent for data collection and processing. While encryption is essential for safeguarding data, GDPR's core principle revolves around the individual's right to understand and consent to how their data is used.

Domain

5.0 - Security Program Management and Oversight
179
Question 89:

When integrating Cloud services with external applications, which of the following considerations is the most crucial in assessing the security risks associated with data transmission to these external service providers?

Endpoint security

Virtualization isolation

Encryption during transmission

Access control policies

Correct answer

Encryption during transmission

Overall explanation

OBJ: 3.1 - When integrating with external applications like Salesforce, it's crucial to consider the data encryption during transmission to assess and mitigate security risks. While crucial, endpoint security primarily safeguards the devices connected to a network, not focusing on the data transmission to external service providers. While Access Control Policies are important, they primarily govern who can access what within an environment and do not specifically address data transmission security to external providers. Virtualization isolation involves the segregation of virtual machines, but doesn’t specifically cater to data transmission security with third-party applications.

Domain

3.0 - Security Architecture
180
Question 90:

To enhance the privacy of its users, Kelly Innovations LLC is considering a system that can act as an intermediary for internet requests, hiding the origin of the request from the destination server. Which solution would BEST fit this purpose?

Router

Jump server

Proxy server

IPS

Correct answer

Proxy server

Overall explanation

OBJ 3.2: A proxy server sits between a client and the destination server, forwarding requests and responses on behalf of the client. By doing this, it can effectively mask the client's IP address, providing a level of privacy and anonymity. A jump server facilitates administrative access to an environment but isn't designed to forward and mask internet requests from clients to destination servers. Routers forward data packets between computer networks and direct traffic on the internet. Though they can be configured for certain security tasks, they don't inherently mask the origin of internet requests like a proxy server does. An Intrusion Prevention System (IPS) monitors and blocks malicious traffic; it does not act as an intermediary for general internet requests or mask the origin of those requests.

Domain

3.0 - Security Architecture
181
Question 1:

Which of the following is a social engineering technique where an attacker pretends to be someone else, often to gain unauthorized access to systems or information?

Reconnaissance

Vulnerability Assessment

Spoofing

Impersonation

Correct answer

Impersonation

Overall explanation

OBJ: 2.2 - Impersonation involves the attacker pretending to be someone else – such as an IT support agent, coworker, or another trusted individual – to gain trust, and thereby, unauthorized access or confidential information. This technique leverages the human tendency to trust familiar or authoritative figures. Spoofing is a broader technique where attackers masquerade as a trusted entity by falsifying data, such as altering email headers or IP addresses. It's more about faking the source than the identity itself. A vulnerability assessment is not a social engineering technique but rather a proactive procedure conducted by cybersecurity professionals or IT teams to identify, rank, and report vulnerabilities within a system. Reconnaissance is the act of gathering preliminary information or intelligence on a target (usually a system or organization) before launching an attack. This is more about information gathering rather than deception.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
182
Question 2:

Which type of agreement defines the terms of a partnership between two organizations and how they will collaborate on specific projects or initiatives?

SLA

MSA

BPA

MOU

Correct answer

MOU

Overall explanation

OBJ: 5.3 - A Memorandum of understanding (MOU) is a formal agreement between two or more parties that outlines their mutual understanding and intentions to collaborate. It serves as a precursor to a legally binding contract and establishes a framework for future negotiations. A Master Service Agreement (MSA) is a comprehensive contract that sets forth the general terms and conditions that will govern multiple future engagements between the parties. It may reference specific work orders or statements of work for individual projects. A Service-level agreement (SLA) is a specific type of agreement that defines the level of service expected from the vendor, including performance metrics, response times, and other service-related terms. A Business partners agreement (BPA) is a contractual agreement between two business entities that outlines their collaborative efforts, roles, and responsibilities in a specific business venture or partnership.

Domain

5.0 - Security Program Management and Oversight
183
Question 3:

Which of the following statements is NOT true regarding the security implications in the procurement process?

Vendor reputation and capabilities should be thoroughly evaluated to ensure they meet the necessary security standards

The procurement process must consider compatibility with existing infrastructure to maintain a similar level of security across all assets

Procurement contracts should include clauses delineating liability if assets provided by vendors lead to a security breach

Once a vendor is selected for procurement, there is no ongoing need to periodically re-evaluate their suitability

Correct answer

Once a vendor is selected for procurement, there is no ongoing need to periodically re-evaluate their suitability

Overall explanation

OBJ 4.2: Vendors should be continually evaluated for suitability, even after initial selection. As an organization's security requirements change, or if there are alterations in the vendor's business practices, re-evaluation is critical to verify whether the vendor remains the best choice for the company’s needs. Compatibility with existing infrastructure is considered during the procurement process to ensure all assets maintain a consistent level of security. Evaluating vendor reputation and capabilities is an integral part of the procurement process to ensure the selected vendor can meet the necessary security standards. Contracts should include clauses to cover any eventualities related to security breaches caused by assets provided by the vendor.

Domain

4.0 - Security Operations
184
Question 4:

While monitoring the company's encrypted data transmissions, Jamario noticed that certain data streams, which usually employed robust encryption protocols, were now using older, less-secure encryption standards. He recognized this could make the data more vulnerable to unauthorized decryption. Which of the following BEST captures the type of attack Jamario discovered affecting Kelly Innovations LLC's encrypted transmissions?

Key exchange attack

Cipher Block Chaining (CBC) Attack

Cryptographic downgrade

Data obfuscation

Correct answer

Cryptographic downgrade

Overall explanation

OBJ: 2.4 - A cryptographic downgrade attack is where an attacker forces network participants to resort to a weaker encryption standard, making it easier to compromise the data. It deliberately reduces the security of encrypted communications. Data obfuscation involves disguising original data to protect it from unauthorized users, without altering the data itself. This practice doesn't focus on the encryption standards employed. In a key exchange attack, the attacker aims to intercept or manipulate the key exchange process, potentially gaining access to the shared secret key. While related to encryption, it doesn't focus on forcing weaker encryption protocols. A CBC attack is a type of side-channel attack targeting implementations of block ciphers in CBC mode. It doesn't involve forcing the use of outdated or weaker encryption standards.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
185
Question 5:

Which of the following types of threat actors is most likely to have authorized access to the systems they attack?

Unskilled Attackers

Hacktivist

Organized crime organizations

Insider threat

Correct answer

Insider threat

Overall explanation

OBJ: 2.1 - An insider threat is a type of threat actor that is internal to an organization and has authorized access to at least some part of the organization's network, systems, or data. Insider threats are often current or former employees who abuse their access to leak information, sabotage operations, or collaborate with external actors. Unskilled attackers are threat actors that have little or no technical skills and are motivated by curiosity, boredom, or personal gain. They are not part of the organization they attack and don't have authorized access to any part of the system they attack. A hacktivist is a type of threat actor that is not part of the organization they attack. Because of this, they don't have authorized access to the organization they are attacking. Organized crime organizations are external threat actors. They break into the organization in order to gain money through ransom or other means. They don't have authorized access to the systems they attack.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
186
Question 6:

Dion Training needs to regulate the devices connecting to its network. To make things more secure, the devices should be regulated based on their unique physical addresses. Which of the following features would BEST address their needs?

Fail-open

TLS

Port security

Jump server

Correct answer

Port security

Overall explanation

OBJ 3.2: Port security, a feature of managed network switches, allows an organization to limit which devices can connect to a network based on their physical addresses (MAC addresses), thus meeting the requirements of this scenario. Fail-open is a failure mode that permits network traffic to continue even when a device fails. It doesn't directly control which devices can connect to a network. A jump server primarily provides secure access to devices in a different security zone but doesn't specifically control network connectivity based on devices' physical addresses. Transport Layer Security (TLS) is a protocol that encrypts communications over a network but doesn't inherently control access based on devices' physical addresses.

Domain

3.0 - Security Architecture
187
Question 7:

Before providing access to a new cloud-based application, a company verifies the authenticity of its employees by asking them a series of knowledge-based questions, checking their government-issued IDs, and validating their current employment status. This process is an example of:

Account recovery

2FA

Identity proofing

Access delegation

Correct answer

Identity proofing

Overall explanation

OBJ 4.6: Identity proofing involves confirming the authenticity of an individual's claimed identity through various verification methods. Access delegation is the granting of specific access rights or permissions to another user or entity. Two-factor authentication (2FA) involves verifying identity using two separate factors, not necessarily confirming the claimed identity itself. Account recovery pertains to regaining access to an account after being locked out or forgetting credentials.

Domain

4.0 - Security Operations
188
Question 8:

Jason, an IT administrator for Kelly Innovations LLC, is tasked with enforcing specific access rights only for the marketing department. Given the tools available on a Windows Active Directory network, which would be the MOST effective way for Jason to accomplish this?

Linking a GPO to the organizational unit containing marketing department users

Applying a local group policy on individual marketing department computers

Creating a new domain for the marketing department

Linking a GPO to a site

Correct answer

Linking a GPO to the organizational unit containing marketing department users

Overall explanation

OBJ 4.5: Organizational units (OUs) in Active Directory allow administrators to group related accounts. By linking a GPO to an OU specific to the marketing department, Jason can enforce access rights exclusively for that department. While feasible, applying local group policies on each computer is not scalable and harder to manage compared to a centralized approach. Creating an entirely new domain for one department is excessive and inefficient. Domains typically represent larger administrative boundaries. Sites in Active Directory often represent physical or network locations, not specific departments or groups.

Domain

4.0 - Security Operations
189
Question 9:

Which technique, when considering high availability, involves distributing network or application traffic across a number of servers to enhance the performance and reliability of applications?

Clustering

Frequency

Load balancing

Geographic dispersion

Correct answer

Load balancing

Overall explanation

OBJ 3.4: Load balancing is the process of distributing network or application traffic across multiple servers to ensure no single server becomes a bottleneck, hence enhancing the reliability and availability of applications. Although clustering also promotes high availability, it functions by connecting multiple servers so they act as a single system, not by distributing traffic. Geographic dispersion helps in reducing risk by spreading infrastructure across several locations, but it doesn't participate in managing network and application traffic. In the context of backups, frequency generally refers to the regularity of backups executed. It doesn't relate to the distribution of network or application traffic.

Domain

3.0 - Security Architecture
190
Question 10:

Which of the following network designs involves using air-gapping, disconnecting cables, or locking devices to prevent unauthorized access or interference?

Logical segmentation

SDN

Physical isolation

Decentralization

Correct answer

Physical isolation

Overall explanation

OBJ: 3.1 - Physical isolation is a network design that involves using air-gapping, disconnecting cables, or locking devices to prevent unauthorized access or interference. It can offer benefits such as security, privacy, and reliability. Logical segmentation is a network design that involves dividing a network into smaller segments to improve performance and security, not using air-gapping, disconnecting cables, or locking devices. Software-defined networking (SDN) is a network technology that involves dynamically configuring and managing network devices and services through software, not using air-gapping, disconnecting cables, or locking devices. Decentralization is a network design that involves distributing the control and authority among multiple nodes or entities, not using air-gapping, disconnecting cables, or locking devices.

Domain

3.0 - Security Architecture
191
Question 11:

At Kelly Innovations Corp., during a routine audit, Alex discovered that the database supporting their CRM application was corrupted. He immediately informed Kevin, the senior database administrator. Kevin decided to restore the database from the most recent clean backup, ensuring that the CRM would be functional with minimal data loss. What action is Kevin taking to address the issue?

Database indexing

Data mirroring

Application recovery

Database defragmentation

Correct answer

Application recovery

Overall explanation

OBJ: 1.3 - Application recovery is restoring an application or its supporting components (like databases) from a backup to ensure its functionality after disruptions, errors, or corruptions. Kevin's decision to restore the database from a backup to ensure CRM functionality is an example of application recovery. Data mirroring is a method of storing data in two places simultaneously for redundancy. While it can be a strategy for ensuring data availability, the scenario describes restoring from a backup, not mirroring. Database indexing involves creating indexes to improve database search speeds. It's a performance optimization technique and doesn't address the corruption mentioned in the scenario. Database defragmentation is the process of organizing the contents of a database to improve performance. While it can improve speed and efficiency, it doesn't address data corruption.

Domain

1.0 - General Security Concepts
192
Question 12:

Reed & Jamario Security Services has recommended your company use a port-based system to prevent unauthorized users and devices. Which of the following are they recommending?

IDS

802.1X

Fail-closed

Fail-open

Correct answer

802.1X

Overall explanation

OBJ 3.2: 802.1X is a standard developed by the IEEE to govern port-based network access. When used with a RADIUS-based authentication server it provides authentication services, checking user credentials to ensure that the user is a legitimate part of the organization and granting access to only those areas of the system that the user is allowed to access. An intrusion detection system (IDS) monitors network traffic for malicious activities. It alerts to the potential activity but does not prevent it from passing through the network. In this way, it provides a layer of protection without slowing down network performance. Fail-open refers to what happens when a network encounters errors and exceptions. Fail-open means that when errors occur or exceptions are encountered, the system continues allowing access rather than denying access. Fail-open allows a website to continue offering services even after an error has occurred. The emphasis is, therefore, keeping the website up while the error is addressed, hoping that the error is a minor issue. Fail-closed refers to what happens when a network encounters errors and exceptions. Fail-closed means that when errors occur or exceptions are encountered, the system denies further access. This prevents any further network traffic until the error or exception is dealt with. While this provides greater security, it means that a website can’t be accessed even if the error encountered is minor or doesn’t pose a security threat.

Domain

3.0 - Security Architecture
Question 13:
Which of the following activities would MOST likely raise concerns for a security analyst monitoring user access patterns?

An employee who typically accesses the network from 9 AM to 5 PM starts logging in frequently at 3 AM.
An employee taking a longer lunch break than usual.
Receiving emails from Human Resources that request employees fill out surveys about workplace satisfaction.
Finding an unfamiliar USB drive plugged into the back of a workstation in the office.

Correct answer
An employee who typically accesses the network from 9 AM to 5 PM starts logging in frequently at 3 AM.

Overall explanation
OBJ: 5.6 - A deviation from the user's regular login behavior stands out as atypical. Such inconsistencies, when compared to established patterns, can indicate unauthorized access or other anomalous activity. It is crucial to monitor and investigate these irregularities promptly, as they may indicate a security breach, compromised credentials, or an insider threat; a prompt response to such patterns aids early detection and mitigation. While unusual, finding an unfamiliar USB drive plugged into the back of a workstation is a matter of physical security and unauthorized devices rather than anomalous user behavior. Receiving emails with surveys could be suspicious, but it is not unlikely that Human Resources would conduct a workplace satisfaction survey and email employees a request to fill it out; something beyond what is described here would have to occur before the email seemed suspicious. An employee taking a longer lunch break than usual is atypical behavior, but it does not pertain to cybersecurity or IT systems and does not represent a potential security incident.

Domain
5.0 - Security Program Management and Oversight
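The 3 AM login in Question 13 is only anomalous relative to a baseline of that user's normal hours. The following Python is an added illustration of how an analyst might compute such a baseline and flag deviations; it is not code from the original exam or flashcard set. The login records are constructed for the example, the baseline window and tolerance are assumptions, and the hour comparison is circular so that a 00:30 login by a night-shift worker who normally appears at 23:00 is not flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data for this example (not real logs): successful logins as
# (username, ISO 8601 timestamp). The first list is the baseline week, the second
# is the week under review.
BASELINE_LOGINS = [
    ("alice", "2024-03-04T09:02:00"), ("alice", "2024-03-04T13:15:00"),
    ("alice", "2024-03-05T08:58:00"), ("alice", "2024-03-05T16:40:00"),
    ("alice", "2024-03-06T09:10:00"),
    ("bob", "2024-03-04T22:30:00"), ("bob", "2024-03-05T23:05:00"),
    ("bob", "2024-03-06T22:48:00"),
    ("carol", "2024-03-06T10:00:00"),
]
NEW_LOGINS = [
    ("alice", "2024-03-11T09:05:00"), ("alice", "2024-03-11T03:05:00"),
    ("alice", "2024-03-12T03:12:00"),
    ("bob", "2024-03-11T00:30:00"), ("bob", "2024-03-12T03:00:00"),
    ("carol", "2024-03-11T02:00:00"),
]


def login_hour(ts):
    return datetime.fromisoformat(ts).hour


def circular_hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(logins, min_events=3):
    """Map each user to the set of hours-of-day in which they normally log in.
    Users with fewer than min_events logins get no baseline: there is too little
    history to call anything anomalous (assumed threshold)."""
    hours = defaultdict(list)
    for user, ts in logins:
        hours[user].append(login_hour(ts))
    return {u: set(h) for u, h in hours.items() if len(h) >= min_events}


def off_hours_logins(baseline, logins, tolerance=1):
    """Return (user, timestamp) pairs whose hour is more than `tolerance` hours
    away from every hour in that user's baseline. Users without a baseline are
    skipped rather than flagged."""
    findings = []
    for user, ts in logins:
        if user not in baseline:
            continue
        hour = login_hour(ts)
        if all(circular_hour_distance(hour, h) > tolerance for h in baseline[user]):
            findings.append((user, ts))
    return findings


if __name__ == "__main__":
    for user, ts in off_hours_logins(build_baseline(BASELINE_LOGINS), NEW_LOGINS):
        print(f"ANOMALY: {user} logged in at {ts}, outside their usual hours")
```

Running the block reports Alice's two 3 AM logins and Bob's 3 AM login, but not Bob's 00:30 login (within an hour of his usual 23:00) and nothing for Carol, who has too little history for a baseline. In practice the baseline would also take the day of week and source location into account.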
Question 14:
You are a security analyst tasked with investigating a suspected security breach incident. You decide to examine the firewall logs. Which of the following pieces of information would be MOST valuable in this firewall log to investigate the incident?

The details of the website purchases made by employees during lunchtime
The number of software updates performed last month, when they were completed and what was installed
Connection details including source and destination IPs, timestamps, and ports used in the last week
A summary of the amount of data bandwidth and throughput by each department over the previous week

Correct answer
Connection details including source and destination IPs, timestamps, and ports used in the last week

Overall explanation
OBJ 4.9: Firewall logs record the network traffic passing through (or blocked by) the firewall, including source and destination IP addresses, timestamps, and ports used. This information is critical for identifying unauthorized or suspicious connections that may indicate a breach. Monitoring bandwidth usage is important for network management and troubleshooting, but it is unlikely to provide useful information about a specific security incident; it would be difficult to link a breach directly to the volume of bandwidth used. Details of employee purchases could point to risky employee behavior, but they do not provide pinpointed data about a specific security incident, and they are not what a firewall records. Keeping software updated is crucial for securing a network, but update history is not something a firewall log would contain.

Domain
4.0 - Security Operations
Question 15:
Which of the following statements is NOT true concerning the significance of SNMP?

SNMP allows network administrators to monitor network performance, find and solve network problems, and plan for network growth
SNMP ensures secure communication among software applications and allows security analysts to monitor these communications
SNMP assists in collecting information from various network devices to ensure proper functioning and security
SNMP makes it possible to manage network performance, control network configuration, and store data about network components

Correct answer
SNMP ensures secure communication among software applications and allows security analysts to monitor these communications

Overall explanation
OBJ: 4.4 - The main purpose of the Simple Network Management Protocol (SNMP) is managing and monitoring network devices. It does not secure or monitor communications among software applications, so that statement is false. SNMP does aid in collecting data from different network devices to maintain proper functionality and security, making that statement true. SNMP does provide the means to manage network performance, control device configuration, and store data about network components, so that statement is true. SNMP does allow network administrators to monitor performance, troubleshoot issues, and plan for future network growth. A practical caveat: SNMPv1 and SNMPv2c authenticate with community strings sent in cleartext, so only SNMPv3, which adds authentication and encryption, should be used where the management traffic could be observed or spoofed.

Domain
4.0 - Security Operations
Question 16:
An organization is willing to accept higher risks in pursuit of rapid growth and is investing heavily in innovative technologies, despite potential security vulnerabilities. What type of risk appetite does this organization exhibit?

Cautious
Neutral
Conservative
Expansionary

Correct answer
Expansionary

Overall explanation
OBJ 5.2 - The organization exhibits an expansionary risk appetite, as it willingly accepts higher risks to achieve growth and innovation. A conservative risk appetite would prioritize minimal risk, favoring stability over growth. A neutral risk appetite balances risk and reward without actively seeking either high-risk or highly conservative measures. A cautious approach also leans toward risk avoidance, though not as strongly as a conservative stance.

Domain
5.0 - Security Program Management and Oversight
Question 17:
Which system offers a consistent and standardized method for naming and referring to specific publicly known security vulnerabilities and exposures in software and systems?

Responsible disclosure program
CVSS
Vulnerability prioritization
CVE

Correct answer
CVE

Overall explanation
OBJ 4.3: Common Vulnerabilities and Exposures (CVE), maintained by MITRE, assigns a unique identifier of the form CVE-YYYY-NNNN to each publicly disclosed vulnerability or exposure. It ensures that the cybersecurity community speaks a consistent language when discussing a specific vulnerability across advisories, scanners, and patches. Vulnerability prioritization determines the urgency of addressing vulnerabilities but does not offer a naming system for them. A responsible disclosure program allows vulnerabilities to be reported directly to the affected organization; it helps get vulnerabilities patched but does not name them consistently. The Common Vulnerability Scoring System (CVSS) rates the severity of a vulnerability (commonly one already identified by a CVE) but does not provide a naming convention.

Domain
4.0 - Security Operations
Question 18:
Which attribute of a threat actor refers to their ability to develop unique exploit techniques and tools?

Sophistication
Capability
Funding
Resources

Correct answer
Capability

Overall explanation
OBJ: 2.1 - Capability refers to a threat actor's proficiency in devising new exploit techniques and tools. It ranges from using commonly available attack tools to creating zero-day exploits for various systems; actors with the highest capability can even deploy non-cyber tools, such as political or military assets. Funding can boost a threat actor's capability by providing the means to acquire resources, but it does not denote their expertise in developing unique exploits. Sophistication relates to the intricacy and advancement of a threat actor's methods and tools, but does not directly address their skill in crafting novel exploits. Resources can also bolster a threat actor's capability, but the term primarily refers to the tools and personnel the actor can access or utilize.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 19:
What is the first step in the risk management process that involves determining what potential threats and vulnerabilities exist within an organization's environment?

Risk assessment
Risk identification
Risk analysis
Risk register

Correct answer
Risk identification

Overall explanation
OBJ: 5.2 - Risk identification is the first step in the risk management process. It involves identifying the potential threats and vulnerabilities that could pose a risk to an organization's assets or operations. A risk register is a tool used to document and track identified risks; it is populated after risk identification and analysis rather than being the first step. Risk analysis is a subsequent step that evaluates the identified risks and their potential impact on the organization. Risk assessment likewise comes after risk identification and involves evaluating the identified risks to determine their potential impact and likelihood.

Domain
5.0 - Security Program Management and Oversight
Question 20:
What is the main danger that comes from Shadow IT?

Financial losses
Data losses
A large scale service disruption
A larger attack surface

Correct answer
A larger attack surface

Overall explanation
OBJ: 2.1 - Shadow IT, which the exam objectives list among threat actors, is the use of unauthorized or unapproved IT systems, services, or devices within an organization. Because these systems sit outside the organization's patching, monitoring, and access controls, they enlarge the attack surface and may give an attacker a way into an otherwise secure environment. An unapproved system or device leads to financial losses only if a threat actor can use it to gain access and then leverage that access, so financial losses are not the main danger. In most cases an unapproved system or device does not disrupt services at all. Likewise, data loss occurs only if a threat actor can use the unapproved system to gain access and then exfiltrate data, so data loss is not the main danger either.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 21:
Dion Solutions, an e-commerce platform, has decided to overhaul its user authentication system. Instead of relying on traditional passwords, they want to provide users with an option where their online account credentials are proven only when they unlock their biometric-enabled laptops, all underpinned by public key cryptography. By doing this, users won't need to remember or enter passwords for their accounts. Which of the following BEST describes this authentication solution?

Hardware token
Password vault
Passkey
CAPTCHA

Correct answer
Passkey

Overall explanation
OBJ 4.6: A passkey replaces the password with a public/private key pair. The private key stays on the user's device and is only used to sign the service's challenge after the user unlocks the device (for example with a biometric), while the service stores only the public key. Because no shared secret is typed or stored on the server, there is nothing to phish or to leak from a breached password database. Passkeys are an implementation of the FIDO2/WebAuthn standards. A hardware token is a physical device that generates or stores credentials for user authentication. A CAPTCHA is a test to determine whether the user is human, often using distorted images of letters and numbers. A password vault is a software program that stores and manages users' passwords in encrypted form; it still relies on passwords.

Domain
4.0 - Security Operations
Question 22:
A security officer is using a system that involves the use of cameras to monitor activities in a given area. What is this system known as?

Sensors
Lighting
Video surveillance
Access badge

Correct answer
Video surveillance

Overall explanation
OBJ: 1.2 - Video surveillance is the use of cameras to monitor activities in a given area, which matches the system in the scenario. Lighting illuminates areas, often to deter criminal activity or enhance safety; it does not involve cameras. Sensors detect noise, motion, and the opening of windows and doors; they can be paired with video surveillance but do not themselves provide video evidence of an intrusion. An access badge is a card employees use to gain entry to certain areas of a building; it does not involve cameras.

Domain
1.0 - General Security Concepts
Question 23:
Which of the following approaches ensures real-time or near-real-time duplication of data to a secondary location for purposes like high availability, disaster recovery, and load balancing?

Snapshots
Replication
Differential backups
Journaling

Correct answer
Replication

Overall explanation
OBJ 3.4: Replication creates copies of data in real time or near real time at another location. This keeps data available even if one location fails and can also support load balancing. Differential backups store all changes made since the last full backup; they sit between full and incremental backups but do not provide real-time duplication. Snapshots capture the state of a system at a specific point in time; they offer quick recovery options but do not involve real-time duplication. Journaling records all transactions and changes to a system so that recovery can replay the log, but it does not duplicate data to another location in real time.

Domain
3.0 - Security Architecture
Question 24:
An organization has recently decided to utilize multiple operating systems and applications on a single physical server to optimize resource usage and reduce costs. Which of the following BEST represents this approach?

SDN
Serverless computing
Virtualization
Microservices

Correct answer
Virtualization

Overall explanation
OBJ: 3.1 - Virtualization allows multiple operating systems and applications to run on a single physical server, sharing the machine's resources. Microservices break an application into small services that run independently; the approach is not about consolidating resources on one server. Serverless computing lets developers build applications without managing server infrastructure, which is unrelated to running multiple operating systems on one server. Software-defined networking (SDN) manages network control through software and does not concern running multiple operating systems on a single server.

Domain
3.0 - Security Architecture
Question 25:
Which concept is an important reliability metric in maintenance management and represents the average time between failures for a non-repairable system?

MTBF
MTTR
Risk assessment
FMEA

Correct answer
MTBF

Overall explanation
OBJ: 5.2 - Mean time between failures (MTBF) is the average interval between system failures and indicates the reliability of a system or component. Strictly speaking, MTBF applies to repairable systems, while mean time to failure (MTTF) is the equivalent metric for non-repairable ones; the exam nonetheless expects MTBF here, as it is the only reliability interval among the options. Risk assessment is the process of identifying and evaluating risks; it does not measure the time between failures. Mean time to repair (MTTR) is the typical time needed to restore a failed system, not the interval between failures. Failure mode and effects analysis (FMEA) is a proactive method for identifying possible failure modes and their effects, separate from quantifying time between failures.

Domain
5.0 - Security Program Management and Oversight
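MTBF and MTTR are easiest to keep apart when computed from the same outage records, and together they give availability, the figure that actually appears in SLAs. The Python below is an added worked example, not part of the original flashcards; the outage timeline and 1000-hour observation window are constructed for the illustration.

```python
# Constructed outage records for one server over a 1000-hour observation window:
# (failure_time_h, restored_time_h), both in hours since the start of the window.
OUTAGES = [(100.0, 104.0), (400.0, 402.0), (700.0, 706.0)]
OBSERVATION_HOURS = 1000.0


def reliability_metrics(outages, observation_hours):
    """MTBF, MTTR and availability from a list of (down, up) timestamps.

    MTBF = total operating time / number of failures
    MTTR = total repair time / number of failures
    availability = MTBF / (MTBF + MTTR)

    For a non-repairable item the single interval to its failure is MTTF instead;
    this function assumes the repairable case, where the same system fails and is
    restored repeatedly.
    """
    failures = len(outages)
    if failures == 0:
        return {"mtbf": float("inf"), "mttr": 0.0, "availability": 1.0}
    downtime = sum(up - down for down, up in outages)
    uptime = observation_hours - downtime
    mtbf = uptime / failures
    mttr = downtime / failures
    return {"mtbf": mtbf, "mttr": mttr, "availability": mtbf / (mtbf + mttr)}


def expected_annual_downtime_hours(availability, hours_per_year=8760.0):
    """How much unplanned downtime a given availability implies over a year."""
    return (1.0 - availability) * hours_per_year


if __name__ == "__main__":
    m = reliability_metrics(OUTAGES, OBSERVATION_HOURS)
    print(f"MTBF {m['mtbf']:.1f} h, MTTR {m['mttr']:.1f} h, "
          f"availability {m['availability']:.3%}, "
          f"about {expected_annual_downtime_hours(m['availability']):.0f} h/year down")
```

With the constructed data the server was down 12 of 1000 hours across three failures: MTBF is about 329 hours, MTTR is 4 hours, and availability works out to 98.8%, which is roughly 105 hours of downtime a year. Shortening MTTR (faster detection and recovery) raises availability just as much as lengthening MTBF does.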
Question 26:
Which of the following ports, if left open and unmonitored, might allow database queries from unauthorized external sources?

Port 443
Port 53
Port 21
Port 1433

Correct answer
Port 1433

Overall explanation
OBJ: 2.5 - TCP port 1433 is the default listening port for Microsoft SQL Server. Organizations normally restrict it to internal networks and monitor access to it, since exposing it to the internet invites brute-force logins and direct queries against the database. The same applies to the default ports of other engines, such as 3306 (MySQL), 5432 (PostgreSQL), and 1521 (Oracle). The Domain Name System (DNS) uses port 53 to resolve domain names to IP addresses; it is not associated with database operations. The File Transfer Protocol (FTP) uses port 21 for its unencrypted control channel, not for database operations. Port 443 carries HTTPS (web traffic protected by TLS) and is not directly related to database queries.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
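Questions 14 and 26 together describe the check an analyst actually runs: read the firewall's connection records (source and destination IP, port, timestamp, action) and pick out accepted connections from outside the organization to database ports such as 1433. The Python below is an added example written for this page, not code from the original exam. The log format is hypothetical (real firewalls each have their own syntax, so the regex would change), the log lines are constructed, and the internal ranges and database port table are assumptions.

```python
import ipaddress
import re

# Constructed firewall log lines in a made-up key=value format (hypothetical).
SAMPLE_FIREWALL_LOG = """\
2024-03-11T02:14:07Z ACCEPT TCP src=203.0.113.45:51234 dst=10.0.0.12:1433
2024-03-11T09:00:01Z ACCEPT TCP src=10.0.0.33:50001 dst=10.0.0.12:1433
2024-03-11T09:05:44Z DROP TCP src=198.51.100.7:4444 dst=10.0.0.12:3306
2024-03-11T10:12:09Z ACCEPT TCP src=203.0.113.45:51300 dst=10.0.0.20:443
2024-03-11T11:30:00Z ACCEPT UDP src=10.0.0.5:40002 dst=10.0.0.2:53
2024-03-11T23:58:13Z ACCEPT TCP src=192.0.2.99:60010 dst=10.0.0.15:5432
"""

# Default listening ports of common database engines (assumes defaults are in use).
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 1521: "Oracle", 27017: "MongoDB"}

# The organization's internal ranges (assumed to be RFC 1918 here). Checked
# explicitly rather than with ip.is_private, which also matches documentation
# ranges such as 203.0.113.0/24 and would wrongly treat the sample sources as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """One log line -> dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def external_db_access(log_text):
    """Accepted connections from outside the internal ranges to a database port.
    Returns (timestamp, source IP, destination IP, port, engine) tuples.
    Dropped connections are skipped: they show intent but did not reach the database."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] in DB_PORTS and not is_internal(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], DB_PORTS[rec["dport"]]))
    return hits


if __name__ == "__main__":
    for ts, src, dst, port, engine in external_db_access(SAMPLE_FIREWALL_LOG):
        print(f"{ts} external {src} reached {engine} on {dst}:{port}")
```

On the constructed log the function returns the 02:14 connection from 203.0.113.45 to SQL Server and the 23:58 connection from 192.0.2.99 to PostgreSQL; the internal MSSQL client, the dropped MySQL probe, the HTTPS request, and the DNS query are all ignored. Each hit gives the analyst the timestamp and source to pivot on in the database server's own logs.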
Question 27:
At Kelly Innovations LLC, David recently noticed some unusual patterns in his team's workflow. Jamario, an otherwise diligent employee, suddenly started accessing files unrelated to his department and was found uploading large amounts of data to an external cloud service. Enrique mistakenly clicked on a suspicious email link but immediately reported it. Susan noticed her computer was much slower than usual, even though she hadn't made any changes or updates. Given these situations, which of the following employees exhibited both risky and unexpected anomalous behavior that could indicate a potential security threat?

Enrique
Jamario
Susan
David

Correct answer
Jamario

Overall explanation
OBJ: 5.6 - Accessing files from unrelated departments and uploading significant amounts of data to an external service without a clear business reason is both risky and unexpected, and may indicate data exfiltration or a compromised account. David observed the behavior and is vigilant about the team's activities, but did not himself exhibit any anomalous behavior. A slower computer can be a sign of malware or another security concern, but it falls into the unintentional category, as Susan did not actively take part in any suspicious activity. Clicking a suspicious link is risky, but Enrique took the correct action by reporting it immediately; his behavior was unintentional rather than unexpected.

Domain
5.0 - Security Program Management and Oversight
Question 28:
Which of the following statements BEST explains the importance of the Chain of Custody in incident response?

The chain of custody is the process of systematically analyzing how the incident occurred, linking the events from inception to the point of attack
The chain of custody involves following the processes as they are laid out in the incident response plan from Preparation to Lessons Learned
The chain of custody determines the individuals or groups responsible for the incident and helps in legal proceedings
The chain of custody is the process of securing and preserving evidence related to a security incident for potential use in legal proceedings

Correct answer
The chain of custody is the process of securing and preserving evidence related to a security incident for potential use in legal proceedings

Overall explanation
OBJ 4.8: The chain of custody is the process of securing and preserving evidence related to a security incident for potential use in legal proceedings. When handling digital evidence, it is crucial to maintain a clear, documented chain of custody: a record of who collected each item, when, how it was stored, and every transfer between custodians. This ensures the evidence is collected, stored, and transferred in a way that maintains its integrity and authenticity, making it admissible and reliable in court. Following the incident response plan is not the purpose of the chain of custody. Identifying the individuals or groups responsible for an incident may be valuable for legal proceedings, but the chain of custody is concerned with the proper handling and documentation of evidence, not attribution. Nor is the chain of custody an analysis of how the incident unfolded; it is about the handling of evidence.

Domain
4.0 - Security Operations
Question 29:
At Dion Training, a tech company, the security team is conducting a review of their security measures to enhance the protection of their facilities. Which of the following is an essential component of an organization's governance to ensure that access to buildings and sensitive areas is appropriately restricted?

Information security policies
Change management procedures
AUP
Physical security standards

Correct answer
Physical security standards

Overall explanation
OBJ: 5.1 - Physical security standards define how facilities are to be protected against unauthorized access, including measures such as access control systems, surveillance cameras, and security personnel. An acceptable use policy (AUP) outlines how employees may use organizational IT resources; it does not address physical security. Change management procedures ensure that changes to IT systems and applications are made in a controlled manner and do not dictate physical security measures. Information security policies play a vital role in the broader security framework, but they address all aspects of information security rather than the physical protection of facilities specifically.

Domain
5.0 - Security Program Management and Oversight
Question 30:
Which of the following types of data are crucial for an organization's operations and, if compromised or lost, could result in significant operational impact?

Regulated
Critical
General Data
Data at Rest

Correct answer
Critical

Overall explanation
OBJ 3.3: Critical data is of vital importance to an organization's operations and would have a significant impact if lost or compromised. Data at rest describes the state of data stored on non-volatile media; it is not a classification based on importance. Regulated data falls under specific regulatory or legal mandates and must be handled in compliance with them; such data often requires stringent security measures, but being regulated does not by itself indicate the data's operational criticality. General data, despite the encompassing name, refers to common or non-specific information that may or may not be vital to operations; it does not carry the urgency or importance implied by critical data.

Domain
3.0 - Security Architecture
Question 31:
In a large financial institution, the access control mechanism utilizes a set of predefined conditions to determine access rights to various resources. The system evaluates a number of factors, which are compared to the predefined conditions to determine access. Users and administrators do not have the ability to modify or override the access control policies. Which type of access control mechanism is being used in this scenario?

Discretionary
Attribute-based
Role-based
Rule-based

Correct answer
Rule-based

Overall explanation
OBJ 4.6: The institution is using rule-based access control (sometimes written RuBAC to distinguish it from role-based RBAC), in which access is granted or denied by a set of predefined rules and conditions, such as time of day, source network, or required authentication strength, and neither users nor administrators can override those rules at the point of access. Attribute-based access control (ABAC) dynamically evaluates attributes of the subject, object, and environment against a policy; role-based access control (RBAC) grants permissions according to the roles assigned to a user. Rule-based access control instead applies a fixed set of conditions regardless of who the requester is. Discretionary access control (DAC) lets the owner of a resource set its permissions, which does not apply here, since access is determined solely by the predefined conditions.

Domain
4.0 - Security Operations
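To make the distinction in Question 31 concrete, the following Python is an added example (not from the original flashcards) of a small rule-based evaluator: an ordered list of predefined conditions, first match wins, and a default of deny. The rules, resources, and requests are hypothetical. Note that the requester's identity and role never appear in the decision; that is what separates this from role-based or discretionary control.

```python
import ipaddress
from datetime import datetime

# Hypothetical rule set for this example. Each rule is a set of predefined
# conditions maintained centrally; requesters and resource owners cannot change
# it. Rules are evaluated top to bottom, first match wins, default is deny.
RULES = [
    {   # wire transfers only from the office network, in business hours, with MFA
        "resource": "wire-transfer",
        "networks": ["10.0.0.0/8"],
        "hours": (8, 18),            # allowed if 8 <= hour < 18
        "mfa_required": True,
        "effect": "allow",
    },
    {   # account lookups from any internal network at any hour, no MFA needed
        "resource": "account-lookup",
        "networks": ["10.0.0.0/8", "172.16.0.0/12"],
        "hours": (0, 24),
        "mfa_required": False,
        "effect": "allow",
    },
]


def _in_networks(ip_text, networks):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def _rule_matches(rule, request):
    """All conditions of a rule must hold for it to match."""
    if rule["resource"] != request["resource"]:
        return False
    if not _in_networks(request["src_ip"], rule["networks"]):
        return False
    start, end = rule["hours"]
    hour = datetime.fromisoformat(request["time"]).hour
    if not (start <= hour < end):
        return False
    if rule["mfa_required"] and not request.get("mfa", False):
        return False
    return True


def decide(request, rules=RULES):
    """Return ("allow" | "deny", reason) for a request dict with keys
    resource, src_ip, time (ISO 8601) and optionally mfa. No role or identity
    lookup takes place: only the predefined conditions matter."""
    for idx, rule in enumerate(rules):
        if _rule_matches(rule, request):
            return rule["effect"], f"matched rule {idx} for {rule['resource']}"
    return "deny", "no rule matched (default deny)"


if __name__ == "__main__":
    req = {"resource": "wire-transfer", "src_ip": "10.1.2.3",
           "time": "2024-03-11T10:00:00", "mfa": True}
    print(decide(req))
    print(decide({**req, "time": "2024-03-11T03:00:00"}))
```

The same wire-transfer request is allowed at 10:00 from the office network with MFA, and denied at 03:00, from an external address, or without MFA, without the policy ever asking who is making it. A failed condition does not fall through to a looser rule for a different resource; the loop simply reaches the default deny.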
Question 32:
At Kelly Innovations Corp., Sarah noticed that their core business application, which tracks customer orders, was not updating inventory levels accurately. A recent update seemed to have introduced a bug. Which of the following would offer the BEST solution?

Application rollback
Patch management
Dependency check
Application restart

Correct answer
Application rollback

Overall explanation
OBJ: 1.3 - An application rollback reverts an application to a previous known-good version or state (for example, from a backup or the prior release) to correct problems introduced by an update or change. Returning the order-tracking application to the version in use before the faulty update is the most effective solution here. An application restart stops and starts the application, often to apply changes or ensure updates have taken effect; it is part of many troubleshooting procedures but would not remove the bug the update introduced. Patch management is the process of managing updates for software applications; although the issue arose from an update, the remedy is not another patch but a return to the previous state. A dependency check confirms that all required components, libraries, or modules are present; the scenario does not suggest missing dependencies, only a defect in the application's function.

Domain
1.0 - General Security Concepts
Question 33:
In the realm of digital forensics, which activity is a primary focus during the preservation phase?

Performing keyword searches on electronic documents to identify pertinent information
Generating and documenting cryptographic hashes of digital evidence to verify its integrity
Recording the specific tools and methodologies used during the evidence collection phase
Drafting a comprehensive summary of findings and presenting it to stakeholders

Correct answer
Generating and documenting cryptographic hashes of digital evidence to verify its integrity

Overall explanation
OBJ 4.8: Hashing each evidence item at the time it is preserved, and recording those hashes, makes it possible to prove later that the evidence has not changed; a matching hash demonstrates the item is in its original state for analysis and for presentation in court. Searching is an essential part of forensics, but keyword searching is associated with the e-discovery and analysis activities rather than preservation. Reporting is critical but is not part of the preservation activity. Documenting the tools and procedures used is important too, but that activity belongs to the acquisition phase of an investigation.

Domain
4.0 - Security Operations
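Questions 28 and 33 are two halves of one procedure: hash each evidence item when it is preserved, record the hashes in a manifest, and have every later custodian re-verify against that manifest. The Python below is an added example for this page and not code from the original flashcards. The evidence items, case identifier, and custodian names are constructed; in a real case the items would be disk or memory images read from the acquisition media rather than in-memory byte strings.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence items (file name -> bytes) standing in for acquired files.
EVIDENCE = {
    "host42-memory.raw": b"\x00\x01\x02fake memory image for the example\x03",
    "host42-auth.log": b"Mar 11 03:05:12 host42 sshd[2211]: Accepted password for alice from 203.0.113.45\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence, collector, case_id, collected_at=None):
    """Record a hash for every item at collection time, plus who collected it
    and when. Later custodians verify against this manifest, not against memory."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    items = [
        {"name": name, "size": len(data), "sha256": sha256_hex(data)}
        for name, data in sorted(evidence.items())
    ]
    return {"case_id": case_id, "collected_by": collector,
            "collected_at": collected_at, "items": items}


def manifest_digest(manifest):
    """Hash of the manifest's canonical JSON, so a custody transfer can cite one
    value that covers every item and the collection details."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify(evidence, manifest):
    """Recompute hashes and compare to the manifest.
    Returns name -> "OK" | "MISMATCH" | "MISSING"."""
    results = {}
    for item in manifest["items"]:
        data = evidence.get(item["name"])
        if data is None:
            results[item["name"]] = "MISSING"
        elif len(data) != item["size"] or sha256_hex(data) != item["sha256"]:
            results[item["name"]] = "MISMATCH"
        else:
            results[item["name"]] = "OK"
    return results


def custody_entry(manifest, action, person, when):
    """One chain-of-custody record: who did what, when, and the manifest digest
    that was valid at that moment."""
    return {"case_id": manifest["case_id"], "action": action, "person": person,
            "time": when, "manifest_sha256": manifest_digest(manifest)}


if __name__ == "__main__":
    m = build_manifest(EVIDENCE, collector="analyst-1", case_id="IR-2024-007")
    print(json.dumps(m, indent=2))
    print(custody_entry(m, "transfer to evidence locker", "analyst-2",
                        datetime.now(timezone.utc).isoformat()))
    print(verify(EVIDENCE, m))
```

Verification returns OK for untouched items, MISMATCH if even one byte differs (the test below alters a username in the log), and MISSING if an item listed in the manifest is no longer present. Keeping the manifest digest in every custody record ties each handover to the exact set of hashes that was current, which is what makes the chain reconstructible in court.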
Question 34:
Jamario, an IT specialist at Dion Training, has been tasked to ensure that employees working from their homes can securely access the company's network. He recommends the use of VPNs, multi-factor authentication, and encrypted communications for all remote connections. What kind of work environment is Jamario addressing?

Centralized
Decentralized
Collaborative
Remote

Correct answer
Remote

Overall explanation
OBJ: 5.6 - A remote work setup is one in which employees work from locations outside the office, usually from home, which requires specific security measures such as VPNs, multi-factor authentication, and encrypted communications to ensure safe access to company resources. A collaborative environment is a setup that prioritizes teamwork, often with open spaces and group project areas; it is not defined by location. A centralized work environment is the traditional setup in which all employees work from a single location or office. A decentralized work environment is one in which different departments or teams work from separate, independent locations, but not necessarily from home.

Domain
5.0 - Security Program Management and Oversight
Question 35:
Abdul has suggested that his company perform a supply chain analysis of all of the company's vendors. This will be expensive and time consuming. Why is it important that the company conduct a supply chain analysis despite the costs?

To identify potential security risks associated with the vendor's supply chain.
To determine the vendor's customer satisfaction ratings so that only the best suppliers are chosen.
To assess the vendor's compliance with legal regulations, so the company will remain in compliance.
To evaluate the vendor's financial stability so the supply chain won't be broken due to a bankruptcy or closing.

Correct answer
To identify potential security risks associated with the vendor's supply chain.

Overall explanation
OBJ: 5.3 - Supply chain analysis aims to identify potential security risks in a vendor's supply chain, such as vulnerabilities in the products, components, or services provided by the vendor's own third-party suppliers. Determining a vendor's customer satisfaction ratings helps evaluate the quality of its products and services but tells Abdul's company nothing about security risks. Assessing a vendor's compliance with legal regulations is crucial for ensuring it adheres to applicable laws, but it is not the primary purpose of supply chain analysis. Evaluating a vendor's financial stability is essential for judging its ability to fulfill contractual obligations and keep providing services, but it does not address the other factors that may introduce security vulnerabilities.

Domain
5.0 - Security Program Management and Oversight
216
Question 36:

A company allows its employees to use their personal mobile devices for work-related tasks, such as accessing company email and sensitive documents. The IT department is concerned about the security risks to company data when these devices are lost. Which of the following aspects of an MDM will address this concern effectively?

Installing antivirus software on the company's network servers
Enforcing full device encryption on all employee mobile devices
Requiring employees to use strong passwords for their personal email accounts
Enabling remote wiping of devices

A

Correct answer
Enabling remote wiping of devices

Overall explanation

OBJ 4.1: Enabling the Mobile Device Management (MDM) solution's ability to conduct a remote wipe of the device is the best solution to the issue of a lost or stolen device. A remote wipe restores the device to factory settings and prevents the data from being accessed, making it the best MDM feature to protect the data if the device is lost. Enforcing full device encryption on all employee mobile devices is a critical security technique for mobile device management. If someone finds the device and is determined to crack the password, encryption may slow down the process, but they will likely be able to decrypt the data eventually. Requiring employees to use strong passwords for their personal email accounts is a good practice for improving security. However, it does not ensure the protection of work-related data and access on the devices, and, given time, even a strong password can be cracked. While installing antivirus software on network servers is essential for protecting against malware and other threats, it is not directly related to mobile device management.

Question ID: 64b9d9689417ef12902edf60

Domain

4.0 - Security Operations
217
Question 37:

Dion Training Solutions has traditionally focused on products with predictable returns and markets with stable regulatory environments, preferring to avoid unpredictable ventures. This institution's risk appetite can BEST be described as:

Expansionary
Neutral
Risk tolerance
Conservative

A

Correct answer
Conservative

Overall explanation

OBJ: 5.2 - The institution's approach of prioritizing predictability and regulatory stability indicates a conservative risk appetite. Risk tolerance refers to the general level of risk the firm is willing to accept, not the precise financial impact threshold for action. An expansionary risk appetite involves embracing higher risks for potentially higher returns, which is not the case here. An organization with a neutral risk appetite would take a more balanced approach than the one described.

Question ID: 65490d3cbfa0006491c3f167

Domain

5.0 - Security Program Management and Oversight
218
Question 38:

Reginald, an IT Manager, is the owner of a file on a server and wants to grant his colleagues access to the file. He is the only one who can decide who is allowed access to the file and what actions they can perform on it. Which authorization model is being used in this scenario?

DAC
ABAC
RBAC
MAC

A

Correct answer
DAC

Overall explanation

OBJ: 1.2 - Discretionary Access Control (DAC) is an authorization model where the owner of the resource decides who is allowed to access it. Attribute-Based Access Control (ABAC) determines access through a combination of contexts and system-wide attributes. Mandatory Access Control (MAC) is an authorization model where access to resources is determined by a set of rules defined by a central authority. Role-Based Access Control (RBAC) is an authorization model that assigns permissions to roles rather than to individual users.

Question ID: 64c032bc355a049eedb94c9f

Domain

1.0 - General Security Concepts
219
Question 39:

Which of the following is an aspect of asset management that ensures that each IT asset is clearly associated with a specific individual or department, providing clarity on responsibilities and access rights?

Decommissioning
Ownership
Acquisition
Monitoring

A

Correct answer
Ownership

Overall explanation

OBJ 4.2: Ownership helps in determining who is responsible for the asset, ensuring clear lines of accountability, and often helps in deciding the access rights. Decommissioning pertains to the process of retiring assets and doesn't directly associate assets with specific entities. Acquisition refers to the process of obtaining assets, not the association of assets with individuals or departments. Monitoring involves keeping an eye on the performance and status of assets rather than establishing responsibility.

Question ID: 651dcf5c915e5062db9cd844

Domain

4.0 - Security Operations
220
Question 40:

Which of the following statements about inventories in the asset tracking process is NOT correct?

Inventory practices include tracking but are not limited to: physical location, configuration, and authorized users of the assets
An up-to-date inventory supports efficient asset management by monitoring the life cycles of all assets
Well-maintained inventory can help identify unauthorized devices on the network, enhancing the security posture
Inventory management is a one-time process, needing few updates after initialization

A

Correct answer
Inventory management is a one-time process, needing few updates after initialization

Overall explanation

OBJ 4.2: Inventory management is not a one-time process. It requires constant updates and monitoring to maintain its accuracy and effectiveness. An accurate inventory can help identify unauthorized devices on the network, thus enhancing security. Good inventory practices include tracking the assets' physical location, configuration, and authorized users, among other things. An up-to-date inventory does support efficient asset management by tracking asset life cycles.

Question ID: 64c190c68a3754c97798b032

Domain

4.0 - Security Operations
221
Question 41:

Which of the following statements BEST describes the role of a data processor in data governance?

Assesses and manages risks related to data security and compliance.
Sets the strategic direction and policies for organizational data management.
Processes personal data for controllers and ensures implementation of security measures.
Directly responsible for classifying data and defining access permissions.

A

Correct answer
Processes personal data for controllers and ensures implementation of security measures.

Overall explanation

OBJ: 5.1 - The processor is tasked with handling personal data in accordance with the controller's directions and must secure the data as per the established standards. Direct responsibility for classifying data and defining access permissions typically falls under the purview of the data owner, not the processor. Setting the strategic direction and policies for organizational data management is generally associated with the data owner or governance board, not the processor. While the processor may contribute to assessing and managing risks related to data security and compliance, it is not their primary function; that work is more closely related to the roles of security and compliance committees.

Question ID: 6548691008900a3da5d9c127

Domain

5.0 - Security Program Management and Oversight
222
Question 42:

Which of the following provides short-term emergency power to a device when the input power source fails, allowing for either a proper system shutdown or switching to a long-term power source?

Generators
Power strips
UPS
Voltage regulators

A

Correct answer
UPS

Overall explanation

OBJ 3.4: A UPS (Uninterruptible Power Supply) provides immediate power protection from input power interruptions by supplying short-term battery power. This ensures that devices can either be properly shut down or switched to an alternative power source like a generator. Generators provide long-term power backup when there's an outage, converting fuel into electricity. They take a few moments to start up and do not provide instant power like a UPS. Power strips provide multiple outlets for devices but do not offer any backup power during an outage. They might offer surge protection but cannot replace the function of a UPS. Voltage regulators ensure a consistent voltage supply to devices but do not provide any backup power during an outage. They stabilize voltage levels but won't keep systems running if power is interrupted.

Question ID: 652ebea19485c3c2c899a4de

Domain

3.0 - Security Architecture
223
Question 43:

An organization aims to elevate its security posture through improved system configurations. Which of the following BEST describes how automation supports this initiative?

Accelerating hardware upgrades
Enhancing user authentication protocols
Facilitating remote team collaborations
Enforcing consistent baselines across devices

A

Correct answer
Enforcing consistent baselines across devices

Overall explanation

OBJ 4.7: Automated tools can apply predefined configurations across multiple devices, ensuring uniformity and adherence to security standards. Automation of configurations doesn't primarily focus on team collaborations; collaboration tools and platforms serve this purpose. Automation can assist in software configurations and updates, but it doesn't directly speed up physical hardware upgrades. While automation can streamline authentication processes, its primary role in terms of configurations isn't to enhance authentication methods.

Question ID: 6543dbcff8d6606ee217bf06

Domain

4.0 - Security Operations
224
Question 44:

A company's systems were compromised, and sensitive data was stolen. After investigating, it was found that the breach occurred through a Trojan installed on an employee's mobile phone. The employee had bypassed the Mobile Device Management (MDM) security controls to install an unauthorized game, which either introduced the Trojan or allowed attackers to exploit the phone's weakened security. Which of the following is the MOST probable cause of this vulnerability?

SQL injection in the mobile app
Misconfiguration of security settings
Insecure network configuration
Buffer overflow on the mobile device

A

Correct answer
Misconfiguration of security settings

Overall explanation

OBJ 2.3 - The most probable cause of this vulnerability is misconfiguration of security settings. By bypassing the Mobile Device Management (MDM) controls, the employee altered the security settings on their mobile device, weakening its defenses. This misconfiguration allowed the unauthorized installation of a game, which likely introduced the Trojan or exposed the device to further exploitation. Unlike insecure network configuration, SQL injection, or buffer overflow, which involve network or code-based vulnerabilities, this issue stems from a user-driven misconfiguration that circumvented MDM protections and compromised the device's security posture.

Question ID: 67212335826fd0821496dafd

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
225
Question 45:

Within Dion Training's Zero Trust security infrastructure, which component is responsible for defining and managing security policies that dictate access controls?

Client host
Authentication server
Policy administrator
Policy enforcement point

A

Correct answer
Policy administrator

Overall explanation

OBJ: 1.2 - The policy administrator is responsible for defining and managing the access control policies used by the policy engine. An authentication server is primarily tasked with validating a user's credentials and ensuring that a user is who they claim to be. It plays a critical role in access control by authenticating users before they gain access to resources, but it doesn't define or manage security policies directly. Policy enforcement should take place long before a request reaches the client host. The policy enforcement point is responsible for enforcing the access control decisions made by the policy engine, not for defining them.

Question ID: 64c040363a8522a3b5997a5f

Domain

1.0 - General Security Concepts
226
Question 46:

Which of the following security features, integral to incident response, chronicles a sequence of activities within a system to aid in the detection and examination of security breaches?

Incident logs
Audit trails
Operational history
Event monitoring

A

Correct answer
Audit trails

Overall explanation

OBJ: 5.1 - Audit trails are detailed records that log sequential activities within a system, providing crucial data for detecting, examining, and understanding the nature of security breaches. While incident logs are related, they typically refer to records of incidents that have already been identified, rather than the broader spectrum of activity that audit trails encompass. Event monitoring is a process that involves real-time tracking of system events, which may utilize audit trails, but it is not synonymous with the comprehensive recording function of audit trails. Operational history refers to the record of all operations within a system, but it lacks the specific security context implied by audit trails.

Question ID: 654856dd387ddf73d92efffa

Domain

5.0 - Security Program Management and Oversight
227
Question 47:

Morris has organized an exercise for his security team to test their new defense plans. He has divided the team into two groups: one defending the system and the other attempting to breach it. The groups, set up with similar experience and size, will compete, and the winning team will have lunch catered. What type of exercise has Morris created?

Failover
Functional exercise
Tabletop exercise
Simulation

A

Correct answer
Simulation

Overall explanation

OBJ 3.4: Simulations are often team-based, where one team works as the intruders while the other team responds to the threat. There are often moderators who set the rules and ensure that teams abide by them. These types of exercises require more planning and can cost more than tabletop exercises. Failover isn't a method of testing security measures; failover mechanisms are meant to keep an organization running after a significant failure and are temporary means of preventing complete failure. Functional exercises focus on testing operational responses in real time, often involving actual systems, tools, and communications without direct competition between teams. In a functional exercise, participants respond to scenarios as they would in a real event, but there is typically no adversarial "red team" versus "blue team" setup. A tabletop exercise begins with a scenario and is strictly discussion-based; tabletops don't require technology to complete. People taking part in a tabletop present ideas about how they would deal with the scenario. While Morris's exercise may be conducted around a table, it is a simulation because there are competing teams and more than just discussion.

Question ID: 64c1a3d9f35deb7523e71f51

Domain

3.0 - Security Architecture
228
Question 48:

Which of the following statements is NOT true concerning the significance of NetFlow?

NetFlow helps provide an understanding of network traffic flow, enhancing security by identifying unusual patterns
NetFlow can identify the source and destination of traffic, making it easier to spot potential threats
NetFlow can help with capacity planning and understanding network performance issues
NetFlow can interpret traffic flow patterns and identify the type of network attack that is occurring

A

Correct answer
NetFlow can interpret traffic flow patterns and identify the type of network attack that is occurring

Overall explanation

OBJ: 4.4 - NetFlow allows for the visualization of flow patterns. It is up to the security analyst to interpret the data and identify the type of network attack. The ability to identify the source and destination of traffic is a core aspect of NetFlow; this information can be critical in identifying potential threats and sources of security breaches. NetFlow can assist with capacity planning and diagnosing network performance problems, making that statement true. NetFlow does indeed provide critical insights into network traffic, helping security teams identify unusual traffic patterns that could signify a potential security issue.

Question ID: 64c19e701dbd2f0d7852a7b5

Domain

4.0 - Security Operations
229
Question 49:

Jason is working on a legacy application that processes user inputs. He notices that unchecked user inputs can be used to manipulate memory locations directly, leading to potential memory injection attacks. To counter this vulnerability, what should Jason prioritize?

Use a different programming language.
Implement stringent input validation and sanitation.
Enable firewalls and intrusion detection systems.
Upgrade to the latest version of the application.

A

Correct answer
Implement stringent input validation and sanitation.

Overall explanation

OBJ 2.3 - By validating and sanitizing user inputs, Jason can ensure that malicious inputs don't reach memory operations, thus preventing memory injection attacks. While upgrading to the latest version of the application might address some vulnerabilities, it doesn't guarantee that memory injection vulnerabilities, especially those tied to custom code, will be resolved. While some programming languages might be less susceptible to memory injection, simply changing languages without addressing the root issue might not eliminate the vulnerability. While firewalls and intrusion detection systems are essential, they work at the network level and may not detect or prevent application-level vulnerabilities like memory injection.

Question ID: 6526ebb6ba58cadc95917494

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
230
Question 50:

Which of the following vulnerabilities is unique to cloud computing environments, posing risks related to unauthorized access and data manipulation?

Insecure Interfaces and APIs
Buffer overflow
Side loading
Cross-site scripting (XSS)

A

Correct answer
Insecure Interfaces and APIs

Overall explanation

OBJ: 2.3 - Insecure Interfaces and APIs are a type of vulnerability that arises when the interaction between users and cloud services through interfaces and APIs is not secure, exposing systems to potential unauthorized access and manipulation of data. Cross-site scripting (XSS) is a security vulnerability typically found in web applications, enabling attackers to inject malicious scripts into websites viewed by other users, potentially leading to a variety of malicious activities. Side loading refers to the practice of installing applications on a device without using the official app store, which can lead to various security concerns, including the installation of malicious software. Buffer overflows occur when a program writes more data to a block of memory, or buffer, than it was allocated for, which can lead to various issues, including the potential execution of arbitrary code.

Question ID: 64bc4ec78c17497e81f54060

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
231
Question 51:

Which of the following encryption standards is primarily used for securing data at rest and in transit through symmetric key cryptography?

RSA
AES
SHA
HMAC

A

Correct answer
AES

Overall explanation

OBJ: 5.1 - AES (Advanced Encryption Standard) is a symmetric encryption standard used to protect data at rest and in transit, ensuring confidentiality and security. HMAC (Hash-Based Message Authentication Code) is a specific construction for creating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key, rather than for encryption purposes. SHA (Secure Hash Algorithm) is a set of cryptographic hash functions designed to ensure data integrity, not to encrypt data. RSA (Rivest-Shamir-Adleman) is an asymmetric encryption standard typically used for secure data transmission, not specifically for data at rest.

Question ID: 654858ff53400a500d01c27f

Domain

5.0 - Security Program Management and Oversight
232
Question 52:

A company wants to ensure the integrity and confidentiality of its operating system files during both transit and storage. Which of the following is the MOST effective approach for protecting these files?

Encryption and digital signing
Backup and compression
Firewalls and IDS
Regular patching and updates

A

Correct answer
Encryption and digital signing

Overall explanation

OBJ 3.3: Encrypting ensures that unauthorized parties cannot understand the content of the OS files, while digitally signing them verifies the integrity of the files, ensuring they haven't been tampered with. While backups are crucial for data recovery and compression can reduce storage space, neither directly ensures the confidentiality nor verifies the integrity of OS files. Firewalls and intrusion detection systems (IDS) protect against unauthorized access and attacks; they do not directly ensure the confidentiality or verify the integrity of specific OS files. Regular patching and updates are vital for system security and addressing known vulnerabilities; however, they don't specifically protect the integrity and confidentiality of OS files in transit or storage.

Question ID: 652d70a2b0db1f4c5f8ba30f

Domain

3.0 - Security Architecture
233
Question 53:

The New York Inquirer's main headquarters has a diverse IT infrastructure, including servers, workstations, and IoT devices. They have implemented a firewall to protect their internal network from external threats. The organization wants to modify the firewall rules to enhance security and minimize potential attack vectors. Which modification to firewall ports and protocols is NOT recommended for the organization to enhance security?

Implementing port forwarding for remote access to internal servers
Allowing any outgoing traffic to any destination
Closing unused and unnecessary ports and protocols
Enabling stateful inspection for packet filtering

A

Correct answer
Allowing any outgoing traffic to any destination

Overall explanation

OBJ 4.5: Allowing any outgoing traffic to any destination is NOT recommended for enhancing security. Limiting unrestricted outbound traffic is crucial, as it may carry sensitive data and allow unauthorized communication with potentially harmful external servers. Controlling outbound traffic helps prevent data leaks and ensures only necessary communication is permitted. Enabling stateful inspection in firewalls is recommended, as it tracks active connections and allows only legitimate packets, thereby blocking unauthorized traffic. Closing unused ports and protocols further reduces the attack surface, preventing threats from exploiting open ports. Although port forwarding can allow remote access to internal servers, it should be used cautiously and only for essential services to avoid introducing security risks.

Question ID: 64ba8ee9d2f6d67975818db4

Domain

4.0 - Security Operations
234
Question 54:

Which of the following procedures is vital during the offboarding process to ensure the security of organizational assets and data?

Allowing the departing employee to determine which company assets they'd like to keep.
Giving departing employees a list of all internal systems to include on their resume.
Disabling user accounts.
Have a security guard walk the employee off of the premises.

A

Correct answer
Disabling user accounts.

Overall explanation

OBJ: 5.1 - Disabling the user account and privileges ensures that departing employees no longer have access to company systems, and that the company retains access to necessary files. Allowing the departing employee to determine which company assets they'd like to keep can result in a significant security risk and loss of assets. While having a security guard escort the employee off the premises may be helpful, this isn't a vital part of the offboarding process. Giving departing employees a list of all internal systems to include on their resume could be a security risk if it fell into the wrong hands. Proper offboarding procedures prioritize the protection of internal systems and information.

Question ID: 654498a64ff4a550f0eb01fa

Domain

5.0 - Security Program Management and Oversight
235
Question 55:

Nicola, an IT manager, is considering an encryption method that uses public and private keys for encryption and decryption. What type of encryption is being considered?

Communication encryption
Key exchange
Symmetric encryption
Asymmetric encryption

A

Correct answer
Asymmetric encryption

Overall explanation

OBJ: 1.4 - Asymmetric encryption, also known as public-key cryptography, involves two keys: a public key and a private key. The public key is used to encrypt data, while the private key is used to decrypt it. Only the corresponding private key can decrypt data encrypted with its associated public key, ensuring secure communication and data integrity. Communication encryption encrypts data while it is being transferred from one location to another, but the term does not imply different keys for encryption and decryption. Symmetric encryption uses the same key for both encryption and decryption, so it does not match the method described. Key exchange involves the exchange of cryptographic keys between two parties, but it is not itself an encryption method that uses different keys for encryption and decryption.

Question ID: 64c281b7216b86411ab101dd

Domain

1.0 - General Security Concepts
236
Question 56:

Given the crucial role of power management in ensuring uninterrupted network operations, which of the following solutions provides the BEST mitigation against a complete power loss, allowing administrators ample time to failover or perform a proper shutdown?

PDUs
Dual power supplies in all servers
UPS with a backup power generator
Component-level battery backups

A

Correct answer
UPS with a backup power generator

Overall explanation

OBJ: 3.1 - An Uninterruptible Power Supply (UPS) with a backup power generator combines battery power for immediate response with extended power generation for longer outages, allowing critical systems to remain operational during extended outages. Dual power supplies in servers provide redundancy within devices for better reliability but do not address complete power source failures for extended periods. Component-level battery backups ensure that specific components, like disk drives, continue operating during brief interruptions, but they are not designed to keep entire systems up during extended blackouts. Managed Power Distribution Units (PDUs) offer protection against power quality issues but rely on an external power source, making them ineffective during prolonged outages.

Question ID: 64c04a2daa720bef4eafef1a

Domain

3.0 - Security Architecture
237
Question 57: Which of the following is a social engineering attack that involves using logos of a real organization to deceive users into trusting a fake website? Misinformation/disinformation Watering hole Brand impersonation Pretexting
Correct answer
Brand impersonation
Overall explanation
OBJ 2.2 - Brand impersonation is a human-vector (social engineering) attack in which the attacker mimics the appearance or identity of a trusted organization, reusing its logos, colours, wording and look-alike domains, so that a fake website, email or message appears legitimate. It is used to lure users into clicking malicious links, downloading malware or entering credentials and other sensitive information. A watering hole attack compromises a legitimate website that the target group is known to visit and plants malicious code or links there; it trades on the site's existing reputation rather than imitating a brand. Misinformation/disinformation spreads false or misleading content to influence people's beliefs or actions and does not necessarily involve impersonating a trusted entity. Pretexting fabricates a scenario or justification (an "IT technician" who needs your password, for example) to make a request seem reasonable; it relies on the story, not on copying a brand's visual identity.
Question ID: 64b9e62c4ab8b237e348e56a
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
238
Question 58: You are a security analyst tasked with investigating a suspected security breach on a company's Linux server. You decide to examine the operating system (OS)-specific security logs. Which of the following pieces of information would be MOST valuable in these logs to investigate the incident? The amount of free storage space left on the server and whether the amount has changed recently Records of failed and successful system and user level authentications Information about the number of users added to the server in the past year Information about the latest patches and software updates installed on the server
Correct answer
Records of failed and successful system and user level authentications
Overall explanation
OBJ 4.9 - Authentication records (on Linux typically /var/log/auth.log or /var/log/secure, or the systemd journal) are the primary evidence of how and when an intruder got in: they show failed and successful logins, the account used, the source address, the service involved (sshd, sudo, su, PAM) and the timing, which lets the analyst build a timeline and tell an external break-in from insider misuse. Free storage space is a capacity metric; it matters for operations but says little about a specific breach unless it can be tied to something like data being staged for exfiltration. The number of users added over the past year is general usage information; it only becomes relevant when narrowed to specific unauthorized account creations. Patch and update history helps when assessing which vulnerabilities were exposed, but on its own it gives no concrete detail about what happened during the incident.
Question ID: 64c170c9fbaff7327d208b68
Domain
4.0 - Security Operations
239
Question 59: A major software update is scheduled for deployment in a company's production environment. To ensure that any unforeseen issues or conflicts can be reverted to the previous stable state, what should the IT team have in place? Maintenance window Approval process Backout plan Standard operating procedure
Correct answer
Backout plan
Overall explanation
OBJ 1.3 - A backout plan is a predefined procedure for reverting a change and restoring the system to its last known-good state if the deployment causes problems; having it ready before the update is applied keeps downtime short and recovery predictable. A standard operating procedure is a set of detailed instructions for carrying out routine tasks. A maintenance window is the agreed time frame in which updates, patches or changes are made so that the impact on users and business operations is minimized. An approval process is the sequence of reviews and sign-offs a change must pass before it is deployed. None of those three provides the means to undo a failed change.
Question ID: 6524cefe9eb2e17ced10c455
Domain
1.0 - General Security Concepts
240
Question 60: As a security analyst, you are reviewing application logs while investigating a suspected breach. Which of the following pieces of information is NOT typically documented in the application log data? Server IP address where the application is hosted User IDs related to specific application transactions The physical location of the user accessing the application Timestamps of application activity
Correct answer
The physical location of the user accessing the application
Overall explanation
OBJ 4.9 - Application logs do not normally record the physical location of the user. A client IP address may allow a rough geolocation, but an accurate physical location (GPS coordinates or a street address) is not part of standard application log data. The IP address of the server hosting the application frequently appears in its logs and helps tie application events to network-level activity. Timestamps are essential for an investigation: they establish the order of events, reveal patterns and let the analyst reconstruct a timeline. User IDs associated with specific transactions are routinely logged and identify who performed a given action, which is central to incident response.
Question ID: 64c1a60745e9d8860c404624
Domain
4.0 - Security Operations
241
Question 61: An attacker tries to gain access to an account by rapidly guessing commonly used passwords across multiple accounts, hoping to find one that works. This technique avoids triggering account lockouts by using different usernames with each attempt. What type of attack is this? Rainbow table attack Password spraying Dictionary attack Brute force attack
Correct answer
Password spraying
Overall explanation
OBJ 2.4 - This is a password spraying attack. The attacker takes a small list of commonly used passwords (such as "password123" or "Welcome1") and tries each one against many accounts, cycling through usernames rather than hammering a single account. Because each account sees only one or two failures, per-account lockout thresholds are never reached, and the attempts are often spread out over time as well. A brute force attack does the opposite: many password guesses against one account, which is exactly what lockout policies are designed to catch. A dictionary attack also targets one account, working through a wordlist of likely passwords. A rainbow table attack does not attempt logins at all; it uses precomputed hash chains to recover plaintext passwords from stolen password hashes.
Question ID: 67212bd884b5580af615ecab
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
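A worked example that serves both Question 58 (authentication records as breach evidence) and this question: the Python below parses sshd lines in the format written to /var/log/auth.log, tallies failures and successes per source address, and separates a spraying pattern (many usernames, one or two tries each) from a brute force pattern (one username, many tries), flagging a success that follows a run of failures. This is an added example, not code from the flashcard deck; the log lines, hostname, IP addresses and thresholds are all constructed for illustration.

```python
"""Classify SSH authentication failures by source address.
Added example; SAMPLE_AUTH_LOG is constructed and the thresholds are illustrative."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed auth.log excerpt: one spraying source, one brute-forcing source
# that eventually succeeds, one legitimate key-based login, and a non-sshd line.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 web01 sshd[2411]: Failed password for alice from 203.0.113.5 port 51122 ssh2
Mar 10 02:14:02 web01 sshd[2412]: Failed password for bob from 203.0.113.5 port 51123 ssh2
Mar 10 02:14:03 web01 sshd[2413]: Failed password for invalid user carol from 203.0.113.5 port 51124 ssh2
Mar 10 02:14:04 web01 sshd[2414]: Failed password for dave from 203.0.113.5 port 51125 ssh2
Mar 10 02:14:05 web01 sshd[2415]: Failed password for erin from 203.0.113.5 port 51126 ssh2
Mar 10 02:14:06 web01 sshd[2416]: Failed password for frank from 203.0.113.5 port 51127 ssh2
Mar 10 02:20:11 web01 sshd[2501]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 02:20:12 web01 sshd[2502]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 02:20:13 web01 sshd[2503]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 02:20:14 web01 sshd[2504]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 10 02:20:15 web01 sshd[2505]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 10 02:20:16 web01 sshd[2506]: Accepted password for root from 198.51.100.7 port 40006 ssh2
Mar 10 03:01:40 web01 sshd[2610]: Accepted publickey for deploy from 192.0.2.10 port 33010 ssh2
Mar 10 03:02:00 web01 CRON[2620]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class AuthEvent(NamedTuple):
    ts: str
    success: bool
    user: str
    ip: str


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Keep only sshd authentication outcomes; other daemons' lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["outcome"] == "Accepted", m["user"], m["ip"]))
    return events


def analyze(text: str, spray_min_users: int = 5, brute_min_attempts: int = 5) -> Dict[str, dict]:
    """Per source IP: failure counts per user, successes, and a pattern label."""
    per_ip = defaultdict(lambda: {"failures": Counter(), "successes": [], "success_after_failures": False})
    for ev in parse_auth_log(text):              # file order is time order
        stats = per_ip[ev.ip]
        if ev.success:
            stats["successes"].append(ev.user)
            if sum(stats["failures"].values()) > 0:
                stats["success_after_failures"] = True   # a guess that finally worked
        else:
            stats["failures"][ev.user] += 1

    report = {}
    for ip, stats in per_ip.items():
        fails = stats["failures"]
        per_user_max = max(fails.values(), default=0)
        if len(fails) >= spray_min_users and per_user_max <= 2:
            pattern = "password spraying"        # wide, shallow: stays under lockout thresholds
        elif per_user_max >= brute_min_attempts:
            pattern = "brute force"              # narrow, deep: one account hammered
        else:
            pattern = "normal"
        report[ip] = {
            "pattern": pattern,
            "failed_attempts": sum(fails.values()),
            "targeted_users": sorted(fails),
            "successes": stats["successes"],
            "success_after_failures": stats["success_after_failures"],
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The per-account lockout that stops the brute force source never fires for the spraying source, which is why spraying has to be detected by looking across accounts per source (or per time window) rather than per account. The success-after-failures flag is the line an investigator wants first: it marks the moment guessing turned into access.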
242
Question 62: Dion Training is establishing a security architecture that requires distinct levels of access, such as differentiating between employee and guest access and ensuring only authorized personnel can access sensitive data. Which of the following infrastructure designs is being implemented? Attack surface management TLS Security zones Layer 7 Firewall
Correct answer
Security zones
Overall explanation
OBJ 3.2 - Security zones segment the network into areas with different trust levels (for example an employee zone, a guest zone and a restricted zone for sensitive data) so that access between them can be controlled according to business need, which is exactly the distinction the scenario describes. A Layer 7 firewall inspects traffic at the application layer and can enforce the rules between zones, but it is an enforcement device, not the zoning design itself. Attack surface management is about reducing the number of points through which a threat could enter and does not by itself define internal access tiers. Transport Layer Security (TLS) protects communication in transit and has nothing to do with segmenting internal access.
Question ID: 64c176ebfbaff7327d208b86
Domain
3.0 - Security Architecture
243
Question 63: An organization is evaluating its IT infrastructure to determine the probability of data breaches and the impact such breaches would have on its operations. Sarah has been assigned to estimate the financial consequences and the likelihood of these potential security incidents. What type of risk assessment is Sarah conducting? Qualitative Risk Assessment Residual Risk Analysis Quantitative Risk Assessment Threat Modeling
Correct answer
Quantitative Risk Assessment
Overall explanation
OBJ 5.2 - Sarah is performing a quantitative risk assessment: she is assigning numeric values, the probability of a breach and its financial impact, to each risk. A qualitative risk assessment instead rates risks with descriptive categories (high, medium, low) rather than monetary figures. Residual risk analysis looks at the risk that remains after controls have been applied. Threat modeling identifies potential attackers and attack paths rather than quantifying likelihood and cost.
Question ID: 67224089059e10a8d42841f0
Domain
5.0 - Security Program Management and Oversight
244
Question 64: Which of the following refers to data that is actively being processed by a computer? Data in Transit Data at Rest Data Sovereignty Data in Use
Correct answer
Data in Use
Overall explanation
OBJ 3.3 - Data in use is data that is currently being processed or manipulated by a computer, typically held in memory or CPU registers. Data at rest is stored data that is not being processed or moved. Data in transit is data moving across a network; it is active, but it is not being processed by the computer at that moment. Data sovereignty is a legal concept about which jurisdiction's laws apply to data based on where it is stored, not a data state.
Question ID: 64c18d768a3754c97798b01e
Domain
3.0 - Security Architecture
245
Question 65: What is the term for a type of open service port that is commonly used for remote access servers and can be used to perform on-path attacks on a Windows computer, but not on computers using other operating systems? Telnet SSH VNC RDP
Correct answer
RDP
Overall explanation
OBJ 2.2 - The Remote Desktop Protocol (RDP) port, TCP 3389 by default, is the open service port used by Windows remote desktop servers, and an exposed or misconfigured RDP service can be abused for on-path attacks as well as screen capture, keystroke logging or malware delivery. RDP is the native protocol for remotely controlling a Windows desktop, which is what makes it the Windows-specific choice here. The Virtual Network Computing (VNC) port (TCP 5900 by default) is also used by remote desktop servers and exposes similar risks, but VNC is platform independent, not specific to Windows. The Telnet port (TCP 23) serves remote access with no encryption at all and is open to eavesdropping, credential theft and brute force attacks; Telnet is cross-platform. The Secure Shell (SSH) port (TCP 22) serves encrypted remote access, and an attacker who can intercept the connection may attempt on-path attacks such as session hijacking or replay; SSH is likewise cross-platform, not Windows-based.
Question ID: 64b9eac70607a460c0b526d6
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
246
Question 66: As a network administrator responsible for evaluating a company's encryption protocol method for wireless devices, you have discovered that the company is currently utilizing a deprecated encryption protocol that poses a significant security threat. Which of the following is the MOST appropriate encryption protocol to recommend upgrading to? WPA AES WEP TKIP
Correct answer
AES
Overall explanation
OBJ 4.1 - AES is the cipher behind the wireless protocols that are currently considered secure (AES-CCMP in WPA2 and AES-GCMP in WPA3); it is heavily analysed, has no practical breaks and is the option to recommend. WEP is obsolete: it relies on RC4 with static keys and weak initialization vectors, can be cracked quickly with freely available tools, and must not be used in any modern network. TKIP was a stopgap introduced with the original WPA so that WEP-era hardware could be patched; it is also RC4-based, has known weaknesses and should only ever be a temporary fallback for legacy devices that cannot do AES, never the recommended upgrade. The original WPA has known vulnerabilities, particularly in pre-shared key (PSK) mode, and relying on it does not provide the level of security a modern wireless network needs.
Question ID: 64b9889fc54c322b53986aac
Domain
4.0 - Security Operations
247
Question 67: Which of the following statements is NOT true regarding the importance of guard rails in the context of automation for secure operations? Guard rails are primarily focused on providing baseline security for server rooms and server systems Guard rails contribute to the safety of automation and orchestration by preventing unintended actions Guard rails function as boundaries in automation workflows to ensure they remain within designed parameters Guard rails enforce policies that help to avoid errors in automated processes
Correct answer
Guard rails are primarily focused on providing baseline security for server rooms and server systems
Overall explanation
OBJ 4.7 - In this context guard rails have nothing to do with the physical security of server rooms. They are the rules and limits built into automation workflows (allowed targets, maximum scope of a change, required approvals, dry-run requirements) that keep an automated process within its designed parameters. Guard rails contribute to safety by preventing unintended actions, which avoids the disruption or security exposure an unchecked script could cause. They enforce policy inside automation and orchestration so that errors and deviations are caught before they execute. And they act as boundaries that keep workflows within defined parameters, which makes automation both safer and more efficient.
Question ID: 64c1a204f35deb7523e71f4c
Domain
4.0 - Security Operations
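The kind of guard rail the explanation describes, as an added Python example (not code from the flashcard deck): before anything executes, the runner refuses a job that steps outside its allowed target scope, exceeds a blast-radius cap, or attempts a destructive action on a protected host without an approval. The host names, action names and limits are invented for the illustration.

```python
"""Guard rails for an automation runner: check a job against its boundaries before
anything executes. Added example; hosts, actions and limits are invented."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List


@dataclass
class GuardRails:
    allowed_targets: List[str]        # glob patterns the workflow may touch at all
    protected_hosts: List[str]        # need an explicit approval, even for safe actions
    max_targets_per_run: int          # blast-radius cap per run
    destructive_actions: List[str] = field(
        default_factory=lambda: ["reboot", "wipe", "delete_volume"])


@dataclass
class Job:
    action: str
    targets: List[str]
    approved_by: str = ""             # change ticket or approver id; empty means none
    dry_run: bool = False


def check_job(rails: GuardRails, job: Job) -> List[str]:
    """Return every violated guard rail; an empty list means the job may run."""
    violations: List[str] = []
    for host in job.targets:
        if not any(fnmatch(host, pattern) for pattern in rails.allowed_targets):
            violations.append(f"{host} is outside the workflow's allowed scope")
        if host in rails.protected_hosts and not job.approved_by:
            violations.append(f"{host} is protected and the job carries no approval")
    if len(job.targets) > rails.max_targets_per_run:
        violations.append(
            f"{len(job.targets)} targets exceed the cap of {rails.max_targets_per_run}")
    if job.action in rails.destructive_actions and not (job.dry_run or job.approved_by):
        violations.append(f"destructive action '{job.action}' needs a dry run or an approval")
    return violations


def run_job(rails: GuardRails, job: Job,
            executor: Callable[[str, str, bool], str]) -> Dict[str, object]:
    """Enforce the rails first, then hand each target to the executor (the SSH,
    Ansible or cloud API call in a real runner)."""
    violations = check_job(rails, job)
    if violations:
        return {"ran": False, "violations": violations}
    return {"ran": True,
            "results": [executor(job.action, host, job.dry_run) for host in job.targets]}


# Invented environment for the demonstration.
PROD_RAILS = GuardRails(
    allowed_targets=["web-*.prod.example.net", "db-*.prod.example.net"],
    protected_hosts=["db-01.prod.example.net"],
    max_targets_per_run=5,
)


def fake_executor(action: str, host: str, dry_run: bool) -> str:
    """Stand-in for the real execution step; records what would have been done."""
    return f"{'DRY-RUN ' if dry_run else ''}{action} on {host}"


if __name__ == "__main__":
    jobs = [
        Job("restart_service", ["web-01.prod.example.net", "web-02.prod.example.net"]),
        Job("wipe", ["db-01.prod.example.net"]),
        Job("restart_service", ["web-01.corp.example.net"]),
        Job("reboot", [f"web-{i:02d}.prod.example.net" for i in range(1, 8)], dry_run=True),
    ]
    for job in jobs:
        print(job.action, job.targets[:2], "->", run_job(PROD_RAILS, job, fake_executor))
```

The checks deliberately live in the runner rather than in each playbook: a typo in a target list or a mis-scoped loop then fails closed at the boundary instead of wiping a production database at machine speed.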
248
Question 68: Sofia, an HR manager, requests access to the company's payroll system to view employee records. The IT team grants her permission to view the data but restricts her from modifying any records or accessing other sensitive system areas. What principle is being applied in this case? Separation of duties Least privilege Discretionary access control Job rotation
Correct answer
Least privilege
Overall explanation
OBJ 2.5 - This is the principle of least privilege: Sofia is given only the access her role requires, read access to payroll records, and nothing more. Restricting her from modifying records or reaching other sensitive areas limits the damage a compromised or misused account can do and prevents accidental changes. Separation of duties would split a sensitive task (for example entering and approving a payroll change) between different people so that no one person can complete it alone. Discretionary access control is an access model in which the owner of a resource decides who may access it; it is not the principle behind limiting Sofia's rights. Job rotation moves staff between roles periodically to reduce the risk of fraud and of dependence on one person.
Question ID: 672237f1ab565f74e2bc9186
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
249
Question 69: Which of the following BEST describes Policy-driven access control in the Zero Trust approach? Bases access decisions on predefined security policies. Contains potential threats by segmenting the network. Ensures secure data transfer post-access decision. Relies on continuous user behavior assessment.
Correct answer
Bases access decisions on predefined security policies.
Overall explanation
OBJ 1.2 - Policy-driven access control in a Zero Trust architecture means every access request is evaluated by a policy engine against established, well-defined rules (who the subject is, what device they are on, which resource and action they are requesting, and under what conditions) and is allowed or denied on that basis regardless of network location. That gives consistent, auditable decisions that follow security best practice. Network segmentation isolates parts of the network to contain threats; it can be part of a Zero Trust design, but it is not the mechanism that decides access. Continuous user behaviour assessment evaluates actions and patterns over time to detect anomalies; it can feed a policy as an input but is not itself policy-driven access control. Ensuring secure data transfer after the access decision protects data in transit and is unrelated to how the decision was made.
Question ID: 652466edc39f70b2f9c4ee45
Domain
1.0 - General Security Concepts
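The decision process described above, as an added Python example (not code from the flashcard deck): a default-deny policy engine that decides each request from the subject's role, MFA state, device posture, resource and action. Network location is carried in the request but no policy consults it, which is the Zero Trust point. The users, roles, resources and policies are invented for the illustration.

```python
"""Policy-driven access control: a default-deny engine that decides each request
from its attributes, never from where on the network it came from.
Added example; users, roles, resources and policies are invented."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    device_compliant: bool
    resource: str
    action: str
    network: str          # "corp" or "internet": recorded, but never trusted by itself


@dataclass(frozen=True)
class Policy:
    name: str
    applies_to: Callable[[AccessRequest], bool]   # which requests this policy governs
    permits: Callable[[AccessRequest], bool]      # condition that must hold to allow


def decide(policies: List[Policy], req: AccessRequest) -> Tuple[str, List[str]]:
    """Allow only if at least one policy covers the request and every covering
    policy is satisfied; otherwise deny and name the policies that blocked it."""
    applicable = [p for p in policies if p.applies_to(req)]
    if not applicable:
        return "deny", ["no policy grants access to this resource/action"]
    failed = [p.name for p in applicable if not p.permits(req)]
    if failed:
        return "deny", failed
    return "allow", [p.name for p in applicable]


# Invented policy set. Nothing here mentions the network the request arrived from.
POLICIES = [
    Policy("payroll-read",
           applies_to=lambda r: r.resource == "payroll" and r.action == "read",
           permits=lambda r: r.role in ("hr", "finance") and r.mfa_passed and r.device_compliant),
    Policy("payroll-write",
           applies_to=lambda r: r.resource == "payroll" and r.action == "write",
           permits=lambda r: r.role == "finance" and r.mfa_passed and r.device_compliant),
    Policy("wiki-read",
           applies_to=lambda r: r.resource == "wiki" and r.action == "read",
           permits=lambda r: r.device_compliant),
]

if __name__ == "__main__":
    requests = [
        AccessRequest("sofia", "hr", True, True, "payroll", "read", "internet"),
        AccessRequest("sofia", "hr", False, True, "payroll", "read", "corp"),
        AccessRequest("sofia", "hr", True, True, "payroll", "write", "corp"),
        AccessRequest("sofia", "hr", True, True, "source-code", "read", "corp"),
    ]
    for r in requests:
        print(r.user, r.action, r.resource, "from", r.network, "->", decide(POLICIES, r))
```

The second request is the one worth noticing: it arrives from the corporate network and is still denied because MFA was not satisfied. Being "inside" buys nothing; only the policy's conditions do.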
250
Question 70: What does "right to be forgotten" refer to in privacy compliance? The right of data controllers to erase data at any time The right of organizations to retain or delete data as needed The right of data processors to access personal data The right of data subjects to request their personal data be erased
Correct answer
The right of data subjects to request their personal data be erased
Overall explanation
OBJ 5.4 - In privacy compliance, the "right to be forgotten" (also called the right to erasure) is the right of individuals, the data subjects, to request that a data controller delete their personal data and stop disseminating it, subject to the conditions set out in law. Data processors act on behalf of data controllers; the right says nothing about processors being entitled to access personal data. Data controllers cannot erase data at their own discretion whenever they like; they must follow data protection law and honour valid erasure requests. Likewise, organizations cannot simply decide for themselves what to keep: once data is no longer necessary for the purpose it was collected for, or a data subject makes a valid request, it has to be deleted.
Question ID: 64bf60270620f92445ad7687
Domain
5.0 - Security Program Management and Oversight
251
Question 71: Repair Now, a do-it-yourself education company wants to proactively identify and address known weaknesses in its cybersecurity posture that could compromise the company's security. Which of the following operational security controls would help the company achieve this? Vulnerability management Intrusion detection system Firewall Encryption
Correct answer
Vulnerability management
Overall explanation
OBJ 1.1 - Vulnerability management is an operational security control: the ongoing process of identifying, assessing, prioritizing and remediating weaknesses in systems and networks, which is exactly the proactive approach described. It reduces the chance of a breach by making sure known vulnerabilities are fixed in a timely manner. A firewall is a technical control that filters inbound and outbound network traffic according to predefined rules. Encryption is a technical control that encodes data so unauthorized parties cannot read it. An intrusion detection system is a technical control that monitors traffic for signs of an attack; it detects activity rather than finding and fixing weaknesses.
Question ID: 64bd54e9bd16ca9d7eab8119
Domain
1.0 - General Security Concepts
252
Question 72: Which of the following BEST describes an individual who doesn't have authorized access but attempts to breach security using malware or social engineering? Insider threat Business partner External threat actor Contractor
Correct answer
External threat actor
Overall explanation
OBJ 2.1 - An external threat actor has no authorized access to the organization's systems and must break in from outside, using methods such as malware or social engineering. An insider threat already holds legitimate access and abuses it to exfiltrate data or cause damage. A business partner may hold specific permissions or access rights because of a joint project, which places them in the internal category. A contractor, although not a regular employee, may likewise have been granted access for a particular engagement and so is treated as an internal actor.
Question ID: 6525a70dbee4873dc798d5be
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
253
Question 73: Why might an organization be particularly concerned about introducing automation tools that become single points of failure during secure operations? Potential gaps in maintaining data integrity Challenges in upholding data confidentiality Issues related to system scalability and slow authentication Compromised availability leading to operational disruptions
Correct answer
Compromised availability leading to operational disruptions
Overall explanation
OBJ 4.7 - An automation tool that becomes a single point of failure puts the availability of everything that depends on it at risk: if it goes down, the processes it drives stop, and the resulting outage can itself create security exposure (patching or credential rotation that silently stops happening, for instance). Data integrity concerns whether data stays accurate and consistent over its lifecycle; it is not the primary risk of a single point of failure. Confidentiality is a core security concern but is not directly related to one component failing. Scalability is about handling growth, not about the immediate availability risk a single point of failure creates.
Question ID: 6543d17f1e9434bc2b5cc871
Domain
4.0 - Security Operations
254
Question 74: Sarah, a cloud engineer, often needs to perform maintenance on cloud resources. To ensure high security, her organization wants to grant her access credentials that last only for the duration of her maintenance task and then automatically expire. Which of the following methods is BEST suited for this scenario? Static access tokens Ephemeral credentials Time-of-day restrictions Principle of least privilege
Correct answer
Ephemeral credentials
Overall explanation
OBJ 4.6 - Ephemeral credentials are issued for a short, defined lifetime and expire automatically, so a credential that leaks after Sarah's maintenance window is worthless to an attacker. The principle of least privilege limits what a credential can do but says nothing about how long it lives. Static access tokens are long-lived and do not expire after a task, so a stolen one remains usable indefinitely. Time-of-day restrictions only control when access is permitted; the underlying credential stays valid.
Question ID: 65445c7b2e9f4a1681606ddb
Domain
4.0 - Security Operations
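How an ephemeral credential works in practice, as an added Python example (not code from the flashcard deck): a broker mints an HMAC-signed token carrying an expiry, and the resource verifies the signature and then refuses the token once its lifetime has passed. The broker key, the claims and the principal names are invented; a production system would use a vetted token format and a broker such as a cloud STS or a secrets manager rather than this hand-rolled one.

```python
"""Ephemeral credentials: a broker issues a signed token with a short lifetime; the
resource checks the signature, then rejects the token once it has expired.
Added example; the signing key and claims are invented."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

BROKER_KEY = secrets.token_bytes(32)   # hypothetical broker signing key, generated per run


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(principal: str, scope: str, ttl_seconds: int,
                     now: Optional[float] = None, key: bytes = BROKER_KEY) -> str:
    """Mint a credential valid for ttl_seconds from `now` (injectable for testing)."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": principal, "scope": scope, "iat": issued,
              "exp": issued + ttl_seconds, "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_credential(token: str, now: Optional[float] = None,
                      key: bytes = BROKER_KEY) -> Tuple[Optional[dict], str]:
    """Return (claims, 'ok') or (None, reason). The signature is checked before the
    claims are trusted, so an attacker cannot simply edit the expiry forward."""
    current = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            return None, "bad signature"
        claims = json.loads(_b64d(body))
        expiry = int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    if current >= expiry:
        return None, "expired"
    return claims, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_credential("sarah", "maintenance:db-01", ttl_seconds=900, now=t0)
    for offset in (0, 600, 900):
        print(f"t+{offset}s:", verify_credential(token, now=t0 + offset)[1])
```

Nothing on the resource side needs a revocation list for the common case: the token carries its own end of life, and after that point no amount of replaying it helps. A scope claim keeps the credential to the one maintenance task it was issued for, which is where least privilege and short lifetime work together.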
255
Question 75: The IT team at Dion Training Solutions noticed that one of their servers was suddenly using 95% of its processing power. This was highly unusual as the typical utilization was around 40%. Upon investigation, they found a process they didn't recognize consuming a large portion of the resources. Which of the following statements describes the MOST likely situation faced by the Dion Training Solutions IT team? Hardware malfunction. User-initiated large data transfer. Malicious activity. Scheduled backup activity.
Correct answer
Malicious activity.
Overall explanation
OBJ 2.4 - A sudden jump in resource use that is traced to a process nobody recognizes is a classic indicator of compromise, such as malware (cryptomining is a common cause of sustained high CPU) or a rogue application. Hardware malfunction can produce all sorts of symptoms, but the scenario specifically identifies an unfamiliar process consuming the resources. A large user-initiated data transfer can load a server, but it would show up under a known process and mostly as disk and network activity rather than as an unrecognized CPU-bound process. A scheduled backup would likewise be a known job, and the scenario mentions no backup process or schedule.
Question ID: 6529e4d378c8fd0f1b752dad
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
256
Question 76: You receive a text message from your bank asking you to verify your account details by clicking on a link. The message looks legitimate, but you are suspicious. What kind of threat vector was used in this attack? Voice call IM SMS File-based
Correct answer
SMS
Overall explanation
OBJ 2.2 - The SMS (Short Message Service) threat vector, commonly called smishing, delivers malicious links or lures by text message, counting on the recipient to act from a phone where the real URL is hard to inspect. The IM (instant messaging) vector delivers malicious messages or files through online chat platforms. The file-based vector infects systems or networks through corrupted or malicious files. The voice call vector (vishing) uses phone calls to impersonate a legitimate entity and trick the victim into revealing sensitive information or performing an action.
Question ID: 64ba21f0b711a9b6c71715e1
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
257
Question 77: Which of the following is a data classification that would MOST likely include data covered under an NDA? Regulated Confidential Public Geographic restrictions
Correct answer
Confidential
Overall explanation
OBJ 3.3 - Confidential data is information that must be kept secret, with access limited to specific people or systems; information shared under a non-disclosure agreement (NDA) typically carries this classification. Geographic restrictions govern where data may be stored or transferred and say nothing about the sensitivity of the data itself. Public data is available to everyone, the opposite of what an NDA requires. Regulated data is data subject to specific laws or regulations; some NDA-covered data may also be regulated, but that is not the classification that follows from the NDA itself.
Question ID: 64c19454ecb41e3664cf3e4e
Domain
3.0 - Security Architecture
258
Question 78: Maria, a cybersecurity analyst, is examining logs from a server with crucial financial data. She spots a few anomalies: a two-hour log gap without planned maintenance, a spike in outbound traffic to an unknown IP just before this gap, multiple failed logins from a foreign IP using valid usernames, and a higher CPU usage during the log gap despite no recorded actions. Which of these observations should Maria be MOST concerned with? The spike in outbound traffic to the unfamiliar IP address. Multiple failed login attempts from a foreign IP. The increase in CPU usage during the missing log period. The sudden two-hour gap in the logs.
Correct answer
The sudden two-hour gap in the logs.
Overall explanation
OBJ 2.4 - A gap in the logs with no planned maintenance to explain it is the strongest sign of an active intruder: attackers stop or tamper with logging precisely to hide what they are doing, and the other anomalies (the outbound spike just before the gap, failed logins with valid usernames, CPU activity with nothing recorded) all cluster around the same window. A spike in outbound traffic can indicate data exfiltration, but on its own it could also be a legitimate process that simply was not recorded. Failed logins from a foreign IP using valid usernames are worrying, but failed attempts are a constant background noise that lockout and monitoring controls are designed to handle, and the usernames may simply have come from an earlier leak. Elevated CPU usage during the gap may suggest cryptomining or unauthorized processes, but alone it is an anomaly rather than proof of compromise.
Question ID: 6527dddb7b75b14e42cb5026
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
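Finding a silence like the one Maria spotted, and pulling up what the host was doing just before it, as an added Python example (not code from the flashcard deck). The server log below is constructed for the illustration; the 15-minute silence threshold and 10-minute look-back are illustrative settings that in practice come from the host's normal logging cadence.

```python
"""Detect unexplained silences in a timestamped log and collect the events that
preceded each one. Added example; the log lines are constructed for illustration."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed excerpt: regular heartbeats, an outbound burst, then two hours of nothing.
SAMPLE_SERVER_LOG = """\
2024-03-10T01:00:00Z finsrv01 heartbeat ok
2024-03-10T01:05:00Z finsrv01 heartbeat ok
2024-03-10T01:10:00Z finsrv01 netflow out=2.1GB dst=203.0.113.44
2024-03-10T01:12:00Z finsrv01 heartbeat ok
2024-03-10T03:15:00Z finsrv01 heartbeat ok
2024-03-10T03:20:00Z finsrv01 heartbeat ok
"""


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Split each line into (UTC timestamp, message), sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, message = line.partition(" ")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append((when, message))
    return sorted(entries)


def find_gaps(entries: List[Tuple[datetime, str]],
              max_silence_minutes: int = 15,
              lookback_minutes: int = 10) -> List[Dict]:
    """Report every stretch longer than max_silence with no log line at all, together
    with the lines written in the look-back window before the silence began."""
    max_silence = timedelta(minutes=max_silence_minutes)
    lookback = timedelta(minutes=lookback_minutes)
    gaps = []
    for (t_prev, _), (t_next, _) in zip(entries, entries[1:]):
        silence = t_next - t_prev
        if silence > max_silence:
            preceding = [msg for t, msg in entries if t_prev - lookback <= t <= t_prev]
            gaps.append({"start": t_prev, "end": t_next,
                         "duration": silence, "preceding": preceding})
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(parse_log(SAMPLE_SERVER_LOG)):
        print(f"silence {gap['duration']} from {gap['start']:%H:%M} to {gap['end']:%H:%M}")
        for msg in gap["preceding"]:
            print("   before:", msg)
```

A host that logs a heartbeat every five minutes and then says nothing for two hours is either down or has had its logging interfered with; the look-back is what turns the gap into a lead, because the last things recorded (here, a 2.1 GB outbound transfer to an unfamiliar address) are usually the attacker's last visible steps before the lights went out. Shipping logs to a remote collector in real time is the control that makes this check meaningful, since a gap in a copy the attacker could not reach is evidence rather than just absence.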
259
Q

Question 79: What is the primary purpose of internal compliance reporting?

To prove to third-party auditors that a company is complying with its internal processes
To request additional information from agencies that are in charge of compliance
To provide compliance updates to the organization's management
To report compliance status to the public

A

Correct answer

To provide compliance updates to the organization's management

Overall explanation

OBJ: 5.4 - The primary purpose of internal compliance reporting is to provide updates on compliance status, identify potential issues, and inform the organization's management about its adherence to regulatory requirements and policies. Internal compliance reporting is for the use of the company itself and is not meant to be shown to third-party auditors. External compliance reporting would provide information to third-party auditors. Internal compliance reporting is not intended for public disclosure; it is focused on internal communications within the organization. Internal compliance reporting provides a company's managers with information about the current state of compliance; it doesn't involve requesting information.

For support or reporting issues, include Question ID: 64bf6085402d8b511311a748 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
260
Q

Question 80: Which of the following technologies allows running code without managing any underlying infrastructure?

Serverless
IaC
SDN
Virtualization

A

Correct answer

Serverless

Overall explanation

OBJ: 3.1 - Serverless is an architecture model that allows running code without managing any underlying infrastructure. It can offer benefits such as flexibility, scalability, cost-efficiency, and security. Infrastructure as code (IaC) is a method of managing and provisioning IT infrastructure through code, not running code without managing any underlying infrastructure. Software-defined networking (SDN) is a network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device. Virtualization is a technology that allows creating multiple virtual machines or environments on a single physical device, not running code without managing any underlying infrastructure.

For support or reporting issues, include Question ID: 64c0bccd2c315b52a9fec7a1 in your ticket. Thank you.

Domain

3.0 - Security Architecture
261
Q

Question 81: You are a security analyst tasked with investigating a suspected security breach that occurred two days ago and involved a frequently used spreadsheet application. You decide to examine the application logs. Which of the following pieces of information would be MOST valuable in these logs to investigate the incident?

The total number of transactions processed by the application in the previous 2 days
Details of the users currently online using the spreadsheet application and its macros
Details of failed logins, including timestamps, usernames, and originating IP addresses for the past week
The number of updates performed on the application in the last two months

A

Correct answer

Details of failed logins, including timestamps, usernames, and originating IP addresses for the past week

Overall explanation

OBJ 4.9: These kinds of details are essential when investigating a security breach. Multiple failed login attempts, especially from the same IP address, can indicate a potential brute force or password-guessing attack. Username information can help pinpoint potential targets or malicious actors within the organization. The number of updates performed on the application in the last two months may be useful to ensure the application is up-to-date with bug fixes and security improvements, but it is not directly insightful for investigating a specific security breach. A specific patch applied or missed may be relevant, but the total number of updates is not particularly informative in this context. The total number of transactions does not provide concrete and specific information to investigate a suspected security breach. The information is too generic, as it does not give any details about potentially problematic transactions. While the details of current users could indicate abnormal activity if it varies significantly from the norm, it isn't specific enough to provide valuable information for investigating a specific security incident, especially if the event occurred a few days ago.

For support or reporting issues, include Question ID: 64c1700afbaff7327d208b63 in your ticket. Thank you.

Domain

4.0 - Security Operations
262
Q

Question 82: An organization hires a third-party vendor to handle its data storage needs. To ensure data confidentiality and establish clear expectations around responsibilities, they sign a document that outlines security controls, availability requirements, and confidentiality clauses. Which type of agreement is this document?

Data Use Agreement (DUA)
Business Partnership Agreement (BPA)
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)

A

Correct answer

Service Level Agreement (SLA)

Overall explanation

OBJ 5.3 - A Service Level Agreement (SLA) defines the expectations between an organization and a third-party provider, specifying performance metrics, confidentiality, and security requirements. An MOU is less formal, a BPA governs business partnerships, and a DUA focuses on specific data usage conditions.

For support or reporting issues, include Question ID: 67224acb695df40191ab31ef in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
263
Q

Question 83: Which of the following BEST explains the difference between an Agent-based and Agentless NAC?

Both require additional software installed on network devices to monitor network traffic, but Agentless NACs collect more data
Agent-based NACs use additional software to authenticate users, while Agentless NACs use network-level protocols to authenticate users
Both involve monitoring network traffic without the need for additional software, but Agent-based NACs collect more data
Agent-based NACs use network-level protocols to authenticate users, while Agentless NACs use additional software to authenticate users

A

Correct answer

Agent-based NACs use additional software to authenticate users, while Agentless NACs use network-level protocols to authenticate users

Overall explanation

OBJ: 4.4 - Both forms of NAC authenticate users and grant access. Agent-based NACs use a software component installed on a central server to monitor network traffic, while agentless involves monitoring network devices directly through the use of network-level protocols without the need for additional software. Agentless NACs don't require additional software. There isn't a difference in the amount of data they collect. Agent-based NACs require additional software. There isn't a difference in the amount of data they collect.

For support or reporting issues, include Question ID: 64c001fef467f5bbfbbf11c2 in your ticket. Thank you.

Domain

4.0 - Security Operations
264
Q

Question 84: Mary, a security analyst for Kelly Innovations LLC, is recommending a security control to protect the component of an Industrial Control System (ICS) responsible for direct operator interaction. Which of the following ICS components is she MOST likely addressing, and what primary security concern is she likely considering?

PLC – Firmware Tampering
HMI – Unauthorized Access
Data historian – Data Integrity
DCS – System Availability

A

Correct answer

HMI – Unauthorized Access

Overall explanation

OBJ 4.1: The Human-Machine Interface (HMI) is a critical component in an ICS that allows operators to interact directly with the system. Its security is paramount to prevent unauthorized access and potential manipulation of the system. The data historian captures and archives all information from the control loop. While data integrity is a significant concern for historians, it doesn't focus on direct operator interaction. A Distributed Control System (DCS) manages process automation within a single site. Although ensuring system availability is vital, it isn't centered around direct operator interactions. Programmable Logic Controllers (PLC) are embedded devices within ICSs connecting to actuators and sensors. While firmware tampering is a potential security concern, PLCs aren't the primary interface for operator interactions.

For support or reporting issues, include Question ID: 6531599fc69fcd6a370dfe07 in your ticket. Thank you.

Domain

4.0 - Security Operations
265
Q

Question 85: Which of the following is a hardware issue that results from products that are no longer being made or supported, but are still usable?

End-of-life vulnerability
Hardware cloning
Legacy vulnerability
Hardware tampering

A

Correct answer

End-of-life vulnerability

Overall explanation

OBJ: 2.3 - End-of-life vulnerability can allow a hardware attack that involves exploiting vulnerabilities in devices that are no longer supported or updated by the manufacturer. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks. Hardware tampering is a hardware attack that involves physically altering or damaging hardware devices to compromise their functionality, performance, or security. It can allow an attacker to install malware, backdoors, spyware, or vulnerabilities on the device. A legacy vulnerability may allow an attack that involves exploiting vulnerabilities in devices that are outdated or obsolete, but still in use. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks. Hardware cloning is a hardware attack that involves creating unauthorized copies of hardware devices to counterfeit their functionality, performance, or security. It can allow an attacker to sell fake products, steal intellectual property, or bypass authentication mechanisms.

For support or reporting issues, include Question ID: 64bc23600a2ef89a3e3426ad in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
266
Q

Question 86: Which of the following solutions should a data center implement to guarantee customer data remains unreadable in the event of a physical server compromise?

Server clustering
Data deduplication
RAID
Full disk encryption

A

Correct answer

Full disk encryption

Overall explanation

OBJ 3.3: Full disk encryption (FDE) ensures that all data stored on a physical disk is encrypted, making it unreadable without the proper decryption key. This is the ideal solution for protecting data in the event of physical server theft or compromise, as the data remains unreadable without the decryption key. Server clustering is a technique used to provide system continuity by distributing workloads across multiple servers. This ensures availability and fault tolerance but does not specifically secure data against unauthorized access on compromised physical servers. Data deduplication is a method of reducing storage needs by eliminating duplicate data. Each unique chunk of data is saved only once, with subsequent duplicates just referenced back to the unique chunk. Deduplication does not provide encryption or protection against data readability. A redundant array of independent disks (RAID) is a data storage virtualization technology that combines multiple physical disk drive components into one or more logical units. While it provides data redundancy and performance benefits, RAID itself does not offer encryption or protection against unauthorized data access on compromised servers.

For support or reporting issues, include Question ID: 64c1985decb41e3664cf3e5d in your ticket. Thank you.

Domain

3.0 - Security Architecture
267
Q

Question 87: Which of the following control types BEST characterizes a policy that requires employees to visibly display their badges within a facility, mainly to remind them of security expectations and discourage potential unauthorized access?

Corrective Control
Detective Control
Deterrent Control
Directive Control

A

Correct answer

Deterrent Control

Overall explanation

OBJ: 1.1 - Deterrent controls are meant to discourage potential attackers or unauthorized behavior. Requiring badges acts as a reminder, hence serving as a deterrent. Corrective controls restore systems or operations to their desired state post-incident. They don't act as a discouragement. Detective controls aim to detect incidents after they've occurred. They don't discourage potential incidents. Directive controls ensure consistent behavior within an organization. They don't primarily act to discourage undesired behaviors.

For support or reporting issues, include Question ID: 6524502be5200826ece65962 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
268
Q

Question 88: Which of the following statements is NOT true regarding the importance of Archiving?

Archiving is crucial for providing historical context to help in future data analysis and investigations
Archiving can improve system performance by moving less frequently accessed data off primary systems
Archiving speeds up searches for older data, making the retrieval of data faster and more effective
Archiving helps organizations store data safely for long-term retention and regulatory compliance

A

Correct answer

Archiving speeds up searches for older data, making the retrieval of data faster and more effective

Overall explanation

OBJ: 4.4 - Archiving doesn't function primarily as a method for searching older data. Enhanced searching could be built into the way archives are stored, but it isn't a feature of archiving. One important role of archiving is to ensure long-term, secure storage of critical data repositories, which aids in maintaining regulatory compliance. Archiving can help improve system performance by moving rarely accessed data off the primary system, reducing data clutter, and improving overall efficiency. Archiving provides a historical context to data, which can be very useful for data analysis, audits, and investigations in the future.

For support or reporting issues, include Question ID: 64c19feaf35deb7523e71f47 in your ticket. Thank you.

Domain

4.0 - Security Operations
269
Q

Question 89: Which threat vector utilizes malicious attachments or hyperlinks within communications, requiring the attacker to convince the recipient to engage with the content for successful exploitation?

Email
Database manipulation
Wireless networks
Supply chain

A

Correct answer

Email

Overall explanation

OBJ: 2.2 - Attackers often send malicious file attachments or links through email. Through social engineering techniques, they persuade or deceive users into interacting with these malicious contents, leading to potential system compromise. While databases are a target, they are typically exploited using code injections rather than relying on user interaction with emails. In wireless network vectors, attackers primarily focus on intercepting or accessing wireless communications, exploiting weak security protocols, or setting up rogue access points. Supply chain attacks focus on infiltrating the target organization by first compromising a trusted third-party supplier, not by sending emails to individuals.

For support or reporting issues, include Question ID: 6525b7233856455739a15829 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
270
Q

Question 90: Which of the following is a type of human vector attack that involves creating a fake website address or domain name that resembles a legitimate one, but with slight spelling or punctuation differences?

Pretexting
Impersonation
Business email compromise
Typosquatting

A

Correct answer

Typosquatting

Overall explanation

OBJ: 2.2 - Typosquatting is a type of human vector/social engineering attack that involves creating a fake website or domain name that resembles a legitimate one, but with slight spelling or punctuation differences. Pretexting is a type of human vector/social engineering attack that involves creating a fabricated scenario or pretext to justify the request for confidential information or action from the target. Business email compromise is a type of human vector/social engineering attack that involves compromising or spoofing a legitimate business email account to request fraudulent payments or transfers from unsuspecting employees or customers. Impersonation is a type of human vector/social engineering attack that involves pretending to be someone else, such as an authority figure or a trusted person, to persuade users to share confidential information or perform certain actions.

For support or reporting issues, include Question ID: 64b9bef7576619c476e54e53 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
271
Q

Question 1: Jamario, a cybersecurity specialist at Kelly Innovations LLC, wants to assess how employees react to social engineering attempts. He sends out simulated emails to all employees to see who responds to them. Which of the following terms BEST describes Jamario's initiative?

Phishing campaign
Vishing
Whaling
Spear phishing

A

Correct answer

Phishing campaign

Overall explanation

OBJ: 5.6 - A phishing campaign is a structured attempt, often used as a training or assessment tool within organizations, to simulate real phishing threats to gauge how individuals respond. Spear phishing is a targeted phishing attempt directed at specific individuals or companies. In this case, Jamario sent the email to all employees. Whaling is a high-level phishing attack aimed at senior executives and other high-profile targets. In this case, Jamario sent the email to all employees. Voice phishing, or vishing, is where the attack comes over the phone, often from attackers claiming to be trusted entities. In this case, Jamario sent emails.

For support or reporting issues, include Question ID: 64c34f11006636d14b206127 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
272
Q

Question 2: Langa, a security analyst, is investigating a malware incident and finds that the malware has installed a deeply hidden program that allows an attacker to remotely execute commands on the system without detection. Further investigation reveals that the attacker has gained local administrator privileges, and the program is designed to remain concealed within the operating system. Which of the following types of malware is MOST likely involved in this incident?

Trojan
Worm
Rootkit
Ransomware

A

Correct answer

Rootkit

Overall explanation

OBJ: 2.4 - A rootkit is a type of malware that hides itself and other malicious programs from detection and allows an attacker to gain persistent access and control over a system. Because this attack has resulted in the attacker gaining local administrator privileges, this isn't just any Trojan or hidden program. It is most likely the result of a rootkit. Ransomware is a type of malware that encrypts the data or files on a system and demands a ransom for their decryption or restoration. Attackers will not hide the fact that they have gained access if their goal is to collect ransom. A Trojan is a type of malware that disguises itself as a legitimate or benign program, but performs malicious actions when executed. While Trojans are hidden, they don't usually provide the attacker with administrator-level privileges. A worm is a type of malware that self-replicates and spreads to other systems or networks without user interaction.

For support or reporting issues, include Question ID: 64bcc827d05f45402ccc6a21 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
273
Q

Question 3: When a cybersecurity expert categorizes the chance of a data breach as "high" due to recent similar incidents in the industry, which risk assessment term are they using?

Likelihood
Confidence level
Risk rating
EF

A

Correct answer

Likelihood

Overall explanation

OBJ: 5.2 - Likelihood is used in qualitative risk analysis to subjectively describe how probable a risk event is, often expressed in terms such as "low," "medium," or "high." While a confidence level might inform the use of "high" in different contexts, it doesn't specifically refer to the qualitative measure of risk probability. A risk rating incorporates both likelihood and impact to give an overall score to a risk but is not the term used to express the chance of occurrence alone. The exposure factor (EF) is the fraction of the asset value that is at risk in the event of a security incident.

For support or reporting issues, include Question ID: 6548fbbe7c24a94af8cddbf0 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
274
Q

Question 4: Which of the following statements BEST explains the importance of 'E-discovery' in incident response?

E-discovery requires finding and recognizing potential threats or breaches in the security infrastructure to prevent incidents
E-discovery dictates the steps in preserving evidence in its original state to maintain its integrity for future forensic or legal needs
E-discovery is a step in the process of documenting the details of a security incident, its impact, and potential remedies
E-discovery involves examining drives to find data that is electronically stored to use it as evidence

A

Correct answer

E-discovery involves examining drives to find data that is electronically stored to use it as evidence

Overall explanation

OBJ 4.8: E-discovery is an essential component of incident response and primarily relates to the collection and handling of electronic data. It is designed to be used as evidence in legal cases and includes in its scope anything that is stored electronically - emails, documents, databases, presentation files, voicemails, video/audio files, social media posts, and more. Although the process of preserving evidence is essential during an incident response phase, it is principally linked to the Preservation phase and not specifically E-discovery. While identifying and recognizing threats or breaches is critical, it principally manifests in the Detection and Analysis phase, not E-discovery. Documenting the details of an incident, its impacts, and potential remedies typically occurs during the reporting phase, and not in the process of E-discovery.

For support or reporting issues, include Question ID: 64c16d6955dd610fdb26f1ae in your ticket. Thank you.

Domain

4.0 - Security Operations
275
Q

Question 5: Which term refers to the collection of publicly available information used to inform about an individual, organization, or application, often aiding in vulnerability assessments or security research?

Proprietary/third-party
Dark web
Information-sharing organization
OSINT

A

Correct answer

OSINT

Overall explanation

OBJ 4.3: OSINT (open-source intelligence) leverages publicly available data sources to gather intelligence on targets, providing valuable insights without breaching any laws. Proprietary/third-party information is sourced from private or commercial databases, often available to paying subscribers or specific organizations. Information-sharing organizations are entities that facilitate the sharing of threat and vulnerability information among different organizations. The dark web is a part of the internet that isn't indexed by traditional search engines, often associated with illicit activities and hidden services.

For support or reporting issues, include Question ID: 653d37579c8ec66c1662c999 in your ticket. Thank you.

Domain

4.0 - Security Operations
276
Q

Question 6: The HR department for a large corporation is looking to streamline the onboarding process for new employees. What can the use of scripting do to help attain this goal in terms of system access?

Facilitating personal interviews between IT and new hires
Directly improving the onboarding training content
Generation of hard-copy user manuals for each new hire
Automating the provisioning of account credentials

A

Correct answer

Automating the provisioning of account credentials

Overall explanation

OBJ 4.7: Using scripting, IT can automatically create user accounts, set default passwords, and assign appropriate access rights based on the role of the new employee. While scripting can automate various processes, it doesn't directly enhance the quality or content of training materials. While scripting can perform many tasks, producing physical manuals typically isn't within its domain of automation. Scripting aids in automation, but it doesn't replace or facilitate human-to-human interactions such as interviews.

For support or reporting issues, include Question ID: 6543e089ce1a7f5ce187d0d2 in your ticket. Thank you.

Domain

4.0 - Security Operations
277
Q

Question 7: Soylent International employees use many types of devices to connect to the corporate network. Due to increased security incidents, Claude, Soylent's Chief Security Officer, has decided to implement NAC on the company network. Which of the following choices BEST explains the reason for implementing NAC in the given scenario?

NAC ensures all network traffic is encrypted, protecting sensitive data from unauthorized access
NAC enables the organization to enforce security policies and controls for all devices connecting to the network
NAC automatically applies all security patches to devices on network related software, ensuring up-to-date security
NAC allows employees to access the network remotely, improving productivity and collaboration

A

Correct answer

NAC enables the organization to enforce security policies and controls for all devices connecting to the network

Overall explanation

OBJ 4.5: Network Access Control (NAC) enforces security policies for all devices connecting to the network by verifying compliance before granting access, helping to block unauthorized or insecure endpoints. NAC does not focus on encrypting network traffic or enabling remote access; its primary role is to control network access based on device compliance with security policies. While some NAC solutions check software updates and patch compliance, the main purpose remains controlling network access.

For support or reporting issues, include Question ID: 64c0a01d2f60ec9fbc7f5b6c in your ticket. Thank you.

Domain

4.0 - Security Operations
278
Q

Question 8: What term is used to describe the creation, distribution, storage, and revocation of digital certificates?

Public Key Infrastructure
Key Escrow
Key Exchange
Key Generation

A

Correct answer

Public Key Infrastructure

Overall explanation

OBJ: 1.4 - PKI (Public Key Infrastructure) is the set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. Key escrow is a system in which a copy of a cryptographic key is given to a third party. This allows the third party to access the encrypted data under certain circumstances. It does not involve managing digital certificates or public-key encryption. Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. It does not involve managing digital certificates or public-key encryption. Key generation is the process of creating secure pairs of keys, a fundamental aspect of securing data, but does not involve the comprehensive management of digital certificates or public-key encryption.

For support or reporting issues, include Question ID: 64c27a4e765533fcb52d9f36 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
279
Q

Question 9: The Greedy Pencil, a stationery producer, is considering changing its security enterprise architecture. The most pressing concern is minimizing the paths of potential threats into systems. Which of the following infrastructure considerations have they decided is the most important?

In-line devices
SD-WAN
Remote access
Attack surface

A

Correct answer

Attack surface

Overall explanation

OBJ 3.2: Minimizing the attack surface - the sum of points where an unauthorized user can try to enter data or extract data from an environment - is a key strategy being focused on in the scenario. A software-defined wide area network (SD-WAN) connects enterprise networks over large geographic distances much the way a regular WAN does. However, by making use of software rather than hardware as the basis of the network, SD-WANs offer faster speeds at lower costs. The software basis of the WAN allows for less complicated management and greater security. It isn't an infrastructure consideration. Remote access allows users to access systems or networks from different locations. It expands rather than minimizes security issues. An in-line device interacts with network traffic and might prevent certain threats, but it does not directly pertain to the overall strategy of minimizing paths of potential threats.

For support or reporting issues, include Question ID: 64c177514b6d81f3ab26e481 in your ticket. Thank you.

Domain

3.0 - Security Architecture
280
Q
Question 10: When entering his password online, Ivan notices that each letter is quickly replaced by a dot. He finds this annoying and wishes that it wouldn't happen. It has resulted in him entering the wrong password because there are as many dots as the number of characters in his password. What is Ivan observing?
Data Masking
Encryption
Tokenization
Steganography
A
Correct answer: Data Masking
Overall explanation
OBJ: 1.4 - Data masking is a method to de-identify some or all characters in a sequence without changing the total number of characters that a field should contain. The masked version is structurally the same, but the data is hidden. Replacing the letters or numbers entered into a password field with dots is an example of data masking. Encryption is the process of converting information or data into a code to prevent unauthorized access. It often uses an algorithm to replace the original data with other data; if a person figures out or acquires the algorithm, the data can be decrypted. It does not involve substituting data with other characters as placeholders. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. It does not involve substituting data with other characters as placeholders. Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token and the data it substitutes are stored in a secure database; if the original data is needed, it can be accessed by using the token to query the database. The token has a different size and structure than the original data, so the token can't be used to decipher the original data. It does not involve substituting data with other characters as placeholders.
Domain 1.0 - General Security Concepts
281
Q
Question 11: Sam, a security engineer, is testing the security of a web application and finds that it is vulnerable to a type of attack that involves sending more data than expected to a function, causing it to overwrite adjacent memory locations and execute arbitrary code. Which of the following application attacks is BEST described by this vulnerability?
Injection
Buffer overflow
Privilege escalation
Replay
A
Correct answer: Buffer overflow
Overall explanation
OBJ: 2.4 - A buffer overflow attack is a type of application attack that involves sending more data than expected to a function, causing it to overwrite adjacent memory locations and execute arbitrary code. An injection attack is a type of application attack that involves inserting malicious code or commands into an application or database to execute unauthorized actions or access sensitive data. A privilege escalation attack is a type of application attack that involves exploiting a vulnerability or misconfiguration to gain higher privileges or access than intended on a system or application. A replay attack is a type of application attack that involves capturing and retransmitting data, such as authentication tokens or credentials, to impersonate a legitimate user or session.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
282
Q
Question 12: River, a project manager at a tech company, is tasked with keeping track of all potential risks related to a new software deployment. She uses a structured document that lists identified risks, their potential impact, likelihood, and mitigation strategies. Which document is River using to manage these risks?
Playbook
Business Continuity Plan
Risk Register
Incident Response Plan
A
Correct answer: Risk Register
Overall explanation
OBJ 5.2 - A risk register is used to identify, document, and track potential risks, including their likelihood, impact, and mitigation steps. It enables proactive management of risks in projects or operations. A Business Continuity Plan focuses on maintaining operations, an Incident Response Plan on handling incidents, and a Playbook on specific response actions.
Domain 5.0 - Security Program Management and Oversight
283
Q
Question 13: Elvi downloads an app from a website not associated with Apple on his new iPhone. The app offered free games and wallpapers. He installs the app on his mobile device and grants it all the permissions it requests. He notices that the app does not work as advertised, and instead displays ads and pop-ups on his device. He also notices that his device performance and battery life have degraded significantly. What is the most likely cause of Elvi's problems?
Malicious update
End of Life vulnerability
Side loading
Jailbreaking
A
Correct answer: Side loading
Overall explanation
OBJ: 2.3 - Side loading is an authorized or unauthorized installation of an application on a mobile device from a source other than the official app store. Side loading can give users access to apps that are not available from or approved by the manufacturer or carrier, but it also exposes them to malware or spyware. Elvi performed side loading by downloading and installing the app from a source other than the official app store. End-of-life vulnerabilities refer to software or devices that are no longer supported by the vendor and may be vulnerable to known attacks. In this case, the iPhone is new, so it is unlikely to have any end-of-life software on it. A malicious update is an unauthorized replacement of a legitimate update for an application or system with a malicious one. A malicious update can enable attackers to compromise the application or system, steal data, or perform other malicious actions. Elvi's problem didn't come as the result of an update. Jailbreaking is an unauthorized modification of a mobile device that allows users to bypass restrictions imposed by the manufacturer or carrier. Jailbreaking can enable users to install custom firmware, access root privileges, or run unauthorized apps. There is no indication that Elvi has performed jailbreaking, as he did not bypass the security or modify the operating system or applications.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
284
Q
Question 14: Who, among the following, operates without any prior permissions and may launch attacks from remote locations?
Business partner
External threat actor
Cybercriminal
Internal threat actor
A
Correct answer: External threat actor
Overall explanation
OBJ: 2.1 - External threat actors operate without any prior permissions or authorized access to the system and can launch their attacks from virtually anywhere. While a cybercriminal can be an external threat, this term doesn't specify their method or position relative to the target, making it broader than the specific "external threat actor" definition. An internal threat actor has been granted permissions or access within a system, such as an employee or contractor. Business partners typically have authorized access due to collaborative efforts, making them internal threat actors.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
285
Q
Question 15: Which of the following is a form of obfuscation where data strings are replaced with a single character like an X or a * but the structure of the data string remains the same?
Tokenization
Data Masking
Key stretching
Steganography
A
Correct answer: Data Masking
Overall explanation
OBJ 3.3: Data masking is an obfuscation type that redacts the data by substituting the data with a character like an X or a *. The structure of the string is not changed, so, for example, a 10-digit phone number would appear with 10 Xs. In steganography, data is embedded in a picture or some other source. In tokenization, the data is replaced with a token that has a different structure; the token is used to point to the data. Key stretching is not a data obfuscation technique. It is a technique used to protect passwords.
Domain 3.0 - Security Architecture
286
Q
Question 16: Dion Training Solutions is aiming to optimize their wide-area network while ensuring advanced network management and performance optimization. They are considering a solution that can be deployed both on-premises and in the cloud. Which of the following technologies would BEST match their requirements?
TLS
AH
SD-WAN
SASE
A
Correct answer: SD-WAN
Overall explanation
OBJ 3.2: SD-WAN (Software-defined wide area network) provides centralized network management, flexible routing, and traffic management capabilities. It can be hosted both on-premises and in the cloud, giving it an edge for comprehensive WAN optimization. AH (Authentication Header) is a protocol component of IPSec that offers packet integrity but does not specifically cater to WAN optimization or management. While SASE offers both network security and WAN capabilities, its primary selling point is as a cloud-based solution that integrates both. It doesn't focus solely on WAN performance optimization. TLS (Transport Layer Security) operates at the application layer and is primarily used for securing application-level communication. It doesn't offer WAN optimization or centralized network management.
Domain 3.0 - Security Architecture
287
Q
Question 17: Dion Training is planning to expand its online services, including launching multiple subdomains for different courses. They want a single certificate that can secure all these subdomains. Which type of certificate should Dion Training consider?
Third-party certificate
Wildcard certificate
Self-signed certificate
CSR (Certificate Signing Request)
A
Correct answer: Wildcard certificate
Overall explanation
OBJ: 1.4 - Dion Training should consider a wildcard certificate, which can be used to secure multiple subdomains under a single main domain. It offers a convenient and cost-effective way to manage certificates for subdomains. A CSR is a formal message to a CA requesting a digital certificate. It's a request, not a type of certificate. While it is signed and verified by an external CA, a third-party certificate doesn't specify the number or type of domains covered and hence wouldn't inherently secure multiple subdomains. A self-signed certificate is signed by its creator and doesn't inherently cover multiple domains or subdomains.
Domain 1.0 - General Security Concepts
288
Q
Question 18: You receive an email from your bank asking you to verify your account details by clicking on a link. The email looks legitimate, but you are suspicious. What kind of threat vector was used for this attack?
Message-based
Agentless
File-based
Image-based
A
Correct answer: Message-based
Overall explanation
OBJ: 2.2 - Message-based attack vectors include email, SMS messages, and instant messaging. Agentless software is software that does not require installation or configuration on the user's computer; it runs on a remote server and communicates with the user's computer via a web browser or other interface. There is no software in this scenario, so Agentless can't be the correct answer. File-based attacks use malicious files, such as executables, documents, or archives, to infect systems with malware or perform other malicious actions. This scenario has a link, not an executable or document to click on. Image-based attacks have malicious code embedded within the image's headers; the code infects the system when the image is downloaded.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
289
Q
Question 19: Sasha, a security consultant at Kelly Innovations LLC, has been tasked with finding a solution that can monitor and filter the web traffic of employees who frequently travel or work remotely. Which of the following would be the MOST effective solution for ensuring consistent policy enforcement regardless of the user's location?
Requiring remote users to use a specific browser
Setting up strict firewall rules for outbound traffic
Implementing an agent-based web filter
Deploying a VPN for remote users
A
Correct answer: Implementing an agent-based web filter
Overall explanation
OBJ 4.5: Agent-based web filters are installed directly on user devices, allowing for consistent enforcement of web filtering policies no matter where the device connects from. While firewalls can control outbound traffic, they primarily operate at the network perimeter and may not be effective for users outside the corporate network. While VPNs can securely connect remote users to a corporate network, they do not inherently provide detailed web content filtering. Browser choice doesn't ensure that web content adheres to corporate policies, nor does it consistently block malicious or unwanted content.
Domain 4.0 - Security Operations
290
Q
Question 20: Which of the following statements regarding data retention in the disposal process is NOT true?
Formal data retention policies help organizations decide when data assets should be backed up, archived, or purged
Data retention is a critical governance factor that organizations need to adhere to while managing their information systems and data assets
Data retention implies storing all data indefinitely as it might be needed at some point
Data retention periods should account for business needs as well as any legal, regulatory, or contractual requirements
A
Correct answer: Data retention implies storing all data indefinitely as it might be needed at some point
Overall explanation
OBJ 4.2: Indefinite storage is not the purpose of data retention. Instead, data retention policies establish specific time frames to retain data, after which it should be safely destroyed or sanitized to protect sensitive information and optimize system performance. Formal data retention policies guide decisions about backup, archiving, and purging data assets. Adherence to data retention requirements is indeed a critical governance factor in managing information systems and data assets. Data retention periods should consider business, legal, regulatory, and contractual requirements to ensure the availability of necessary data and compliance with all obligations.
Domain 4.0 - Security Operations
291
Q
Question 21: Which of the following types of penetration tests provides the tester with some information about the target system, like certain architecture details or user credentials, but not comprehensive insights into its inner workings?
Boundary
White box
Black box
Grey box
A
Correct answer: Grey box
Overall explanation
OBJ: 5.5 - For a grey box test, the tester has limited information about the target system. This might include specific details about its architecture or certain user credentials. This type of test represents a middle ground, providing a blend of both internal and external perspectives on potential vulnerabilities. In a white box test, the tester possesses complete knowledge of the target environment, including its architecture, design, and source code. It allows for an in-depth examination of the system to find vulnerabilities that might be overlooked in other test types. Boundary testing focuses on the system's input and output data limits. Testers will try to use values at, just below, or just above these boundaries to see if the system behaves unexpectedly or reveals vulnerabilities. A black box test is executed without any prior knowledge of the target environment. The tester approaches the system from an outsider's perspective, mimicking an external attacker with no insight into the system's design or functionality.
Domain 5.0 - Security Program Management and Oversight
292
Q
Question 22: Which of the following best explains the importance of insurance in vulnerability management?
Insurance has no impact on vulnerability response and remediation processes
Insurance determines the lifespan of hardware or software assets
Insurance can provide financial support in mitigating the aftermath of a security breach
Insurance affects the actual security measures implemented to prevent vulnerabilities
A
Correct answer: Insurance can provide financial support in mitigating the aftermath of a security breach
Overall explanation
OBJ 4.3: Cybersecurity insurance helps an organization cover the recovery expenses after a security breach, including legal fees, notification costs, fines, settlements, and many other unforeseen costs related to the incident. Insurance does impact the vulnerability response and remediation processes, not directly by preventing or addressing vulnerabilities but by providing financial aid in the aftermath of a security breach. Insurance does not directly determine the lifespan of hardware or software assets. It might provide financial aid in case of asset loss due to a security incident, but it does not influence the actual longevity of the assets. While insurance companies may give guidelines or requirements for achieving certain security standards, they do not dictate the actual security measures implemented by a company.
Domain 4.0 - Security Operations
293
Q
Question 23: Which of the following architecture models is BEST described as a model that allows developers to write and deploy code without concern for the underlying infrastructure because the cloud provider automatically manages the execution, scaling, and networking?
IaC
Air-gapped network
Virtualization
Serverless architecture
A
Correct answer: Serverless architecture
Overall explanation
OBJ: 3.1 - Serverless architecture abstracts the infrastructure layer, allowing developers to focus on writing code while the cloud provider manages everything else. Virtualization refers to creating virtual versions of computing resources, such as servers or storage, and does not automatically manage the execution or scaling of applications the way serverless architecture does. Air-gapping refers to a network that is physically isolated from unsecured networks like the internet, typically used for high-security environments; it does not relate to managing code execution or infrastructure automatically. IaC (Infrastructure as Code) involves managing and provisioning infrastructure through code, but developers still need to define the infrastructure themselves.
Domain 3.0 - Security Architecture
294
Q
Question 24: What type of assessment should you do to evaluate the security measures and vulnerabilities of a company that offers goods or services?
Statement of Work
Vendor monitoring
Vendor assessment
Vendor selection
A
Correct answer: Vendor assessment
Overall explanation
OBJ: 5.3 - A vendor assessment involves evaluating the security measures and vulnerabilities of a vendor's systems and infrastructure to ensure they meet the organization's security requirements. A Statement of Work (SOW) sets the expectations for work to be completed by a third party. It doesn't normally include an evaluation of the third party's vulnerabilities and security measures. Vendor selection is the process of choosing a vendor based on various criteria, but it does not specifically focus on evaluating the vendor's security measures and vulnerabilities. Vendor monitoring involves continuous evaluation and oversight of a vendor's performance, including its security practices, throughout the duration of the business relationship, but it is not specifically focused on the initial assessment of security measures and vulnerabilities.
Domain 5.0 - Security Program Management and Oversight
295
Q
Question 25: Which of the following mitigation techniques is BEST for preventing data breaches from devices that are no longer in use?
Patching
Isolation
Encryption
Decommissioning
A
Correct answer: Decommissioning
Overall explanation
OBJ: 2.5 - Decommissioning is a technique that can help reduce the risk of data breaches or theft by securely disposing of systems and devices that are no longer needed or used. Decommissioning involves following a set of procedures to erase or destroy any sensitive data stored on the systems and devices, and to physically dispose of them in a safe and environmentally friendly manner. Encryption is a technique that can help protect data from unauthorized access or modification by transforming it into an unreadable format. Encryption uses mathematical algorithms and secret keys to encrypt and decrypt data, but it does not securely dispose of systems and devices that are no longer needed or used. Encryption will help prevent data breaches for unused devices, but decommissioning destroys the data instead of just masking it, so decommissioning is the better choice for unused devices. Patching is a technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems on devices still in use; it does little to protect data on devices that are no longer in use. Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system, which prevents potentially malicious programs or scripts from accessing the rest of the system or network. This mitigation technique will help protect systems that are still in use, but for devices that are no longer used, decommissioning provides much more protection from data breaches.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
296
Q
Question 26: Which of the following terms describes a security concept that ensures both parties involved in a communication cannot deny the validity of their sent or received message?
Authorization
Accounting
Non-repudiation
Confidentiality
A
Correct answer: Non-repudiation
Overall explanation
OBJ: 1.2 - Non-repudiation ensures that a sender or receiver of a message cannot deny having sent or received that message, typically using cryptographic evidence. Authorization determines what actions, rights, or functions are permitted to a user or system. Confidentiality ensures that data or information is not made available or disclosed to unauthorized individuals or systems. Accounting involves tracking user activities and resource usage for audit or billing purposes.
Domain 1.0 - General Security Concepts
297
Q
Question 27: Which group is MOST likely to possess the funding and resources to recruit top talent, including skilled strategists, designers, coders, and hackers?
A criminal syndicate
An independent black hat hacker
An open-source development community
A security researcher
A
Correct answer: A criminal syndicate
Overall explanation
OBJ: 2.1 - Large organized crime rings have the financial means to hire and maintain a team of skilled individuals for sophisticated cyber operations. Though they have deep knowledge of cybersecurity, security researchers typically operate independently or within institutions, focusing on studying and mitigating threats. While skilled, independent black hat hackers operate on their own and may not have the substantial resources a larger organization might. While an open-source development community is a collective of talented coders and developers, its main intent is collaborative software development, not cyber-attacks.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
298
Q
Question 28: Which of the following BEST underscores the value of enumeration in the effective management of hardware, software, and data assets?
Enumeration identifies potential vulnerabilities in hardware, software, and data assets
Enumeration identifies and counts all hardware, software, and data assets in an organization
Enumeration aids inventory by tracking equipment and access controls to hardware, software, and data assets
Enumeration ranks and prioritizes all hardware, software, and data assets based on their value to the organization
A
Correct answer: Enumeration aids inventory by tracking equipment and access controls to hardware, software, and data assets
Overall explanation
OBJ 4.2: Enumeration in hardware, software, and data asset management involves assigning unique identifiers, access controls, and attributes to each asset. This process allows for granular control over access permissions, ensuring only authorized users can interact with assets. Enumeration supports data confidentiality, integrity, and availability by preventing unauthorized access and ensuring proper resource management. While it involves creating an asset inventory, enumeration goes beyond listing items, focusing on specific attributes and security measures. Unlike simply prioritizing assets by criticality, enumeration involves detailed identification and categorization rather than solely addressing vulnerabilities.
Domain 4.0 - Security Operations
299
Q
Question 29: A company wants to ensure that its employees use its resources in an acceptable manner. Which of the following would be an example of a directive control that the company could implement to address this concern?
Requiring that all employees read and sign an AUP
Reviewing log files for signs of unauthorized access
Implementing multi-factor authentication when single-factor authentication fails
Conducting regular security awareness training for employees
A
Correct answer: Requiring that all employees read and sign an AUP
Overall explanation
OBJ: 1.1 - An Acceptable Use Policy (AUP) is an example of a directive control because it helps direct employee behavior by specifying what actions are allowed and not allowed when using company resources. Reviewing log files for signs of unauthorized access is an example of a detective control, which is used to detect security incidents. Conducting regular security awareness training for employees is an example of a preventive control, which is used to prevent security incidents from occurring. Implementing multi-factor authentication when single-factor authentication fails is an example of a compensating control, which provides additional security when another control fails.
Domain 1.0 - General Security Concepts
300
Q
Question 30: When a legal organization routinely communicates with clients via email containing sensitive case details, which strategy would be the MOST effective to secure the communications?
Utilization of VPNs for email transmission
Implementation of end-to-end encrypted email
Deployment of regular data backups to secure cloud storage
Conducting regular user cybersecurity training
A
Correct answer: Implementation of end-to-end encrypted email
Overall explanation
OBJ 3.3: Implementation of end-to-end encrypted email ensures emails are decipherable only by the intended recipient, safeguarding sensitive content. Deployment of regular data backups to secure cloud storage provides email storage solutions but doesn't inherently secure email transmissions. Utilization of VPNs for email transmission secures transmission of data over networks but isn't specialized for email content encryption. Conducting regular user cybersecurity training educates users about best practices but doesn't directly protect email content.
Domain 3.0 - Security Architecture
301
Q
Question 31: To enhance security, an organization requires employees to insert a small device into their computer's USB port when logging in. This device proves their identity in combination with something they know, like a password. What are these devices called?
Biometric scanners
Smart cards
Software tokens
Physical security keys
A
Correct answer: Physical security keys
Overall explanation
OBJ 4.6: Physical security keys are hardware tokens that can be used as a part of multi-factor authentication, often plugged into a USB port. Software tokens are digital or virtual tokens generated by software, not a physical device. Biometric scanners read biological data, like fingerprints or retinas, not something inserted into a USB port. Although similar, smart cards often require a card reader and may contain additional personal data.
Domain 4.0 - Security Operations
302
Question 32:

Dion Training has implemented a Zero Trust model. Which of the following components of the data plane is responsible for the user or device being verified before it interacts with the network?

Policy Enforcement Point

Policy Administrator

Subject

Policy Engine

Correct answer: Policy Enforcement Point

Overall explanation

OBJ 1.2 - The Policy Enforcement Point (PEP) is responsible for ensuring that security policies are enforced when a user or device tries to access resources on the network. It acts as a gatekeeper, verifying the identity and context of the access request against the policies set by the organization before allowing or denying access. The Policy Engine is responsible for making decisions based on the security policies defined. It evaluates the information it receives from the Policy Enforcement Point but does not directly interact with users or devices attempting to access the network. In security terms, the subject typically refers to the user or device attempting to access the network. It is the entity being verified, not the component doing the verifying. The policy administrator manages and updates the security policies; it does not perform real-time verification of users or devices attempting to access the network.

Domain

1.0 - General Security Concepts
Question 33:

Global Star Computing has experienced a number of breaches in the past few months. They want to get one software system that will integrate many protections, including application-aware filtering. They also want to track user identities and stop unauthorized users from accessing their data. Which of the following would be the MOST suitable option?

IPS

VPN

NGFW

SD-WAN

Correct answer: NGFW

Overall explanation

OBJ 3.2 - A Next-Generation Firewall (NGFW) provides advanced, integrated security features like intrusion prevention systems (IPS) and user identity tracking, making it an optimal choice to address sophisticated threats. A software-defined wide area network (SD-WAN) connects enterprise networks over large geographic distances much the way a regular WAN does. However, by making use of software rather than hardware as the basis of the network, SD-WANs offer faster speeds at lower costs. The software basis of the WAN allows for less complicated management and greater security. This won't provide the features indicated in the scenario. A Virtual Private Network (VPN) provides a secure method for remote operations by creating an encrypted connection over the internet. It establishes a secure tunnel so that data can be securely transferred even over insecure networks. It doesn't provide intrusion prevention or other features required by the scenario. Intrusion Prevention Systems (IPS) will prevent unauthorized users from accessing the system; however, it will not necessarily provide application-aware filtering or track user identities.

Domain

3.0 - Security Architecture
Question 34:

Rico Financials has implemented a security awareness program. In a recent lesson, employees learned about the risks associated with malicious employees and similar threats. What is the focus of this lesson?

Anomalous behavior recognition

Reporting and monitoring

Phishing

Insider threat

Correct answer: Insider threat

Overall explanation

OBJ 5.6 - Insider threat awareness involves educating employees about the risks posed by individuals within the organization who may intentionally or unintentionally harm the company. This practice helps employees identify signs of potential malicious behavior within their ranks. Phishing campaigns are designed to test employees' ability to recognize and respond to phishing attempts. While they contribute to security awareness, they don't focus specifically on internal threats. Anomalous behavior recognition is about recognizing unusual actions that may indicate security threats. While it plays a part in overall security awareness, it doesn't specifically concentrate on educating employees about internal threats. While reporting and monitoring are crucial security awareness practices, they mainly focus on the overall security posture and detecting potential incidents. They don't specifically address educating employees about internal threats like malicious employees.

Domain

5.0 - Security Program Management and Oversight
Question 35:

Which of the following statements BEST explains the importance of 'risk tolerance' in the context of vulnerability management?

Risk tolerance is the level of uncertainty associated with a specific vulnerability, measured through the likelihood of occurrence and potential impact

Risk tolerance involves an organization's willingness to implement expensive comprehensive security controls to eliminate all vulnerabilities and potential risks

Risk tolerance refers to an organization's willingness to accept the potential impact of a vulnerability and its associated risks without mitigating them

Risk tolerance is the practice of conducting regular vulnerability scans and penetration tests to identify and remediate security weaknesses

Correct answer: Risk tolerance refers to an organization's willingness to accept the potential impact of a vulnerability and its associated risks without mitigating them

Overall explanation

OBJ 4.3 - Risk tolerance refers to an organization's willingness to accept the potential impact of a vulnerability and its associated risks without taking any immediate mitigation measures. Organizations with high risk tolerance might choose not to address certain vulnerabilities if the potential impact is deemed acceptable. While vulnerability scans and penetration tests are essential activities in vulnerability management, risk tolerance is about an organization's willingness to accept risks, not about conducting vulnerability assessments. While implementing security controls is essential for vulnerability management, risk tolerance is about an organization's preparedness to accept certain risks rather than eliminating all vulnerabilities. While risk tolerance involves evaluating the likelihood and impact of a vulnerability, it is not solely about measuring uncertainty but rather about an organization's readiness to accept risks.

Domain

4.0 - Security Operations
Question 36:

Which of the following BEST describes the consideration of staffing needs to align with future workload demands and project implementations?

Human resource capacity planning

Employee onboarding

Personnel training

Role-based access control

Correct answer: Human resource capacity planning

Overall explanation

OBJ 3.4 - Human resource capacity planning involves forecasting the organization's future staffing needs based on current workforce efficiency, project implementations, and workload demands. It ensures the right number of people are in the right jobs at the right time. While essential for skill development, personnel training focuses on enhancing the abilities of current staff rather than forecasting future staffing requirements based on workload demands. Employee onboarding refers to the process of integrating new employees into the organization but does not inherently focus on aligning staffing needs with future workloads. While role-based access control involves assigning access to individuals based on their job role, it doesn't address forecasting or analyzing future staffing needs in relation to project workloads.

Domain

3.0 - Security Architecture
Question 37:

A financial services company is required to submit regular documentation demonstrating adherence to regulatory security standards. This documentation includes audit results, risk assessments, and evidence of data protection measures. What is this process called?

Compliance Reporting

Risk Management

Configuration Management

Incident Response

Correct answer: Compliance Reporting

Overall explanation

OBJ 5.4 - Compliance reporting involves submitting documentation that proves an organization's adherence to regulatory or industry standards. This process ensures that required security practices are being followed and that the organization remains in good standing with regulatory bodies.

Domain

5.0 - Security Program Management and Oversight
Question 38:

Connor has just gotten a promotion to data processor. What task will he be solely in charge of with his new position?

To ensure physical security of data storage devices

To analyze data on behalf of the data controller

To manage and control access to data

To establish data ownership and control over access to the data

Correct answer: To analyze data on behalf of the data controller

Overall explanation

OBJ 5.1 - The primary responsibility of a data processor is to process and manipulate data on behalf of the data controller. The data processor acts under the direction and authority of the data controller and carries out specific data processing activities as instructed. While ensuring physical security is important, it is typically the responsibility of both the data controller and the data processor to protect data storage devices and data assets. However, it is not the core responsibility of the data processor in the context of data processing activities. Data ownership and control typically fall under the purview of the data controller, who is responsible for determining the purpose and means of data processing. Access control is generally a shared responsibility between the data controller and the data processor. While the data processor may implement access controls based on the data controller's requirements, the ultimate responsibility for access control lies with the data controller.

Domain

5.0 - Security Program Management and Oversight
Question 39:

Jason, the CTO of Dion Training Solutions, wants to standardize and simplify the web filtering solutions currently in use across the organization's various branches. He also hopes to have a consolidated view of web traffic reports. Which of the following would BEST meet Jason's needs?

Deploying local firewalls at each branch

Increasing the frequency of software updates

Adopting a cloud-based storage solution

Implementing a centralized proxy

Correct answer: Implementing a centralized proxy

Overall explanation

OBJ 4.5 - A centralized proxy allows for the uniform application of web filtering policies across multiple branches and provides consolidated reporting, making management more efficient and streamlined. Local firewalls can control traffic at each location, but they don't provide the centralized management and reporting that Jason is seeking. Cloud-based storage solutions focus on storing and managing data and don't address the need for centralized web filtering or reporting. While regular updates are essential for security, they don't necessarily provide a standardized web filtering approach or consolidated reporting.

Domain

4.0 - Security Operations
Question 40:

Which of the following BEST explains the concept of Alerting in the context of security activities?

Alerting provides real-time notifications of security incidents and potential threats

Alerting monitors user activities and detecting suspicious behavior on the network

Alerting is the constant monitoring of networks to prevent unauthorized access

Alerting is the assessing network traffic and identifying potential security breaches

Correct answer: Alerting provides real-time notifications of security incidents and potential threats

Overall explanation

OBJ 4.4 - Alerting is essential for providing real-time notifications of security incidents and potential threats. These timely alerts enable security teams to respond promptly and implement mitigation measures, reducing the impact of security breaches and potential damages. Alerting is not the act of monitoring or the act of assessing; it is the act of notifying.

Domain

4.0 - Security Operations
Question 41:

Which of the following email security techniques specifically utilizes email certificates to authenticate and safeguard email content?

SPF

S/MIME

DMARC

TLS

Correct answer: S/MIME

Overall explanation

OBJ 2.2 - S/MIME (Secure/Multipurpose Internet Mail Extensions) leverages email certificates to both sign and encrypt email content, ensuring both authenticity and confidentiality. Transport Layer Security (TLS) primarily encrypts the communication path between servers, but it doesn't use individual email certificates for signing and encrypting content within the email. Sender Policy Framework (SPF) verifies the legitimacy of the sender's IP against a list of approved IPs for the domain, but doesn't use email certificates for content encryption or signature. Domain-based Message Authentication, Reporting & Conformance (DMARC) focuses primarily on the authenticity of the domain from which emails originate, rather than on using certificates to sign and encrypt the email content itself.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 42:

As a security analyst, you are reviewing firewall logs as part of an ongoing investigation into suspicious network activity. Which of the following pieces of information is NOT typically available in the firewall log data?

Source IP address of the traffic

Destination port the traffic was trying to reach

Timestamps of firewall log entries

Open ports on the destination device

Correct answer: Open ports on the destination device

Overall explanation

OBJ 4.9 - Firewall logs typically do NOT contain information about open ports on the destination device. Firewalls focus on network information. They are likely to show the port that was used by the destination device, but not a list of open ports on the device. The destination port is another vital data point captured in firewall logs. This can provide insights into the services being accessed or targeted by the traffic and can reveal potential vulnerabilities or unauthorized activities. Timestamps are a critical component of firewall log entries. They provide context and sequence to the events logged, which is essential for determining the timeline of a potential security incident. The source IP address of the traffic is important to determine where the traffic has come from.

Domain

4.0 - Security Operations
Question 43:

Which of the following is the standard term used in risk management to describe the effect of a risk event on an organization, particularly in terms of operational, financial, and reputational harm?

Impact

EF

Damage proportion

ARO

Correct answer: Impact

Overall explanation

OBJ 5.2 - Impact refers to the consequences a risk event has on an organization, affecting various areas such as operations, finance, and reputation. Damage proportion might be used informally to describe a similar concept as EF, but it is not the standard term used in risk assessment. The exposure factor (EF) is the fraction of the asset value that is at risk in the event of a security incident. ARO quantifies the expected frequency of a risk occurring within a one-year timeframe.

Domain

5.0 - Security Program Management and Oversight
Question 44:

Kelly Innovations LLC is hosting an offsite meeting at a hotel. Benjamin is trying to access the hotel's Wi-Fi network. Upon connecting, he's not required to input any credentials but is redirected to a splash page when he launches his browser. This page requests his room number and last name. Benjamin is aware of potential threats on open networks and wants to ensure his communications remain confidential. Given this situation, what should Benjamin do to ensure secure communication over the open Wi-Fi?

Use Wi-Fi Enhanced Open because it uses the Dragonfly handshake.

Connect without hesitation because the splash page uses HTTPS.

Transfer confidential files over email since the splash page is secure.

Establish a VPN connection after associating with the open hotspot.

Correct answer: Establish a VPN connection after associating with the open hotspot.

Overall explanation

OBJ 2.4 - Establishing a VPN connection after associating with the open hotspot is recommended for open networks. Establishing a VPN would create an encrypted tunnel, ensuring Benjamin's communications are secure even on the open Wi-Fi network. While Wi-Fi Enhanced Open provides encryption, Benjamin doesn't control the hotel's network setup and can't choose this option. While HTTPS is secure, it doesn't guarantee that other communications on the network will be encrypted. Just because the splash page is secure doesn't mean email transfers will be. Without additional security measures, it isn't recommended to transfer confidential files over open networks.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 45:

Which threat vector focuses on exploiting vulnerabilities in third-party vendors to gain unauthorized access to a primary target's network or data?

Ransomware

Phishing attack

Supply chain attack

Distributed denial of service (DDoS)

Correct answer: Supply chain attack

Overall explanation

OBJ 2.2 - A supply chain attack targets vulnerabilities in the supply chain, such as third-party vendors or suppliers, to infiltrate a primary organization. By targeting less secure entities within the supply chain, attackers can sometimes find an indirect route to their main objective. A distributed denial of service (DDoS) attack overwhelms a system, service, or network with traffic, causing it to become slow or unavailable to legitimate users. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. A phishing attack involves sending deceptive messages with the aim of tricking recipients into revealing sensitive information or performing a malicious action.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 46:

Which of the following statements BEST explains the importance of penetration testing in the context of vulnerability management?

Penetration testing refers to the process of installing security patches and updates to protect against known vulnerabilities

Penetration testing focuses on creating backups of critical data and testing data restoration procedures to ensure business continuity

Penetration testing involves monitoring network traffic to detect and prevent potential intrusions by unauthorized users

Penetration testing includes conducting simulated cyberattacks on systems and applications to identify and address security vulnerabilities

Correct answer: Penetration testing includes conducting simulated cyberattacks on systems and applications to identify and address security vulnerabilities

Overall explanation

OBJ 4.3 - Penetration testing involves simulating cyberattacks on systems and applications to identify security weaknesses and vulnerabilities. By performing these simulated attacks, organizations can proactively address potential threats and strengthen their security posture. While data backups and testing data restoration procedures are essential for business continuity, they are not the main components of penetration testing. While monitoring network traffic is a valid security practice, penetration testing specifically involves conducting simulated cyberattacks to identify vulnerabilities. While installing security patches and updates is important for vulnerability management, it is not the primary focus of penetration testing.

Domain

4.0 - Security Operations
Question 47:

A financial institution is seeking to secure its customer database to ensure that, even if a breach occurs, the stolen data remains unintelligible. Which of the following encryption levels would be the MOST appropriate to directly safeguard the contents of the database?

File encryption

Volume encryption

Full-disk encryption

Database level encryption

Correct answer: Database level encryption

Overall explanation

OBJ 1.4 - Database level encryption ensures that the entire content of the database is encrypted, making the data unreadable without the correct decryption key. File encryption encrypts individual files, but for a database with many records, this might not be efficient or suitable. Volume encryption secures a particular volume or partition, but it may not provide the granularity and efficiency needed for large databases. While full-disk encryption secures the entirety of the disk's data, it doesn't specifically cater to the unique structure and needs of a database.

Domain

1.0 - General Security Concepts
Question 48:

Which of the following systems would be BEST suited to alert network security personnel to an anomalous occurrence on the network?

SASE

Proxy server

IDS

UTM

Correct answer: IDS

Overall explanation

OBJ 3.2 - An IDS (Intrusion Detection System) is specially designed to monitor network traffic, detect potential security incidents, and send alerts, making it the most suitable option in this scenario. A UTM combines multiple security features and network services into one device but would not primarily detect and alert about possible security incidents. A proxy server serves as an intermediary for requests between a client and server but does not primarily detect and alert about possible security incidents. A SASE (Secure Access Service Edge) combines WAN capabilities with cloud-native security functions but does not primarily serve to detect and alert about suspicious activities.

Domain

3.0 - Security Architecture
Question 49:

Which of the following statements best explains the importance of Threat Hunting in incident response?

Threat Hunting allows the identifying and mitigating of security threats before they cause damage

Threat Hunting determines the individuals or groups responsible for the incident and helps in legal proceedings

Threat hunting is the process of identifying and classifying incidents based on their severity and impact to the organization

Threat hunting involves removing the root cause of the incident from affected systems and networks to prevent its recurrence

Correct answer: Threat Hunting allows the identifying and mitigating of security threats before they cause damage

Overall explanation

OBJ 4.8 - Threat hunting is a proactive approach to identifying and mitigating security threats before they cause damage or lead to incidents. It involves actively searching for signs of potential threats or malicious activities in the organization's network and systems, even when there is no known incident or alert triggered. Threat hunting allows organizations to detect and address threats early, reducing the likelihood of successful attacks and minimizing potential damage. Removing the root cause of the incident to prevent recurrence is part of the "Eradication" phase in the incident response process, not the primary purpose of Threat Hunting. While identifying the individuals or groups responsible for an incident might be valuable for legal proceedings, threat hunting is primarily focused on proactive detection and mitigation of security threats, not on attributing incidents to specific individuals. Identifying and classifying incidents based on their severity and impact is typically part of the "Detection" phase in the incident response process. Threat hunting goes beyond just identifying known incidents.

Domain

4.0 - Security Operations
Question 50:

Which of the following statements BEST explains the importance of OSINT in the context of vulnerability management?

OSINT uses proprietary software to eliminate vulnerabilities in an organization's network infrastructure

OSINT allows organizations to track and monitor the physical location and status of hardware assets

OSINT helps organizations assess and analyze vulnerabilities in operating systems

OSINT uses public information to discover vulnerabilities in an organization's network infrastructure

Correct answer: OSINT uses public information to discover vulnerabilities in an organization's network infrastructure

Overall explanation

OBJ 4.3 - OSINT stands for Open-Source Intelligence, which involves gathering information from publicly available sources to gain insights and assess potential risks. While tracking and monitoring hardware assets is essential, OSINT primarily focuses on gathering intelligence from publicly available sources to assess security risks. While assessing vulnerabilities in operating systems is essential, OSINT is not limited to this specific activity. OSINT is open-source, not proprietary software.

Domain

4.0 - Security Operations
Question 51:

After a recent compliance audit at GlobalTech Corp, it was found that certain business processes no longer align with the company's documented policies and procedures. Emma, the Chief Compliance Officer, emphasized the importance of routinely updating these documents. Which of the following is the MOST important reason for updating documents and how they affect an organization's current security posture?

To match them with recent modifications in business operations.

To develop new products and services.

To keep the diagrams and specifications of each piece of equipment updated.

To ensure they remain relevant and compliant with evolving regulations.

Correct answer: To ensure they remain relevant and compliant with evolving regulations.

Overall explanation

OBJ 1.3 - Regular updates ensure alignment with current business practices and any regulatory changes. While ensuring alignment with changes in business operations is essential, there is less emphasis on security in this process. Updating diagrams refers to the process of revising visual representations of IT systems or processes in order to reflect changes or updates. Policies and procedures relate to how operations are conducted, not product development.

Domain

1.0 - General Security Concepts
Question 52:

Which of the following is an attack where a process verifies the state or value of a resource before using it, but another process has changed it in between?

Virtual machine (VM) escape

Buffer overflow

TOCTOU

Memory Injection

Correct answer: TOCTOU

Overall explanation

OBJ 2.3 - A TOCTOU (time-of-check to time-of-use) attack exploits a race condition that occurs when a process checks the state or value of a resource before using it, leaving a small gap between the check and the actual use of the resource. If an attacker can make a change during that gap, the attack can lead to incorrect or unauthorized actions based on outdated information and invalid assumptions. Virtual machine (VM) escape is a different type of security vulnerability. A VM escape occurs when a user or process running within a virtual machine is able to break out and interact with the host system, potentially compromising it. This is a serious security concern because virtual machines are designed to be isolated from the host system and from each other. Buffer overflow is a type of memory corruption that occurs when a program writes more data than the allocated buffer can hold, causing it to overwrite adjacent memory locations. It can lead to crashes, code execution, or privilege escalation. A memory injection attack occurs when an attacker inserts malicious code or data into the memory space of a running process. This can be used to escalate privileges, execute commands, or change the way the application behaves.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Q

Question 53:

Dion Training has encountered frequent advanced and sophisticated threats. They need an integrated firewall solution that surpasses traditional firewall capabilities. Which of the following would BEST address the issue?

NGFW

Fail-closed system

SSH

SASE

A

Correct answer

NGFW

Overall explanation

OBJ 3.2: A NGFW (Next-Generation Firewall) integrates multiple security functions into one solution, offering protection against advanced threats, making it the suitable choice in this scenario. Secure Shell protocol (SSH) allows for secure remote login and other secure network services over an insecure network, but it is not a firewall solution. SASE (Secure Access Service Edge) combines wide-area networking and network security services into a single cloud-based service, but it isn't specifically designed to defend against advanced, sophisticated threats. Fail-closed is a failure mode that does not allow traffic to pass in the event of a device failure. It's not a firewall solution and does not specifically aid in protecting against advanced threats.

Domain

3.0 - Security Architecture
324
Q

Question 54:

Which of the following mitigation techniques can help detect and respond to potential threats or incidents on a system by collecting data about the activities occurring on the system?

Encryption

Monitoring

Permissions

Isolation

A

Correct answer

Monitoring

Overall explanation

OBJ: 2.5 - Monitoring is a mitigation technique that can help detect and respond to potential threats or incidents on a network. By collecting and analyzing data about the activities and events on the network, security analysts can develop theories about the vulnerabilities and incidents that occur on the system. Monitoring involves using tools and techniques such as logs, alerts, and audits. Access control through permissions is a mitigation technique that can help prevent unauthorized execution of programs or scripts on a system or device. This is achieved by defining permissions through policies and applying those policies to resources such as programs, scripts, files, folders, and databases. Users without the correct permissions can't access the resources. Permissions do not detect and respond to potential threats or incidents on a system or network by collecting and analyzing data about the activities and events on the system or network. Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network. While isolation is a response to a malware attack, it doesn't collect data. Encryption is a technique that can help protect data from unauthorized access or modification by transforming it into an unreadable format. Encryption involves using mathematical algorithms and secret keys to encrypt and decrypt data, but it does not detect and respond to potential threats or incidents on a system or network by collecting and analyzing data about the activities and events on the system or network.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
325
Q

Question 55:

Which mitigation technique involves shutting off specific entry and exit points in a system to prevent potential vulnerabilities or unauthorized access?

Disabling ports

Encryption

Monitoring

Segmentation

A

Correct answer

Disabling ports

Overall explanation

OBJ: 2.5 - Disabling ports is the act of turning off specific communication points in a system to reduce potential vulnerabilities or halt unauthorized access. Encryption is the process of converting data into a code to prevent unauthorized access. It doesn't deal with turning off specific entry or exit points in a system. Monitoring is the continuous observation and checking of a system or network to ensure its functionality and security. It is not directly related to shutting off communication points. Segmentation is dividing a network into different parts or segments for security and performance enhancement, but it is not specifically about shutting off communication points.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
326
Q

Question 56:

Sasha, a system administrator at Dion Training, recently received a directive to ensure that all data backups are compliant with privacy regulations. Given that these backups occasionally need to be transported offsite, which of the following measures would be MOST critical for her to implement?

Encryption

Digital signatures

Checksums

Password protection

A

Correct answer

Encryption

Overall explanation

OBJ 3.4: Given the need to transport backups and remain compliant with privacy regulations, encrypting backups would ensure that even if the data is intercepted, it remains unreadable to unauthorized entities. While digital signatures can verify the authenticity of data, they don't protect the actual data from being read if intercepted during transportation. While password protection adds a layer of security, it doesn't provide the robust protection that encryption offers, especially for sensitive data. Checksums are useful for detecting errors in data but won't prevent unauthorized access to the contents of the backup.

Domain

3.0 - Security Architecture
327
Q

Question 57:

Which of the following BEST describes the concept where network control is managed by a software application, independent of the hardware?

SDN

Containerization

Logical segmentation

Virtualization

A

Correct answer

SDN

Overall explanation

OBJ: 3.1 - Software Defined Networking (SDN) separates network control from the physical infrastructure, centralizing management and offering flexibility. Logical segmentation divides a network into separate units for better traffic management and security but doesn't decouple control from hardware. Containerization packages applications with their environment for consistent behavior but is unrelated to network control. Virtualization refers to creating virtual versions of physical resources, such as servers or storage, but does not specifically address network control being managed independently of hardware.

Domain

3.0 - Security Architecture
328
Q

Question 58:

Which term is defined as the average operational period between the occurrence of two consecutive failures in a system or component?

MTBF

MTTR

Operating time

Failure rate

A

Correct answer

MTBF

Overall explanation

OBJ: 5.2 - MTBF (Mean time between failures) represents the typical interval between failures for a system or component, used as a reliability indicator. Operating time simply tracks the duration that a system or component has been in use, without measuring time between failures. MTTR (Mean time to repair) measures the average time required to repair a system or component, not the time between failures. Failure rate quantifies how often a system or component fails, which is different from the average time interval between failures.

Domain

5.0 - Security Program Management and Oversight
329
Q

Question 59:

An attacker uses a phone call to impersonate a bank representative in order to gather sensitive customer information. Which of the following threat vectors does this describe?

Phishing

File-based

Spear Phishing

Vishing

A

Correct answer

Vishing

Overall explanation

OBJ: 2.2 - Vishing is a specific type of voice call attack where attackers often use phone calls combined with other methods to deceive. File-based pertains to threats arising from malicious content within standard files but doesn't involve voice communication. Spear Phishing is a targeted phishing attack. Phishing is a broader term that involves deceptive attempts to obtain sensitive information, often via email, but not specifically limited to voice calls.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
330
Q

Question 60:

Which of the following is a hardware vulnerability that relates to using devices or components that are no longer supported by the manufacturer, possibly leading to unpatched security risks?

End-of-life vulnerability

Supply Chain vulnerability

Legacy vulnerability

Firmware vulnerability

A

Correct answer

End-of-life vulnerability

Overall explanation

OBJ: 2.3 - End-of-life refers to hardware that is no longer supported by the manufacturer, often leading to unpatched and exploitable vulnerabilities. Firmware vulnerabilities are related to the permanent software programmed into the read-only memory, not the discontinued support of hardware components. Legacy hardware denotes older systems or components still in use, which can be vulnerable, but doesn't necessarily mean they are unsupported or at their end-of-life. Supply Chain vulnerabilities refer to vulnerabilities in the supply chain related to third-party service providers, not to using unsupported hardware components.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
331
Q

Question 61:

Which of the following involves an authorized testing of the security of a third-party by actively engaging the third-party's system?

Vendor assessment

Supply chain analysis

Vendor monitoring

Penetration testing

A

Correct answer

Penetration testing

Overall explanation

OBJ: 5.3 - Penetration testing is the practice of conducting authorized simulated attacks on a vendor's network or systems to identify potential security weaknesses and vulnerabilities. Supply chain analysis involves examining the security of companies and suppliers for a vendor. It wouldn't normally include an active engagement with a vendor's system. Vendor assessment involves evaluating various aspects of a vendor's capabilities, including security measures, to determine if they meet the organization's requirements. This is usually done through methods other than a formal penetration test. Vendor monitoring involves continuously tracking and evaluating a vendor's performance and compliance with the agreed-upon terms and security standards. It doesn't involve an active engagement of their third-party system.

Domain

5.0 - Security Program Management and Oversight
332
Q

Question 62:

Which of the following is a process that involves assigning categories to assets based on factors such as sensitivity, criticality, or function?

Inventory

Enumeration

Sanitization

Classification

A

Correct answer

Classification

Overall explanation

OBJ 4.2: Classification helps in determining how an asset should be handled, protected, and managed based on its assigned category. Enumeration involves listing or counting assets, not categorizing them. Inventory is the act of listing assets and their details, not determining their category. Sanitization is the act of ensuring data is irretrievably removed or safe to transfer, not the categorization of assets.

Domain

4.0 - Security Operations
333
Q

Question 63:

You are working on a project with a vendor who provides you with a software application that runs on your computer. The vendor says that the software is secure and does not currently require any updates or patches. He assures you that when updates and patches are available they will be automatically downloaded from the vendor's server and installed on your computer. What type of attack vector is this an example of?

Image-based software

Unsupported systems and applications

Client-based software

Agentless software

A

Correct answer

Client-based software

Overall explanation

OBJ 2.2 - This software runs directly on your computer, classifying it as client-based software that relies on your system to receive updates and patches directly from the vendor. This setup introduces a potential attack vector if the vendor's update process is compromised. Unsupported systems refer to outdated software without updates, which isn't applicable here, as the vendor maintains the software. Image-based software typically involves deploying from pre-configured images, unrelated to this scenario. Agentless software refers to remote management without installed agents, which also doesn't apply, as this software is directly installed on your computer.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
334
Q

Question 64:

When updating a firewall's configuration as part of a change management process, which technical implication is most likely to occur?

Service downtime or restart

Improved connection speeds

Reduced encryption requirements

Increased bandwidth

A

Correct answer

Service downtime or restart

Overall explanation

OBJ 1.3 - When a firewall's configuration is updated, it often results in service downtime or a restart, which can temporarily disrupt network availability. This is because changes to firewall settings usually require the firewall to reload its configuration, which may interrupt its normal operation for a short period. This downtime allows the firewall to apply new rules and settings securely. Such updates do not typically affect bandwidth, connection speeds, or encryption requirements, as those are influenced by other factors in the network setup.

Domain

1.0 - General Security Concepts
335
Q

Question 65:

In the context of compliance monitoring, which of the following does "due diligence/care" refer to?

Automated compliance checks.

Taking steps to meet legal and other requirements.

Conducting internal audits on a regular basis.

Reviewing third-party vendor agreements.

A

Correct answer

Taking steps to meet legal and other requirements.

Overall explanation

OBJ: 5.4 - Due diligence/care refers to the diligent and proactive efforts made by an organization to meet and maintain compliance requirements. This includes implementing necessary policies, procedures, and controls to align with regulatory mandates. Reviewing third-party vendor agreements is part of the vendor management process. It involves carefully examining the contractual agreements with external vendors to verify that they comply with required security and privacy standards. Conducting internal audits is a process where the organization assesses its own practices, processes, and controls to ensure compliance with relevant regulations. Internal audits are systematic and objective evaluations conducted by internal personnel or teams. Automated compliance checks involve using software tools and systems to monitor and evaluate an organization's adherence to regulatory requirements. These tools automatically scan and analyze various aspects of the organization's operations to identify potential compliance issues.

Domain

5.0 - Security Program Management and Oversight
336
Q

Question 66:

Sasha, a system administrator at Dion Training Solutions, is looking to enhance the security of her Linux servers by restricting processes to minimum necessary privileges and defining their behavior. Which Linux feature should Sasha MOST likely implement?

SSH key authentication

Filesystem quotas

SELinux

Chroot environment

A

Correct answer

SELinux

Overall explanation

OBJ 4.5: Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control policies, ensuring processes have only the permissions they require and no more. A chroot environment restricts a process's view of the file system but doesn't offer the same comprehensive policy-based control as SELinux. While SSH key authentication enhances secure remote access, it doesn't provide granular control over processes and their behaviors. Filesystem quotas manage disk usage limits for users but don't regulate process behaviors or privileges.

Domain

4.0 - Security Operations
337
Q

Question 67:

Which standard defines the methods and protocols used for controlling algorithms that manage data in transit?

Password standard

Physical security standard

Access control standard

Encryption standard

A

Correct answer

Encryption standard

Overall explanation

OBJ: 5.1 - The encryption standard defines the methods and protocols for encrypting sensitive data to protect it from unauthorized access. Encryption transforms data into an unreadable format using cryptographic algorithms, and it can only be decrypted with the appropriate encryption key. These are used to protect data in transit. The access control standard defines the rules and procedures for managing user access to systems, applications, and data within an organization. It involves identifying users, authenticating their identity, and determining the level of access they should have based on their roles and responsibilities. The password standard outlines the requirements and best practices for creating and managing passwords. It includes guidelines such as password complexity, minimum length, and expiration policies to ensure that passwords are strong and secure. The physical security standard outlines the measures and procedures to protect physical assets, facilities, and equipment from unauthorized access, theft, and damage. It includes security measures such as access controls, surveillance systems, and security personnel to safeguard physical resources.

Domain

5.0 - Security Program Management and Oversight
338
Q

Question 68:

Kelly Innovations LLC has discovered a vulnerability in one of its software applications. The vulnerability is difficult to exploit, and exploiting it would require a significant level of expertise. However, if successfully exploited, it could have severe consequences. Which of the following is the MOST appropriate CVSS vulnerability classification?

Informational

High

Low

Critical

A

Correct answer

High

Overall explanation

OBJ 4.3: CVSS scores are calculated using a formula that provides a numerical result but also include the categories of Low, Medium, High, and Critical. Low is anything that results in a score of less than 4.0. Medium is a score of 4.0-6.9. High is 7.0-8.9. Critical is a score higher than 9. Because the vulnerability would have severe consequences, it is either "High" or "Critical". Because it would require a lot of expertise to exploit, it isn't Critical. As a result, the answer "High" is the most appropriate answer. High vulnerabilities have the potential to cause a significant impact if exploited. Even if the exploitation requires expertise, the severe consequences merit a high classification. Vulnerabilities that are hard to exploit and have minimal consequences are classified as low. The most severe vulnerabilities are classified as critical. They can cause extensive damage, are easily exploitable, or concern highly sensitive systems or data. Informational vulnerabilities do not pose a direct risk but are typically findings to provide a comprehensive view of the assessment.

Domain

4.0 - Security Operations
339
Q

Question 69:

Susan, an employee at Dion Training, receives an email from a seemingly familiar sender. The email asks her to click on a link to reset her password due to "unusual activity." She finds it odd since she didn't request a password reset. Which of the following actions should Susan take?

Reporting to the IT department.

Forwarding the email to colleagues to check if they received a similar one.

Ignoring and deleting the email.

Clicking on the link to verify authenticity.

A

Correct answer

Reporting to the IT department.

Overall explanation

OBJ: 5.6 - Susan identified the potential threat and promptly alerted the appropriate personnel within her organization. While ignoring can prevent immediate harm, reporting helps the organization identify and address potential security threats. Sharing the email further can expose more people to potential threats. Clicking on the link to verify authenticity could potentially expose her to malware or phishing sites and isn't a recommended action.

Domain

5.0 - Security Program Management and Oversight
340
Q

Question 70:

A security analyst is investigating a malware incident and finds that the malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices. Which of the following indicators of malicious activity is BEST demonstrated by this finding?

Concurrent session usage

Impossible travel

Blocked content

Resource consumption

A

Correct answer

Concurrent session usage

Overall explanation

OBJ: 2.4 - Concurrent session usage is an indicator of malicious activity that shows that an attacker or malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices. Blocked content is an indicator of malicious activity that shows that an attacker or malware has tried to access or deliver content that is prohibited by the system's security policy, such as malicious websites, files, or emails. Resource consumption is an indicator of malicious activity that shows that an attacker or malware has used a lot of system resources, such as CPU, memory, disk space, or bandwidth, affecting the performance or availability of the system. Impossible travel is an indicator of malicious activity that shows that an attacker or malware has used an account from two different locations or devices within a short time span, indicating a possible compromise or impersonation.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
341
Q

Question 71:

Kelly Innovations LLC has identified a vulnerability in one of its systems. However, due to a critical ongoing project, the IT team decides it's not the right time to apply the recommended fix. Which of the following strategies is the MOST appropriate for Kelly Innovations LLC to implement?

Increase cybersecurity training for employees

Conduct a penetration test

Implement a vulnerability exception

Migrate all data to another system

A

Correct answer

Implement a vulnerability exception

Overall explanation

OBJ 4.3: Exceptions in vulnerability response and remediation allow organizations to delay or avoid certain remediation actions due to specific reasons, often with an understanding of the associated risks. While important, training doesn't act as a substitute for addressing a known vulnerability. Migrating all data to another system is a drastic measure and doesn't specifically address the identified vulnerability in the original system. Penetration testing helps identify vulnerabilities, but doesn't provide an alternative to the remediation of an already identified vulnerability.

Domain

4.0 - Security Operations
342
Q

Question 72:

A hacktivist group targets a government website, flooding it with traffic to take it offline. They claim responsibility for the attack, stating that their goal is to protest the government's new policies that they view as oppressive and harmful to civil liberties. What is the primary motivation for this attack?

Service Disruption

Financial Gain

Blackmail

Philosophical Beliefs

A

Correct answer

Philosophical Beliefs

Overall explanation

OBJ 2.1 - The primary motivation for this attack is philosophical beliefs. Hacktivist groups often act based on political or ideological motivations, aiming to promote or protest certain causes. In this case, the group is protesting government policies they believe infringe on civil liberties. This type of motivation differs from financial gain, as there is no monetary incentive, and it is also distinct from service disruption and blackmail, as the intent is not merely to disrupt or extort but to make a public statement aligned with their beliefs.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
343
Q

Question 73:

Which of the following techniques involves maintaining a log of all transactions and changes, allowing a system to recover to the exact point of failure after a crash?

Incremental backups

Replication

Snapshots

Journaling

A

Correct answer

Journaling

Overall explanation

OBJ 3.4: Journaling keeps track of all transactions and changes that occur within a system. In the event of a crash or failure, this record allows for precise recovery to the moment before the disruption. Snapshots provide a way to capture the system's state at a specific moment in time. They can be used for quick recoveries but don't track continuous transactional changes like journaling. Incremental backups save only the changes made since the last backup, whether it's a full or incremental one. They help in faster recovery but don't maintain a continuous transactional log. Replication ensures that data is duplicated in real-time or near real-time to a secondary location. While it offers high availability, it does not maintain a transactional log for recovery to a specific point.

Domain

3.0 - Security Architecture
344
Q

Question 74:

When evaluating different architecture models, which of the following factors is MOST crucial to consider in terms of compute considerations for security optimization?

Geographical distribution

Resource allocation and scalability

Deployment frequency of instances

Cost-effectiveness of the service

A

Correct answer

Resource allocation and scalability

Overall explanation

OBJ: 3.1 - Compute considerations encompass the ability of an architecture to allocate resources efficiently and scale as needed. Efficient resource management is vital for handling varying workloads, especially during high-demand scenarios, which can also be targets for attacks. Although cost considerations are essential, they don't specifically address the compute capacity and efficiency of an architecture from a security perspective. While frequent deployments might suggest active development and possibly security updates, it does not directly relate to the compute capabilities of an architecture. While distributing resources geographically can enhance availability and potentially security, it doesn't inherently convey the compute strengths or weaknesses of an architecture model.

Domain

3.0 - Security Architecture
345
Q

Question 75:

Mary works at Kelly Innovations LLC, where she is tasked with developing and testing new software releases. She is looking at updating the backup system since she noticed that sometimes they need to revert to a previous build several times a day due to unexpected issues. Which backup frequency would be the most appropriate for her to implement?

Weekly full backups

Daily incremental backups

Differential backups

Continuous backups

A

Correct answer

Continuous backups

Overall explanation

OBJ 3.4: Due to the frequent changes and the unpredictability of software builds, continuous backups would ensure that all versions of the software are retained, allowing Mary to revert quickly. Saving data changed since the last full backup (differential backups) wouldn't be efficient given the multiple changes throughout the day. With software builds changing rapidly, a weekly backup could result in significant data and version losses. Capturing all the changes made since the last backup at the end of the day (daily incremental backups) might not be sufficient, as several versions could be lost.

Domain

3.0 - Security Architecture
346
Q

Question 76:

What security awareness practice involves conducting simulated email attacks to educate employees about recognizing and responding to phishing attempts?

Anomalous behavior recognition

Phishing campaigns

Reporting and monitoring

User guidance and training

A

Correct answer

Phishing campaigns

Overall explanation

OBJ: 5.6 - This security awareness practice involves conducting simulated email attacks, often referred to as phishing simulations, to educate employees about recognizing and responding to phishing attempts. In these simulated attacks, employees receive fake phishing emails designed to mimic real-world phishing attempts. The goal is to test employees' ability to identify phishing emails, avoid falling for deception, and report suspicious messages. User guidance and training in security awareness refer to the process of providing employees with information, policies, and best practices related to cybersecurity. This practice includes educating employees through policy handbooks, training sessions, and situational awareness exercises to promote a security-conscious culture. Anomalous behavior recognition is a security awareness practice that focuses on educating employees about recognizing unusual or unexpected behavior that may indicate a security threat. It involves teaching employees to identify risky, unexpected, or unintentional actions that deviate from normal patterns of behavior within the organization. Reporting and monitoring are key aspects of security awareness practices. Reporting involves encouraging employees to report suspicious activities, potential security incidents, or phishing attempts. Monitoring is performed to assess the effectiveness of security awareness initiatives and to identify potential weaknesses or areas for improvement.

Domain

5.0 - Security Program Management and Oversight
347
Q

Question 77:

Which of the following BEST describes the term 'web reputation score'?

The website's SSL/TLS certification status

Assessment of a website's trustworthiness

Popularity and frequency of website visitation

The loading speed and mobile optimization of a website

A

Correct answer

Assessment of a website's trustworthiness

Overall explanation

OBJ 4.5 - A web reputation score provides an evaluation of a site based on various criteria to gauge its reliability and potential security risks. Popularity and frequency of website visitation mainly reflect how often users visit a site or how well-known it is, rather than its inherent safety. While SSL/TLS certifications are an aspect of website security, they are just one of many factors that can influence a website's reputation. The loading speed and mobile optimization of a website relate to the user experience and the performance of a website, not necessarily its security or trustworthiness.

Domain

4.0 - Security Operations
348
Q

Question 78:

Which of the following is a corrective control?

Security Awareness Training

Restoring Data from Backups

Motion Sensor Lighting

Implementing a Firewall

A

Correct answer

Restoring Data from Backups

Overall explanation

OBJ 1.1 - Restoring data from backups is a corrective control because it addresses data loss by bringing the system back to its original state after an incident. In contrast, security awareness training is a preventive control, aiming to stop incidents before they happen by educating users. Implementing a firewall is also preventive, serving as a barrier to unauthorized access. Motion sensor lighting, meanwhile, acts as a deterrent control intended to discourage unauthorized access rather than to correct issues after they occur.

Domain

1.0 - General Security Concepts
349
Q

Question 79:

Sasha often travels for work. Her company's secure system detects her login attempts based on her geographical location, allowing access only if she's logging in from an approved country. This system considers which factor of multi-factor authentication?

Something you have

Something you know

Something you do

Somewhere you are

A

Correct answer

Somewhere you are

Overall explanation

OBJ 4.6 - Somewhere you are considers the geographical location or network from which an access request originates. Something you do relates to behavioral attributes, like signature patterns or keystrokes. Something you know pertains to knowledge-based information, like passwords or PINs. Something you have pertains to having a physical device or token Lily might possess, not her location.

Domain

4.0 - Security Operations
350
Q

Question 80:

In a large organization dealing with sensitive data, the security team wants a way to provide temporary access credentials to privileged users, such as system administrators. This access should be granted for a short duration and should automatically expire after its intended use. Which method should the organization use for this requirement?

Password vaulting

Ephemeral credentials

Static access tokens

PKI

A

Correct answer

Ephemeral credentials

Overall explanation

OBJ 4.6 - Ephemeral credentials are temporary and are typically generated on the fly for a specific purpose, reducing the risk of credential misuse or compromise. Password vaulting involves storing passwords securely, usually with encryption, and doesn't directly provide time-bound access. While Public Key Infrastructure (PKI) provides a framework for secure communications and digital signatures, it does not inherently offer temporary or short-lived credentials. Static access tokens are persistent and do not change unless manually revoked or reset, making them more susceptible to compromise if not properly managed.

Domain

4.0 - Security Operations
351
Q

Question 81:

In an environment utilizing ICS, which of the following aspects is critical to assess, given that certain components might not allow modifications for security improvements?

Inability to Patch

Ease of Recovery

Risk Transference

Ease of Deployment

A

Correct answer

Inability to Patch

Overall explanation

OBJ 3.1 - In Industrial Control Systems (ICS), the inability to patch is a significant concern due to several inherent challenges. Many ICS components are designed to be immutable for stability in critical processes, rendering modifications or updates impossible. Additionally, these systems often rely on continuous operation and use proprietary, sometimes legacy, components, making downtime for updates impractical and vendor-dependent patch availability challenging. This inability to apply timely security updates leaves ICS environments vulnerable to known exploits, potentially compromising system integrity, safety, and production. Risk transference refers to the sharing or moving of risk to another party. Having older components in a system may create a need for risk transference, but risk transference is a solution to a security concern and is not as much of a factor as an inability to patch. Ease of deployment refers to how easy it is to install and implement a system, which may affect older components, but is not a security concern. Ease of recovery considers how easily a system can be put back online after failure. While older components might impact the ease of recovery, that will probably not be the result of not allowing modifications.

Domain

3.0 - Security Architecture
352
Q

Question 82:

Jamario, the CISO of Dion Training Solutions, noticed that many employees were using simple passwords that were easy to guess. He wants to improve the security of employee accounts. What would be the MOST effective method to enhance password security against brute force attacks?

Implementing a policy for longer passwords

Regularly updating firewall rules

Using encrypted communication channels

Switching to biometric authentication

A

Correct answer

Implementing a policy for longer passwords

Overall explanation

OBJ 4.6 - Longer passwords inherently increase the number of potential combinations, making brute force attacks more time-consuming and less likely to succeed. While biometrics can improve security, they don't directly address the issue of weak passwords susceptible to brute force attacks. Updating firewall rules is essential for network security but doesn't directly affect the strength of passwords. Encrypting data during transmission is crucial but won't prevent brute force attacks on weak passwords.

Domain

4.0 - Security Operations
353
Q

Question 83:

Which of the following terms refers to the predefined level of risk that an organization is willing to accept before taking action?

Risk limit

Risk tolerance

Risk threshold

Risk level

A

Correct answer

Risk threshold

Overall explanation

OBJ 5.2 - A risk threshold is the limit of acceptable risk that an organization establishes, which, once exceeded, triggers a response to reduce the risk to an acceptable level. Risk limit is not a commonly used term within risk management to define a predefined level of acceptable risk. Risk tolerance refers more broadly to an organization's or individual's willingness to take on risk, not the specific predefined level for taking action. Risk level refers to the severity or high/low ranking of a risk, not the predefined acceptance level.

Domain

5.0 - Security Program Management and Oversight
354
Q

Question 84:

Dion Training has implemented fixes for buffer overflow vulnerabilities in their application. To validate the effectiveness of their remediation efforts, which approach should be considered?

Contracting a cybersecurity firm for targeted vulnerability assessments

Subscribing to a threat intelligence feed for real-time updates

Checking the system's current performance metrics post-fix

Training the in-house IT team about buffer overflow prevention

A

Correct answer

Contracting a cybersecurity firm for targeted vulnerability assessments

Overall explanation

OBJ 4.3 - A specialized assessment by a third party can evaluate specific fixes, such as those for buffer overflows, ensuring they've been effectively addressed. While threat intelligence is valuable, it isn't a direct method to validate remediation of specific vulnerabilities. Training is essential but does not directly measure the effectiveness of applied fixes for existing vulnerabilities. Performance metrics might indicate system health, but they do not directly review the remediation of buffer overflow issues.

Domain

4.0 - Security Operations
355
Q

Question 85:

When implementing a virtualization solution, which of the following considerations is essential to ensure that the virtual machines have sufficient resources to perform tasks efficiently?

Compute Resources

Containerization

Air-Gapping

Ease of Deployment

A

Correct answer

Compute Resources

Overall explanation

OBJ 3.1 - Compute resources, encompassing CPU, memory, and storage, are fundamental in virtualized environments, acting as the backbone that ensures virtual machines (VMs) operate efficiently and meet the demands of various applications and services. Ease of deployment assesses how easily a system can be set up but does not directly ensure sufficient resources for virtual machines in virtualization. While air-gapped systems offer high security, they don't directly impact the allocation of resources to virtual machines for efficient performance. Containerization packages an application into a lightweight, standalone, executable unit but doesn't directly measure resource allocation to virtual machines.

Domain

3.0 - Security Architecture
356
Q

Question 86:

Which of the following statements BEST describes the importance of compensating controls in vulnerability management?

Compensating controls are deployed to slow down the performance of the system and therefore deter potential hackers

Compensating controls are designed to provide companies methods for not mitigating vulnerabilities

Compensating controls are used to increase the complexity of the system, making intrusion attempts more difficult

Compensating controls provide alternative security measures when primary controls are not feasible or effective

A

Correct answer

Compensating controls provide alternative security measures when primary controls are not feasible or effective

Overall explanation

OBJ 4.3 - Compensating controls are designed to provide alternative security measures when the primary controls cannot be deployed or are not effective. These controls help mitigate the risks posed by vulnerabilities and enhance the overall security posture. While compensating controls can add layers that might increase the complexity for potential intruders to navigate, their primary aim is not to make the system more complex but to provide alternative, effective security measures when primary controls fail or are not feasible. Slowing down the system performance is not an objective of compensating controls and would generally be seen as counterproductive. The purpose of compensating controls is to maintain security, not to impact system performance negatively. Compensating controls are not designed to provide companies with methods for not mitigating vulnerabilities. Instead, they are implemented as additional protections to improve security when primary controls are lacking or ineffective.

Domain

4.0 - Security Operations
357
Q

Question 87:

Kelly Innovations LLC, an e-commerce website, experienced a sudden spike in its incoming traffic. The website's logs showed that thousands of requests were being sent per second, originating from just a handful of IP addresses. However, upon further analysis, it was revealed that the request packets contained IP addresses that were not part of the originating addresses. The server quickly became overloaded, preventing access to legitimate users. Which of the following types of malicious activities is BEST described in this scenario?

Amplified DDoS attack

Malware infection

Reflected DDoS attack

Brute force attack

A

Correct answer

Amplified DDoS attack

Overall explanation

OBJ 2.4 - By exploiting vulnerabilities in certain protocols, attackers can send a small request to a server, prompting it to reply with a much larger response, creating an amplified DDoS attack. The attacker uses a forged source IP (the victim's IP), causing the server's amplified response to flood the victim. The fact that the incoming requests to the website have IP addresses different from the originating ones hints at an amplification tactic. While malware can result in various forms of attack, the specific pattern of a massive amount of traffic originating from a few IPs indicates DDoS amplification. In reflected DDoS attacks, the attacker sends requests to third-party servers with a forged source IP address (the victim's IP), causing those servers to send responses to the victim. While it involves using a victim's forged IP, the sheer volume from just a few addresses suggests amplification more than reflection. In a brute force attack, the attacker attempts multiple logins to gain unauthorized access; it is not associated with overwhelming traffic from a few IP addresses.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
358
Q

Question 88:

Kelsi is browsing an online shopping website that sells various products. She adds some items to her shopping cart and proceeds to checkout. She enters her credit card information, double-checks that the credit card information is correct, then clicks on the confirm button. She then receives an email from her bank informing her that her credit card has been charged, but the amount she is charged is more than she expected. She checks her online banking account and sees that there are several transactions that she did not authorize. What type of web-based vulnerability has she likely encountered?

Structured Query Language injection (SQLi)

Malicious update

Buffer overflow

Cross-site scripting (XSS)

A

Correct answer

Cross-site scripting (XSS)

Overall explanation

OBJ 2.3 - XSS is a web-based vulnerability that occurs when an attacker injects malicious code into a web page that is then executed by the browser of a user who visits the page. The code can steal cookies, session tokens, or other sensitive information from the user or the web server. Kelsi has likely encountered an XSS vulnerability that allowed the attacker to steal her credit card information and make unauthorized transactions. Buffer overflow is an application-based vulnerability that occurs when a program does not properly check the size of the input data and tries to store more data than the memory allocated to it can hold. The excess data can overwrite the adjacent memory and cause the program to crash or execute arbitrary code. It isn't likely that Kelsi has encountered a buffer overflow vulnerability, as she checked the information she entered and it was correct. SQLi is a web-based vulnerability that occurs when an attacker injects malicious SQL statements into a database query that is then executed by the database server. The statements can manipulate or extract data from the database, or execute commands on the server. Kelsi has not encountered an SQLi vulnerability, as she did not enter any information in SQL. A malicious update is an application-based attack that involves replacing a legitimate update for a program with a malicious one. The attacker can compromise the program, steal data, or perform other malicious actions. Kelsi has not encountered a malicious update, as she did not update any program, but rather entered her credit card information on a web page.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
359
Q

Question 89:

With regard to US regulations, which legislation is a high-profile example of "horizontal" personal data regulation, similar in approach to the GDPR?

CCPA

PCI DSS

GLBA

FISMA

A

Correct answer

CCPA

Overall explanation

OBJ 5.1 - The CCPA (California Consumer Privacy Act) is state legislation that provides comprehensive data protection rights to consumers, much like the GDPR. It's considered "horizontal" as it applies across sectors. FISMA (Federal Information Security Management Act) governs the security of data processed by federal government agencies, but it doesn't have the broad, cross-sector personal data protections seen in GDPR or CCPA. GLBA (Gramm-Leach-Bliley Act) is more of a "vertical" regulation as it targets a specific sector, the financial services industry, rather than applying broadly across various industries. PCI DSS (Payment Card Industry Data Security Standard) is an industry-mandated standard for the safe handling and storage of credit card information, not a horizontal personal data regulation.

Domain

5.0 - Security Program Management and Oversight
360
Q

Question 90:

Horizon Security, a cybersecurity training company, experienced a data breach due to a vendor's negligence. This breach led to a significant loss of sensitive customer information. Which type of consequence is Horizon MOST likely to face immediately?

Sanctions

Loss of license

Reputational damage

Fines

A

Correct answer

Reputational damage

Overall explanation

OBJ 5.4 - Reputational damage refers to the potential harm or negative impact on Horizon's reputation due to its failure to comply with data protection regulations. As a result of the data breach, customers may come to believe that Horizon doesn't know enough about cybersecurity to protect its customers and/or prevent a breach. Its reputation in the cybersecurity training industry may be tarnished. Loss of license could be a consequence of non-compliance in certain industries. However, in this scenario, Horizon did not commit the negligence, so they are not likely to lose any licenses they may have. Sanctions are also potential penalties for non-compliance, but they are typically more severe and may include restrictions or limitations on the company's operations. However, in this scenario, Horizon did not commit the negligence, so they are not likely to face sanctions unless they are located in a country that has laws regarding sanctions for any data breach regardless of responsibility. Fines are penalties imposed by regulatory authorities for non-compliance with data protection regulations. However, in this scenario, Horizon did not commit the negligence, so they are not likely to face fines unless they are located in a country that has laws regarding fines for any data breach regardless of responsibility.

Domain

5.0 - Security Program Management and Oversight
361
Q

Question 1:

Which of the following terms refers to a strategy combining espionage, disinformation, hacking, and the use of diplomatic assets often executed by state actors?

Soft power

Cyber diplomacy

Counterintelligence operations

Hybrid warfare

A

Correct answer

Hybrid warfare

Overall explanation

OBJ 2.2 - Hybrid warfare is a strategy where state actors use a mix of espionage, disinformation, hacking, and soft power to achieve their objectives, offering a multifaceted approach to conflict. Cyber diplomacy deals with the management of international relations in the digital realm, not necessarily the multifaceted approach of hybrid warfare. While soft power is a component of hybrid warfare, by itself it refers to using diplomatic and cultural assets to influence others and doesn't include espionage or hacking. Counterintelligence operations focus on preventing adversaries from obtaining secret information and do not encompass a broad range of strategies like hybrid warfare.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
362
Q

Question 2:

Which of the following statements BEST explains the importance and security implications of ownership concerning hardware, software, and data asset management?

Ownership establishes accountability, reducing insider threat risks

Ownership ensures easy asset identification during audits and reduces unauthorized access risk

Ownership facilitates physical security by determining asset location, preventing theft

Ownership documentation aids in budget allocation for security measures

A

Correct answer

Ownership establishes accountability, reducing insider threat risks

Overall explanation

OBJ 4.2 - Assigning ownership to individuals or departments is crucial for accountability, as it encourages responsible asset use and reduces insider threat risks by making individuals accountable for security measures. Physical security is related to asset location, but it isn't the main purpose of ownership in security accountability. Asset identification supports inventory management but doesn't directly enhance security or accountability. Budget allocation through ownership documentation is essential for financial planning but does not address security implications directly.

Domain

4.0 - Security Operations
363
Q

Question 3:

A company operates in a regulated industry and chooses to minimize risks to comply with strict standards, focusing more on maintaining stable operations than pursuing rapid expansion. Which risk appetite best describes this approach?

Expansionary

Conservative

Neutral

Aggressive

A

Correct answer

Conservative

Overall explanation

OBJ 5.2 - The company's approach aligns with a conservative risk appetite, as it prioritizes stability and compliance over expansion. An expansionary appetite would seek high-risk growth opportunities, which contradicts the company's cautious stance. A neutral risk appetite would balance growth and stability, while an aggressive appetite would also lean toward high-risk, high-reward strategies, unlike the company's conservative focus.

Domain

5.0 - Security Program Management and Oversight
364
Q

Question 4:

What type of threat actor is motivated by political beliefs and often targets organizations they disagree with?

Unskilled Attackers

Hacktivists

Nation-state Actors

Insider Threats

A

Correct answer

Hacktivists

Overall explanation

OBJ 2.1 - A hacktivist is a threat actor that is motivated by philosophical or political beliefs and often targets organizations or governments that they disagree with. Hacktivists may use methods such as defacement, denial-of-service, or data leakage to achieve their goals. They hope defacement and data leaks will discredit the target organizations or governments. Denial-of-service attacks will prevent the organizations and governments from communicating and functioning. Nation-state actors are a type of threat actor that is sponsored by a government or a military and are motivated by gaining information through espionage, conducting warfare, or gaining influence. Nation-state actors may target other countries, organizations, or individuals that pose a threat to or have different interests than the government that sponsors them. Insider threats are threat actors that have authorized access to an organization's network, systems, or data. They are often current or former employees who are motivated by revenge, greed, or ideology. Insider threats may abuse their privileges, leak information, sabotage operations, or collaborate with external actors in order to undermine an organization. Unskilled attackers are threat actors that have little or no technical skills and are motivated by curiosity, boredom, or personal gain. Unskilled attackers may use tools or scripts developed by others to launch attacks without understanding how they work.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
365
Q

Question 5:

Which of the following statements BEST explains the function of an 'exposure factor' in the context of vulnerability management?

An exposure factor refers to the time required to detect and respond to a security incident

An exposure factor evaluates the level of vulnerability in an organization's network infrastructure

An exposure factor helps organizations assess the monetary impact of a security breach

An exposure factor measures the likelihood of a vulnerability being exploited

A

Correct answer

An exposure factor helps organizations assess the monetary impact of a security breach

Overall explanation

OBJ 4.3 - An exposure factor measures the proportion of an asset's value that would be lost if a vulnerability is exploited. It is essential for organizations to assess the potential impact of specific vulnerabilities and prioritize remediation efforts accordingly. A higher exposure factor indicates a greater potential loss and may require urgent attention. It is important to note that the exposure factor does not evaluate the likelihood of exploitation, the level of vulnerability, or the time required for incident response. Instead, it quantifies the monetary impact of a potential security breach, playing a crucial role in risk management calculations like Annualized Loss Expectancy (ALE).

Domain

4.0 - Security Operations
366
Q

Question 6:

Disabling which of the following ports can help prevent the exposure of a commonly used mail transport service, thus reducing the likelihood of mail relay attacks?

Port 80

Port 25

Port 22

Port 3389

A

Correct answer

Port 25

Overall explanation

OBJ 2.5 - Port 25 is used by Simple Mail Transfer Protocol (SMTP) for email transmission. Disabling this port on machines not intended for mail services can help prevent potential mail relay attacks. Port 80 is used by Hypertext Transfer Protocol (HTTP) for transferring web pages on the internet; it's unrelated to mail transport services. Port 22 is associated with the Secure Shell (SSH) protocol used for secure logins, file transfers, and port forwarding; it's not directly related to mail transport services. Port 3389 is used by Remote Desktop Protocol (RDP) for connecting to and controlling remote Windows machines. Disabling it prevents unauthorized remote access but isn't directly related to email transmission.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
367
Q

Question 7:

Schyler is a network administrator who is setting up a new Wi-Fi network for a branch of a multinational corporation. She is currently in the 'establish' phase of creating secure baselines. What will she do FIRST in this phase?

Conduct a vulnerability assessment to check the security of the newly set up Wi-Fi network

Check for and install the latest updates for the network routers and access points

Design a set of security configurations including encryption settings, firewalls, and access controls

Set up system logs for future auditing and incident detection

A

Correct answer

Design a set of security configurations including encryption settings, firewalls, and access controls

Overall explanation

OBJ 4.1 - During the establish phase of secure baselines, a set of initial configurations which include security controls such as encryption, firewalls, and access controls is designed and implemented. This baseline ensures a specific standard of security is adhered to when the system is set up. Conducting a vulnerability assessment is an essential process to identify any potential weaknesses, but it is generally executed after establishing a secure baseline to test its effectiveness and is part of the evaluate/assess phase. Checking for and installing the latest updates is important for keeping the network secure, but it is part of the operation/maintenance phase rather than establishing a secure baseline. While setting up logs is a crucial part of maintaining security, this step is usually associated with the operation/maintenance phase and ongoing security processes.

Domain

4.0 - Security Operations
368
Q

Question 8:

Which of the following terms refers to a critical predictive metric that organizations monitor to foresee potential risks and their impact on operations?

Risk metrics

Risk threshold

Key risk indicators

Risk parameters

A

Risk metrics

Risk threshold

Correct answer

Key risk indicators

Your answer is incorrect

Risk parameters

Overall explanation

OBJ: 5.2 - KRIs are metrics that provide early warnings of increasing risk exposures, enabling organizations' leadership to manage these risks proactively. Risk metrics are quantitative measures of risk but do not specifically refer to the predictive indicators used for monitoring potential risks. Risk parameters are specific variables used within risk assessment processes, not predictive indicators. A risk threshold is the defined level of risk an organization is willing to accept, not a predictive indicator.

For support or reporting issues, include Question ID: 654903747939ad97e063adb5 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
369
Q

Question 9:

Which of the following terms is used to describe a situation where a security system or tool incorrectly flags an action or event as malicious or harmful, even though it's actually benign?

False positive

Penetration testing

False negative

Package monitoring

A

Correct answer

False positive

Penetration testing

False negative

Your answer is incorrect

Package monitoring

Overall explanation

OBJ 4.3: A false positive occurs when a security measure mistakenly identifies a legitimate action as malicious or a threat, potentially leading to unnecessary corrective actions or alerts. A false negative arises when a security system fails to detect a genuine threat or malicious action, allowing potentially harmful activities to continue without intervention. Penetration testing is a simulated cyberattack against a system to identify exploitable vulnerabilities, using both automated tools and manual techniques. Package monitoring involves keeping track of software packages for updates or changes, ensuring they're secure and don't contain vulnerabilities, crucial in environments with many dependencies.

For support or reporting issues, include Question ID: 6541c682aa9d07484f12ad06 in your ticket. Thank you.

Domain

4.0 - Security Operations
370
Q

Question 10:

During a routine audit, Enrique, a cybersecurity specialist at Kelly Innovations LLC, noticed that a specific software module was crashing unexpectedly. While inspecting further, he discovered multiple requests that contained exceedingly long strings of characters without any discernible patterns. These strings, when processed, seemed to disrupt the normal execution of the application and caused unexpected behavior. Which of the following BEST defines the type of attack Enrique observed on Kelly Innovations LLC's software application?

Parameter tampering

Denial of service (DoS)

Buffer overflow

Cross-site scripting (XSS)

A

Parameter tampering

Denial of service (DoS)

Your answer is correct

Buffer overflow

Cross-site scripting (XSS)

Overall explanation

OBJ: 2.4 - Buffer overflow attacks occur when an application receives more data than it is allocated to handle, causing the excess data to overflow into adjacent memory locations. This can lead to application crashes or potentially allow an attacker to execute arbitrary code. DoS attacks aim to make a system or network resource unavailable by overwhelming it with traffic. While it can cause system disruptions, it doesn't operate through buffer overflows. Cross-site scripting attacks involve embedding malicious scripts into web content. These scripts are executed by unsuspecting users but are unrelated to overflowing application memory buffers. Parameter tampering focuses on altering existing data parameters to change the application's expected behavior. While it involves meddling with data input, it doesn't directly cause memory overflows, as seen in Enrique's observations.

For support or reporting issues, include Question ID: 6527f2721e1f5a429569b17e in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
371
Q

Question 11:

The Johnson Group, a forensics laboratory, has implemented a comprehensive security awareness program to educate its employees about cybersecurity best practices. As part of this program, they planned and created simulated phishing emails. Now, they have entered the execution phase of the program. What will the Johnson Group do in the execution phase?

Educate employees about best practices for avoiding phishing

Develop security policies and handbooks

Send out simulated phishing emails to employees

Analyze data and results from phishing campaigns

A

Educate employees about best practices for avoiding phishing

Develop security policies and handbooks

Your answer is correct

Send out simulated phishing emails to employees

Analyze data and results from phishing campaigns

Overall explanation

OBJ: 5.6 - During the execution phase, the cybersecurity team at the Johnson Group will send out simulated phishing emails to employees as part of their planned phishing campaigns. This practice aims to raise employees' awareness about potential phishing attempts and help them recognize and respond appropriately to such threats. Password management training is an essential component of the security awareness program, but it falls under the user guidance and training phase. In the execution phase, the focus is on implementing the planned activities, such as phishing campaigns, rather than specific training topics. After executing the phishing campaigns, the cybersecurity team will analyze the data and results to evaluate the effectiveness of the program. They will review how employees responded to the simulated phishing emails and use this information to identify areas for improvement and further training. The development of security policies and handbooks was part of the earlier phase in the security awareness program. It involved creating materials to educate employees about security policies and procedures.

For support or reporting issues, include Question ID: 64c3528b006636d14b206136 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
372
Q

Question 12:

Enrique is making a detailed list of every application installed on Dion Training's server. Which of the following tasks BEST describes Enrique's task?

Software enumeration

Risk assessment

Network mapping

Patch management

A

Correct answer

Software enumeration

Risk assessment

Network mapping

Your answer is incorrect

Patch management

Overall explanation

OBJ 4.2: Software enumeration focuses on identifying and cataloging every software component present on a particular system. It aids in understanding the software landscape and helps in making informed decisions related to software asset management. Network mapping is the process of creating a visual representation or layout of the network infrastructure. While it provides a detailed overview of network connections and devices, it does not concern itself with listing individual software. Patch management centers around the practice of updating software components with patches to address vulnerabilities or bugs. It ensures that software is up-to-date and secure but does not involve creating a list of software installations. Risk assessment is a comprehensive evaluation of potential threats and vulnerabilities in a system or process. While it may take into account the software present, its primary goal isn't to list them but to assess potential risks associated with them.

For support or reporting issues, include Question ID: 651ee4e11f74c79745701b06 in your ticket. Thank you.

Domain

4.0 - Security Operations
373
Q

Question 13:

Which of the following terms refers to the characteristic of a system that ensures minimal disruption in service?

High availability

Scalability

Responsiveness

Ease of recovery

A

Correct answer

High availability

Scalability

Responsiveness

Your answer is incorrect

Ease of recovery

Overall explanation

OBJ: 3.1 - High availability refers to the characteristic of a system or service that ensures minimal downtime or disruption. Ease of recovery refers to the ability to restore a system or service to its normal state after a failure or disruption. It does not refer to the characteristic of a system or service that ensures minimal downtime or disruption in the event of a failure. Scalability refers to the ability of a system or service to handle increased workload without degrading performance or reliability. It does not refer to the characteristic of a system or service that ensures minimal downtime or disruption in the event of a failure. Responsiveness refers to the speed at which a system or service responds to user requests or inputs. It does not refer to the characteristic of a system or service that ensures minimal downtime or disruption in the event of a failure.

For support or reporting issues, include Question ID: 64bf7cdd36d60a80485bad43 in your ticket. Thank you.

Domain

3.0 - Security Architecture
374
Q

Question 14:

Which of the following terms refers to computer systems that are integrated into larger, often more complex devices?

SDNs

Serverless

Microservices

Embedded systems

A

SDNs

Serverless

Microservices

Your answer is correct

Embedded systems

Overall explanation

OBJ: 3.1 - Embedded systems are computer systems that are integrated into larger devices or machines, such as cars, medical devices, or cameras. Embedded systems can perform specific functions with minimal user interaction, but they also pose security risks such as firmware vulnerabilities, outdated software, or physical tampering. Microservices is an architecture model that involves deploying applications as independent services that communicate with each other. It does not refer to computer systems that are integrated into larger devices or machines. Serverless is an architecture model that involves running code without provisioning or managing servers. It does not refer to computer systems that are integrated into larger devices or machines. Software-defined networking (SDN) is an architecture model that involves using software to dynamically configure and manage network resources. It does not refer to computer systems that are integrated into larger devices or machines.

For support or reporting issues, include Question ID: 64bf79195ff7b41f675e4235 in your ticket. Thank you.

Domain

3.0 - Security Architecture
375
Q

Question 15:

Which of the following terms describes a type of risk assessment carried out on an as-needed basis, often in response to new, immediate threats or significant changes within an organization?

Recurring

One-time

Ad hoc

Continuous

A

Recurring

One-time

Correct answer

Ad hoc

Your answer is incorrect

Continuous

Overall explanation

OBJ: 5.2 - Ad hoc assessments are performed as necessary, often triggered by specific events or detected threats, providing flexibility in the risk management process. While one-time assessments provide a comprehensive snapshot at a specific point, they are not typically conducted in response to immediate or new threats. Continuous assessments offer real-time monitoring but are part of an ongoing process rather than an as-needed response to particular events. Recurring assessments happen at regular intervals and, although they help maintain security posture, they are not specifically designed to respond to sudden incidents.

For support or reporting issues, include Question ID: 6548742d758b2ddd586d0fc9 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
376
Q

Question 16:

Upon returning from vacation, Vanessa noticed that her workstation seemed slower than usual. Not only were applications lagging, but there were also instances when scripts would momentarily appear and vanish from her screen. Concerned, she ran her antivirus software, but it didn't detect any malicious files. Puzzled, she decided to consult her company's cybersecurity team. They initiated a deep dive and found that the system was running a series of unusual command line tasks, and there was evidence of unauthorized WMI queries. They also observed that some of the tasks appeared to be initiated by a host process, yet no associated files were detected on the disk. Which of the following types of malware is MOST likely responsible for the oddities on Vanessa's workstation?

Rootkit

Fileless Malware

Adware

Ransomware

A

Rootkit

Your answer is correct

Fileless Malware

Adware

Ransomware

Overall explanation

OBJ: 2.4 - Fileless malware is characterized by its evasion techniques, utilizing legitimate system processes and tools, and running directly in memory without writing files to the disk. The evidence of command line tasks and unauthorized WMI queries, combined with the absence of suspicious files, points towards Vanessa's workstation being compromised by fileless malware. Rootkits aim to provide unauthorized access to a computer or areas of its software. While they can be stealthy, the primary symptoms Vanessa described don't match the typical signs of a rootkit infection. Adware primarily focuses on delivering unwanted advertisements to users. There's no indication in the scenario that Vanessa is being bombarded with ads. Ransomware typically locks up files or systems and demands payment for their release. Vanessa hasn't mentioned any encryption or ransom demands related to her workstation.

For support or reporting issues, include Question ID: 652820a1d631f5bd4a085cf4 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
377
Q

Question 17:

Given the need for resilience and the ability to recover in a security architecture, which of the following devices ensures uninterrupted operation during a power outage?

Voltage regulator

UPS

Onsite/offsite backups

Power strip

A

Voltage regulator

Correct answer

UPS

Onsite/offsite backups

Your answer is incorrect

Power strip

Overall explanation

OBJ 3.4: An uninterruptible power supply (UPS) is a device that provides emergency power to a load when the input power source fails, thus ensuring continuous operation. While onsite and offsite backups ensure data preservation, they don't guarantee power supply during a power loss. A voltage regulator ensures that the voltage supplied to a device remains constant, even if there are fluctuations in the power source. However, it does not provide backup power during an outage. A power strip allows for multiple devices to be plugged in simultaneously; it does not provide any form of power backup or protection against outages.

For support or reporting issues, include Question ID: 64c19f6612b4631e4788b43d in your ticket. Thank you.

Domain

3.0 - Security Architecture
378
Q

Question 18:

Jamario, a network technician at Kelly Innovations LLC, is setting up a new server. He wants to ensure that users can access unencrypted web pages on the server and transfer files to and from it. Jamario should ensure which of the following ports are open? (Select TWO)

445

25

21

443

80

22

A

445

25

Correct selection

21

Your selection is incorrect

443

Correct selection

80

22

Overall explanation

OBJ 4.5: Port 21 is used for the File Transfer Protocol (FTP); opening this port will allow users to transfer files to and from the server. Port 80 is the standard port for serving HTTP web pages; opening this port allows users to access web pages on the server using their browsers. Port 25 is used for the Simple Mail Transfer Protocol (SMTP); this would be necessary if users were to send emails through the server. Port 445 is associated with the Server Message Block (SMB) protocol, which enables sharing of network resources like files and printers. While port 443 is used for serving secure web pages over HTTPS, Jamario's scenario does not specify the need for HTTPS. Therefore, it's not essential for the tasks mentioned. Port 22 is for secure shell (SSH) access; Jamario's scenario does not mention the need for remote secure access to the server. Thus, it's not a required port for the specified tasks.

For support or reporting issues, include Question ID: 654320346491794aff7fb0aa in your ticket. Thank you.

Domain

4.0 - Security Operations
379
Q

Question 19:

Reed, a CTO at Dion Training Solutions, is concerned about potential threats like malware command and control as well as data exfiltration from user traffic. Which solution would be MOST effective in filtering URLs that appear on content deny lists and applying time-based restrictions while also performing threat analysis for user traffic?

Implementing a standalone DLP system

Implementing a SWG

Using only a NGFW

Using a content filter

A

Implementing a standalone DLP system

Correct answer

Implementing a SWG

Your answer is incorrect

Using only a NGFW

Using a content filter

Overall explanation

OBJ 4.5: Secure web gateways (SWGs) are tailored to handle user traffic and can filter URLs based on content blacklists. They also provide threat analysis and integrate features like DLP and CASB to guard against various unauthorized egress threats. Data loss prevention (DLP) systems are focused on preventing data breaches, but they don't offer a broad range of filtering and threat analysis features. Content filters can block specific URLs; however, they might lack comprehensive threat analysis and other integrated functionalities. While next-generation firewalls (NGFWs) offer advanced features, they might not be optimized for high throughput in handling user traffic like web browsing or email, potentially affecting availability.

For support or reporting issues, include Question ID: 65432d157acefad87de05683 in your ticket. Thank you.

Domain

4.0 - Security Operations
380
Q

Question 20:

What is the name of a cryptographic key that can be freely distributed and used by others to encrypt messages?

Hash key

Symmetric key

Public key

Digital signature

A

Hash key

Symmetric key

Correct answer

Public key

Your answer is incorrect

Digital signature

Overall explanation

OBJ: 1.4 - A public key is used in asymmetric encryption. It can be freely distributed and used by others to encrypt messages, which can then only be decrypted by the corresponding private key. A hash key is used in hash functions to map data of arbitrary size to fixed-size values. It is not used for encryption or decryption. A symmetric key is used in symmetric encryption where the same key is used for both encryption and decryption. It does not involve a pair of keys for encryption and decryption. A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. It is not a key used for encryption or decryption.

For support or reporting issues, include Question ID: 64c277402c244b55867c6520 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
381
Q

Question 21:

Which policy is designed to provide guidelines for handling unexpected interruptions to maintain critical business operations?

Data retention policy

Business continuity policy

Acceptable use policy

Incident response policy

A

Data retention policy

Correct answer

Business continuity policy

Acceptable use policy

Your answer is incorrect

Incident response policy

Overall explanation

OBJ 5.1 - A business continuity policy outlines strategies and procedures to ensure that essential business functions continue during unexpected disruptions. It focuses on maintaining operations and minimizing downtime rather than addressing specific security incidents or acceptable system use.

For support or reporting issues, include Question ID: 67223d434ba26b3d1637fc71 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
382
Q

Question 22:

Which term refers to ensuring data is available and usable when needed by authorized users?

Integrity

Availability

Confidentiality

Authorization

A

Integrity

Correct answer

Availability

Confidentiality

Your answer is incorrect

Authorization

Overall explanation

OBJ: 1.2 - Availability guarantees that resources, like systems or data, are accessible to authorized entities when they need them. Integrity confirms that information remains reliable and unaltered from its original state unless a change has been authorized. Confidentiality restricts information access and disclosure, ensuring only authorized access. Authorization defines the levels of access or permissions granted to users or systems once they have been authenticated.

For support or reporting issues, include Question ID: 6720fc9f6c5aab4d75b9be46 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
383
Q

Question 23:

A tech startup uses microservices to handle various financial transactions. Which of the following security implications should they be MOST wary of when implementing microservices?

Complexity of interactions

Dependence on physical hardware

Lack of horizontal scalability

Monolithic deployment patterns

A

Correct answer

Complexity of interactions

Dependence on physical hardware

Lack of horizontal scalability

Your answer is incorrect

Monolithic deployment patterns

Overall explanation

OBJ: 3.1 - Microservices involve multiple small services communicating with each other. This inter-service communication can introduce complexities and potential vulnerabilities if not properly secured. By design, microservices move away from monolithic architectures. This isn't a direct security concern for microservices. Microservices are typically decoupled from the physical hardware layer, focusing more on the application logic. Dependence on physical hardware isn't a primary security implication. One of the strengths of microservices is their ability to scale horizontally. Hence, lack of scalability isn't a primary security concern.

For support or reporting issues, include Question ID: 652c44f96000c2244d013a12 in your ticket. Thank you.

Domain

3.0 - Security Architecture
384
Q

Question 24:

Mary, working at Dion Training, is overseeing a major software update in their virtualized environment. Before pushing the update live, she wants to ensure a rapid recovery point without creating a full backup due to storage constraints. Which method would be MOST suitable for her needs?

Incremental backups

Continuous backups

Differential backups

Snapshots

A

Incremental backups

Continuous backups

Your answer is incorrect

Differential backups

Correct answer

Snapshots

Overall explanation

OBJ 3.4: Snapshots capture the state of a system at a particular point in time and use less storage than full backups. They're ideal for quick rollbacks, especially after major updates. While they record changes since the last backup, incremental backups are not as efficient as snapshots for rapid rollback after a software update. Differential backups store all changes made since the last full backup, potentially using more storage space than a snapshot. Though they capture every change, continuous backups often use more storage and might be overkill for this particular scenario.

For support or reporting issues, include Question ID: 652eb3455e6f50137d374bcb in your ticket. Thank you.

Domain

3.0 - Security Architecture
385
Q

Question 25:

You are the security administrator for a financial institution that deals with highly sensitive customer data. As part of your IAM strategy, you are implementing an attestation process to ensure the accuracy and validity of user access rights. Which of the following statements best describes the purpose of attestation in this scenario?

Attestation is a process where users are required to provide biometric authentication, such as fingerprints or retina scans, to access sensitive data

Attestation is a procedure where employees must sign a document to acknowledge their acceptance of the company's security policies

Attestation is an audit performed by external regulatory agencies to assess the overall security posture of the financial institution

Attestation is a process where data owners periodically review, validate and confirm the access rights of all users

A

Attestation is a process where users are required to provide biometric authentication, such as fingerprints or retina scans, to access sensitive data

Attestation is a procedure where employees must sign a document to acknowledge their acceptance of the company's security policies

Your answer is incorrect

Attestation is an audit performed by external regulatory agencies to assess the overall security posture of the financial institution

Correct answer

Attestation is a process where data owners periodically review, validate and confirm the access rights of all users

Overall explanation

OBJ 4.6: In the context of identity and access management (IAM), attestation refers to a periodic review process where data owners or managers validate and confirm the access rights of all users. This helps ensure that users have the appropriate permissions necessary for their job roles and that any unnecessary or inappropriate access is promptly revoked. External audits by regulatory agencies are separate from the internal attestation process. They assess the organization's compliance with relevant regulations but do not specifically address the accuracy of user access rights. While acknowledging acceptance of security policies is important, it is not the primary purpose of attestation. This statement describes a general acceptance process, not specific to validating access rights. While biometric authentication is a valid security measure, it is not the purpose of attestation. Biometric authentication concerns the method of user verification, not the verification of access rights.

For support or reporting issues, include Question ID: 64c1584ae86d2721bec33f97 in your ticket. Thank you.

Domain

4.0 - Security Operations
386
Q

Question 26:

Which of the following terms specifically represents the target duration for recovering IT and business operations after a disruptive event?

RTO

BCP

MTTR

RPO

A

Correct answer

RTO

BCP

MTTR

Your answer is incorrect

RPO

Overall explanation

OBJ: 5.2 - RTO (Recovery time objective) sets the goal for the time taken to recover business operations after an outage, essential for continuity planning. MTTR (Mean time to repair) is the average repair time for a failed system or component, not the timeframe for full business recovery. BCP (Business continuity planning) is the overarching process that includes recovery time objectives, but it is not a time-specific recovery target. RPO (Recovery point objective) assesses the maximum tolerable data age for recovery purposes, unrelated to the duration for restoring operations.

For support or reporting issues, include Question ID: 6549730723b1cc31a82e92e0 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
387
Q

Question 27:

Which of the following BEST explains the purpose of SNMP?

SNMP is an intrusion detection system that monitors and analyzes network traffic for potential security breaches

SNMP is a security protocol used to encrypt network traffic and protect sensitive data from unauthorized access

SNMP is a network protocol that enables the sending and receiving of alerts about performance and status

SNMP is a firewall technology that inspects network traffic and blocks malicious packets to prevent cyber-attacks

A

SNMP is an intrusion detection system that monitors and analyzes network traffic for potential security breaches

SNMP is a security protocol used to encrypt network traffic and protect sensitive data from unauthorized access

Your answer is correct

SNMP is a network protocol that enables the sending and receiving of alerts about performance and status

SNMP is a firewall technology that inspects network traffic and blocks malicious packets to prevent cyber-attacks

Overall explanation

OBJ: 4.4 - SNMP is a network monitoring and management protocol that enables devices to send and receive alerts and data about their performance and status. It allows network administrators to monitor network devices, identify potential issues, and proactively address them. While intrusion detection systems are important for monitoring network traffic for security breaches, SNMP is not an intrusion detection system but a network management and monitoring protocol. While security protocols are crucial for encrypting network traffic and protecting sensitive data, SNMP's primary focus is not on encryption but on network monitoring and management. SNMP is not a firewall technology but rather a protocol used for network management and monitoring purposes.

For support or reporting issues, include Question ID: 64bffe1dc1d8f2a7e6236190 in your ticket. Thank you.

Domain

4.0 - Security Operations
388
Q

Question 28:

Which of the following statements BEST explains the importance of considering single points of failure?

Identifying single points of failure helps in centralizing control of security systems for better orchestration

Single points of failure represent an entry point into a system so being aware of them will prevent more failures throughout the system

Mitigating single points of failure is crucial to maintain the availability and reliability of automated security operations

Addressing single points of failure ensures that automated security processes do not replace human decision-making

A

Identifying single points of failure helps in centralizing control of security systems for better orchestration

Single points of failure represent an entry point into a system so being aware of them will prevent more failures throughout the system

Your answer is correct

Mitigating single points of failure is crucial to maintain the availability and reliability of automated security operations

Addressing single points of failure ensures that automated security processes do not replace human decision-making

Overall explanation

OBJ 4.7: Single points of failure can lead to system outages and compromise the availability and reliability of automated security operations. By identifying and mitigating these single points of failure, organizations can enhance the resilience of their automated systems, ensuring continuous and reliable security operations. Single points of failure can exist in both traditional and automated security models. They are a concern in any system where the failure of a critical component could lead to widespread disruption or compromise. Single points of failure are vulnerabilities that can disrupt the entire system if they fail, and their existence has nothing to do with whether human decision-making is replaced or not. The concept of single points of failure is about identifying critical components or processes that, if disrupted, can cause the entire system to fail. It is not about centralizing control for better orchestration.

For support or reporting issues, include Question ID: 64c01a748fd12d0a4bc0ba91 in your ticket. Thank you.

Domain

4.0 - Security Operations
389
Q

Question 29:

Which backup type involves storing copies of data within the same physical location as the primary data?

Multi cloud systems

Onsite

High availability

Offsite

A

Multi cloud systems

Correct answer

Onsite

High availability

Your answer is incorrect

Offsite

Overall explanation

OBJ 3.4: Onsite backup involves storing copies of data within the onsite enterprise infrastructure, which can assist in rapid restoration if the primary data is compromised. High availability pertains to a system's ability to consistently perform its function over a defined period and does not refer to onsite backup. Offsite backup involves storing data at a different geographical location, which does not correspond with the concept of onsite backup. A multi-cloud system involves using multiple cloud computing and storage services in a single network architecture and is not synonymous with onsite backup.

For support or reporting issues, include Question ID: 64c1ab29086115a48f03b4a8 in your ticket. Thank you.

Domain

3.0 - Security Architecture
390
Q

Question 30:

Which of the following refers to a vulnerability in software that is unknown to the vendor and often exploited by malicious actors before a patch is released?

Supply chain disruption

Zero-day

Hardware incompatibility

Service disruption

A

Supply chain disruption

Correct answer

Zero-day

Hardware incompatibility

Your answer is incorrect

Service disruption

Overall explanation

OBJ: 2.3 - Zero-day vulnerabilities are vulnerabilities in software that are unknown to the vendor and can be exploited by attackers. If a software provider fails to identify and patch zero-day vulnerabilities in its software, its customers may be at risk of attack. Supply chain disruption can affect the delivery of software by a software provider, but it is not a vulnerability that can be exploited by an attacker. Hardware incompatibility can affect the functionality of software provided by a software provider, but it is not a vulnerability that can be exploited by an attacker. Service disruption can affect the availability of software provided by a software provider, but it is not a vulnerability that can be exploited by an attacker.

For support or reporting issues, include Question ID: 64bc4ffe8c17497e81f54065 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 31: Martin recently noticed something odd about his personal laptop. He had just typed out a lengthy password for a new online service he was signing up for. Later that day, while he was checking his email, he found a suspicious message seemingly containing the exact same password he had typed earlier, with a message that read, "Is this your password?". Troubled, he delved into his computer's activities but couldn't find any unusual software running. Which of the following types of malware is MOST likely responsible for capturing and transmitting Martin's password?

Worm
Keylogger
Trojan
Adware

Correct answer: Keylogger

Overall explanation

OBJ: 2.4 - Keyloggers are designed to surreptitiously monitor and record every keystroke a user makes, aiming to capture sensitive information like passwords. The fact that Martin's password was sent back to him suggests it was intercepted by such a tool. Adware mainly focuses on presenting unwanted ads. There's no indication that Martin was bombarded with advertisements. While Trojans can perform a variety of malicious actions, simply capturing and sending a password in this manner is not their primary function. Worms typically focus on network propagation and exploit vulnerabilities to spread. They don't typically capture and transmit personal data like keyloggers.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 32: Sweet Advances Inc. is a leading technology company that specializes in designing and manufacturing embedded systems for critical infrastructure. Their devices are used in various sectors such as healthcare, transportation, and energy. The company is concerned about the security of their embedded systems and wants to implement the most appropriate security technique to protect their computing resources from potential threats. Which of the following would be the most suitable for the company to secure their embedded systems used in critical infrastructure?

Antivirus software
RTOS
Biometric authentication
Network firewalls

Correct answer: RTOS

Overall explanation

OBJ 4.1: A Real-Time Operating System (RTOS) is a specialized operating system designed to manage real-time applications with strict timing requirements. For critical infrastructure devices, where timely and predictable responses are crucial, an RTOS can enhance security by ensuring that the embedded systems operate efficiently and securely. By using an RTOS, the company can minimize potential vulnerabilities and improve the overall security of their computing resources. Network firewalls are essential for protecting network communications; however, they focus on network-level security and may not directly address the security concerns within the embedded systems. Biometric authentication can enhance security in certain scenarios; however, it is typically used to control user access and may not directly address the security of the computing resources in the embedded systems. Antivirus software is designed to detect and remove known malware and viruses from a system. While it is essential for general-purpose computers like laptops and desktops, embedded systems typically have specialized operating systems tailored for specific functions.

Domain

4.0 - Security Operations
Question 33: While performing recovery testing, which computational approach can simultaneously assess multiple recovery strategies after a security breach?

Backup processing
Parallel processing
Batch processing
Stream processing

Correct answer: Parallel processing

Overall explanation

OBJ 3.4: Utilizing a parallel processing approach allows different recovery strategies to be assessed at the same time, enabling faster and more comprehensive analysis of their effectiveness post-breach. While stream processing handles data in real time as it is received, it is about processing data on the fly rather than evaluating multiple recovery strategies concurrently. Batch processing runs a series of jobs all at once without manual intervention but doesn't inherently involve simultaneous computation on multiple fronts like parallel processing. Backup processing involves using a secondary system or application to take over processes if the primary system fails. It's vital for recovery but doesn't simulate multiple recovery strategies simultaneously.

Domain

3.0 - Security Architecture
Question 34: In digital forensics, which of the following is MOST crucial to consider when determining the requirements for an investigative report?

The personal preferences of the forensic analyst
The geographical location of the incident
The intended audience of the report
The software tools used in the investigation

Correct answer: The intended audience of the report

Overall explanation

OBJ 4.8: Understanding the audience, whether it's legal professionals, executives, or technical teams, determines the report's depth, language, and emphasis. An objective, standardized approach is favored in digital forensics over individual preferences in reporting. While important for internal records and repeatability, the specific tools used don't typically define reporting requirements. While the location might influence some elements of a case, it doesn't typically dictate the structure or content of the report itself.

Domain

4.0 - Security Operations
Question 35: Which of the following mitigation techniques can help prevent unauthorized access to resources on a web server by setting up rules regarding the ports and protocols that are allowed to connect to it?

Patching
Least Privilege
Configuration Enforcement
Access control list (ACL)

Correct answer: Access control list (ACL)

Overall explanation

OBJ: 2.5 - Access control lists (ACLs) are a mitigation technique that involves using a list of rules to limit access to resources on a network. ACLs can restrict access based on various criteria, such as IP addresses, port numbers, applications, and protocols. If a user isn't on the list, they can't view files from the server. Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker's access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. Least privilege does limit access, but it does so by establishing permissions, not by using a list of acceptable IP addresses, port numbers, applications, and protocols. Patching is a technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems, but it does not use a list of rules to prevent unauthorized access to resources on a web server. Configuration enforcement is a mitigation technique that can help prevent unauthorized or improper changes that increase a system or device's vulnerability to attack. By creating predefined security standards and policies, and enforcing them, configuration enforcement helps prevent the inadvertent or purposeful creation of vulnerabilities and security risks.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 36: Which of the following BEST highlights the significance of inventory in managing hardware, software, and data assets effectively?

Inventory facilitates the physical organization of assets
Inventory documentation helps in tracking the financial value of assets
Inventory enables organizations to maintain up-to-date records
Inventory identifies individuals responsible for asset handling

Correct answer: Inventory enables organizations to maintain up-to-date records

Overall explanation

OBJ 4.2: Inventory enables organizations to maintain accurate records of hardware, software, and data assets, facilitating timely patch management by helping administrators identify assets needing updates. Timely patching is crucial for mitigating security risks from unpatched vulnerabilities. Although inventory documentation can support financial tracking and budgeting, its primary role in asset tracking is for security monitoring and management. While inventory records may aid in identifying responsible individuals, accountability is not the main focus of inventory in the security context. Inventory also doesn't emphasize the physical organization of assets for audits; its purpose is to maintain current records for effective security tracking.

Domain

4.0 - Security Operations
Question 37: Which threat vector involves an attacker targeting high-ranking officials or departments within an organization, typically to fraudulently redirect financial transactions or obtain sensitive data?

Business email compromise
Voice call
Watering hole
Impersonation

Correct answer: Business email compromise

Overall explanation

OBJ: 2.2 - Attackers in business email compromises often impersonate key individuals within a company, aiming to deceive others into taking actions like transferring funds or sharing confidential information. A watering hole involves compromising websites frequently visited by a target group. The term "impersonation" is broader and can refer to any act where an attacker pretends to be someone they're not. A voice call involves attackers using phone calls for deceit, not specifically limited to email communication within businesses.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 38: Jamario, while analyzing the network logs at BetaLabs, observed multiple requests originating from a single IP address targeting the company's login portal. These requests used different alphanumeric combinations in rapid succession. Furthermore, Jamario's review of the server health metrics revealed periods of intense processing demand during these login attempts. Which of the following activities is MOST likely causing the observations made by Jamario?

Brute force attack
Phishing attack
Replay attack
Password spraying

Correct answer: Brute force attack

Overall explanation

OBJ: 2.4 - A brute force attack is one where every possible character combination is tried until the correct password or key is discovered. Jamario's observation of rapid, varied login attempts from a single IP, coupled with intense processing demand on the server, is indicative of this type of attack. A replay attack involves capturing a valid data transmission and then fraudulently repeating or delaying it. It doesn't match Jamario's observations of varied login attempts. A phishing attack tries to trick users into revealing sensitive information, usually by masquerading as a trustworthy entity. Jamario's observations of rapid, varied login attempts do not fit this profile. Password spraying involves trying a single password against multiple usernames, rather than multiple passwords against one username. Jamario observed multiple varied login attempts from one IP, which doesn't align with this attack.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 39: Which of the following terms refers to situations in which specific laws and regulations set by a country's government dictate how the personal data of its citizens should be collected, stored, and processed?

Consent management
General Data Protection Regulation (GDPR)
Data encryption
National legal implications

Correct answer: National legal implications

Overall explanation

OBJ: 5.4 - National legal implications are laws and regulations set at the country level that outline the requirements and boundaries for data protection and privacy. Data encryption is a method used to protect data from unauthorized access by converting it into a code. Consent management is a process that ensures organizations obtain and manage the consent of individuals before collecting or processing their personal data. The GDPR is a regulation enacted by the European Union to ensure data protection and privacy for all its citizens.

Domain

5.0 - Security Program Management and Oversight
Question 40: Which of the following threat vectors is associated with the risks stemming from not changing pre-set login information on systems, potentially allowing easy unauthorized access?

Business email compromise
Managed service providers
Phishing
Default credentials

Correct answer: Default credentials

Overall explanation

OBJ: 2.2 - The term default credentials specifically denotes the risk associated with using factory-set login details, making systems susceptible to unauthorized access, as attackers often have knowledge of such credentials. Managed service providers are third-party organizations managing services for others. The associated risks are not centered around using pre-configured login details but can include a variety of other vulnerabilities and misconfigurations. Business email compromise is centered around manipulating business email systems to achieve unauthorized financial gain or access sensitive data. It doesn't primarily involve exploiting systems with unchanged login information. Phishing attacks aim to deceive individuals into disclosing sensitive information through seemingly legitimate communication methods, such as emails or messages, rather than exploiting default system credentials.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 41: Which of the following statements is NOT true about the importance of resource provisioning in relation to secure operations?

Resource provisioning contributes to operational efficiency by avoiding over-provisioning or under-provisioning of resources
Resource provisioning reduces the risk of resource-related security vulnerabilities by assigning appropriate permissions
Resource provisioning allows for punctual adjustment of resources depending on the changing needs of an organization
Resource provisioning ensures employees have accounts when they are hired and those accounts are deprovisioned when they leave

Correct answer: Resource provisioning ensures employees have accounts when they are hired and those accounts are deprovisioned when they leave

Overall explanation

OBJ 4.7: The statement about creating and deprovisioning employee accounts refers to user provisioning, not resource provisioning. Resource provisioning involves both hardware and software resources, ensuring that all necessary tools and infrastructure are available for users and processes. By managing access to resources and assigning appropriate permissions, resource provisioning helps mitigate security vulnerabilities that could arise as a result of unrestricted or wrong access to resources. Resource provisioning allows for timely allocation and de-allocation of resources based on the varying needs of an organization, ensuring efficiency and reducing waste. Resource provisioning helps to balance provided resources against actual needs, mitigating the issues of over-provisioning, such as waste of resources, and under-provisioning, which can cause service disruption.

Domain

4.0 - Security Operations
Question 42: Sarah was passed over for a promotion again. She has been working hard on a new device because her boss promised her a promotion and a raise. What is the point of her hard work if she isn't going to be rewarded? She takes all of the data about the new device and puts it on the internet. She hopes that someone will produce the new device before her company can and her company will lose all of the money they have invested in research and development. What is her primary motivation for conducting this data exfiltration?

Revenge
Financial Gain
Blackmail
Ethical Considerations

Correct answer: Revenge

Overall explanation

OBJ: 2.1 - Revenge is the desire to harm or punish someone or something that has caused injury or offense. Sarah wants to reveal the device's data so her company will lose money, which will harm the company. She does this because she feels the company hasn't treated her well. Blackmail is the act of demanding money or other benefits from someone in return for not revealing compromising or damaging information about them. Sarah published the data without giving the company an opportunity to prevent her from revealing it, so blackmail wasn't her motivation. Sarah published the information on the internet. She didn't try to sell it to another company or try to make any money from the data, so financial gain isn't her primary motivation for taking the data. Sarah didn't feel that the product or its production was unethical. She didn't steal and publish the data to prevent the company from acting in an unethical manner. Her goal was to harm the company, so ethical considerations weren't a motivation.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 43: Aisha receives an email that appears to be from her bank, asking her to verify her account information by clicking a link. The email uses urgent language, such as 'Account suspension pending!' and prompts her to enter sensitive details. What type of social engineering attack is Aisha likely facing?

Vishing
Phishing
Spear Phishing
Whaling

Correct answer: Phishing

Overall explanation

OBJ 5.6 - Aisha is likely facing a phishing attack. Phishing attacks use broad, non-specific messages and rely on urgency, such as "Account suspension pending!", to manipulate users into clicking links and entering sensitive information. The attacker's goal is to collect personal details by creating a sense of panic. Unlike spear phishing, which targets specific individuals, phishing generally casts a wider net. Whaling focuses on high-profile targets, and vishing involves voice-based scams.

Domain

5.0 - Security Program Management and Oversight
Question 44: Ahmed, a software engineer, is considering using more Infrastructure as Code (IaC) within his company. This may be a challenge as a number of employees insist they need their own special configurations and software, commonly called "snowflake systems". Which of the following BEST describes the purpose of eliminating "snowflake systems"?

To avoid inconsistencies that lead to security and stability issues
To guarantee that repeated calls to the infrastructure result in varied outcomes
To speed up the deployment process of new systems
To reduce the need for manual configuration and patch installations

Correct answer: To avoid inconsistencies that lead to security and stability issues

Overall explanation

OBJ: 3.1 - Snowflake systems represent unique configurations that can cause drift in platform environments. This can result in unpatched vulnerabilities and systems that don't behave as expected due to minor configuration variances. Snowflake systems may lead to the need for manual configuration and patch installation, but this is not as important as avoiding inconsistencies that create instability and a lack of security. Snowflake systems can lead to varied outcomes in calls to the infrastructure, but this isn't as significant a problem as the inconsistencies snowflake systems cause. While it may end up increasing deployment speeds, the primary reason for eliminating snowflake systems isn't tied directly to deployment speed.

Domain

3.0 - Security Architecture
Question 45: A system is continuously being exploited through a known vulnerability that the enterprise is unable to address immediately. Which of the following firewall types that can filter traffic based on application layer (OSI Layer 7) logic would be MOST suitable for temporary mitigation?

Layer 4 Firewall
Web Application Firewall (WAF)
Unified Threat Management (UTM)
Network Intrusion Prevention System (IPS)

Correct answer: Web Application Firewall (WAF)

Overall explanation

OBJ 3.2: A WAF is designed to filter, monitor, and block HTTP traffic to and from a web application, making it the most appropriate choice for temporary mitigation against a known vulnerability. UTMs combine multiple security features and network services into a single device but are not specifically designed for filtering application layer traffic. A Layer 4 firewall operates at the transport layer and isn't primarily meant to understand or filter Layer 7 (application) traffic. A network IPS detects and prevents threats; however, it doesn't focus on filtering application layer traffic.

Domain

3.0 - Security Architecture
Question 46: Recently, Kelly Innovations LLC launched a new web application for its clients. Jake noticed that several users reported unexpected changes to their account settings even though they hadn't made any modifications. Emily, analyzing the logs, discovered that many of the affected users were previously on various unrelated external sites just before the unexpected changes occurred. The logs show a valid session cookie for each affected user, but there was no direct user action triggering the change. Which of the following BEST describes the attack that the users of Kelly Innovations LLC's web application might be experiencing?

Session token prediction
Cross-site request forgery
Session hijacking
Unsecured network sniffing

Correct answer: Cross-site request forgery

Overall explanation

OBJ: 2.4 - Cross-site request forgery (CSRF or XSRF) exploits applications that use cookies to authenticate users and track sessions. In this type of attack, a victim is tricked into performing unwanted actions on a web application in which they're authenticated, without the victim necessarily having to click a link. The attacker induces the victim's browser to send an HTTP request that spoofs an action on the target site, such as changing account settings, and the browser attaches the victim's valid session cookie automatically. Session hijacking involves taking over a user's session, typically by obtaining their session cookie. While it can result in unauthorized changes, it doesn't typically involve the victim being on an external site before the unexpected change. A session token prediction attack focuses on identifying potential weaknesses in the generation of session tokens. If an attacker can predict the session token, they can take over a session. This type of attack is more about guessing session values rather than inducing unintended changes on behalf of authenticated users. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network. This would lead to session hijacking, but it does not directly cause unintended changes on a user's account as described in the scenario.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 47: Kelly Investments LLC is preparing datasets for a third-party analytics company. They want to ensure that personally identifiable information (PII) of its customers remains confidential while still keeping the structure of the data intact for analysis. Which of the following techniques would be MOST appropriate for the institution to employ?

Data deduplication
Data masking
Data encryption
Checksum validation

Correct answer: Data masking

Overall explanation

OBJ 3.3: Data masking conceals original data with modified content (characters or other data) but retains the data's original structure. This ensures that sensitive information is not exposed, but the data remains usable for testing and analysis. While data encryption protects data by making it unreadable without the decryption key, it doesn't retain the data's structure in a form that's useful for analysis. Checksum validation ensures data integrity by checking for errors in data but doesn't hide or protect the actual content. Data deduplication eliminates redundant copies of data, optimizing storage. It doesn't obfuscate or protect the content of the data.

Domain

3.0 - Security Architecture
Question 48: Which of the following statements represents the correct order of steps in the incident response process?

Detection, Eradication, Containment, Preparation, Recovery
Containment, Preparation, Detection, Eradication, Recovery
Preparation, Detection, Eradication, Containment, Recovery
Preparation, Detection, Containment, Eradication, Recovery

Correct answer: Preparation, Detection, Containment, Eradication, Recovery

Overall explanation

OBJ 4.8: Preparation begins the process by creating an efficient incident management plan. Detection is identifying potential security incidents. Containment prevents the spread of the incident. Eradication eliminates the cause of the incident. Finally, recovery restores the systems back to their normal state.

Domain

4.0 - Security Operations
Question 49: Fedson is an ethical hacker. He has been hired by Gregory's Games to conduct a review of their security. The vulnerability scan of the system found that the company is using a very old piece of software that is no longer supported by the manufacturer. Which type of vulnerability has Fedson found?

Hardware cloning
Hardware tampering
Firmware vulnerability
End-of-life

Correct answer: End-of-life

Overall explanation

OBJ: 2.3 - End-of-life is a type of vulnerability that occurs when a manufacturer no longer supports or updates software. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks. Hardware cloning is a type of hardware vulnerability in which an attacker can make unauthorized copies of hardware devices to counterfeit their functionality, performance, or security. It can allow an attacker to sell fake products, steal intellectual property, or bypass authentication mechanisms. Hardware tampering is a type of hardware vulnerability in which an attacker can physically alter or damage hardware devices to compromise their functionality, performance, or security. It can allow an attacker to install malware, backdoors, spyware, or vulnerabilities on the device. A firmware vulnerability involves modifying or replacing the software that controls the functionality of a hardware device. It can allow an attacker to alter the behavior, performance, or security of the device, or install malware, backdoors, or spyware on it.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 50: Wonka Industries, a multinational company, is planning to open a new office in a different city. The company's IT team wants to determine if any new security requirements are needed for the new office. They want to ensure that the computing resources will be adequately protected against potential threats. Which of the following should Wonka Industries do to determine if new requirements are needed?

Conducting a thorough site survey
Installing CCTV cameras in all office areas
Implementing biometric authentication for all employees
Conducting a vulnerability assessment and penetration testing

Correct answer: Conducting a vulnerability assessment and penetration testing

Overall explanation

OBJ 4.1: Performing a vulnerability assessment and penetration testing is a crucial security technique during a site survey. This process helps identify potential weaknesses and security flaws in the computing resources and the network infrastructure of the new office. The results of this assessment will aid in developing a robust security plan to protect the computing resources effectively. Site surveys are used when installing Wi-Fi systems to consider how signals might be blocked by things like solid walls and other forms of interference; they determine where WAPs should be placed to provide the strongest, most reliable signal. Biometric authentication is more of an access control measure and does not address potential vulnerabilities or risks specific to the new office's computing resources. Installing CCTV cameras is a valid security measure for physical security, but it doesn't directly address computing resource security during a site survey. It mainly helps with monitoring and recording activities within the office premises, but it doesn't assess the security posture of the IT infrastructure.

Domain

4.0 - Security Operations
Question 51: Shekhar, a security researcher, discovers that two different inputs produce the same output from the same hashing algorithm. Which of the following cryptographic attacks is BEST illustrated by this finding?
Downgrade
Brute force
Collision
Spraying
Correct answer: Collision
Overall explanation: OBJ 2.4 - A collision attack finds two different inputs that produce the same hash value, breaking the uniqueness the hash is supposed to guarantee. The practical danger is substitution: if two documents share a hash, a digital signature or integrity check computed over one also validates the other. A brute-force attack tries every possible candidate (for example, every possible password) until one works; the finding here is about two inputs mapping to one digest, not about guessing a secret. A downgrade attack forces a communication channel onto a weaker encryption algorithm or protocol so that traffic is easier to intercept or decrypt; nothing in the scenario involves a change to a channel or a negotiated algorithm. A spraying attack is a password attack that tries a few common passwords against many accounts, hoping for a match.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations
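Added example (not part of the original flashcard deck): a birthday search for a collision on a deliberately truncated SHA-256 digest in Python. Truncating the digest to a few bytes stands in for a weak hash function so the collision shows up in seconds; the same search against the full 256-bit digest would need roughly 2^128 hashes, which is why a finding like Shekhar's points to a broken algorithm (MD5 and SHA-1 both have published practical collisions). The `doc-<n>` messages are constructed inputs.

```python
import hashlib
import math


def truncated_hash(data: bytes, nbytes: int) -> bytes:
    """First nbytes of SHA-256(data).

    Truncating the digest stands in for a weak hash function so that a
    collision can be found quickly; the attack logic is the same for any hash.
    """
    return hashlib.sha256(data).digest()[:nbytes]


def birthday_work(bits: int) -> float:
    """Approximate number of hashes for a 50% chance of at least one collision
    among the outputs of a bits-wide hash (about 1.177 * 2**(bits/2))."""
    return math.sqrt(2 ** bits * math.log(4))


def find_collision(nbytes: int, max_tries: int = 1 << 22):
    """Birthday search: hash distinct constructed inputs until two of them
    share a truncated digest. Returns (msg1, msg2, digest) or None."""
    seen: dict[bytes, bytes] = {}
    for i in range(max_tries):
        msg = b"doc-" + str(i).encode()  # constructed, pairwise-distinct inputs
        digest = truncated_hash(msg, nbytes)
        if digest in seen:
            return seen[digest], msg, digest
        seen[digest] = msg
    return None


def is_collision(msg1: bytes, msg2: bytes, nbytes: int) -> bool:
    """True when the two inputs differ but their truncated digests match."""
    return msg1 != msg2 and truncated_hash(msg1, nbytes) == truncated_hash(msg2, nbytes)


if __name__ == "__main__":
    for n in (2, 3, 4):
        m1, m2, d = find_collision(n)
        print(f"{n * 8:3d}-bit digest {d.hex()}: {m1!r} and {m2!r} collide "
              f"(expected work ~{birthday_work(n * 8):.0f} hashes)")
    print(f"full SHA-256 would need ~{birthday_work(256):.2e} hashes")
```

The two colliding messages still have different full SHA-256 digests; only the truncated view of the hash is broken, which mirrors the way a short or weak hash fails while a strong one holds.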
Question 52: Jeremy, the CEO of Hooli, wants to gauge the financial implications of specific risks tied to the company's IT infrastructure. He has directed his team to create a list of possible incidents that could occur. Then he directed them to look at both the likelihood that an incident will occur and the potential economic, business, and resource fallout if the incident occurs to create a numerical score for each. Which of the following risk assessment methods has Jeremy directed his team to use?
Annualized loss expectancy (ALE)
Qualitative risk analysis
Single loss expectancy (SLE)
Quantitative risk analysis
Correct answer: Quantitative risk analysis
Overall explanation: OBJ 5.2 - Quantitative risk analysis produces a numerical, usually monetary, score for each risk by combining the probability that an incident occurs with the loss it would cause. ALE is the expected annual financial loss from a specific risk, calculated from the single loss expectancy (SLE) and the annual rate of occurrence (ARO); it is a value produced within a quantitative analysis, not the method itself. Qualitative risk analysis assigns subjective ratings such as "high," "medium," or "low" without precise financial figures. SLE is the financial loss expected from a single occurrence of a specific risk event.
Domain: 5.0 - Security Program Management and Oversight
Question 53: Sasha, a network engineer at Kelly Innovations LLC, is presenting to the board about the advantages of screened subnets in their new office setup. Which of the following is a primary advantage of placing servers accessed from the external internet (like web servers) on a screened subnet?
It provides automatic backup for the servers
It enables servers to bypass firewall rules
It increases the processing speed of the servers
If compromised, it prevents access to the internal network
Correct answer: If compromised, it prevents access to the internal network
Overall explanation: OBJ 4.5 - Placing externally reachable servers in a screened subnet means that a compromise of one of those servers does not give the attacker direct access to the sensitive internal network; the subnet acts as an added security layer. That benefit depends on the firewall rules from the screened subnet toward the internal network being tightly restricted (default deny, with only the specific ports and hosts the servers need); otherwise a compromised host can still pivot inward. Servers in a screened subnet do not bypass firewall rules; they are subject to specific rules that control both inbound and outbound traffic. Network design can influence performance, but the purpose of a screened subnet is security, not processing speed. A screened subnet does not provide backups; backup solutions are implemented separately.
Domain: 4.0 - Security Operations
Question 54: What is the purpose of the audit committee?
Overseeing an organization's internal controls and financial reporting
Confirm the CEO's hunches about weak areas of security
Give approval to the audits completed by the CEO
Completing external auditing of security controls for organizations
Correct answer: Overseeing an organization's internal controls and financial reporting
Overall explanation: OBJ 5.5 - The audit committee oversees and evaluates an organization's internal controls, financial reporting, and compliance processes, which includes assessing the effectiveness of security controls and regulatory compliance. Audit committees are independent bodies within the organization whose job is to evaluate internal controls from an objective, unbiased viewpoint. Their conclusions may happen to confirm someone's hunches about weaknesses, but those conclusions must be reached independently, not at the direction of the CEO or anyone else. Audit committees are internal to the organization; external auditing is performed by independent third parties. Audit committees commission and review audits themselves; they do not approve audits produced by the CEO or another governance body.
Domain: 5.0 - Security Program Management and Oversight
Question 55: Which of the following is NOT a proper task for IT or HR to ensure secure access during a new employee's onboarding?
Providing the employee with resources that will be needed to complete the job.
Introducing the employee to company protocols and policies.
Secure transmission of credentials to the employee so access is granted.
Automatically assigning all possible privileges to the user for a trial period.
Correct answer: Automatically assigning all possible privileges to the user for a trial period.
Overall explanation: OBJ 5.1 - Granting every possible privilege for a trial period exposes the organization to unnecessary risk; privileges should be assigned according to the needs of the role and the principle of least privilege. Secure transmission of credentials means creating and delivering an initial password, or issuing a smart card, through a protected channel so the user gets access to the systems they need without the credentials being exposed. Providing the resources needed for the job covers provisioning computers or mobile devices, or agreeing to the use of bring-your-own-device handsets, so the user has the tools they need while security standards are maintained. Introducing the employee to company protocols and policies is vital so that they understand and follow security guidelines from the start.
Domain: 5.0 - Security Program Management and Oversight
Question 56: Which of the following statements BEST explains the importance of automating resource provisioning?
It restricts resources to only pre-defined configurations
It decreases the flexibility and adaptability of cloud systems
It helps in rapid scaling of resources based on demand
It ensures only one user can access a resource at a time
Correct answer: It helps in rapid scaling of resources based on demand
Overall explanation: OBJ 4.7 - Automated provisioning lets an environment add or remove resources on the fly, so it can adapt quickly to changing workload demand. Templates are often used, but automation can also provision custom configurations according to defined policy, so it does not restrict resources to pre-defined configurations. Provisioning is about supplying resources efficiently, not about limiting access to a single user. Automation increases, rather than decreases, the flexibility and adaptability of cloud systems.
Domain: 4.0 - Security Operations
Question 57: Which computational method allows for the simultaneous testing of various restoration protocols to ensure swift system recovery after a security incident?
Continuous backup
Parallel processing
Cluster computing
Failover systems
Correct answer: Parallel processing
Overall explanation: OBJ 3.4 - Parallel processing uses multiple computational resources at the same time, so several restoration procedures can be exercised concurrently and their effectiveness compared after a security compromise. Cluster computing primarily improves performance and availability; it is not aimed at testing different restoration protocols at once. Failover systems provide a standby that can take over if the primary system fails, but they do not themselves allow simultaneous testing of diverse recovery procedures. Continuous backup regularly saves data changes to preserve integrity and minimize loss; it does not evaluate multiple restoration methods at the same time.
Domain: 3.0 - Security Architecture
Question 58: Which of the following is a collection of standards that works at the network layer to provide secure network tunneling?
IPSec
Jump server
SASE
EAP
Correct answer: IPSec
Overall explanation: OBJ 3.2 - Internet Protocol Security (IPSec) is a suite of standards that operates at the network layer (Layer 3) of the OSI model, securing IP packets regardless of the transport protocol or application carried above them. Commonly used for VPNs, it provides authentication and integrity for transmitted data and, with ESP, confidentiality through encryption. Secure Access Service Edge (SASE) is a cloud architecture that combines services such as software-defined wide area network (SD-WAN), firewall as a service, secure web gateway, and zero-trust network access into a single offering; the integrated design reduces cost and simplifies management while improving security. A jump server is a hardened host that provides a single, controlled path for administrators to reach systems in a protected network segment; it increases security by limiting the routes into that segment, but it is not a tunneling standard. The Extensible Authentication Protocol (EAP) is an authentication framework, commonly carried by PPP and 802.1X, that allows many different authentication methods to be used.
Domain: 3.0 - Security Architecture
Question 59: Which of the following BEST describes the primary objective of an integrated penetration test?
To gauge the success of an organization's security training.
To assess vulnerabilities across physical, software, and network layers.
To focus only on vulnerabilities of the external network.
To evaluate solely the software layer's vulnerabilities.
Correct answer: To assess vulnerabilities across physical, software, and network layers.
Overall explanation: OBJ 5.5 - An integrated test provides a comprehensive evaluation across security domains, from physical infrastructure to software applications and network configuration, so that vulnerabilities are uncovered from several angles at once. Evaluating only the software layer covers one domain and ignores the comprehensive nature of integrated testing. Focusing only on the external network is the narrower perspective of an external penetration test. Gauging the success of security training may be a by-product of such a test, but it is not its central objective.
Domain: 5.0 - Security Program Management and Oversight
Question 60: Which of the following terms refers to entities that establish and enforce security standards, regulations, and guidelines across specific sectors such as finance and healthcare?
Intelligence agencies
Regulatory agencies
Law enforcement agencies
Data protection authorities
Correct answer: Regulatory agencies
Overall explanation: OBJ 5.1 - Regulatory agencies have the authority to create and enforce the rules and standards that organizations in a given sector must follow to ensure security and compliance. Law enforcement agencies enforce laws and investigate crimes but do not typically set industry standards. Intelligence agencies collect and analyze information related to national security but do not establish security standards for industries. Data protection authorities enforce regulations concerning personal data; they do not set broad security standards across multiple sectors.
Domain: 5.0 - Security Program Management and Oversight
Question 61: At Naval Gazing, the risk management team is working on quantifying the potential financial impact of specific risks that the organization may face. They began by identifying key risks. They then determine the financial loss they expect for each of the risks over the next five years. What element of risk management are they engaging in?
Risk identification
Risk analysis
Risk register
Risk assessment
Correct answer: Risk analysis
Overall explanation: OBJ 5.2 - Risk analysis is the part of the risk management process in which the impact of specific risks is determined through quantitative or qualitative methods; calculating the expected financial loss from a risk over a given period is a quantitative risk analysis. Risk assessment is the broader activity of evaluating and prioritizing identified risks based on their potential impact and likelihood. Risk identification is the initial step, in which potential risks in the organization's environment are recognized and documented. The risk register is the record of all identified risks, together with their potential impacts and mitigation strategies.
Domain: 5.0 - Security Program Management and Oversight
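Added example (not from the original flashcard deck) covering the calculations behind Question 52 and Question 61: the quantitative chain SLE = asset value x exposure factor, ALE = SLE x ARO, the multi-year expected loss Naval Gazing's team computed, and a comparison of a proposed control's cost against the ALE it removes. The risk figures, the asset values, and the control cost are constructed sample data, not real numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk with the inputs a quantitative analysis needs."""
    name: str
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of the asset lost in one incident, 0.0-1.0
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
        return self.sle * self.aro


def expected_loss(risk: Risk, years: float) -> float:
    """Expected cumulative loss over a planning horizon (e.g. five years)."""
    return risk.ale * years


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first: the order in which to spend on mitigation."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def control_net_benefit(risk: Risk, aro_after: float, annual_control_cost: float) -> float:
    """Annual ALE reduction a control delivers minus what the control costs.

    Positive: the control pays for itself. Negative: it costs more than the
    loss it prevents, and transferring or accepting the risk may be cheaper.
    """
    ale_after = risk.sle * aro_after
    return (risk.ale - ale_after) - annual_control_cost


# Constructed sample risk register (illustrative figures only).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4),
    Risk("DDoS on storefront", asset_value=200_000, exposure_factor=0.1, aro=2),
]


if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:28} SLE={r.sle:>10,.0f}  ALE={r.ale:>10,.0f}  "
              f"5-year={expected_loss(r, 5):>12,.0f}")
    # Hypothetical control: EDR cuts ransomware ARO from 0.5 to 0.1 for 30,000/year.
    print("EDR net benefit per year:", control_net_benefit(SAMPLE_RISKS[0], 0.1, 30_000))
```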
Question 62: Sasha, a cybersecurity analyst at Dion Training Solutions, noticed a trend of employees using the same passwords across multiple work-related platforms. She is concerned about the potential security risks this behavior presents. What should Sasha recommend to BEST mitigate the threat of one compromised password leading to multiple breaches?
Implement a policy discouraging password reuse
Training users on the dangers of phishing emails
Conducting more frequent security audits
Increasing the frequency of password expiration
Correct answer: Implement a policy discouraging password reuse
Overall explanation: OBJ 4.6 - When employees use a different password for each platform, a single compromised password cannot be replayed against the others, so the impact of one breach is contained; a password manager is what makes unique passwords practical for users. Phishing awareness training is valuable but does not stop users from reusing a password across platforms. Increasing the frequency of password expiration can help in some scenarios, but it does not deter reuse and tends to push users toward predictable variations of the same password. Regular audits are important but do not directly address password reuse.
Domain: 4.0 - Security Operations
Question 63: Which of the following threat actors is most likely to be motivated by revenge?
Nation-state
Unskilled attacker
Ethical hacker
Insider threat
Correct answer: Insider threat
Overall explanation: OBJ 2.1 - An insider threat is a threat actor with legitimate access to an organization's systems or data who abuses it for malicious purposes such as revenge, blackmail, or data theft. Revenge is the most likely motive when the insider believes the organization or someone in it has wronged them, for example by firing, demoting, or insulting them. An unskilled attacker has little or no technical skill and relies on automated tools or scripts, usually for personal gain or amusement rather than revenge. An ethical hacker uses hacking skills for legitimate purposes, such as testing the security of systems or networks, within ethical and legal boundaries; they are security professionals, not threat actors, and are not motivated by revenge. A nation-state actor acts on behalf of a government or political entity for espionage, sabotage, or warfare, driven by strategic or tactical objectives rather than revenge.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations
Question 64: You are a security administrator for a large non-profit organization with multiple departments and diverse security requirements. The organization has faced challenges in managing security settings and configurations on individual computers. To improve security and streamline management, you decide to implement Group Policy in the Windows Active Directory environment. Which of the following approaches would be the MOST effective way to implement Group Policy for the given scenario?
Designing GPOs so that each has no more than 5 users so that monitoring the members of each group is easier and more customizable
Implementing Group Policy Preferences to enforce security settings, allowing end-users to modify configurations as needed
Creating a single, comprehensive GPO with all security settings applied uniformly across all departments and computers
Designing multiple GPOs, each tailored to the specific security requirements of individual departments, and applying them accordingly
Correct answer: Designing multiple GPOs, each tailored to the specific security requirements of individual departments, and applying them accordingly
Overall explanation: OBJ 4.5 - Tailored Group Policy Objects (GPOs) for each department allow targeted security management that meets each department's specific needs while keeping central control. Group Policy Preferences offer flexibility, but preference items are not enforced: users can change settings applied through them, which makes them unsuitable for mandatory security settings, since the purpose of Group Policy is to enforce consistent security across the organization. A single comprehensive GPO may seem simpler, but departments have different requirements, so one uniform policy leads to conflicts and hinders efficiency; granular, department-specific GPOs are the better fit. Capping each GPO at five users is not a meaningful way to use Group Policy; GPOs are linked to sites, domains, and organizational units rather than sized by user count.
Domain: 4.0 - Security Operations
Question 65: Which of the following terms refers to a list that explicitly grants access or permissions to specific entities, while all others are implicitly denied?
Backout plan
Approval process
Restricted activities
Allow list
Correct answer: Allow list
Overall explanation: OBJ 1.3 - An allow list names the entities, such as IP addresses or applications, that are explicitly permitted; anything not on the list is implicitly denied. Restricted activities are specific actions that are not permitted because of policy or security reasons. An approval process is a formalized procedure that ensures changes are reviewed and approved before implementation. A backout plan is a strategy describing how to revert a change if it causes unforeseen problems or does not achieve the desired outcome.
Domain: 1.0 - General Security Concepts
Question 66: Which category of data includes information such as trade secrets and patents?
Intellectual property
Regulated
Human-readable
Legal information
Correct answer: Intellectual property
Overall explanation: OBJ 3.3 - Intellectual property covers creations of the mind such as inventions, literary and artistic works, designs, symbols, and the names and images used in commerce; trade secrets and patents fall squarely within it. Regulated data is any data subject to regulatory laws and guidelines; it may include intellectual property but does not specifically refer to trade secrets or patents. Legal information is a broader category that may touch on intellectual property but does not specifically mean trade secrets and patents. Human-readable describes information a person can understand without a device; it is a data format description, not a classification like intellectual property.
Domain: 3.0 - Security Architecture
Question 67: Which of the following certificates is issued by a recognized external authority and inherently carries more trust for users and systems unfamiliar with the certificate's originator?
Third-party certificate
Public key
A CRL
Private key
Correct answer: Third-party certificate
Overall explanation: OBJ 1.4 - A third-party certificate is signed by a recognized external certificate authority whose root is already trusted by clients, so it is trusted in public and external environments where a self-signed certificate would produce warnings. A private key is the cryptographic key used for decrypting or signing data; it is not a certificate type. A certificate revocation list (CRL) records certificates the certificate authority has revoked before their expiration date; it is not a certificate type. A public key is the half of an asymmetric key pair that is shared openly; a certificate binds it to an identity, but the key by itself is not a certificate.
Domain: 1.0 - General Security Concepts
Question 68: Take the Cake, a bakery, recently bought software to improve security. The software randomly adds data to the input of a hash function before it processes it. What is the software doing?
Hashing
Key Stretching
Digital Signatures
Salting
Correct answer: Salting
Overall explanation: OBJ 1.4 - Salting adds random data to the input of a hash function before it is processed, which is exactly what the scenario describes; the salt is stored alongside the hash so the computation can be repeated at verification time, and it ensures that two users with the same password get different hashes, defeating precomputed (rainbow) tables. Key stretching (PBKDF2, bcrypt, scrypt, Argon2) runs the password through the hash function many times so that each guess costs an attacker more work; it is normally combined with a salt, but its defining feature is the iteration count rather than added input data. Hashing converts an input of any length into a fixed-size output using a mathematical function; it does not add data to the input. A digital signature uses asymmetric cryptography over a hash of a message or document to provide authenticity and integrity; it does not involve adding random data to the hash input.
Domain: 1.0 - General Security Concepts
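Added example (not part of the original flashcard deck) showing the three techniques the explanation contrasts, using only the Python standard library: an unsalted hash, the salted hash the bakery's software produces, and key stretching with PBKDF2-HMAC-SHA256, plus the verification step that recomputes from the stored salt and iteration count. The password and the 600,000-iteration default are constructed example values.

```python
import hashlib
import hmac
import os


def plain_hash(password: str) -> str:
    """Unsalted SHA-256. Every user with this password gets the same digest,
    so one cracked digest (or a precomputed table) breaks all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salting: random bytes are added to the input before hashing.
    Same password, different salt, different digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching with PBKDF2-HMAC-SHA256: the salt is still added, but the
    distinguishing feature is the iteration count, which multiplies the cost
    of every guess an attacker makes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Stored form of a password: a fresh random salt, the iteration count,
    and the stretched hash. The password itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": stretched_hash(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    candidate = stretched_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    pw = "Take-the-Cake-2024"  # constructed example password
    print("unsalted hash repeats:", plain_hash(pw) == plain_hash(pw))
    print("salted hash repeats  :", salted_hash(pw, os.urandom(16)) == salted_hash(pw, os.urandom(16)))
    rec = make_record(pw)
    print("verify correct       :", verify(pw, rec))
    print("verify wrong         :", verify("wrong", rec))
```

The salt is not secret; it only has to be unique per record. The iteration count is what makes offline guessing expensive, and it should be raised over time as hardware gets faster, which is why it is stored with the record rather than hard-coded into the verifier.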
Question 69: Which of the following types of conflict of interest may occur when a vendor has a possibility of earning commissions that could influence their recommendations during vendor assessments?
Insider information
Competitive relationships
Financial interests
Personal relationships
Correct answer: Financial interests
Overall explanation: OBJ 5.3 - A financial-interest conflict arises when a vendor stands to gain financially, for example through commissions, from recommending particular products or services, which can bias the advice away from the organization's actual needs. Personal relationships can also influence decisions, but they do not involve financial gain from the recommendation itself. Competitive relationships concern a vendor's ties to other vendors or businesses that could affect impartiality, not direct financial rewards for recommendations. Insider information gives a vendor an unfair advantage through the misuse of proprietary or confidential data rather than through financial incentives tied to product suggestions.
Domain: 5.0 - Security Program Management and Oversight
Question 70: Which of the following terms refers to a comprehensive evaluation of risks within an organization that occurs at a specific moment, often to assess the impact of a new system implementation or gain an independent view of operational maturity?
Risk identification
Continuous
Ad hoc
One-time
Correct answer: One-time
Overall explanation: OBJ 5.2 - A one-time assessment is a thorough evaluation performed at a particular point in time, typically to establish a baseline, measure the impact of a new system, or obtain an independent view of the state of risk. Risk identification is the process of recognizing potential risks; it is not a comprehensive evaluation tied to a point in time. Ad hoc assessments are run as needed in response to a specific event or question and are not necessarily comprehensive or planned around a new system or an independent review. Continuous assessments are ongoing and provide near-real-time risk information, in contrast to a one-time assessment, which is a static snapshot.
Domain: 5.0 - Security Program Management and Oversight
Question 71: At NovoTech, employees often use the same password for their email, CRM, and intranet platforms. The typical password format they use is "PlatformName123!" (e.g., "Email123!", "CRM123!"). Recognizing the security risk, what should NovoTech's cybersecurity lead recommend to address the issue of password reuse effectively?
Implement a two-factor authentication for all platforms
Advise employees to use a passphrase instead of a password
Introduce unique password requirements for each platform
Educate employees about the risks of password reuse
Correct answer: Introduce unique password requirements for each platform
Overall explanation: OBJ 4.6 - Platform-specific password requirements make it harder to satisfy every platform with one password or one predictable pattern, so they discourage reuse structurally rather than relying on good intentions. A passphrase is stronger than a short password, but nothing stops an employee from reusing the same passphrase everywhere. Two-factor authentication limits what a stolen password is worth but does not prevent the password from being reused. Education matters, but without a structural change employees tend to fall back into existing habits.
Domain: 4.0 - Security Operations
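Added example (not from the original flashcard deck) for the password-reuse scenarios in Question 62 and Question 71: a password-change validator that rejects the "PlatformName123!" pattern and, where the organization controls all the platforms (typically through a central identity provider), detects reuse by verifying the candidate password against the user's stored records on the other platforms. The platform names, the stored records, and the 100,000-iteration PBKDF2 setting are constructed example values; the pattern regex is one illustrative heuristic, not a complete password-quality check.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # constructed example setting; raise for production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash (PBKDF2-HMAC-SHA256) used for stored records."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(password: str) -> dict:
    """Stored record for one platform: random salt plus stretched hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def matches(password: str, record: dict) -> bool:
    """True if the candidate is the password behind the stored record."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


# "Word" + 1-4 digits + optional single symbol, the Email123!/CRM123! shape.
PREDICTABLE_PATTERN = re.compile(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]?")


def password_violations(candidate: str, platform: str, other_records: dict) -> list[str]:
    """Reasons to reject `candidate` as the new password for `platform`.

    other_records maps platform name -> this user's stored record on that
    platform. The reuse check only works at change time, while the plaintext
    candidate is available, and only across platforms whose records the
    checking system can see.
    """
    reasons = []
    if platform.lower() in candidate.lower():
        reasons.append(f"contains the platform name '{platform}'")
    if PREDICTABLE_PATTERN.fullmatch(candidate):
        reasons.append("follows the predictable word+digits+symbol pattern")
    for name, record in other_records.items():
        if name.lower() != platform.lower() and matches(candidate, record):
            reasons.append(f"already used on {name}")
    return reasons


if __name__ == "__main__":
    # Constructed: this employee already uses Email123! on two platforms.
    existing = {"Email": store("Email123!"), "CRM": store("Email123!")}
    for pw in ("Intranet123!", "Email123!", "glacier-tuba-crayon-47"):
        print(f"{pw!r:26} -> {password_violations(pw, 'Intranet', existing) or ['accepted']}")
```

Because every reuse check costs a full stretched-hash computation per other platform, the validator should run only on password change, not on every login; on login, the per-platform verification path is unchanged.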
Question 72: Which component of the Zero Trust architecture is responsible for enforcing policies by allowing or denying access to resources?
Threat Scope Reducer
Policy Enforcement Point
Identity Provider
Policy Engine
Correct answer: Policy Enforcement Point
Overall explanation: OBJ 1.2 - The Policy Enforcement Point (PEP) is the Zero Trust component that actually allows or denies access to a resource, acting on decisions made by the Policy Engine. In NIST SP 800-207 terms, the Policy Engine and Policy Administrator form the control plane that decides and configures access, while the PEP sits in the data plane in front of the resource. The Policy Engine makes the access decision but does not enforce it. The Identity Provider manages identities and authentication but does not perform access control. "Threat Scope Reducer" is not a named component of the architecture (threat scope reduction is a goal of Zero Trust, not a component), so it does not enforce policies.
Domain: 1.0 - General Security Concepts
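Added example (not from the original flashcard deck, and not based on any particular Zero Trust product) showing the separation the explanation describes: a Policy Engine that only decides, and a Policy Enforcement Point that sits in front of the resource, asks the engine for every request, and allows or denies accordingly. The resources, roles, users, and policy table are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AccessRequest:
    """What the PEP knows about one access attempt (subject, device, target)."""
    subject: str
    role: str
    device_compliant: bool
    mfa: bool
    resource: str
    action: str


# Constructed policy table: resource -> conditions that must all hold.
POLICY = {
    "hr-db": {"roles": {"hr"}, "mfa": True, "compliant_device": True},
    "wiki": {"roles": {"hr", "eng", "sales"}, "mfa": False, "compliant_device": False},
}


class PolicyEngine:
    """Control plane: evaluates each request against policy and returns a
    decision. It never touches the resource or the traffic."""

    def decide(self, req: AccessRequest) -> tuple[bool, str]:
        rule = POLICY.get(req.resource)
        if rule is None:
            return False, "unknown resource (default deny)"
        if req.role not in rule["roles"]:
            return False, "role not permitted"
        if rule["mfa"] and not req.mfa:
            return False, "MFA required"
        if rule["compliant_device"] and not req.device_compliant:
            return False, "non-compliant device"
        return True, "all conditions met"


class PolicyEnforcementPoint:
    """Data plane: the only path to the resource. Every request, even from a
    subject who was allowed a moment ago, is sent to the engine for a fresh
    decision before the backend is reached."""

    def __init__(self, engine: PolicyEngine, backend: Callable[[AccessRequest], str]):
        self.engine = engine
        self.backend = backend
        self.audit: list[tuple[str, str, bool, str]] = []

    def handle(self, req: AccessRequest) -> dict:
        allowed, reason = self.engine.decide(req)
        self.audit.append((req.subject, req.resource, allowed, reason))
        if not allowed:
            return {"status": 403, "reason": reason}
        return {"status": 200, "body": self.backend(req)}


def demo_backend(req: AccessRequest) -> str:
    """Stand-in for the protected resource; only reachable through the PEP."""
    return f"{req.action} on {req.resource} for {req.subject}"


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyEngine(), demo_backend)
    for req in (
        AccessRequest("alice", "hr", True, True, "hr-db", "read"),
        AccessRequest("alice", "hr", True, False, "hr-db", "read"),
        AccessRequest("bob", "eng", True, True, "hr-db", "read"),
        AccessRequest("bob", "eng", False, False, "wiki", "read"),
    ):
        print(req.subject, req.resource, "->", pep.handle(req))
```

The engine can be swapped for one that pulls live signals (device posture, risk score, time of day) without touching the PEP, which is the point of keeping decision and enforcement apart.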
Question 73: Which of the following mitigation techniques involves using mathematical algorithms to transform data into an unreadable format?
Patching
Encryption
Isolation
Segmentation
Correct answer: Encryption
Overall explanation: OBJ 2.5 - Encryption uses mathematical algorithms to transform data into an unreadable form. It protects data from unauthorized reading and from undetected modification because only holders of the correct key can decrypt it; the algorithm itself is assumed to be public, so the security rests on the key rather than on keeping the algorithm secret. Segmentation divides a network into smaller segments, each with its own security policies and controls, which limits the scope of an attack by confining the attacker to the compromised segment; it does not transform data. Isolation prevents malware from spreading between systems or processes by limiting their interaction, for example by sandboxing or by disconnecting an infected system, so that malicious programs or scripts cannot reach the rest of the system or network; it does not transform data. Patching applies updates to software and systems to close known vulnerabilities; it does not transform data into an unreadable format.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations
434
Q

Question 74:

Gerald, the IT manager, is implementing a system where employees must have a token to gain access to certain areas within the company building. Which of the following best explains the type of physical security they are implementing?

Fencing

Video surveillance

Access badges

Access control vestibules

A

Fencing

Video surveillance

Correct answer

Access badges

Your answer is incorrect

Access control vestibules

Overall explanation

OBJ: 1.2 - An access badge is a card that employees use to gain access to certain areas within a company building. This matches the system being implemented in the scenario. Fencing involves the use of barriers to prevent or control access to a property. It does not involve the use of cards to gain access to certain areas. Access control vestibules are designed to control the flow of people into a building so that security can more easily be controlled. Video surveillance involves the use of cameras to monitor activities in a given area. It does not involve the use of cards to gain access to certain areas.

For support or reporting issues, include Question ID: 64c3e5a236bc29dc2e8730b1 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
435
Q

Question 75:

Jenna, a security analyst, wants to implement a regular review of log files to improve security. Which of the following types of security controls is log monitoring?

Physical

Operational

Technical

Managerial

A

Physical

Correct answer

Operational

Technical

Your answer is incorrect

Managerial

Overall explanation

OBJ: 1.1 - Operational security controls are measures that involve the day-to-day operations of an organization’s security. These controls can include backup and recovery procedures, configuration management, media protection, and log monitoring. Physical security controls are measures that involve protecting an organization’s physical assets. These controls can include security cameras, locks, and security badges. Managerial security controls are measures that involve directing and overseeing the overall security of an organization. These controls can include risk assessments, security awareness training, incident response planning, and service acquisition. Technical security controls are measures that are put in place to protect the confidentiality, integrity, and availability of a system or network. These controls can include firewalls, intrusion detection/prevention systems, encryption, and access controls.

For support or reporting issues, include Question ID: 64bd6d3b7bc8dddbe8c6a8ed in your ticket. Thank you.

Domain

1.0 - General Security Concepts
436
Q

Question 76:

Instances VM, a virtual computing company, is developing company-wide standards for managing cryptographic keys. They are setting policies for the life of the keys from generation to deletion. What are they developing?

Trusted Platform Module (TPM)

Hardware Security Module (HSM)

Key Management System

Secure Enclave

A

Trusted Platform Module (TPM)

Hardware Security Module (HSM)

Correct answer

Key Management System

Your answer is incorrect

Secure Enclave

Overall explanation

OBJ: 1.4 - A Key Management System is a process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a chip or device such as a TPM, HSM, or Secure Enclave. Secure Enclave is a chip that is used only to secure encryption keys, hashes, and other important data. It is embedded in Apple and Android devices. TPM is a hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication. It is embedded on device motherboards that use Windows operating systems. An HSM is a physical computing device that safeguards and manages digital keys for strong authentication. It can be an external device or on an expansion card, but it is not embedded on the motherboard.

For support or reporting issues, include Question ID: 64c284124f0d49fd4b9ac1f3 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
437
Q

Question 77:

Dion Training is planning to implement a TLS VPN to facilitate secure remote access for its employees. The VPN will use port 443, authenticate the server to the client, and optionally authenticate the client's certificate by the server. It will create an encrypted tunnel for user authentication, with communications for the local network tunneled over the secure socket once the connection is fully established. In this scenario, which of the following considerations BEST represents a potential limitation of applying security principles due to the chosen remote access solution?

Ensuring consistent endpoint security

Utilizing network segmentation

Implementing robust password policies

Monitoring real-time network traffic

A

Correct answer

Ensuring consistent endpoint security

Your answer is incorrect

Utilizing network segmentation

Implementing robust password policies

Monitoring real-time network traffic

Overall explanation

OBJ 3.2: The varied security postures of remote devices might present challenges, as the TLS VPN primarily secures the communication tunnel, not the endpoints. Monitoring real-time network traffic is essential for detecting anomalies, but doing so effectively can be challenging, as TLS VPNs secure the communication channel and potentially limit visibility into the transmitted data. Network segmentation is crucial, but the effectiveness of its implementation might not be directly influenced by the chosen TLS VPN solution for remote access. While important, password policies are a universal consideration and are not particularly limited by the chosen TLS VPN remote access solution.

For support or reporting issues, include Question ID: 64c17d212e60209dbaac222a in your ticket. Thank you.

Domain

3.0 - Security Architecture
438
Q

Question 78:

Why are CVE identifiers important for cybersecurity professionals?

They provide mitigation techniques for vulnerabilities

They offer a standardized way to share vulnerability data

They assign severity scores to vulnerabilities

They track software versions and updates

A

They provide mitigation techniques for vulnerabilities

Correct answer

They offer a standardized way to share vulnerability data

They assign severity scores to vulnerabilities

Your answer is incorrect

They track software versions and updates

Overall explanation

OBJ 4.3: CVEs allow cybersecurity professionals to talk about vulnerabilities in a consistent manner, ensuring everyone is on the same page. While CVEs detail vulnerabilities, they don't typically prescribe specific mitigation methods. Those come from other sources like vendor advisories. Severity scores, like those from CVSS, evaluate the risk of vulnerabilities, whereas CVEs simply identify them. CVEs identify vulnerabilities but don't serve as a versioning or software update system.

For support or reporting issues, include Question ID: 6542d66c98ddb5af76a3f303 in your ticket. Thank you.

Domain

4.0 - Security Operations
439
Q

Question 79:

The IT team at Dion Training Solutions noticed multiple access attempts for certain services on their server. They had deliberately blocked access to the server for security purposes. The attempts seemed to come from a variety of IP addresses in rapid succession. Alarmed by the activity, they took necessary preventive measures. Which of the following statements BEST describes the activity experienced by the IT team?

Distributed Denial of Service (DDoS) attack.

Port scanning activity.

Traffic redirection efforts.

Attempted access to blocked ports.

A

Distributed Denial of Service (DDoS) attack.

Port scanning activity.

Your answer is incorrect

Traffic redirection efforts.

Correct answer

Attempted access to blocked ports.

Overall explanation

OBJ: 2.4 - Organizations often block specific ports to prevent unauthorized or potentially harmful traffic. The described situation where there are multiple attempts to access these blocked ports indicates an effort to breach or probe the network's defenses. Traffic redirection refers to diverting network traffic to a different destination than the intended one. The scenario doesn't suggest any redirection, only attempts to access blocked ports. While the rapid succession of attempts from various IPs might hint at a DDoS, this scenario specifically mentions attempts on blocked ports, not necessarily an attempt to overwhelm the server with traffic. Port scanning is a method used to identify open ports on a network. While the scenario describes something similar, it specifically mentions attempts to access blocked ports, making this option less precise.

For support or reporting issues, include Question ID: 6529e16b1f6f8a7219af58d3 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
440
Q

Question 80:

Dion Training is designing a system to store student records. They wish to encrypt the entire collection of records at once, ensuring efficient encryption and decryption processes when querying. What encryption level is MOST suitable for this design?

Database encryption

Record-level encryption

Volume encryption

Partition encryption

A

Correct answer

Database encryption

Record-level encryption

Volume encryption

Your answer is incorrect

Partition encryption

Overall explanation

OBJ: 1.4 - Technologies like Transparent Data Encryption (TDE) in SQL Server provide the capability to encrypt entire databases. This is ideal for Dion Training, as they can encrypt and decrypt the whole collection of student records efficiently during database operations. While volume encryption secures an entire volume or virtual drive, it may not provide the tailored efficiency needed for database operations. Record-level encryption encrypts individual records within a database, which might introduce inefficiencies when querying large numbers of records. Partition encryption encrypts specific partitions on a disk but isn't tailored for database operations.

For support or reporting issues, include Question ID: 6525840ad7819dc1960699bd in your ticket. Thank you.

Domain

1.0 - General Security Concepts
441
Q

Question 81:

Your company has recently acquired a batch of new servers for the software development department. As a security specialist, you are tasked with setting up the initial environment before handing it over to the developers. You have just installed the operating system, and the next step involves a baseline deployment process. Which of the following statements would be the BEST next course of action?

Apply a preset configuration template that includes security updates, and standard configurations

Install development software without any further system-level modifications

Immediately hand over the servers to the development team for software installation and configuration

Begin networking with other servers without applying any configurations

A

Correct answer

Apply a preset configuration template that includes security updates, and standard configurations

Install development software without any further system-level modifications

Your answer is incorrect

Immediately hand over the servers to the development team for software installation and configuration

Begin networking with other servers without applying any configurations

Overall explanation

OBJ 4.1: Applying a preset configuration template that includes security updates and standard configurations is the best practice for applying secure baselines. A preset configuration template consists of standard configurations, patches, and security updates that conform to the organization’s security policy and sets a firm security foundation for each server. Handing over the servers to the developers before applying any security configurations or patches can leave the servers vulnerable to security threats. Networking other servers without applying any configurations can lead to security holes; a newly set-up server should have a security baseline applied to it first before networking begins. Installing any software before applying security updates, patches, and configurations can expose the servers to risks.

For support or reporting issues, include Question ID: 64c17ba6d169150d1528ed2b in your ticket. Thank you.

Domain

4.0 - Security Operations
442
Q

Question 82:

An organization deploys numerous specialized devices with software hard-coded into their firmware. These devices cannot be easily updated or patched. Which security concern is MOST directly associated with this type of system?

Zero trust model

Embedded system

Microservice architecture

High availability system

A

Zero trust model

Correct answer

Embedded system

Microservice architecture

Your answer is incorrect

High availability system

Overall explanation

OBJ: 3.1 - Because the software is hardcoded, embedded systems often lack the flexibility for timely updates or patches, potentially leaving them vulnerable to undiscovered or unaddressed threats. While high availability ensures system uptime, it doesn't inherently present a concern of inflexible or hardcoded software. A zero trust model is a security model that doesn't inherently relate to hard-coded software or the inability to patch devices. Microservices allow for independent deployment of services, making them easier to patch or update, which contrasts the issue presented.

For support or reporting issues, include Question ID: 652c37cce0af1b70771153bc in your ticket. Thank you.

Domain

3.0 - Security Architecture
443
Q

Question 83:

A tech company discovers that the firmware in some of their devices contains a hidden backdoor. Upon investigation, it's determined that the compromised firmware came from an overseas supplier they contracted with. The backdoor gave attackers remote access to devices without user knowledge. What type of attack vector has the company fallen victim to?

On-path attack

Drive-by download

Supply chain

Bluesnarfing

A

On-path attack

Drive-by download

Your answer is correct

Supply chain

Bluesnarfing

Overall explanation

OBJ: 2.2 - This scenario depicts a supply chain compromise where the threat originated from a supplier. By introducing the backdoor at the production level, attackers ensured widespread distribution of the vulnerability, making it a potent and stealthy attack. Bluesnarfing refers to exploiting vulnerabilities in Bluetooth connections to steal data from another device. It doesn't involve compromising products at the supply level. In an on-path attack, an unauthorized intermediary intercepts communication between two parties, potentially altering it. While deceptive, it doesn't stem from supply chain vulnerabilities. Drive-by download involves automatically downloading malicious software onto a user's system without their knowledge, typically when visiting a compromised website. It doesn't relate to supply chain threats.

For support or reporting issues, include Question ID: 65261fd87b95ff91e3f56bbe in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
444
Q

Question 84:

Dion Training Solutions has noticed that when employees leave the company, their accounts often remain active for an extended period. The IT team is concerned that former employees might access these accounts. What solution would help ensure accounts are only active for a certain period after their last password change?

Introduce account lockouts after a few incorrect attempts

Implement a password history policy

Use a password complexity checker

Implement a maximum password age

A

Introduce account lockouts after a few incorrect attempts

Implement a password history policy

Your answer is incorrect

Use a password complexity checker

Correct answer

Implement a maximum password age

Overall explanation

OBJ 4.6: Implementing a maximum password age ensures that passwords, and by extension, accounts, expire after a set period if not updated. Implementing a password history policy prevents reusing old passwords but doesn't mandate password changes after a certain time. Introducing account lockouts after a few incorrect attempts helps against brute force attacks but doesn't directly address account dormancy. Using a password complexity checker ensures strong passwords but doesn't ensure timely password updates.

For support or reporting issues, include Question ID: 65444942d7728cf5f6ef529e in your ticket. Thank you.

Domain

4.0 - Security Operations
445
Q

Question 85:

To enhance security awareness, which of the following statements BEST describes how employees could recognize a phishing attempt?

By opening only emails from trusted senders and people they know.

By clicking on links in suspicious emails to verify their authenticity and find the attacker.

By immediately replying to any email that requests sensitive information.

By verifying the sender's email address and looking for signs of deception.

A

By opening only emails from trusted senders and people they know.

By clicking on links in suspicious emails to verify their authenticity and find the attacker.

By immediately replying to any email that requests sensitive information.

Your answer is correct

By verifying the sender's email address and looking for signs of deception.

Overall explanation

OBJ: 5.6 - Employees should carefully examine the sender's email address for any misspellings or unusual characters that may indicate a phishing attempt. They should also look for signs of deception, such as urgent requests for personal information, generic greetings, or unusual email content. Clicking on links in suspicious emails is risky and can lead to malware infections or other security issues. Instead of clicking on links directly, employees should hover their mouse over the link to see the actual URL and verify if it matches the expected destination. Opening only emails from trusted senders is not a recommended practice for recognizing phishing attempts. Phishing emails often impersonate trusted senders, so blindly opening all emails from known sources can lead to falling victim to phishing attacks. Employees should never reply to emails that request sensitive information without verifying the legitimacy of the request through other means, such as contacting the sender directly through a known and trusted communication channel.

For support or reporting issues, include Question ID: 64c34d53257a09286523a434 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
446
Q

Question 86:

Which of the following practices is MOST effective in mitigating software supply chain vulnerabilities?

Maintain a log of all physical accesses to server rooms.

Regular security test of third-party software products.

Use encrypted communication for all internal chats.

Limit the number of hardware vendors for an organization.

A

Maintain a log of all physical accesses to server rooms.

Correct answer

Regular security test of third-party software products.

Use encrypted communication for all internal chats.

Your answer is incorrect

Limit the number of hardware vendors for an organization.

Overall explanation

OBJ: 2.3 - Assessing third-party software components can identify and address vulnerabilities. It ensures that any integrated third-party software is vetted and secure, mitigating potential software supply chain risks. Encrypting internal communications protects data in transit and ensures that sensitive internal conversations remain confidential. Yet, it doesn't specifically mitigate vulnerabilities that could exist within third-party software components. Limiting hardware vendors can reduce the potential hardware-related vulnerabilities by streamlining procurement. However, it doesn't directly address vulnerabilities that could be embedded within third-party software components. Monitoring and logging physical access can deter unauthorized tampering and provide an audit trail in the event of an incident. However, it doesn't directly prevent vulnerabilities in the software supply chain.

For support or reporting issues, include Question ID: 6527d8757b75b14e42cb501d in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
447
Q

Question 87:

Your organization frequently updates the firmware images on its hardware devices. To prevent unauthorized firmware updates, which security measure is BEST to implement?

Disk encryption

Secure boot with signature verification

RBAC with MFA

Network segmentation

A

Disk encryption

Correct answer

Secure boot with signature verification

RBAC with MFA

Your answer is incorrect

Network segmentation

Overall explanation

OBJ 3.3: Secure boot with signature verification ensures that a device only runs software or firmware signed by a trusted entity, preventing unauthorized or malicious firmware images from being loaded. Network segmentation limits exposure and access to parts of the network but does not validate the integrity or authenticity of firmware images directly. Disk encryption secures data at rest; it doesn't specifically verify the authenticity or integrity of firmware images. While role-based access control (RBAC) limits access based on user roles and multi-factor authentication (MFA) ensures proper authentication, it doesn't directly ensure the firmware's authenticity or prevent tampering.

For support or reporting issues, include Question ID: 652d7485397fc3821ab4aaec in your ticket. Thank you.

Domain

3.0 - Security Architecture
448
Q

Question 88:

While performing a digital investigation, which of the following statements BEST describes the role of preservation of evidence?

It allows investigators to prioritize evidence collection

It provides legal teams with a roadmap for case strategy

It allocates budgetary resources for the forensic investigation

It maintains the integrity of digital evidence over time

A

It allows investigators to prioritize evidence collection

It provides legal teams with a roadmap for case strategy

It allocates budgetary resources for the forensic investigation

Your answer is correct

It maintains the integrity of digital evidence over time

Overall explanation

OBJ 4.8: Preserving evidence ensures that it remains unchanged and is kept in a state where its authenticity is intact for the duration of the investigation and any subsequent legal proceedings. While prioritization is a part of investigation processes, preservation itself is about safeguarding evidence once collected. Preservation is about ensuring evidence remains unchanged, not about strategizing for a legal case. While resources are necessary, preservation focuses on keeping evidence secure and unaltered.

For support or reporting issues, include Question ID: 6543e953896f42788ac46b0d in your ticket. Thank you.

Domain

4.0 - Security Operations
449
Q

Question 89:

Which of the following BEST describes the action taken when a file is quarantined during an alert response?

File is immediately forwarded to a threat intelligence platform

Access to the original file is denied to the user

File is permanently deleted

Access to all files in the directory is restricted

A

File is immediately forwarded to a threat intelligence platform

Correct answer

Access to the original file is denied to the user

File is permanently deleted

Your answer is incorrect

Access to all files in the directory is restricted

Overall explanation

OBJ: 4.4 - When a file is quarantined, it is isolated, ensuring the user, or possibly any user, cannot access it. This can be achieved by encrypting the file or moving it to a designated quarantine zone in the file system. While some quarantined files may be analyzed further, quarantine in itself doesn't imply immediate forwarding to another platform. While quarantine can be a preliminary step before deciding to delete a file, they are not synonymous. Quarantine involves isolating the file without removing it completely. Quarantining specifically targets the suspicious or malicious file, not all files in its directory.

For support or reporting issues, include Question ID: 6542da63044af8880896de1f in your ticket. Thank you.

Domain

4.0 - Security Operations
450
Q

Question 90:

What is a fundamental principle behind role-based access control (RBAC) that contributes to an enhanced access control policy?

Allowing all users to access all resources unless explicitly denied.

Assigning permissions to job functions rather than individual users.

Granting temporary permissions that expire after a set period.

Setting user permissions based on their seniority in the company.

A

Allowing all users to access all resources unless explicitly denied.

Correct answer

Assigning permissions to job functions rather than individual users.

Granting temporary permissions that expire after a set period.

Your answer is incorrect

Setting user permissions based on their seniority in the company.

Overall explanation

OBJ: 5.1 - RBAC (Role-based access control) is centered on the idea that permissions are attached to roles, and users are assigned to these roles, thereby inheriting the role's permissions. While seniority might influence the roles assigned to users, RBAC is fundamentally about roles, not hierarchy. Granting temporary permissions that expire after a set period is more related to temporary or just-in-time permissions and not the foundational concept of RBAC. Allowing all users to access all resources unless explicitly denied is more akin to the "permissive by default" approach, which is not the foundation of RBAC.

For support or reporting issues, include Question ID: 65449503740cd21cc514e668 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
451
Q

Question 1:

Which of the following statements BEST explains the importance of SCAP?

SCAP is an intrusion detection system that monitors and analyzes network traffic for potential security breaches

SCAP is a network protocol used for secure data transmission between remote devices, ensuring data confidentiality

SCAP is a cybersecurity framework that enables automated vulnerability assessment and compliance checking

SCAP is a firewall technology that analyzes network traffic and blocks suspicious connections to protect against cyber threats

A

SCAP is an intrusion detection system that monitors and analyzes network traffic for potential security breaches

SCAP is a network protocol used for secure data transmission between remote devices, ensuring data confidentiality

Your answer is correct

SCAP is a cybersecurity framework that enables automated vulnerability assessment and compliance checking

SCAP is a firewall technology that analyzes network traffic and blocks suspicious connections to protect against cyber threats

Overall explanation

OBJ: 4.4 - SCAP (Security Content Automation Protocol) is a cybersecurity framework that combines various security standards, enabling automated vulnerability assessment and compliance checking. It provides a structured approach for evaluating and managing security vulnerabilities and configurations. While intrusion detection systems are valuable for monitoring network traffic for security breaches, SCAP is not an intrusion detection system itself but rather a cybersecurity framework focused on security automation. SCAP is not a network protocol for data transmission; rather, it serves a different purpose related to security automation. While firewalls are essential for network security, SCAP is not a firewall technology but a cybersecurity framework.

For support or reporting issues, include Question ID: 64bfff9722b117b12e6981b0 in your ticket. Thank you.

Domain

4.0 - Security Operations
452
Q

Question 2:

Light Fantastic, a lamp manufacturer, has a factory that is in a floodplain. They have purchased additional flood insurance. Which of the following methods of dealing with risk has the company used?

Risk acceptance

Risk avoidance

Risk mitigation

Risk transference

A

Risk acceptance

Risk avoidance

Risk mitigation

Your answer is correct

Risk transference

Overall explanation

OBJ: 3.1 - Risk transference is a method that involves transferring some or all of the risk associated with an activity or asset to another party, such as an insurance company or a vendor. It can reduce the potential impact or liability for the original party. Risk acceptance is a method that involves acknowledging the existence of a risk and deciding not to take any action to address it, not transferring it to another party. Risk mitigation is a method that involves reducing the impact or likelihood of a risk by implementing controls or countermeasures, not transferring it to another party. Risk avoidance is a method that involves eliminating the possibility of a risk by avoiding the activity or asset that causes it, not transferring it to another party.

For support or reporting issues, include Question ID: 64c0ac777dbcd3f7f7e6d17c in your ticket. Thank you.

Domain

3.0 - Security Architecture
453
Q

Question 3:

Which of the following techniques replaces sensitive data with fictitious, but structurally similar, data to protect it in non-production or test environments?

Encryption

Segmentation

Hashing

Masking

A

Encryption

Segmentation

Hashing

Your answer is correct

Masking

Overall explanation

OBJ 3.3: Masking uses fictitious data or obfuscates original data to protect sensitive data, especially in non-production environments. Hashing transforms data into a string of fixed length; it doesn't use substituted fictitious data. Segmentation refers to dividing a network into smaller parts to control traffic and enhance security; it does not involve the substitution of data. Encryption involves converting data into a code to prevent unauthorized access but does not substitute dummy data.

For support or reporting issues, include Question ID: 64c189d3eb612b1be38074ff in your ticket. Thank you.

Domain

3.0 - Security Architecture
454
Q

Question 4:

You are a security analyst at Dion Training and you discover that an unauthorized device has been connected to the company’s network. As you investigate, you discover that the device was added so the employee could play video games during her breaks. What type of threat actor are you dealing with?

Shadow IT

Unskilled Actor

Nation-state Actor

Insider Threat

A

Correct answer

Shadow IT

Unskilled Actor

Your answer is incorrect

Nation-state Actor

Insider Threat

Overall explanation

OBJ: 2.1 - Shadow IT is a type of threat actor that is the result of unauthorized or unapproved IT systems or devices within an organization. In this case, the device may introduce security risks and compliance issues for an organization, but the employee wasn't intending any harm to the company. An insider threat is a type of threat actor that has authorized access to an organization’s network, systems, or data and has variable resources/funding and level of sophistication/capability depending on their role and position. Insider threats can abuse their authorized access, leak information, sabotage operations, or collaborate with external actors. They intend to harm the company by their actions. Nation-state actors are a type of threat actor that is sponsored by a government or a country's military. They normally have high resources/funding and a high level of sophistication/capability, but they are not a part of the organization they attack. An unskilled threat actor is one that lacks technical expertise or sophistication. Unskilled attackers often launch simple and opportunistic attacks using tools or scripts developed by others. The employee in this case may be unskilled, but the employee didn't attach the device to cause problems for the company.

For support or reporting issues, include Question ID: 64b86cba381e518e73f4166c in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
455
Q

Question 5:

Gekko, a clothing retailer, is concerned about the security of its data center, which houses critical computing resources and sensitive customer information. Carthy has been asked to set up the system that has already been purchased. As he reads the specifications for the device he will be placing in the data center, he notices that the system will need a significant amount of air flow to keep it at the right temperature. He also notices that the data center doors are not adequately secured. Which of the following should Carthy do to ensure that the new system functions properly?

Increase the ventilation in the data center by installing more air filters

Install additional cooling units in the areas that are noted to give off more heat after the device has been set up

Create a heat map before installing the device in the data center

Reinforce the data center doors to improve security and limit airflow

A

Increase the ventilation in the data center by installing more air filters

Your answer is incorrect

Install additional cooling units in the areas that are noted to give off more heat after the device has been set up

Correct answer

Create a heat map before installing the device in the data center

Reinforce the data center doors to improve security and limit airflow

Overall explanation

OBJ 4.1: Creating a heat map is crucial in this scenario. Heat maps provide a visualization of temperature and airflow within the data center facility. Maintaining an optimal temperature is essential to prevent overheating and potential hardware failures, which can lead to data loss or downtime. Adding filters might improve airflow slightly but doesn’t address where cooling is needed most. A heat map provides targeted information for effective airflow management. Adding cooling units after installation may help, but it’s reactive and likely will incur additional cost and time that could have been avoided if planned properly. Creating a heat map beforehand ensures optimal device placement for cooling without requiring additional units. While securing the data center is important, it doesn’t address the airflow needs for temperature control of the new device.

For support or reporting issues, include Question ID: 64b9d81b22afb1a52015a41e in your ticket. Thank you.

Domain

4.0 - Security Operations
456
Q

Question 6:

A company's web application allows users to search for products using a search bar. The search query is then used in a SQL query to fetch relevant products from the database. Additionally, the web application allows users to leave comments on product pages. The comments are displayed on the website without any restrictions. The company's security team is concerned about the risk of SQL injection and XSS attacks. Which of the following security techniques should be applied to address these concerns effectively?

Validating and sanitizing user input for both search and comments

Limiting user access to product pages using strong authentication

Implementing a WAF to monitor and filter network traffic

Enabling HTTPS on the web server to secure data transmission

A

Correct answer

Validating and sanitizing user input for both search and comments

Limiting user access to product pages using strong authentication

Implementing a WAF to monitor and filter network traffic

Enabling HTTPS on the web server to secure data transmission

Overall explanation

OBJ 4.1: Validating and sanitizing user input for both search queries and comments is a crucial security technique to prevent SQL injection (SQLi) and cross-site scripting (XSS) attacks. For SQLi protection, input validation ensures that user-supplied search queries do not include malicious SQL commands that could manipulate the database or expose sensitive information. For XSS protection, sanitization ensures that user-provided comments do not contain malicious scripts that could be executed in other users' browsers, potentially stealing sensitive information or performing unauthorized actions. HTTPS encrypts data during transmission, but it does not protect against attacks that exploit improper handling of user input in the application; therefore, it does not directly address the concerns of SQL injection and cross-site scripting. Implementing a web application firewall (WAF) is a valuable security measure to monitor and filter incoming and outgoing traffic to identify and block potential attacks. However, while a WAF can help in detecting and blocking certain types of attacks, it is not a substitute for proper input validation and sanitization.

Domain

4.0 - Security Operations
457
Q

Question 7:

Safeguard Systems is looking to secure voice communication between its branch offices. Which of the following protocols would provide encryption specifically for voice traffic over IP?

SRTP

ICMP

DHCP

ARP

A

Correct answer

SRTP

ICMP

DHCP

ARP

Overall explanation

OBJ: 1.4 - SRTP (Secure Real-time Transport Protocol) provides encryption, message authentication, and integrity for voice communications over IP. It's designed to protect Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) traffic. DHCP (Dynamic Host Configuration Protocol) is used for assigning dynamic IP addresses to devices on a network. It does not encrypt voice traffic. ARP (Address Resolution Protocol) is used for mapping a 32-bit IP address to a MAC address within a local network, not for encrypting voice traffic. ICMP (Internet Control Message Protocol) is mainly used by operating systems of networked computers to send error messages indicating, for instance, that a requested service is not available. It doesn't handle voice encryption.

Domain

1.0 - General Security Concepts
458
Q

Question 8:

Which of the following statements BEST explains the importance of DLP in the context of vulnerability management?

DLP is a cybersecurity tool that focuses on identifying and blocking malicious software and viruses to prevent data breaches

DLP is a set of techniques and tools for preventing unauthorized transmission of data

DLP is a network security technology that monitors and analyzes network traffic to detect and prevent DDoS attacks

DLP is a data encryption technique used to secure sensitive information stored in databases and cloud environments

A

DLP is a cybersecurity tool that focuses on identifying and blocking malicious software and viruses to prevent data breaches

Correct answer

DLP is a set of techniques and tools for preventing unauthorized transmission of data

DLP is a network security technology that monitors and analyzes network traffic to detect and prevent DDoS attacks

DLP is a data encryption technique used to secure sensitive information stored in databases and cloud environments

Overall explanation

OBJ: 4.4 - DLP involves a set of techniques and tools designed to detect and prevent the unauthorized transmission of sensitive data outside an organization's network, helping to protect valuable data from being leaked or exposed to unauthorized entities. DLP is not primarily focused on monitoring network traffic for DDoS attacks but is related to data protection. While cybersecurity tools are essential for data protection, DLP specifically focuses on preventing data loss and unauthorized data transmission. While data encryption is an important security measure, DLP is not specifically focused on encrypting data in databases and cloud environments but on preventing data loss.

Domain

4.0 - Security Operations
459
Q

Question 9:

Dion Training recently set up a new web server for their e-learning platform. The IT team has been tasked with implementing security measures to mitigate potential attacks. Which of the following practices would be MOST effective for server hardening?

Implementing a least-privilege principle and patch management

Setting up a guest account for all users and guests

Increasing server storage capacity and the number of servers

Identify all software and hardware that is approaching end of life

A

Correct answer

Implementing a least-privilege principle and patch management

Setting up a guest account for all users and guests

Increasing server storage capacity and the number of servers

Identify all software and hardware that is approaching end of life

Overall explanation

OBJ 4.1: Ensuring users only have necessary access limits potential threats. Regularly updating the server software also plays a key role in mitigating vulnerabilities. Identifying all software and hardware that is approaching end of life is a good later step; however, it would not come before addressing software and hardware that is already at end of life, ensuring good patch management, and implementing least privilege. While increasing storage can enhance server performance, it doesn't directly improve server security. Guest accounts can introduce more vulnerabilities. They might provide unnecessary access to unauthorized users, which isn't a best practice.

Domain

4.0 - Security Operations
460
Q

Question 10:

What is the primary purpose of an information security policy?

To establish guidelines for safeguarding data

To define acceptable usage of IT resources

To explain what employees can do with information after they leave the company

To outline the steps for incident response

A

Correct answer

To establish guidelines for safeguarding data

To define acceptable usage of IT resources

To explain what employees can do with information after they leave the company

To outline the steps for incident response

Overall explanation

OBJ: 5.1 - The primary purpose of an information security policy is to establish guidelines and principles for safeguarding an organization's information assets, including sensitive data, intellectual property, and critical systems. It outlines the security controls and practices that must be followed to protect the confidentiality, integrity, and availability of information within the organization. A company may have an employee sign a Non-disclosure Agreement (NDA) when they leave, but this is not a purpose of the information security policy. The primary purpose of an information security policy is not to define acceptable usage of IT resources. That role is fulfilled by the Acceptable Use Policy (AUP), which specifically outlines the rules and guidelines for the appropriate and permitted use of an organization's IT resources. Incident response policies focus on providing a structured approach to identifying, responding to, and mitigating security incidents. That is not the primary purpose of an information security policy.

Domain

5.0 - Security Program Management and Oversight
461
Q

Question 11:

Which of the following is MOST crucial when determining the ongoing supportability of a newly introduced security automation tool in the organization's environment?

Vendor's market presence

Integration capabilities

Availability of skilled personnel

Tool popularity in the market

A

Vendor's market presence

Integration capabilities

Correct answer

Availability of skilled personnel

Tool popularity in the market

Overall explanation

OBJ 4.7: Having team members with the necessary expertise to manage, troubleshoot, and update the tool is vital to ensure its ongoing supportability and secure operations. A vendor's market status might provide insights into the tool's reliability, but it doesn't directly address the tool's supportability. While a tool's market popularity might hint at its effectiveness, it doesn't directly ensure the tool's ongoing supportability in a specific organizational environment. Although integration capabilities can enhance the functionality of a tool, they don't primarily address the tool's ongoing support considerations.

Domain

4.0 - Security Operations
462
Q

Question 12:

Enrique, the IT head at Dion Consultants, received frantic calls from multiple departments. Users reported that their crucial files were encrypted and they were seeing a countdown timer. The message accompanying the timer indicated that unless a certain amount in cryptocurrency was transferred to a specific address before the countdown ended, the decryption key would be destroyed permanently. Which form of malware has MOST likely targeted Dion Consultants?

Crypto-malware ransomware

Screen-locking ransomware

Adware

Rootkit

A

Correct answer

Crypto-malware ransomware

Screen-locking ransomware

Adware

Rootkit

Overall explanation

OBJ: 2.4 - Crypto-malware targets user data by encrypting files and demanding a ransom in return for the decryption key. The symptoms at Dion Consultants (encrypted files with a ransom demand and a countdown timer) are consistent with this type of ransomware. A rootkit is a set of software tools that enables unauthorized access to a computer. While a rootkit can be part of a larger malware package, the specific events don't match the primary behavior of a rootkit. Adware is software that displays unwanted ads on a user's device. This scenario does not describe symptoms of adware. Screen-locking ransomware locks users out of their device and displays threatening messages. The users still had access to their systems but were facing encrypted files, making this type inconsistent with the situation.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
463
Q

Question 13:

Which of the following architecture models involves using a combination of cloud and on-premises resources to deliver services and applications?

Serverless

Virtualization

Decentralized

Hybrid

A

Serverless

Virtualization

Decentralized

Correct answer

Hybrid

Overall explanation

OBJ: 3.1 - Hybrid is an architecture model that involves using a combination of cloud and on-premises resources to deliver services and applications. It can offer benefits such as flexibility, scalability, cost-efficiency, and security. Serverless is an architecture model that involves running code without provisioning or managing servers, not using a combination of cloud and on-premises resources. Decentralized is a network design that distributes the control and authority among multiple nodes or entities, not using a combination of cloud and on-premises resources. Virtualization is a technology that allows creating multiple virtual machines or environments on a single physical device, not using a combination of cloud and on-premises resources.

Domain

3.0 - Security Architecture
464
Q

Question 14:

Which aspect is NOT typically included in key management procedures within encryption standards?

Generation and distribution of keys

Storage and rotation of keys

Procedures for revoking compromised keys

Regularly updating software to support new encryption methods

A

Generation and distribution of keys

Storage and rotation of keys

Procedures for revoking compromised keys

Correct answer

Regularly updating software to support new encryption methods

Overall explanation

OBJ: 5.1 - While important, software updates for new encryption methods are not part of key management. Procedures for revoking compromised keys are a critical part of key management, ensuring that compromised keys are invalidated to prevent unauthorized access. Generation, distribution, storage, and rotation of keys are all aspects of key management, which involves the careful handling of cryptographic keys within a cryptosystem.

Domain

5.0 - Security Program Management and Oversight
465
Q

Question 15:

Which of the following statements regarding certification in the disposal process is NOT true?

Certification of disposal mitigates the risk of unauthorized access or recovery of sensitive data from discarded assets

Certification of disposal verifies that the appropriate sanitization and destruction methods have been applied to the assets

Certification is not necessary if the destruction process was overseen by a staff member

Certificates of disposal should include details of the disposal method, date and time, and responsible personnel

A

Certification of disposal mitigates the risk of unauthorized access or recovery of sensitive data from discarded assets

Certification of disposal verifies that the appropriate sanitization and destruction methods have been applied to the assets

Correct answer

Certification is not necessary if the destruction process was overseen by a staff member

Certificates of disposal should include details of the disposal method, date and time, and responsible personnel

Overall explanation

OBJ 4.2: Even if the destruction process was overseen by a staff member, certification is still a necessary step to formally document and confirm asset disposal. This provides an audit trail, reduces legal risk, and adds an additional layer of data security. Certificates of disposal should indeed contain specific details about the disposal method, the date and time of destruction, and the personnel involved. One primary purpose of certification in the disposal process is to act as verification that suitable sanitization and destruction methods have been applied. Through the certification of disposal, firms can significantly reduce the risk of unauthorized data access or recovery from discarded assets.

Domain

4.0 - Security Operations
466
Q

Question 16:

Which of the following is a monetary penalty imposed as a result of non-compliance with regulations or violations of certain rules or agreements?

Sanction

Fee

Deductible

Fine

A

Sanction

Fee

Deductible

Correct answer

Fine

Overall explanation

OBJ: 5.4 - A fine is a specific monetary penalty levied by an official entity, such as a regulatory body or court, as punishment for an offense or violation. It is typically imposed to deter individuals or organizations from breaching regulations, standards, or contractual agreements. The amount can vary based on the severity and nature of the infraction. A fee refers to a charge or payment for specific services rendered by professionals or organizations. Unlike fines, fees are not penalties; they are agreed-upon costs for services such as consultations, applications, or usage of facilities. A deductible is an agreed-upon amount that an insured individual must pay out-of-pocket before an insurance company will cover the remaining costs of a claim. It represents a portion of the financial responsibility that falls on the policyholder and can vary based on the terms of the insurance policy. A sanction is a broader term that encompasses various penalties or restrictions imposed on individuals or entities for non-compliance or misconduct. While it can include fines, sanctions may also involve trade restrictions, asset freezes, or other punitive measures intended to enforce rules and regulations.

Domain

5.0 - Security Program Management and Oversight
467
Q

Question 17:

Which of the following activities take place during the detection phase in the incident response process?

Identifying and classifying incidents based on their severity and impact to the organization

Determining how long it will take to get affected systems and services to their normal operation after an incident

Limiting contact of the affected device with other devices and looking for the problem on the affected device

Analyzing the evidence and determining the root cause of the incident

A

Correct answer

Identifying and classifying incidents based on their severity and impact to the organization

Determining how long it will take to get affected systems and services to their normal operation after an incident

Limiting contact of the affected device with other devices and looking for the problem on the affected device

Analyzing the evidence and determining the root cause of the incident

Overall explanation

OBJ 4.8: The detection phase in the incident response process involves identifying and classifying incidents based on their severity and impact to the organization. This phase includes using various security monitoring tools, such as intrusion detection systems (IDS) and security information and event management (SIEM) solutions, to detect unusual activities, anomalies, or signs of a potential security incident. Restoring affected systems and services to their normal operation is part of the recovery phase in the incident response process. It occurs after the incident has been contained and mitigated. Analyzing the evidence and determining the root cause of the incident falls under the Recovery and Lessons Learned phase of the incident response process. This phase takes place after the incident has been contained and eradicated, and the organization is working to recover and learn from the incident. Limiting contact with the affected device is part of the containment phase.

Domain

4.0 - Security Operations
468
Q

Question 18:

Ahmed works in the IT department of a healthcare organization. One morning, he opens an email attachment labeled 'urgent patient records.' Shortly after, his files become inaccessible, and a message appears demanding payment in cryptocurrency to restore access. As Ahmed's computer is connected to the network, the malicious software quickly spreads, affecting other systems across the organization. What type of malware has MOST likely infected Ahmed's system?

Spyware

Worm

Ransomware

Adware

A

Spyware

Worm

Correct answer

Ransomware

Adware

Overall explanation

OBJ 2.4 - The malware that most likely infected Ahmed's system is ransomware. Ransomware works by encrypting files on an infected system and demanding payment for the decryption key. In this scenario, Ahmed unknowingly triggered the ransomware by opening a malicious email attachment labeled "urgent patient records." Once activated, the ransomware encrypted his files and spread through the network, affecting other systems. Unlike worms, which replicate themselves to spread but don't typically demand payment, adware, which displays unwanted ads, or spyware, which silently collects information, ransomware's main characteristic is to lock users out of their data until a ransom is paid.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
469
Q

Question 19:

Which mitigation technique is most effective in ensuring that different network components are isolated to prevent potential breaches from spreading?

Data encryption

Antivirus software

Network segmentation

VPN (Virtual Private Network)

A

Data encryption

Antivirus software

Correct answer

Network segmentation

VPN (Virtual Private Network)

Overall explanation

OBJ 2.5 - Network segmentation is the most effective technique because it involves dividing the network into smaller, isolated sections to limit the spread of a breach if one segment is compromised. Data encryption protects data from being readable if intercepted but doesn't isolate network components. Antivirus software protects against malware but doesn't prevent breaches from spreading across a network. A VPN secures data in transit but does not isolate network components.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
470
Q

Question 20:

Which of the following hardening techniques can help prevent buffer overflow attacks on a system or device by using software that can detect and prevent any attempts to write data beyond the allocated memory space of a program?

Disabling ports and protocols

Isolation

Removal of unnecessary software

Host-based intrusion prevention system (HIPS)

A

Disabling ports and protocols

Isolation

Removal of unnecessary software

Correct answer

Host-based intrusion prevention system (HIPS)

Overall explanation

OBJ: 2.5 - Using a Host-based Intrusion Prevention System (HIPS) is a hardening technique that can help prevent attacks from occurring. It is software that is installed on a system or device to detect and prevent unauthorized actions like file modifications and registry changes. Because it can detect and prevent attempts to write data, it can detect and prevent a buffer overflow attack. Removal of unnecessary software is a hardening technique that can help reduce the attack surface of systems and devices by removing unused or unneeded software. The more software that is on a system, the more exposure there is to vulnerabilities. If the software is not needed or used, there is no purpose in having extra exposure to vulnerabilities. This will not prevent a buffer overflow attack. Disabling ports and protocols is a hardening technique that can help reduce exposure to potential attacks. This can be done on firewalls, switches, routers, and hosts to close or block any network ports or protocols that aren't needed for the normal operation of the systems and devices. Ports are numerical identifiers that specify the destination or source of network traffic, and protocols are rules or standards that define how network traffic is formatted or transmitted. This will not prevent a buffer overflow attack. Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network, but cannot prevent a buffer overflow attack.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
471
Q

Question 21:

Which of the following BEST describes the primary objective of external compliance reporting?

To share compliance information with the organization's management.

To report compliance status to the public and stakeholders.

To conduct audits for compliance purposes.

To request acknowledgement from data subjects for compliance purposes.

A

To share compliance information with the organization's management.

Correct answer

To report compliance status to the public and stakeholders.

To conduct audits for compliance purposes.

To request acknowledgement from data subjects for compliance purposes.

Overall explanation

OBJ: 5.4 - External compliance reporting involves disclosing the company's compliance status, activities, and efforts to the public, stakeholders, regulatory authorities, and other external entities. This transparency fosters trust and accountability. Requesting acknowledgment from data subjects is more aligned with obtaining consent for data processing rather than external compliance reporting. Internal audits are conducted within the organization to assess compliance with policies and procedures. External compliance reporting is not aimed at sharing compliance information with the organization's management.

Domain

5.0 - Security Program Management and Oversight
472
Q

Question 22:

Which of the following statements BEST explains the importance of Root Cause Analysis in incident response?

Root Cause Analysis helps to understand how the incident occurred and how to prevent similar incidents in the future

Root Cause Analysis helps determine how severe an incident would be and how it would impact the organization

Root Cause Analysis determines the individuals or groups responsible for the incident and helps in legal proceedings

Root Cause Analysis involves removing the root cause of the incident from affected systems and networks to prevent its recurrence

A

Correct answer

Root Cause Analysis helps to understand how the incident occurred and how to prevent similar incidents in the future

Root Cause Analysis helps determine how severe an incident would be and how it would impact the organization

Root Cause Analysis determines the individuals or groups responsible for the incident and helps in legal proceedings

Root Cause Analysis involves removing the root cause of the incident from affected systems and networks to prevent its recurrence

Overall explanation

OBJ 4.8: Root Cause Analysis is crucial in incident response as it helps to understand how the incident occurred, what vulnerabilities were exploited, and how to prevent similar incidents in the future. By identifying the root cause, organizations can address underlying weaknesses in their security measures and implement necessary improvements to enhance their overall security posture. While identifying the individuals or groups responsible for the incident might be valuable for legal proceedings, Root Cause Analysis is primarily focused on understanding how the incident occurred and how to prevent similar incidents in the future. Removing the root cause of the incident to prevent recurrence is part of the eradication phase in the incident response process, not the primary purpose of Root Cause Analysis. Root Cause Analysis is not primarily focused on identifying and classifying incidents based on their severity and impact. That activity is part of the Detection phase in the incident response process.

Domain

4.0 - Security Operations
473
Q

Question 23:

Kelly Innovations LLC is setting up a secure network environment where administrators can manage multiple servers without directly connecting to them. Which of the following would BEST suit this requirement?

Jump server

Firewall

VPN

Proxy server

A

Correct answer

Jump server

Firewall

VPN

Proxy server

Overall explanation

OBJ 3.2: A jump server, also known as a jump host, acts as an intermediary server through which administrators can connect to other servers. This layer provides a controlled means of access, reducing the exposure of the underlying infrastructure. A proxy server primarily serves as an intermediary for requests from clients seeking resources from other servers. While it does act as a go-between, its main focus isn't administrative access but rather controlling and optimizing internet usage. Virtual Private Networks (VPNs) are more about securing connections, whereas a jump server is specifically designed for controlled administrative access and centralized management of servers. A firewall filters incoming and outgoing network traffic based on an organization's previously configured policies. It is not designed to provide an intermediary access point for administrators.

Domain

3.0 - Security Architecture
474
Q

Question 24:

Which term relates to the complexity of a threat actor's methods and operations?

Capability

Resources

Sophistication

Funding

A

Capability

Resources

Correct answer

Sophistication

Funding

Overall explanation

OBJ: 2.1 - Sophistication refers to the intricacy and advancement of a threat actor's tactics, techniques, and procedures. More sophisticated threat actor groups possess customized attack tools and have access to skilled personnel, such as strategists and hackers. Capability pertains to a threat actor's ability to devise new exploits and tools. It doesn't necessarily denote the intricacy of their methods. Funding is the financial backing for threat actors, enabling them to secure resources. It doesn't signify the complexity of their operations. Resources refer to the tools and personnel that a threat actor can deploy. They don't indicate the complexity of their methods.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
475
Q

Question 25:

Cyberdud is a global non-profit organization dedicated to making internet access a reality throughout the world. Company officials are concerned about whether the network infrastructure can ensure data confidentiality and protect sensitive information when it is being sent to Cyberdud's many international locations. Which of the following network devices would be the MOST suitable for the organization to enhance security?

Switches

Bridges

Hubs

Routers

A

Switches

Bridges

Your answer is incorrect

Hubs

Correct answer

Routers

Overall explanation

OBJ 4.1: Routers are designed to securely direct data between different networks, including office locations, by operating at the network layer (Layer 3) of the OSI model. They can implement access control policies and use routing protocols to ensure data confidentiality, making them ideal for securely connecting office locations and managing inter-network traffic. Switches and bridges operate at the data link layer (Layer 2) and are suitable for internal network traffic but lack the routing capabilities and access controls needed for secure inter-office data transmission. Hubs operate at the physical layer (Layer 1), broadcasting data to all connected devices without security features, making them unsuitable for secure data transmission across locations.

For support or reporting issues, include Question ID: 64ba862c8d7e744880c59591 in your ticket. Thank you.

Domain

4.0 - Security Operations
476
Q

Question 26:

Globex Corporation is looking to enter into a long-term business relationship with a vendor to provide IT services. They want to establish the general terms and conditions that will apply to future agreements with the vendor. Which type of agreement do they want to set up?

MSA

MOU

SOW

SLA

A

Correct answer

MSA

MOU

SOW

Your answer is incorrect

SLA

Overall explanation

OBJ: 5.3 - A Master Service Agreement (MSA) is precisely designed to establish the overall framework for a long-term business relationship between an organization and a vendor. It provides a foundation for future agreements and contracts by outlining general terms, conditions, and responsibilities. A Memorandum of Understanding (MOU) is a non-binding document used to express mutual understanding and intentions between parties. It is not typically suitable for establishing a formal framework for a long-term business relationship. A Service-level Agreement (SLA) typically outlines specific performance metrics, service levels, and responsibilities for ongoing services, rather than establishing an overall framework for a long-term relationship. A Work Order (WO) or Statement of Work (SOW) is a document used to specify the specific tasks, deliverables, and timelines for a particular project or service. It is not intended to establish an overall framework for a long-term relationship.

For support or reporting issues, include Question ID: 64bb403a48f9d4fbc1cdd403 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
477
Q

Question 27:

In a Zero Trust model, which of the following principles best describes how access is granted to resources?

Least Privilege

Implicit Trust

Trust but Verify

Role-based Access Control

A

Correct answer

Least Privilege

Implicit Trust

Trust but Verify

Your answer is incorrect

Role-based Access Control

Overall explanation

OBJ 1.2 - In a Zero Trust model, access is granted based on the principle of least privilege, meaning users receive only the minimum access necessary to perform their tasks, with no entity trusted by default and access continually verified. In contrast, implicit trust does not align with Zero Trust, as it assumes trust without continuous verification. Role-based access control assigns permissions based on roles rather than strictly minimizing access, which may grant unnecessary privileges. "Trust but verify" partially aligns but still implies some initial trust, whereas Zero Trust requires verification at all times without assumption of trust.

For support or reporting issues, include Question ID: 6720fe24e8b5ca200ac6383c in your ticket. Thank you.

Domain

1.0 - General Security Concepts
478
Q

Question 28:

Which of the following aspects is NOT typically addressed in a Business Partnership Agreement (BPA) between two collaborating entities?

Responsibilities for software updates

Exit strategies

Profit-sharing arrangements

Ownership of intellectual property

A

Correct answer

Responsibilities for software updates

Exit strategies

Profit-sharing arrangements

Your answer is incorrect

Ownership of intellectual property

Overall explanation

OBJ 5.3: A Business Partnership Agreement (BPA) or Joint Venture Agreement (JV) primarily focuses on essential aspects of the business relationship between two entities, including profit-sharing arrangements, ownership of intellectual property, and strategies for ending the partnership if necessary. These elements help to clarify roles, responsibilities, and financial distributions between the partners. However, software update responsibilities are generally a part of technical support or service-level agreements (SLAs) and are not a common component of BPAs.

For support or reporting issues, include Question ID: 65497c8766eb6419b9e435d9 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
479
Q

Question 29:

Which of the following scenarios MOST exemplifies a business email compromise?

An email from a coworker asking to review an attached invoice.

Spotting a pop-up on a website asking for credit card details.

A CEO's request to finance to wire money urgently.

Receiving spam email about a lottery win.

A

An email from a coworker asking to review an attached invoice.

Spotting a pop-up on a website asking for credit card details.

Correct answer

A CEO's request to finance to wire money urgently.

Your answer is incorrect

Receiving spam email about a lottery win.

Overall explanation

OBJ: 2.2 - A CEO's request to finance to wire money urgently is a classic example of a business email compromise (BEC). In this type of attack, cybercriminals impersonate executives or other key personnel in an organization. They craft persuasive emails directed towards employees, often in financial departments, tricking them into transferring money or revealing confidential data. A pop-up on a website asking for credit card details is a web-based scam designed to trick users into divulging their personal or financial information. These malicious pop-ups can appear on compromised websites or be the result of malware on a user's system. An email from a coworker asking to review an attached invoice might seem like a potential business email compromise, especially if the coworker doesn't typically send invoices. However, it's more indicative of a spear phishing attempt or malicious attachment scheme. The emphasis here is on the malicious payload in the attachment, rather than the deceptive request for funds or information typically seen in BEC. Receiving spam email about a lottery win is a widespread form of email spam that casts a wide net, hoping to lure in gullible recipients. These messages often promise large financial rewards or incredible offers, but they don't typically target businesses specifically.

For support or reporting issues, include Question ID: 652628b4723d18e5d53a3714 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
480
Q

Question 30:

Reed, an IT manager at Kelly Innovations LLC, found out that a popular password-cracking tool was easily deciphering many user passwords. He suspects this is due to users relying on easily guessable patterns and words. What is the BEST approach for Reed to ensure that passwords are not easily decipherable?

Implementing multi-factor authentication

Mandating increased complexity in passwords

Switching to a different encryption algorithm for stored passwords

Increasing the frequency of mandatory password changes

A

Implementing multi-factor authentication

Correct answer

Mandating increased complexity in passwords

Your answer is incorrect

Switching to a different encryption algorithm for stored passwords

Increasing the frequency of mandatory password changes

Overall explanation

OBJ 4.6: Mandating increased complexity forces users to incorporate a variety of characters, which decreases the predictability of passwords and makes them harder to crack. Frequent password changes can lead to user fatigue and might not ensure complexity in chosen passwords. While important for overall security, changing encryption algorithms won't necessarily make individual passwords more complex. Though MFA greatly improves account security, it doesn't guarantee that the password component is complex.

For support or reporting issues, include Question ID: 654442e2d7728cf5f6ef528f in your ticket. Thank you.

Domain

4.0 - Security Operations
481
Q

Question 31:

What is one potential technical implication of failing to update legacy applications in a secure environment?

Increased compatibility with modern systems

Automatic compliance with new security policies

Elevated risk of security vulnerabilities

Faster system performance

A

Increased compatibility with modern systems

Automatic compliance with new security policies

Correct answer

Elevated risk of security vulnerabilities

Your answer is incorrect

Faster system performance

Overall explanation

OBJ 1.3 - Failing to update legacy applications in a secure environment can lead to an elevated risk of security vulnerabilities. These outdated applications often have unpatched weaknesses that attackers can exploit, potentially compromising the entire system's security. Unlike updated applications, legacy ones lack compatibility with modern security standards and may not support new protective measures, making them high-risk. This lack of updates does not improve performance, nor does it automatically align with current security policies, as legacy software often falls behind in meeting modern compliance requirements.

For support or reporting issues, include Question ID: 67211017d248d95fc8ca817a in your ticket. Thank you.

Domain

1.0 - General Security Concepts
482
Q

Question 32:

To ensure compliance with international data protection laws and safeguard clients' confidential legal details, which of the following strategies would be BEST for a multinational law firm to adopt?

Obtaining an ISO 27001 certification

Implementation of GDPR-compliant data handling practices

Adoption of local server storage systems

Utilization of end-to-end encrypted email platforms

A

Obtaining an ISO 27001 certification

Correct answer

Implementation of GDPR-compliant data handling practices

Adoption of local server storage systems

Your answer is incorrect

Utilization of end-to-end encrypted email platforms

Overall explanation

OBJ 3.3: Implementation of GDPR-compliant data handling practices ensures adherence to the European Union's privacy standards and respects client data rights. While GDPR is a European Union law, it applies to all businesses that handle European Union citizens' data. Since a multinational law firm is likely to have at least some interactions with European Union citizens, it is best to implement GDPR-compliant data handling practices. The protections within the GDPR are enforced by the EU's Data Protection Authorities, and non-compliance can result in fines. This means that it is far more likely that compliance will be ensured. The ISO 27001 certification is an international standard for information security management but doesn't guarantee that the clients' data will be protected. ISO 27001 doesn't have an enforcement arm or any penalty for non-compliance. Utilization of end-to-end encrypted email platforms provides secure email communication but lacks a comprehensive approach to data handling compliance. Adoption of local server storage systems allows in-house storage of data but lacks robust international data protection mechanisms.

For support or reporting issues, include Question ID: 652d64d836163d371aee5605 in your ticket. Thank you.

Domain

3.0 - Security Architecture
483
Q

Question 33:

Which of the following statements is NOT true about the Dark Web?

All content available on the Dark Web is illegal and harmful

The Dark Web often serves as a marketplace for illicit activities due to its anonymity

Specialized software, such as Tor, is typically required to access the Dark Web

The Dark Web is part of the Deep Web that is intentionally hidden and is inaccessible through standard web browsers

A

Correct answer

All content available on the Dark Web is illegal and harmful

The Dark Web often serves as a marketplace for illicit activities due to its anonymity

Specialized software, such as Tor, is typically required to access the Dark Web

Your answer is incorrect

The Dark Web is part of the Deep Web that is intentionally hidden and is inaccessible through standard web browsers

Overall explanation

OBJ 4.3: While the Dark Web does contain a lot of illegal activity and content, it isn't accurate to claim that all content on the Dark Web is illegal or harmful. The Dark Web also hosts legal and innocuous content. Specialized software like Tor is typically required to access the Dark Web, providing anonymity to its users. The Dark Web is a subset of the Deep Web, intentionally hidden and usually inaccessible through standard web browsers. The Dark Web is often associated with illicit activities due to the anonymity it can offer to its users.

For support or reporting issues, include Question ID: 64c0080d6a30e285d74863bd in your ticket. Thank you.

Domain

4.0 - Security Operations
484
Q

Question 34:

Which of the following statements BEST explains the importance of the workforce multiplier?

Workforce multiplier enables organizations to rapidly scale their security capabilities using a combination of human and automated resources

Leveraging the workforce multiplier allows organizations to replace manual security tasks with automated processes, improving efficiency

The workforce multiplier limits the scope of security incidents by rapidly deploying virtual firewalls, preventing them from affecting a large number of users

The workforce multiplier reduces the need for highly skilled and credentialed cybersecurity professionals, resulting in cost savings for the organization

A

Correct answer

Workforce multiplier enables organizations to rapidly scale their security capabilities using a combination of human and automated resources

Leveraging the workforce multiplier allows organizations to replace manual security tasks with automated processes, improving efficiency

Your answer is incorrect

The workforce multiplier limits the scope of security incidents by rapidly deploying virtual firewalls, preventing them from affecting a large number of users

The workforce multiplier reduces the need for highly skilled and credentialed cybersecurity professionals, resulting in cost savings for the organization

Overall explanation

OBJ 4.7: The workforce multiplier refers to the ability to scale and amplify the effectiveness of the security team by combining the efforts of human professionals with automation and orchestration. This combination allows the organization to handle a larger volume of security tasks and incidents, thus enhancing their security capabilities. The workforce multiplier is not about reducing the need for skilled cybersecurity professionals. Instead, it is focused on augmenting the capabilities of the existing workforce with automation and orchestration, allowing them to accomplish more tasks efficiently. The workforce multiplier does involve automating certain security tasks, which can lead to improved efficiency. However, it is not just about replacing manual tasks but also about leveraging automation to enhance the overall capabilities of the security team. The workforce multiplier is not about limiting the scope of security incidents or deploying virtual firewalls.

For support or reporting issues, include Question ID: 64c01b078fd12d0a4bc0baa0 in your ticket. Thank you.

Domain

4.0 - Security Operations
485
Q

Question 35:

Dion Training has recently implemented a new web portal for their customers. During a routine security review, the IT team notices that some suspicious activities have been logged. An unknown user attempted to access the system with a strange pattern: when requesting a particular user file, instead of the usual URL structure ( /users/[username]/profile ) the system registered requests like ( /users/../admin/config ). Within a short span of time, several such patterns were identified, each trying to reach different sensitive files and directories. Given this information, which of the following types of attack is the user MOST likely attempting?

Attempting to escalate their privileges on the system.

Attempting to access files outside of intended directories.

Attempting to exploit a buffer overflow vulnerability.

Attempting to inject malicious scripts into the system.

A

Attempting to escalate their privileges on the system.

Your answer is correct

Attempting to access files outside of intended directories.

Attempting to exploit a buffer overflow vulnerability.

Attempting to inject malicious scripts into the system.

Overall explanation

OBJ: 2.4 - This scenario is a classic example of directory traversal. The described activities are consistent with an attacker trying to move up the directory structure and access files or directories they shouldn't. This often involves navigating directories in ways the system didn't intend. Injection attacks usually involve inputting malicious data into a system with the intent that it will be executed. The scenario described does not suggest data is being executed or run; rather, it's an attempt to navigate to unintended areas. Buffer overflow attacks involve overloading a system's memory buffer to cause it to crash or to insert malicious code. The activities described in the scenario are more about navigating the file system than overwhelming it. Privilege escalation attacks aim to gain elevated access to resources that are normally protected from an application or user. While this might be an outcome or a motive, the method described here doesn't necessarily represent this type of attack.

For support or reporting issues, include Question ID: 6527e516fca22485d224f0dd in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
486
Q

Question 36:

Kelly Innovations LLC recently discovered that a significant number of employees have been using the same password for their work accounts for over a year. The IT department believes this might be contributing to a higher risk of unauthorized account access, especially if any employee's password was previously compromised. What would be the BEST strategy to regularly prompt employees to update their credentials?

Increase password complexity requirements

Set a password expiration policy

Implement biometric authentication

Mandate periodic security training

A

Increase password complexity requirements

Correct answer

Set a password expiration policy

Your answer is incorrect

Implement biometric authentication

Mandate periodic security training

Overall explanation

OBJ 4.6: A password expiration policy regularly forces users to change their passwords, ensuring that even if passwords are compromised, they are only valid for a limited period. Although secure, implementing biometric authentication does not address the issue of stale passwords. Training is beneficial but doesn't enforce password changes directly. While increasing password complexity requirements improves password strength, it doesn't encourage regular changes.

For support or reporting issues, include Question ID: 6544483cd7728cf5f6ef5299 in your ticket. Thank you.

Domain

4.0 - Security Operations
487
Q

Question 37:

Which of the following practices involves considering future infrastructure needs to ensure that systems can accommodate expected workloads without compromising performance or availability?

Disaster recovery planning

System hardening

Technology forecasting

Patch management

A

Disaster recovery planning

System hardening

Correct answer

Technology forecasting

Your answer is incorrect

Patch management

Overall explanation

OBJ 3.4: Technology forecasting focuses on predicting the future needs of technology infrastructure. By understanding growth trends and user demands, organizations can proactively scale and adapt their systems to meet the rising challenges without sacrificing performance. Patch management is the process of applying updates to software and systems, which often fix security vulnerabilities or enhance performance but do not directly forecast infrastructure growth needs. While vital for ensuring system continuity after adverse events, disaster recovery planning primarily revolves around data restoration and system failover rather than accommodating future workload increases. System hardening emphasizes enhancing the security of systems by reducing vulnerabilities and potential attack vectors. Hardening is crucial for maintaining the integrity and confidentiality of data, but it doesn't directly address scalability.

For support or reporting issues, include Question ID: 64c1a39abbc49fb66931eb08 in your ticket. Thank you.

Domain

3.0 - Security Architecture
488
Q

Question 38:

Which of the following represents a valid format for a CVE identifier?

2022-12345

2022-Vulnerability Name

10.0-AV:N/AC:L/PR:N/UI:N

22-0123

A

Correct answer

2022-12345

2022-Vulnerability Name

10.0-AV:N/AC:L/PR:N/UI:N

Your answer is incorrect

22-0123

Overall explanation

OBJ 4.3: A CVE identifier follows a format of "CVE" followed by a year and a sequence of numbers. 2022-12345 is a correct representation of a CVE identifier. 10.0-AV:N/AC:L/PR:N/UI:N represents a CVSS scoring vector, detailing the metrics of a vulnerability. It is not a CVE identifier. The 22-0123 format is incorrect. While 2022-Vulnerability Name contains elements of a CVE identifier, it doesn't follow the standardized format used in the cybersecurity industry.

For support or reporting issues, include Question ID: 6542d6c298ddb5af76a3f308 in your ticket. Thank you.

Domain

4.0 - Security Operations
489
Q

Question 39:

Which of the following hardening techniques is MOST effective in preventing easy cracking of passwords through the use of dictionaries?

Disabling ports and protocols

Device Isolation

Installation of endpoint protection

Default password changes

A

Disabling ports and protocols

Device Isolation

Installation of endpoint protection

Your answer is correct

Default password changes

Overall explanation

OBJ: 2.5 - Default password changes is a hardening technique that can help prevent some password attacks on systems and devices. This is done by changing the default or factory-set passwords that may be easily cracked by automated tools or dictionaries because they are often reused or drawn from a small pool of passwords. Password managers, password generators, and security policies can be used to create and enforce the use of strong and unique passwords for each system and device. Installation of endpoint protection includes installing antivirus, anti-malware, and firewall software on systems or devices. This software helps protect systems and devices from known vulnerabilities. It may detect attempts to crack passwords, but changing the default passwords of devices is more effective in preventing dictionary attacks. Device isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network. It will make the system inaccessible, but doesn't specifically prevent dictionary attacks. Disabling ports and protocols is a hardening technique that can help reduce exposure to potential attacks. This can be done on firewalls, switches, routers, and hosts to close or block any network ports or protocols that aren't needed for the normal operation of the systems and devices. Ports are numerical identifiers that specify the destination or source of network traffic, and protocols are rules or standards that define how network traffic is formatted or transmitted. This is a good hardening technique, but won't help prevent dictionary attacks.

For support or reporting issues, include Question ID: 64beeb4ff8527afa826c3ba6 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
490
Q

Question 40:

Barzun, a security engineer, is testing new software and discovers a vulnerability that allows users to easily gain root-level access on devices running the software. Which of the following types of application attacks BEST describes this issue?

Injection

Buffer overflow

Replay

Privilege escalation

A

Injection

Buffer overflow

Replay

Your answer is correct

Privilege escalation

Overall explanation

OBJ: 2.4 - A privilege escalation attack is a type of application attack that involves exploiting a vulnerability or misconfiguration to gain higher privileges or access than intended on a system or application. A buffer overflow attack is a type of application attack that involves sending more data than expected to a function, causing it to overwrite adjacent memory locations and execute arbitrary code. An injection attack is a type of application attack that involves inserting malicious code or commands into an application or database to execute unauthorized actions or access sensitive data. A replay attack is a type of application attack that involves capturing and retransmitting data, such as authentication tokens or credentials, to impersonate a legitimate user or session.

For support or reporting issues, include Question ID: 64bccd782b7b93bd3fe763ab in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
491
Q

Question 41:

Trent has been put in charge of checking his company's vendors to ensure they are complying with the security levels that are contained in the contracts. He evaluates their security on a regular basis to ensure continued compliance. Which of the following is now part of Trent's duties?

Vendor monitoring

Vendor selection

Vendor assessment

Compliance Reporting

A

Correct answer

Vendor monitoring

Vendor selection

Vendor assessment

Your answer is incorrect

Compliance Reporting

Overall explanation

OBJ: 5.3 - Vendor monitoring is the practice of continuously evaluating a vendor's security performance and compliance with contractual requirements after the vendor has been selected. Vendor assessment is the process of evaluating a vendor's security measures and vulnerabilities to ensure they meet the organization's requirements. It is generally done before choosing a vendor or on a periodic basis (once a year, once every two years, etc.) and not on a continual basis. Continual evaluations are referred to as monitoring, not assessing. Vendor selection is the process of evaluating and selecting vendors based on their ability to meet security and performance requirements. This is done at the time the vendor is chosen and not on a continual basis. Compliance reporting involves showing that a company is complying with laws and regulations that apply to the company. In this case, Trent is evaluating security levels in a contract, not laws and regulations.

For support or reporting issues, include Question ID: 64bb3e4c99b63f15eee0cd01 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
492
Q

Question 42:

Sydney, Norman, and Graeme, a law firm, wants to implement a process that might require that all modifications to their security plans be reviewed by an advisory board and approved by a senior manager before being implemented. What is an example of this process?

Change management

Backout Plan

Ownership

Impact analysis

A

Correct answer

Change management

Backout Plan

Ownership

Your answer is incorrect

Impact analysis

Overall explanation

OBJ: 1.3 - Change management is the process for reviewing and authorizing changes to IT systems in order to ensure that all changes are properly reviewed and authorized before being implemented. An example of this process might be that all changes are reviewed by a change advisory board and approved by a senior manager before being implemented. Ownership refers to the individual or group responsible for managing a particular IT system or component. A Backout Plan is designed to address a situation in which a change has begun but cannot be completed. It is part of Change Management. Impact analysis is the process of assessing the potential impact of a change on the IT systems and the business.

For support or reporting issues, include Question ID: 64c136931628abf48a217244 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
493
Q

Question 43:

Which mitigation technique involves the use of tools like Nagios or Splunk to continuously observe and check the operation of a system or network?

Patching

Monitoring

Hardening techniques

Segmentation

A

Patching

Correct answer

Monitoring

Hardening techniques

Your answer is incorrect

Segmentation

Overall explanation

OBJ: 2.5 - Monitoring, the continuous observation and checking of system or network operations, often involves tools like Nagios or Splunk to ensure functionality and security. Segmentation divides a network into different parts or segments for security and performance enhancement, but does not specifically use observation tools like Nagios or Splunk. Implementing hardening techniques to secure a system, which might include many methods, doesn't inherently imply the use of Nagios or Splunk. Patching is the act of updating or fixing software to address vulnerabilities, but it is not about continuous observation using specific tools.

For support or reporting issues, include Question ID: 652a01ed2581316a0499f7d6 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
494
Q

Question 44:

Mary is concerned about the security of her online accounts. She reads about a device she can carry with her, which, when inserted or tapped on her computer or phone, provides a higher level of authentication assurance. Which of the following BEST describes what she is considering?

QR code scanners

Biometric cards

Physical security keys

Software-based certificates

A

QR code scanners

Biometric cards

Correct answer

Physical security keys

Your answer is incorrect

Software-based certificates

Overall explanation

OBJ 4.6: Physical security keys are hardware devices, often in the form of USB sticks or NFC devices, that provide strong two-factor authentication. While software-based certificates can enhance security, they are digital certificates stored on devices and not physical keys. While QR codes can be used for authentication, they don't involve inserting or tapping a device. Biometric cards use a person's unique biological characteristics for access but are not typically inserted or tapped on devices.

For support or reporting issues, include Question ID: 65445edc7212fab5e7fd6427 in your ticket. Thank you.

Domain

4.0 - Security Operations
495
Q

Question 45:

Which of the following is a type of message-based attack that involves sending fraudulent voice calls to trick recipients into revealing sensitive information or performing certain actions?

Smishing

Phishing

IM

Vishing

A

Smishing

Phishing

IM

Your answer is correct

Vishing

Overall explanation

OBJ: 2.2 - Vishing is a type of message-based attack that involves sending fraudulent voice calls to trick recipients into revealing sensitive information or performing certain actions. Phishing is a type of message-based attack that involves sending fraudulent emails to trick recipients into revealing sensitive information or clicking on malicious links. Smishing is a type of message-based attack that involves sending fraudulent text messages to trick recipients into revealing sensitive information or clicking on malicious links. IM is a type of message-based attack that involves sending fraudulent instant messages to trick recipients into revealing sensitive information or clicking on malicious links.

For support or reporting issues, include Question ID: 64b9b6b4e049cd39a39ae396 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 46: Which of the following is a common consequence of a Cross-site scripting (XSS) attack?
Theft of user session data
Alteration of database record
Execution of unauthorized commands on the server
Denial of service for legitimate users
Correct answer: Theft of user session data
Overall explanation (OBJ 2.3): A common consequence of a Cross-site scripting (XSS) attack is the theft of user session data. In an XSS attack, malicious scripts are executed within a user's browser, allowing attackers to access session cookies, tokens, or other sensitive data associated with the user's session. This stolen data can then be used to hijack the user's session or impersonate them. Unlike alteration of database records or execution of unauthorized commands on the server, which involve direct server manipulation, XSS targets client-side data. Denial of service is also unrelated, as XSS does not aim to disrupt access for legitimate users but rather to capture sensitive information from them.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations

Question 47: Eagle Eyes, a data management company, is restructuring its data governance policies to ensure proper handling and protection of sensitive information. They have appointed Abdul as their data custodian. What will Abdul's primary responsibility be?
To manage and control access to data
To ensure the integrity and confidentiality of data
To process and manipulate data on behalf of the data controller
To establish data ownership and control
Correct answer: To manage and control access to data
Overall explanation (OBJ 5.1): Data custodians/stewards are responsible for managing and controlling access to data based on the permissions and access rights defined by the data owner or data controller. They ensure that only authorized individuals can access and use specific data. Data processors are responsible for processing and manipulating data on behalf of the data controller. They perform tasks according to the instructions given by the data controller, whereas data custodians/stewards focus on data access management and data security. While data custodians/stewards play a role in safeguarding data integrity and confidentiality, their primary responsibility is managing access to data. The responsibility for ensuring data integrity and confidentiality may be shared among different roles within an organization's data governance structure. Data ownership and control typically lie with the data owner, who is responsible for making decisions about how data is used and managed. Data custodians/stewards are not primarily responsible for establishing data ownership and control.
Domain: 5.0 - Security Program Management and Oversight

Question 48: Which of the following motivations refers to the act of stealing information from a system or network?
Data exfiltration
Disruption/chaos
Ethical motivations
Service disruption
Correct answer: Data exfiltration
Overall explanation (OBJ 2.1): Data exfiltration refers to the act of stealing sensitive or confidential data from a system or network. Data exfiltration can be done for financial gain, espionage, blackmail, or other purposes. If an attacker is motivated by wanting to cause disruption or chaos, she will want to create fear or panic. She might also want to slow down or stop interactions between an organization and its clients. Stealing information is less likely to cause these problems than attacks such as denial of service or ransomware. Service disruption refers to the act of impairing or interrupting the availability or functionality of a system or network. Service disruption can be done as a form of protest, sabotage, or diversion of resources, or it can be used to gain money through ransom. Attackers with ethical motivations will attack an organization that acts unjustly or improperly. There are many ways in which the attackers can publicize the unjust or improper actions, but data exfiltration is not as likely as defacement or other actions.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations

Question 49: You receive a text message from your bank asking you to confirm your account details and PIN by clicking on a link. The message looks legitimate, but you are suspicious. What type of attack might this be an example of?
Typo squatting
Smishing
Phishing
Vishing
Correct answer: Smishing
Overall explanation (OBJ 2.2): Smishing is a form of social engineering that uses SMS messages to trick users into revealing sensitive information or clicking on malicious links. Vishing is a form of social engineering that uses voice calls to trick users into revealing sensitive information or performing actions. Typo squatting is a form of cyberattack that involves registering domain names that are similar to legitimate ones, but with typos or misspellings, to deceive users or redirect traffic. Phishing is a form of social engineering that uses email messages to trick users into revealing sensitive information or clicking on malicious links.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations

Question 50: When implementing changes in an IT system, which practice highlights the importance of attempting a trial run of the most significant or major changes before full implementation?
Business continuity planning
Network segmentation policy
Change management practices
Incident response protocol
Correct answer: Change management practices
Overall explanation (OBJ 5.1): Effective change management emphasizes the controlled and planned implementation of changes. Performing a trial run of major changes before a full-scale rollout helps gauge potential impacts and ensures smoother transitions. Business continuity planning refers to the processes and procedures an organization implements to ensure that essential functions can continue during and after a disaster. While it might involve change implementation, its primary focus isn't on trialing those changes. While network segmentation divides a network into multiple segments for security and performance benefits, it does not dictate procedures for implementing changes or trying them out before full-scale deployment. While incident response deals with managing and responding to security incidents, it doesn't inherently involve trialing changes before implementation.
Domain: 5.0 - Security Program Management and Oversight

Question 51: In the Zero Trust model, which component primarily ensures the correct and efficient transmission of data once access decisions have been made?
Control Plane
Data Plane
Threat scope reduction
Adaptive identity
Correct answer: Data Plane
Overall explanation (OBJ 1.2): The Data Plane within the Zero Trust model oversees the conveyance of data. Once the Control Plane grants access, the Data Plane steps in to make certain that data is transmitted efficiently and arrives at its intended destination. Though it's an aspect of Zero Trust, threat scope reduction revolves around limiting the potential damage zones in a network, ensuring that a breach in one area doesn't compromise the entire system. It doesn't specifically focus on data transmission. An element of Zero Trust, adaptive identity employs dynamic security decisions based on user behavior and contextual information. While it aids the Control Plane in making decisions, it doesn't manage data transmission like the Data Plane. The Control Plane in the Zero Trust framework doesn't manage data transmission. Instead, it's tasked with deciding on access requests, referencing policies, identity verification, and threat analysis.
Domain: 1.0 - General Security Concepts

Question 52: Which of the following BEST describes compensating controls in information security?
Alternative measures to mitigate risk when standard controls are not feasible
Standard regulations that all businesses must adhere to
Software patches and updates applied to fix known vulnerabilities
Primary tools for risk management and vulnerability assessment
Correct answer: Alternative measures to mitigate risk when standard controls are not feasible
Overall explanation (OBJ 4.3): Compensating controls are security measures that are put in place as alternatives to the primary recommended controls that, for some reason, cannot be implemented. Software patches and updates are applied to fix known vulnerabilities; patches are direct solutions to vulnerabilities and not alternative measures. Compensating controls are situational and not universally mandatory across all businesses. Primary tools for risk management and vulnerability assessment are essential for a holistic security approach, but they don't specifically refer to the concept of compensating controls.
Domain: 4.0 - Security Operations

Question 53: Lullaby Animations' website has many features, including a blog, store, video streaming, and beta and feedback pages. The site uses a number of servers to provide fault tolerance. Each feature is housed on a particular server so that if one server goes down, they only lose functionality for one part of the site, while the rest of the site remains up. What best describes the system Lullaby Animations uses?
Clustering
Hot site
Parallel processing
Load balancing
Correct answer: Clustering
Overall explanation (OBJ 3.4): Clustering involves combining a number of servers into one node. Different servers can be assigned different tasks to provide greater fault tolerance. For example, each server can handle one part of a complex website. If one server goes down, the task that the server performs may be unavailable, but the rest of the website will still function. Hot sites are ready for immediate use in that the transition can be quick. Devices and data at the hot site are often continuously updated but don't involve division of tasks among servers. Load balancing distributes network or application traffic across many servers, which optimizes the use of resources, maximizes throughput, and reduces latency. In load balancing, the servers are all performing the same duty; they aren't set up to each handle a particular task. Parallel processing involves using multiple CPUs to process different parts of a bigger task. The benefits of parallel processing include greater speed and greater fault tolerance.
Domain: 3.0 - Security Architecture

Question 54: Which method is known for converting data into a fixed-size numerical or alphanumeric value that cannot be reversed to its original form?
Tokenization
Obfuscation
Hashing
Encryption
Correct answer: Hashing
Overall explanation (OBJ 3.3): Hashing transforms data into a fixed-size representation. Importantly, hashing is a one-way function, meaning that it's not designed to be reversible. Tokenization replaces sensitive data with non-sensitive substitutes, known as 'tokens'. Though it secures data, it does not provide a fixed-size representation. Encryption transforms data into a form that is unreadable without a decryption key. However, unlike hashing, it is intentionally designed to be reversible. Obfuscation involves making data difficult to understand or interpret. However, unlike hashing, obfuscation does not provide a fixed-size representation.
Domain: 3.0 - Security Architecture

Question 55: You were recently hired by a large software company that specializes in developing mobile applications. After receiving your username and password, you are required to provide a fingerprint scan using a biometric reader to gain access to the company's development environment. Which type of multi-factor authentication (MFA) factor does the biometric reader represent?
Somewhere you are
Something you are
Something you have
Something you know
Correct answer: Something you are
Overall explanation (OBJ 4.6): The MFA factor used in this scenario is "Something you are," which includes biometric authentication, like a fingerprint scan. Biometric factors rely on unique physical traits for authentication, offering a strong and convenient form of MFA. "Something you have" involves physical tokens like a smart card or mobile device, which is not used here. "Something you know" involves knowledge-based factors, such as a password, also not applicable in this scenario. "Somewhere you are" is location-based, considering geographic location as an additional factor.
Domain: 4.0 - Security Operations

Question 56: The IT team at Abstract Simplicity, a technology training company, is reviewing their security policies to enhance credential security. They want to implement guidelines for creating and managing strong and secure credentials to protect their users' accounts and sensitive information. What set of standards should the team consult as they do their review?
Password standard
Access control standard
Encryption standard
Physical security standard
Correct answer: Password standard
Overall explanation (OBJ 5.1): The password standard defines the guidelines and requirements for creating and managing strong and secure passwords within an organization. It typically includes rules regarding password complexity, length, expiration, and how often users should change their passwords. This will help ensure credentials are protected. The physical security standard deals with protecting the physical assets and facilities of an organization. It is not directly related to password management or guidelines for creating secure passwords. The access control standard focuses on the rules and procedures for granting and revoking access to resources and systems within an organization. While access control measures can contribute to password security, the standard itself does not specifically address password-related guidelines. The encryption standard outlines guidelines for the proper use of encryption techniques to protect sensitive data in storage or transmission. While encryption plays a crucial role in data security, it does not specifically address password-related guidelines.
Domain: 5.0 - Security Program Management and Oversight

Question 57: Future Tech, an industrial heating and cooling company, seeks to implement a security measure to restrict unauthorized entry into their facility. Which of the following is an example of a physical security control the company could use?
Security awareness training
Security badges
Firewall
Intrusion prevention system
Correct answer: Security badges
Overall explanation (OBJ 1.1): Security badges are a physical security control that involves issuing badges to authorized personnel. These badges can be used to control access to the building and prevent unauthorized entry. Security awareness training is a managerial security control that involves educating employees about security threats and how to avoid them. A firewall is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules. An intrusion prevention system is a technical security control that monitors network traffic for signs of security threats.
Domain: 1.0 - General Security Concepts

Question 58: Which of the following threat actors is MOST likely to have the budget and means to develop unique exploits in both software and hardware?
Phishing scammer
Nation-state actor
Ransomware gang
Distributed denial-of-service (DDoS) Attacker
Correct answer: Nation-state actor
Overall explanation (OBJ 2.1): With funding and resources from government agencies, nation-state actors have the means to develop and deploy advanced cyber-attack techniques. Distributed denial-of-service (DDoS) attackers are primarily concerned with overwhelming a system with traffic, not necessarily with crafting advanced exploits. Ransomware gangs deploy ransomware to extort money, but their focus is more on widespread attacks rather than specific, sophisticated exploits. Phishing scammers focus on deceitful communications to trick individuals into providing sensitive information.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations

Question 59: What is the primary security advantage of using a longer key length in encryption algorithms?
Faster encryption and decryption
Increased difficulty for brute-force attacks
Improved compatibility with legacy systems
Simplified key management
Correct answer: Increased difficulty for brute-force attacks
Overall explanation (OBJ 1.4): The primary security advantage of using a longer key length in encryption is the increased difficulty for brute-force attacks. With a longer key, the number of possible key combinations grows exponentially, making it significantly harder for attackers to try all combinations to break the encryption. This added complexity strengthens the security of the encrypted data. In contrast, longer key lengths do not speed up encryption or decryption processes and may reduce compatibility with older systems that cannot handle high-bit encryption. Additionally, a longer key does not simplify key management, as managing large keys can be more complex.
Domain: 1.0 - General Security Concepts

Question 60: One evening, Megan, a database administrator for Kelly Innovations LLC, was alerted to suspicious activity on the company's website. She noticed an unusually high volume of search inquiries, but instead of typical search terms, these entries contained characters such as '=', '%20', and 'OR'. Megan also observed that right after these odd search queries, the server logs displayed unscheduled database retrievals that exposed employee details. Which of the following BEST identifies the type of attack Megan witnessed on Kelly Innovations LLC's website?
Parameter tampering
Buffer overflow
SQL injection
Cross-site scripting (XSS)
Correct answer: SQL injection
Overall explanation (OBJ 2.4): A SQL injection is a type of injection attack wherein an attacker introduces malicious SQL statements into an input field, aiming to run arbitrary commands on a database. Characters like '=', '%20', and 'OR' are frequently seen in these attacks. If the input is not adequately sanitized, this can lead to unauthorized access to or manipulation of data. Parameter tampering involves altering parameters to manipulate the application's data processing. Though it involves modifying data input, it doesn't align with the observed malicious database queries indicative of SQL injections. Cross-site scripting attacks involve embedding malicious scripts in web pages, which are later executed by unsuspecting users. While it involves injecting malicious code, the objective and behavior of XSS differ significantly from direct database attacks like SQL injections. Buffer overflow attacks happen when data exceeds the buffer's capacity, causing it to overflow into adjacent buffers, thereby corrupting or overwriting the valid data they contain. It's about excess data, not necessarily the content of the data, making it distinct from injection attacks.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations

Question 61: Given that cloud architecture provides dynamic resource allocation, which of the following security considerations is MOST critical when dealing with the compute component?
Frequent backup of workload data.
Limiting the number of virtual machines.
Ensuring isolation between different instances.
Implementing strong user authentication.
Correct answer: Ensuring isolation between different instances.
Overall explanation (OBJ 3.1): As the cloud provides resources abstracted from physical hardware, maintaining strict isolation between different workload instances ensures that one instance's vulnerabilities or threats don't compromise another. Breaching this isolation could allow lateral movement within the cloud environment. Restricting the number of VMs might conserve resources, but it doesn't directly address the inherent security implications of on-demand compute allocation in a cloud environment. Backup strategies are crucial for data integrity and recovery, but they don't address the specific security concerns introduced by the dynamic resource allocation of compute components. While essential for security, user authentication is more about controlling access than directly dealing with the compute resource's dynamic allocation in the cloud.
Domain: 3.0 - Security Architecture

Question 62: Kelly Innovations LLC is looking for an authentication method that generates a unique and temporary code to be used for verifying the identity of its remote employees. This code can be generated by a software application installed on the employees' smartphones. Which of the following BEST describes the authentication method the company is considering?
Biometric authentication
Physical security keys
Static passwords
Software authentication tokens
Correct answer: Software authentication tokens
Overall explanation (OBJ 4.6): Software authentication tokens generate a dynamic and temporary code, often used for two-factor authentication, and can be produced by an app on a device. Biometric authentication relies on unique physical or behavioral attributes, like fingerprints or voice patterns, for verification. While physical security keys offer strong security, they are hardware devices rather than software applications. Static passwords are predefined passwords and do not change dynamically like the tokens.
Domain: 4.0 - Security Operations

Question 63: Vertex Industries utilizes numerous software tools, each requiring separate authentication. The cybersecurity team is concerned about the frequent support tickets related to forgotten passwords. They believe this could lead to employees adopting unsafe password habits. Which solution would BEST alleviate the stress of remembering multiple credentials and promote better password security?
Increase the password expiration time frame
Encourage employees to document their passwords
Deploying a stateful firewall
Adopt a company-approved password manager
Correct answer: Adopt a company-approved password manager
Overall explanation (OBJ 4.6): Password managers securely store multiple credentials and provide users with the convenience of remembering just one strong master password, reducing the likelihood of unsafe password practices. Encouraging employees to document their passwords poses a significant security risk, as physical or digital lists can be easily lost or accessed by unauthorized individuals. While increasing the password expiration time frame might reduce the frequency of password resets, it doesn't address the core issue of managing multiple passwords. Deploying a stateful firewall would not address the issue of password fatigue among employees. A stateful firewall monitors and tracks the state of active connections and determines which network packets to allow through the firewall based on established rules and the context of the traffic (e.g., TCP handshake completion).
Domain: 4.0 - Security Operations

Question 64: At Dion Training, the IT team is working on enhancing their business continuity plan. They want to determine the amount of time they will need to repair the system after a disruption. This will help them to ensure timely recovery from the event. What measure do they want to determine?
MTTR
RTO
MTBF
RPO
Correct answer: MTTR
Overall explanation (OBJ 5.2): The mean time to repair (MTTR) refers to the measure of the time taken to repair a system or process after it experiences a failure or disruption. It is the average time it takes to restore functionality. The recovery time objective (RTO) is the measure of the maximum time it takes to recover a system or process after a disruption. It represents the time within which normal operations need to be restored. The mean time between failures (MTBF) is the measure of the average time between two consecutive failures of a system or component. It represents the average reliability or time between incidents. The recovery point objective (RPO) is the measure of the maximum amount of data loss an organization is willing to tolerate in the event of a disruption. It determines the point in time to which data must be restored after recovery.
Domain: 5.0 - Security Program Management and Oversight

Question 65: Timothy, a help desk employee, receives an email from a customer. The customer says she has encountered an odd warning when trying to access a site. She has gone to the site many times before, but this time it says something about a certificate not being valid. From the screenshot she sent, Timothy doesn't know the exact name of the certificate. What can Timothy use to see if the certificate is no longer valid?
Certificate Authorities
Certificate Revocation Lists
Online Certificate Status Protocol
Root of Trust
Correct answer: Certificate Revocation Lists
Overall explanation (OBJ 1.4): Certificate Revocation Lists (CRLs) are lists of certificates that have been revoked by a Certificate Authority before their scheduled expiration date. Since he doesn't know the name of the certificate, using this list is his best option in the scenario. Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of a digital certificate. If Timothy knew the name of the certificate, then this would be his best bet for getting the information. However, in the scenario, he doesn't have the name. Root of Trust (RoT) is a source that can always be trusted. It is the foundation of a cryptographic system and is the central point of the chain of trust within that system. It can be a piece of hardware (a Hardware Root of Trust) or software based. It is important in PKI, but it doesn't provide digital certificates. It won't help in this scenario. Certificate Authorities (CAs) are trusted entities that issue and manage security credentials and public keys for message encryption. The CAs publish the Certificate Revocation Lists, but if they are contacted and asked about a certificate, they will likely refer you to the CRL. This means that the CRL is the best option in this scenario.
Domain: 1.0 - General Security Concepts

Question 66: Who among the following represents the pinnacle of capability, potentially leveraging both digital and non-digital means to achieve their objectives?
Troll
Whistleblower
Grey hat hacker
State-sponsored Advanced Persistent Threat
Correct answer: State-sponsored Advanced Persistent Threat
Overall explanation (OBJ 2.1): State-sponsored Advanced Persistent Threats, backed by nation states, not only utilize sophisticated cyber tools but also have potential access to political or military assets. A troll engages in online disruptions, often seeking emotional reactions but not necessarily having high-end capabilities. A whistleblower is an individual who exposes confidential or classified information, often for ethical reasons. Grey hat hackers operate between ethical and malicious intent, often seeking vulnerabilities but not for malevolent purposes.
Domain: 2.0 - Threats, Vulnerabilities, and Mitigations

Question 67: D2V is a media company that is developing a Continuity of Operations Plan (COOP) due to concerns about weather-related disruptions. They own a mostly empty building intended as a backup in case their current site becomes unusable. Recently, they moved some equipment to the building to speed up future operations if needed. What type of site have they now created?
Cold site
Hot site
Environmentally friendly
Warm site
Correct answer: Warm site
Overall explanation (OBJ 3.4): Warm sites have much of the necessary equipment in place, though data still needs to be loaded. They take longer to prepare than hot sites but are quicker than cold sites. Hot sites are fully equipped and continuously updated for immediate use, while cold sites are mostly empty, often leased, and require significant setup time. Initially, the site was a cold site, but with added equipment to speed up occupancy, it is now a warm site. 'Environmentally friendly' refers to reducing a site's environmental impact, not its operational readiness.
Domain: 3.0 - Security Architecture

518
Q

Question 68:

Which of the following statements BEST explains the importance of 'Preservation' in incident response?

Preservation is the process of carefully handling evidence to maintain its integrity for future forensic analysis

Preservation is the process of keeping security controls up to date to prevent future incidents

Preservation is the process of recognizing potential threats to protect an organization's infrastructure

Preservation is the process of documenting the details of a security incident, its impact, and potential remedies

A

Correct answer

Preservation is the process of carefully handling evidence to maintain its integrity for future forensic analysis

Preservation is the process of keeping security controls up to date to prevent future incidents

Your answer is incorrect

Preservation is the process of recognizing potential threats to protect an organization's infrastructure

Preservation is the process of documenting the details of a security incident, its impact, and potential remedies

Overall explanation

OBJ 4.8: Preservation is all about maintaining the integrity of potential evidence. It involves collecting information in a controlled way, keeping a record of how that information was handled, and safeguarding it from tampering. All of these steps are crucial for any subsequent forensic analysis or legal proceedings that might arise from the incident. Documenting the details of a security incident, its impact, and proposed remediation is important for incident handling, but it isn't part of preservation; preservation involves ensuring that evidence is properly labeled and stored so that it can be used in legal proceedings. Security controls might need to be changed to prevent future incidents, but keeping them up to date is not what preservation refers to. Recognizing potential threats or breaches is helpful in developing an incident response plan, but again, preservation is about ensuring that evidence is properly labeled and stored so that it can be used in legal proceedings.

Domain

4.0 - Security Operations
519
Q

Question 69:

What is the process of analyzing and forecasting the effects of a proposed change, while considering its impact on different areas of an organization or system?

Backout Plan

Version Control

Impact Analysis

Approval Process

A

Backout Plan

Version Control

Correct answer

Impact Analysis

Your answer is incorrect

Approval Process

Overall explanation

OBJ: 1.3 - Impact analysis is the process of assessing and predicting the potential consequences of a proposed change, taking into account various aspects of an organization or system. An approval process is a formalized procedure to ensure changes are reviewed and approved before implementation. A backout plan is a strategy outlining the steps to revert changes if they lead to unforeseen complications or do not meet the desired outcomes. Version control is a system that records changes to a file or set of files over time, allowing specific versions to be recalled later.

Domain

1.0 - General Security Concepts
520
Q

Question 70:

After a security audit, Kelly Innovations LLC decided to dispose of several old hard drives containing sensitive data. They wish to employ a method that ensures the data on these drives is completely unrecoverable. Sasha suggests hitting the drives with a hammer. Given that this is not the most effective solution, which of the following would be the BEST method to use?

Burning in municipal incinerators

Degaussing

Pulverizing with industrial machinery

Shredding to Level 1

A

Burning in municipal incinerators

Degaussing

Your answer is correct

Pulverizing with industrial machinery

Shredding to Level 1

Overall explanation

OBJ 4.2: While simply hitting a hard drive with a hammer might damage it, a significant amount of data can still be recoverable. Industrial machinery is designed to destroy drives thoroughly, leaving no data intact. Degaussing methods expose hard disks to powerful electromagnets, disrupting data storage patterns. However, not all types of drives, like SSDs and optical media, can be degaussed, limiting its applicability. While shredding can be an effective method, reducing drives or paper to 12mm strips (Level 1) might still leave data recoverable. More thorough shredding or additional measures would be required for complete data destruction. Incineration can be effective, but using municipal incinerators might leave some remnants of the drives, making this method less secure.

Domain

4.0 - Security Operations
521
Q

Question 71:

Needs' Bigger Boats, a fishing supply company, is reviewing its data governance framework to clarify the roles and responsibilities of various personnel in handling data. They want to ensure that each role has a distinct set of responsibilities to maintain data integrity and security. One of the key roles is that of a data owner. What does a data owner do?

Ensure the integrity and confidentiality of data

Processes and manipulates data on behalf of the data controller

Makes decisions about how data is used and accessed

Manages access control

A

Ensure the integrity and confidentiality of data

Processes and manipulates data on behalf of the data controller

Your answer is correct

Makes decisions about how data is used and accessed

Manages access control

Overall explanation

OBJ: 5.1 - The primary responsibility of a data owner is to establish data ownership and control within the organization. Data owners are accountable for specific sets of data and have the authority to make decisions regarding how the data is used, accessed, and protected. Ensuring the integrity and confidentiality of data is an important objective for various roles within data management, including data custodians, data stewards, and data processors, but it is not the primary responsibility of a data owner. The responsibility of processing and manipulating data typically falls under the purview of data processors who handle data on behalf of the data controller but not the data owner. While managing and controlling access to data is an essential responsibility, it is primarily associated with the role of a data custodian or data steward, not the data owner.

Domain

5.0 - Security Program Management and Oversight
522
Q

Question 72:

An organization hires an external cybersecurity firm to simulate an attack on its network, aiming to identify and exploit vulnerabilities before malicious actors can. The team conducts this testing with permission and provides a report on discovered weaknesses. Which security activity does this scenario describe?

Security Awareness Training

Vulnerability Scanning

Compliance Auditing

Penetration Testing

A

Security Awareness Training

Vulnerability Scanning

Your answer is incorrect

Compliance Auditing

Correct answer

Penetration Testing

Overall explanation

OBJ 5.5 - This scenario describes penetration testing, where an organization hires an external team to simulate an attack with the goal of identifying and exploiting vulnerabilities. This process involves actively attempting to breach security defenses, giving insight into potential weaknesses that attackers could exploit. Unlike vulnerability scanning, which detects vulnerabilities without exploiting them, penetration testing involves simulated real-world attacks. Compliance auditing focuses on adherence to standards, and security awareness training educates employees on security practices; neither involves simulating attacks on the network.

Domain

5.0 - Security Program Management and Oversight
523
Q

Question 73:

Holi, a small batch yarn producer, is growing. They recently made their first international sale. Holly realizes that as their web presence grows, they need to be more aware of security concerns. She has hired Hani to set up a system that will collect and analyze data about the security of Holi's network. It will detect and respond to any incidents or anomalies that may occur. Which of the following security techniques will Hani be in charge of?

Logging

Auditing

Monitoring

Patching

A

Logging

Auditing

Your answer is correct

Monitoring

Patching

Overall explanation

OBJ 4.1: Monitoring is a technique that involves continuously observing and measuring the status and activity of the network and systems, using tools such as network analyzers, performance monitors, or intrusion detection systems. Monitoring can provide real-time data and alerts about the performance, availability, and security of the network and systems and enable the company to detect and respond to any incidents or anomalies that may occur. Logging is a technique that involves recording and storing the events and actions that occur on the network and systems, using tools such as event logs, syslog servers, or security information and event management (SIEM) systems. Logs can be used by monitoring systems that will detect and respond to security incidents, but logs don't actually do the detecting and responding. Patching is a technique that involves updating and fixing the software and firmware on the network and systems, using tools such as patch management systems, update servers, or configuration management systems. Auditing is a technique that involves periodically reviewing and verifying the compliance and effectiveness of the network and systems, using tools such as vulnerability scanners, penetration testers, or audit reports. Auditing is for compliance, while monitoring is for detecting and responding to security incidents.

Domain

4.0 - Security Operations
524
Q

Question 74:

StellarTech Corp. has always been at the forefront of adopting cutting-edge security measures. Recently, the company started a pilot program where employees use a physical device that they plug into their computers. When they tap a button on this device, they are instantly granted access to company systems. Which passwordless authentication method is StellarTech Corp. trialing?

Biometric authentication

PIN-based authentication

Cognitive authentication

Hardware token-based authentication

A

Biometric authentication

PIN-based authentication

Your answer is incorrect

Cognitive authentication

Correct answer

Hardware token-based authentication

Overall explanation

OBJ 4.6: Hardware token-based authentication involves using a physical device (often a USB token) to gain access, eliminating the need for traditional passwords. A PIN (Personal Identification Number) is still a form of password; it's just numeric. Biometric authentication uses unique biological traits of a user, like fingerprints or facial recognition, to grant access. Cognitive authentication requires users to answer knowledge-based questions, and doesn't involve any hardware devices.

Domain

4.0 - Security Operations
525
Q

Question 75:

Clumsy Contraptions Engineering is seeking to change its security footing. In the past, they have found that too many pieces of malicious software have gotten past network security points. Their Chief Security Officer (CSO) believes they need a device that will actively evaluate traffic and reject or modify packets according to policies the company sets. What type of device is the CSO suggesting?

Remote access

In-line device

Fail-closed system

Network tap

A

Remote access

Correct answer

In-line device

Your answer is incorrect

Fail-closed system

Network tap

Overall explanation

OBJ 3.2: An in-line device actively evaluates network traffic as it passes through, allowing it to reject or modify packets according to predefined security policies. This setup is ideal for actively enforcing security rules and blocking malicious traffic in real-time. A network tap passively copies traffic for analysis without modifying or blocking packets, which does not align with the CSO's requirement for active traffic evaluation and control. Remote access allows users to connect to a network or a device from a distant location, but it does not pertain to actively interacting with network traffic to reject or modify packets. "Fail closed" refers to how a system behaves during failure (i.e., blocking all traffic if the system fails), rather than actively monitoring and modifying traffic under normal conditions.

Domain

3.0 - Security Architecture
526
Q

Question 76:

Which of the following BEST describes an approach where the foundational systems are set up and overseen using scripts and automated instruments instead of hands-on methods?

Air-gapped network

Microservices

IaC

Serverless architecture

A

Air-gapped network

Microservices

Correct answer

IaC

Your answer is incorrect

Serverless architecture

Overall explanation

OBJ: 3.1 - Infrastructure as code (IaC) allows infrastructure to be provisioned and managed using code, making it easier to manage, replicate, and scale. A serverless architecture reduces the complexity of deploying code into production, but it doesn't involve defining the underlying infrastructure as code. Microservices is about designing software applications as suites of independently deployable services, but it doesn't directly address infrastructure provisioning through code. An air-gapped network is a security measure that involves physically isolating a computer or network and ensuring it doesn't connect to unsecured networks, especially the public internet. It doesn't deal with infrastructure management methodologies.

Domain

3.0 - Security Architecture
527
Q

Question 77:

Which of the following BEST describes a playbook in cybersecurity?

A listing of all junior analysts and their assigned tasks in the cybersecurity team.

A manual guide on installing and setting up SIEM systems.

A documentation of all cyberattacks that an organization has faced over the years.

A data-driven standard operating procedure (SOP) for responding to cyberthreats.

A

A listing of all junior analysts and their assigned tasks in the cybersecurity team.

A manual guide on installing and setting up SIEM systems.

A documentation of all cyberattacks that an organization has faced over the years.

Your answer is correct

A data-driven standard operating procedure (SOP) for responding to cyberthreats.

Overall explanation

OBJ: 5.1 - A playbook, also known as a runbook, guides junior analysts through steps to detect and handle cyberthreats such as phishing, SQL injection, and others, starting with a SIEM report. A playbook is not a personnel roster; it's a guideline to address specific cyberthreat scenarios effectively. While historical records are crucial, a playbook is a proactive tool designed to guide the response to specific types of cyber threats. While SIEM systems are essential in cybersecurity, a playbook specifically details the response process to certain cyberthreats and not the setup of the SIEM system.

Domain

5.0 - Security Program Management and Oversight
528
Q

Question 78:

Which of the following terms refers to a network that is divided into smaller subnetworks based on criteria such as function, location, or security level?

Software-defined networking (SDN)

Air-gapped

Physical isolation

Logical segmentation

A

Software-defined networking (SDN)

Air-gapped

Physical isolation

Your answer is correct

Logical segmentation

Overall explanation

OBJ: 1.3 - Logical segmentation is a technique of dividing a network into smaller subnetworks or segments based on criteria such as function, location, or security level. This provides better performance, security, and manageability of the network. An air-gapped network is a network that is physically isolated from other networks and the internet. This provides a high level of security, but also limits the functionality and connectivity of the network. Physical isolation is a general term that refers to separating network devices or components by physical means, such as cables, switches, routers, or firewalls. This can provide some level of security and performance benefits, but does not necessarily imply logical segmentation. Software-defined networking (SDN) is a paradigm that decouples the control plane from the data plane in a network, allowing for centralized and dynamic management of network resources and policies. This provides greater flexibility, efficiency, and automation of the network.

Domain

3.0 - Security Architecture
529
Q

Question 79:

Enrique at Kelly Innovations LLC is worried about ransomware attacks after a competitor recently fell victim and all of their data was exfiltrated and backups were infected. While devising a multi-layered defense strategy, which aspect related to his company's backups would be most vital for him to consider?

Backup duplication

Encrypting backups

File compression

Scheduled backups

A

Backup duplication

Correct answer

Encrypting backups

Your answer is incorrect

File compression

Scheduled backups

Overall explanation

OBJ 3.4: Encrypting backups ensures that even if attackers access backup data, they cannot easily decipher its contents. This would be especially crucial if ransomware encrypted the primary data, making the backups a critical recovery point. While file compression saves storage space, it doesn't provide protection against ransomware deciphering the backup files. While duplicating backups can add redundancy, without encryption, they remain vulnerable to unauthorized access and potential tampering by attackers. Merely scheduling backups does not prevent the contents from being accessed if not encrypted.

Domain

3.0 - Security Architecture
530
Q

Question 80:

Which of the following methodologies divides the creation and maintenance of software into discrete phases, emphasizing the integration of security throughout its stages?

CI/CD

Scrum methodology

SDLC

RAD

A

CI/CD

Scrum methodology

Correct answer

SDLC

Your answer is incorrect

RAD

Overall explanation

OBJ: 5.1 - The SDLC (Software Development Life Cycle) methodically divides the software creation and maintenance process into specific phases. By doing so, it ensures that security considerations are integrated and prioritized from the start of software development through its maintenance. CI/CD (Continuous Integration and Continuous Delivery) focuses on the frequent delivery of applications to customers by introducing automation into the stages of app development. Although it can incorporate security elements, its primary goal isn't to segment software creation and maintenance like the SDLC. While RAD (Rapid Application Development) emphasizes fast prototyping and speedy software delivery, it does not inherently focus on segmenting software creation into discrete security-focused phases as the SDLC does. While Scrum is an Agile framework used in software development that emphasizes collaboration and adaptability, it doesn't divide software creation and maintenance into discrete security-focused phases in the same manner as the SDLC.

Domain

5.0 - Security Program Management and Oversight
531
Q

Question 81:

Which of the following terms BEST describes the process of detecting and documenting potential threats, such as malware, insider threats, or inadequate policies, to inform an organization's risk management strategies?

Policy review

Threat intelligence

Vulnerability assessment

Risk identification

A

Policy review

Threat intelligence

Vulnerability assessment

Your answer is correct

Risk identification

Overall explanation

OBJ: 5.2 - Risk identification is the proactive process of recognizing and recording potential threats that could adversely affect an organization. Threat intelligence involves the collection and analysis of information about current and potential attacks that threaten the security of an organization but does not directly refer to the broader process of risk identification. A vulnerability assessment is a specific method used within risk identification to determine the weaknesses within an organization's IT infrastructure. Policy review is an activity that may be part of risk identification but does not encompass the entire scope of identifying a range of potential risks.

Domain

5.0 - Security Program Management and Oversight
532
Q

Question 82:

Florence is the CEO of a company. She has the final say over all decisions made regarding the business, IT, accounting, and other departments. What type of governance does Florence's company have?

Board governance

Committee governance

Decentralized governance

Centralized governance

A

Board governance

Committee governance

Decentralized governance

Your answer is correct

Centralized governance

Overall explanation

OBJ: 5.1 - Centralized governance involves decision-making authority concentrated in a single authority or department within an organization. In this structure, key decisions are made at the top level and are then disseminated throughout the organization. Committee governance involves decision-making authority vested in committees, which are groups of individuals formed to address specific tasks or issues within the organization. It does not necessarily involve a single authority or department with centralized decision-making power. Decentralized governance involves distributing decision-making power among different departments or units within the organization, rather than being concentrated in a single authority. Board governance typically refers to the governing body of an organization, composed of members who represent various stakeholders. The board's role is to oversee the organization's activities, but it may not always involve centralized decision-making power.

Domain

5.0 - Security Program Management and Oversight
533
Q

Question 83:

Constance is logging into her bank account online. The website makes sure that she has the correct username and password. This is an example of which common method for authenticating people?

Knowledge-based authentication

Location-based authentication

Possession-based authentication

Biometric authentication

A

Correct answer

Knowledge-based authentication

Location-based authentication

Possession-based authentication

Your answer is incorrect

Biometric authentication

Overall explanation

OBJ: 1.2 - A username and password are examples of knowledge-based authentication, which is a common method for authenticating people. Possession-based authentication refers to the use of a physical object, such as a smart card or token, for authentication. Biometric authentication refers to the use of a biometric characteristic, such as a fingerprint or facial recognition, for authentication. Location-based authentication uses the location a person is in when accessing a site in order to authenticate the user.

Domain

1.0 - General Security Concepts
534
Q

Question 84:

For creations of the mind, like novel designs or unique literary compositions, which strategy ensures creators maintain rights to their works and earn due recognition or monetary benefits?

Copyright protection

Conducting periodic security audits

Implementation of end-to-end encryption

Activation of two-factor authentication

A

Correct answer

Copyright protection

Conducting periodic security audits

Implementation of end-to-end encryption

Your answer is incorrect

Activation of two-factor authentication

Overall explanation

OBJ 3.3: Copyright protection provides a legal framework to shield creators' original works from unauthorized use, duplication, or distribution. By obtaining copyright protection, creators can also license their works, allowing them to stipulate how, where, and by whom their creations can be used. Activation of two-factor authentication requires users to provide two different types of identification to access a system, adding an extra layer of security. It might prevent unauthorized access to digital assets but does not inherently protect a creator's rights to their intellectual property or their ability to monetize it. Implementation of end-to-end encryption does not relate to the ownership or rights associated with intellectual creations; it's primarily about data privacy and security during transmission. Conducting periodic security audits might uncover vulnerabilities or non-compliance; however, audits don't directly ensure protection of intellectual creations from unauthorized reproduction or use.

Domain

3.0 - Security Architecture
535
Q

Question 85:

Enrique, a network administrator at Kelly Innovations LLC, is discussing with Reed strategies to further secure the organization's routers. Which of the following would be the BEST approach to ensure their routers' security?

Enable Telnet for remote management

Frequently change router IP addresses to avoid detection

Enable SNMPv1 for backward compatibility

Implement ACLs to filter traffic

A

Enable Telnet for remote management

Frequently change router IP addresses to avoid detection

Enable SNMPv1 for backward compatibility

Your answer is correct

Implement ACLs to filter traffic

Overall explanation

OBJ 4.1: Access control lists (ACLs) are used to define and control the traffic allowed into and out of a network, thereby enhancing the security of the router by specifying which traffic is to be allowed or denied. SNMPv1, while providing compatibility, lacks encryption and uses community strings that can be easily compromised compared to its successors. Regularly changing IP addresses might complicate tracking for attackers but also adds complexity for administration and isn't as effective as using ACLs to manage traffic. Telnet transmits data, including credentials, in plaintext, making it vulnerable to eavesdropping compared to more secure alternatives like SSH.

Domain

4.0 - Security Operations
536
Q

Question 86:

Which of the following statements BEST explains the importance of enforcing baselines when automating and orchestrating secure operations?

Enforcing baselines helps to standardize configurations across systems, enabling efficient automation and reducing the risk of security incidents

Baselines eliminate the need for continuous monitoring of systems because these things are all either automated or orchestrated, thereby freeing up resources

Enforcing baselines allows for the almost complete automation of incident response, reducing the need for large security teams and incident response teams

Baselines set the initial targets for automating threat hunting and penetration testing, thereby reducing dependence on human input

A

Correct answer

Enforcing baselines helps to standardize configurations across systems, enabling efficient automation and reducing the risk of security incidents

Baselines eliminate the need for continuous monitoring of systems because these things are all either automated or orchestrated, thereby freeing up resources

Your answer is incorrect

Enforcing baselines allows for the almost complete automation of incident response, reducing the need for large security teams and incident response teams

Baselines set the initial targets for automating threat hunting and penetration testing, thereby reducing dependence on human input

Overall explanation

OBJ 4.7: Enforcing baselines maintains a standard, secure configuration across systems, crucial for efficient automation and reducing security risks by minimizing configuration drift. While baselines aid in anomaly detection, continuous monitoring remains necessary to ensure systems stay compliant and to catch potential incidents. Baselines focus on maintaining security consistency, not on active threat hunting. Although automation can support incident response, enforcing baselines doesn't replace the need for human intervention in determining appropriate responses to incidents.

Domain

4.0 - Security Operations
537
Q

Question 87:

Dini is investigating a malware incident. The attacker seems to have information about everything that has been typed on the terminal and has used that information to figure out users' PINs. Which of the following types of malware is MOST likely involved in this incident?

Keylogger

Ransomware

Trojan

Worm

A

Correct answer

Keylogger

Ransomware

Trojan

Your answer is incorrect

Worm

Overall explanation

OBJ: 2.4 - A keylogger is a type of malware that records the keystrokes of the user and sends them to a remote server, allowing an attacker to capture sensitive information such as passwords, credit card numbers, or personal details. A worm is a type of malware that self-replicates and spreads to other systems or networks without user interaction. A Trojan is a type of malware that disguises itself as a legitimate or benign program, but performs malicious actions when executed. Ransomware is a type of malware that encrypts the data or files on a system and demands a ransom for their decryption or restoration.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
538
Q

Question 88:

An e-commerce company wants to protect its database containing customer names and credit card details when sharing it with its marketing team for analytics purposes. The marketing team doesn't need to view the actual data but requires a dataset of similar structure. Which of the following methods is BEST suited for this scenario?

Data encryption

Data obfuscation

RBAC

IDS

A

Data encryption

Correct answer

Data obfuscation

Your answer is incorrect

RBAC

IDS

Overall explanation

OBJ 3.3: Data obfuscation alters data to make it unreadable but retains its format and structure, ensuring the marketing team can carry out analytics without viewing the actual content. An intrusion detection system (IDS) monitors the network for malicious activity but does not alter or protect the content of the data itself. Though data encryption renders data unreadable to unauthorized users, decrypting it would provide the actual content, which is not desired for the marketing team. Role-based access control (RBAC) restricts access based on user roles; it doesn't change the data itself, allowing those with access to view actual customer details.

Domain

3.0 - Security Architecture
539
Q

Question 89:

Which of the following web-based attacks involves inserting malicious scripts into web pages that can be executed by the browser of unsuspecting users?

Cross-site scripting (XSS)

Firmware vulnerability

Virtual machine (VM) escape

SQL Injection

A

Correct answer

Cross-site scripting (XSS)

Firmware vulnerability

Virtual machine (VM) escape

Your answer is incorrect

SQL Injection

Overall explanation

OBJ 2.3 - Cross-site scripting (XSS) is a web-based attack that involves inserting malicious scripts into web pages that are executed by the browser of unsuspecting users. It can allow an attacker to steal cookies, session tokens, credentials, or perform other actions on behalf of the user. Virtual machine (VM) escape is a type of attack that involves breaking out of a virtualized environment and gaining access to the underlying host system or other virtual machines. It can allow an attacker to compromise the security and isolation of the virtualization platform. SQL (Structured Query Language) injection is a web-based attack that involves inserting malicious SQL statements into user input fields or URLs that are executed by the database server. It can allow an attacker to read, modify, delete, or execute commands on the database. Firmware is a type of software that is embedded in hardware devices and controls their functionality. It is not a web-based attack, but it can be vulnerable to attacks such as malicious updates or backdoors.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
540
Q

Question 90:

What is the purpose of a security analyst doing due diligence in the vendor selection process?

To compare multiple vendors' suppliers to ensure they are all diligent in analyzing their own supply chains.

To ensure that the chosen vendor is the best choice among the list of possible vendors

To assess the vendor's ability to provide the goods or services when they have promised

To ensure that the vendor's practices align with the organization's requirements

A

To compare multiple vendors' suppliers to ensure they are all diligent in analyzing their own supply chains.

To ensure that the chosen vendor is the best choice among the list of possible vendors

To assess the vendor's ability to provide the goods or services when they have promised

Your answer is correct

To ensure that the vendor's practices align with the organization's requirements

Overall explanation

OBJ: 5.3 - Due diligence includes assessing the vendor's security practices and confirming that they meet the organization's security requirements and standards. Due diligence involves examining the vendor's security practices and ensuring that they comply with a company's own practices. It doesn't normally extend to evaluating a vendor's suppliers' supply chains. It is important to make the best choice of vendor; however, that isn't what due diligence means. Due diligence may include checking a vendor's performance history and reputation with previous clients to gauge their track record. Due diligence in the vendor selection process also involves evaluating the financial stability and reliability of the vendor to ensure they are capable of fulfilling their obligations.

For support or reporting issues, include Question ID: 64bb3ca1eff2b06d2ceda18b in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
