SEC - Jas - U 2 Flashcards

(540 cards)

1
Q

Question 1:

Which of the following mitigation techniques would be most effective in reducing the security risks associated with a BYOD (Bring Your Own Device) policy in your corporation?

Configuration Enforcement

Network Access Control

Device Encryption

Endpoint Detection and Response

A

Correct answer: Configuration Enforcement

Overall explanation

OBJ 2.5 - For mitigating the security risks of a BYOD (Bring Your Own Device) policy, configuration enforcement is the most effective technique. It ensures that each device complies with corporate security policy (patch level, encryption, screen lock, approved applications) before it is allowed to connect, reducing the exposure created by non-compliant personal devices. Network Access Control manages whether a device may connect but, in the exam's framing, does not itself enforce the device's configuration; in practice NAC is commonly the mechanism that performs the posture check and quarantines devices that fail it, so the two controls work together. Device Encryption protects stored data but does not ensure compliance with configuration standards. Endpoint Detection and Response identifies and responds to threats after the fact rather than enforcing configuration, which is the critical control for BYOD.

For support or reporting issues, include Question ID: 6722349e556839597288f3f3 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

2
Q

Question 2:

A manufacturing company utilizes automated systems to control and monitor processes on their factory floor. These systems ensure precision and safety in operations. Which term BEST describes these systems?

SDN

Serverless computing

ICS

Embedded systems

A

Correct answer: ICS

Overall explanation

OBJ: 3.1 - Industrial Control Systems (ICS) are integral to manufacturing and industrial environments, overseeing and controlling physical processes for accuracy and safety. Software-defined networking (SDN) centralizes network control in software and is unrelated to controlling industrial processes. Serverless computing removes the need to manage server infrastructure and has nothing to do with overseeing manufacturing operations. Embedded systems are dedicated computers that perform a specific function; the PLCs and RTUs inside an ICS are embedded systems, but the term does not describe the control-and-monitoring system as a whole.

Domain

3.0 - Security Architecture

3
Q

Question 3:

In the context of Zero Trust architecture, what is the role of the Data Plane?

To manage identity and authentication requests

To analyze and detect potential threats in real time

To process and transmit data between systems

To enforce security policies across the network

A

Correct answer: To process and transmit data between systems

Overall explanation

OBJ 1.2 - In Zero Trust architecture, the Data Plane handles the processing and transmission of data between systems; it is the path the subject's traffic takes to the resource. Security policy is decided in the Control Plane, where the Policy Engine evaluates each access request and the Policy Administrator issues the resulting allow-or-deny decision. The Data Plane does not manage identity or authentication requests and does not analyze threats in real time; it forwards data efficiently while the Control Plane maintains security oversight. One nuance worth knowing: the Policy Enforcement Point that applies the Control Plane's decision to a session sits on the Data Plane side of the model, which is why the two planes must be tightly coupled.

Domain

1.0 - General Security Concepts

4
Q

Question 4:

You are a cybersecurity consultant working with a large enterprise that handles sensitive customer data and financial information. The organization is concerned about detecting unauthorized changes to critical files on their servers and workstations. As a security expert, you recommend implementing a File Integrity Monitoring (FIM) solution. Which of the following approaches would be the MOST effective way to implement FIM for the given scenario?

Implementing FIM on a single server to monitor critical files and directories for the entire enterprise

Configuring the FIM tool to generate real-time alerts for all file changes without any exceptions

Limiting the scope of FIM to monitor only system files and directories on the servers and workstations

Scheduling FIM to perform file integrity checks during off-peak business hours to minimize resource utilization

A

Correct answer: Scheduling FIM to perform file integrity checks during off-peak business hours to minimize resource utilization

Overall explanation

OBJ 4.5: Scheduling File Integrity Monitoring (FIM) checks during off-peak hours limits the performance impact on production systems while still providing regular integrity verification. Generating real-time alerts for every file change, with no exclusions for expected churn such as log rotation, temporary files and patching, floods analysts in a large enterprise and buries real compromises in noise. A robust FIM deployment should cover critical application files, configuration and sensitive data stores, not just operating-system files, because attackers target those as well. Relying on a single server to monitor the whole enterprise creates a single point of failure and does not scale, so the monitoring agent or collection function should be distributed across the monitored hosts with central reporting. One caveat a practitioner should keep in mind: a scheduled scan only detects a change at its next run, so for the most critical files a tuned real-time watch is usually combined with the scheduled full baseline comparison.
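As an added example (not part of the original flashcards), the following Python script shows the core of a FIM check: hashing a directory tree into a baseline, excluding paths that change legitimately, and classifying the differences at the next scheduled run. The directory layout, file contents and exclusion patterns are constructed for the demonstration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Exclusions for expected churn (constructed patterns): without them a
# "no exceptions" policy alerts on every log write and cache update.
DEFAULT_EXCLUDES = ("*.log", "*.tmp", "*/cache/*")


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, excludes=DEFAULT_EXCLUDES) -> dict:
    """Snapshot every regular file under root (minus excludes) as digest + permission bits."""
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
            continue
        snapshot[rel] = {"sha256": file_digest(path), "mode": path.stat().st_mode & 0o777}
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Classify what changed between two snapshots."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "deleted": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then apply benign churn and hostile edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var" / "cache").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        (root / "app.log").write_text("started\n")
        baseline = build_baseline(root)

        # Benign churn: both paths match an exclude, so neither raises an alert.
        (root / "app.log").write_text("started\nrequest handled\n")
        (root / "var" / "cache" / "blob").write_bytes(b"\x00" * 16)

        # Hostile changes an attacker with write access might make.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "evil.so").write_bytes(b"\x7fELF")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The exclusion list is where the "no exceptions" option fails in practice: drop it and every log write becomes an alert. A production agent would also record ownership and, on Linux, inode and extended-attribute changes, and would sign or remotely store the baseline so an attacker on the host cannot rewrite it.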

Domain

4.0 - Security Operations

5
Q

Question 5:

Which of the following is a pre-defined period during which planned changes and upgrades to an IT system are implemented to minimize disruption to users?

Standard operating procedure

Recovery point objective

Baseline configuration

Maintenance window

A

Correct answer: Maintenance window

Overall explanation

OBJ: 1.3 - A maintenance window is a scheduled timeframe during which system updates, patches, or changes are implemented. This period is specifically chosen to reduce the impact on users and ensure business continuity. A Recovery Point Objective is a metric used in disaster recovery that defines the maximum allowable amount of lost data measured in time. It does not pertain to scheduled maintenance periods. A baseline configuration represents a set of specifications for a system, against which all future changes are measured. It doesn’t refer to the time frame for implementing changes. An SOP (Standard Operating Procedure) is a set of step-by-step instructions compiled by an organization to help workers carry out complex routine operations. It doesn’t specify when these operations should be performed.

Domain

1.0 - General Security Concepts

6
Q

Question 6:

A power plant happens to utilize a specialized system to manage and monitor its daily operations which includes centralized control over its machinery and sensory feedback. Which of the following security concerns is most often associated with these types of systems?

Runtime efficiency constraints

Constrained memory use

Limited security update capabilities

Optimization for containerized deployments

A

Correct answer: Limited security update capabilities

Overall explanation

OBJ: 3.1 - SCADA systems like this one are engineered for a specific task, often run legacy software and cannot easily be taken offline, so they frequently do not receive regular security updates and accumulate known vulnerabilities over time. SCADA systems are not typically deployed in containers, so container optimization is not a relevant security implication. Memory constraints are more pertinent to embedded or real-time systems and are not inherently a SCADA security concern. Runtime efficiency, while important for real-time systems, is not a primary security concern for SCADA.

Domain

3.0 - Security Architecture

7
Q

Question 7:

At Dion Training, a new initiative has been implemented to enhance operational security awareness among its staff. As part of this initiative, all employees must attend a series of training sessions. Which of the following topics should the training cover to ensure employees understand their role in maintaining operational security? (Select TWO).

Social Media Management

Incident Reporting

Workstation Security

Office Ergonomics

Team Building Activities

A

Correct answers: Incident Reporting; Workstation Security

Overall explanation

OBJ: 5.6 - Employees must learn how to secure their workstations, including using password-protected screensavers and locking devices when unattended, and the training should emphasize reporting any suspicious activity or security breach immediately, as per company protocol. Team building is beneficial for work culture but does not directly contribute to operational security awareness. Ergonomics matters for employee well-being but is not related to operational security practices. Unless the training specifically addresses the security risks of using social media, general social media management is not a primary component of operational security.

Domain

5.0 - Security Program Management and Oversight

8
Q

Question 8:

Reed, a cybersecurity specialist at Dion Training Solutions, is optimizing the company’s IPS. He notes that while signature-based detection is highly effective against known threats, it has some limitations. Which of the following BEST describes a limitation of signature-based detection in an IPS?

It requires substantial network bandwidth to operate

It encrypts network traffic to hide malicious signatures

It might not detect zero-day exploits

It automatically updates with behavioral patterns of users

A

Correct answer: It might not detect zero-day exploits

Overall explanation

OBJ 4.5: Signature-based detection relies on a database of known threat patterns. Therefore, it might not recognize or stop new threats or zero-day exploits because their signatures aren’t in the database yet. Automatically updating with behavioral patterns of users describes behavior-based or heuristic detection, not signature-based detection. Signature-based detection relies on predefined patterns of known threats. While an IPS does process traffic, the bandwidth consumption is not a direct limitation of signature-based detection. The bandwidth concern is more about the throughput of the IPS device itself. Signature-based detection doesn’t encrypt traffic. Instead, it matches traffic patterns against known threat signatures.
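Added example, not from the original question bank: a toy signature matcher with constructed rules shows two faces of this limitation. URL-encoded and comment-split variants of known attacks slip past the raw signatures until the engine normalizes the traffic first (real IPS engines do this with preprocessors), while a variant the ruleset has never seen evades even after normalization, which is the zero-day case. The signatures and request fragments are constructed and do not come from any real ruleset.

```python
import re
from urllib.parse import unquote

# Constructed signatures for the demonstration; not taken from any real IPS ruleset.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./etc/passwd"),
    "sqli-union": re.compile(rb"union\s+select", re.IGNORECASE),
    "known-webshell": re.compile(rb"c99shell|r57shell"),
}


def match_signatures(payload: bytes) -> list:
    """Names of every signature whose pattern occurs in the payload."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(payload))


def normalize(payload: bytes) -> bytes:
    """Preprocessing a real engine does before matching: undo URL encoding
    (twice, to defeat double encoding) and strip SQL inline comments used to split keywords."""
    text = payload.decode("latin-1")
    for _ in range(2):
        text = unquote(text)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return text.encode("latin-1", errors="replace")


def inspect(payload: bytes) -> dict:
    """Verdict on the raw bytes and on the normalized form."""
    return {"raw": match_signatures(payload), "normalized": match_signatures(normalize(payload))}


# Constructed request fragments.
SAMPLES = {
    "known": b"GET /dl?file=../../etc/passwd HTTP/1.1",
    "url-encoded": b"GET /dl?file=..%2f..%2fetc%2fpasswd HTTP/1.1",
    "comment-split": b"id=1 UNION/**/SELECT password FROM users",
    "never-seen": b"GET /dl?file=....//....//etc/passwd HTTP/1.1",
}


def run_samples() -> dict:
    """Raw and normalized verdict for each sample."""
    return {name: inspect(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} raw={verdict['raw']} normalized={verdict['normalized']}")
```

The first three samples show that signature quality depends as much on normalization as on the pattern list; the last one shows the hard limit: a traversal form the signature author never anticipated matches nothing, and only an anomaly- or behaviour-based layer (or a later signature update) would catch it.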

Domain

4.0 - Security Operations

9
Q

Question 9:

After a merger between two tech companies, employees notice they can seamlessly access applications of both firms without additional sign-ins. The IT department has likely employed which solution to achieve this unified access?

Proxy authentication

Password synchronization

Identity aggregation

Federation

A

Correct answer: Federation

Overall explanation

OBJ 4.6: Federation lets organizations trust each other's identity providers, so a user authenticated in one domain is granted single sign-on to the other's applications; this is what makes the merged firms' applications reachable without additional sign-ins. Proxy authentication means another entity authenticates on behalf of the user, not shared access between organizations. Password synchronization only keeps the same password consistent across platforms; the user still signs in to each one. Identity aggregation collects and stores user identities but does not by itself provide seamless cross-organization access.

Domain

4.0 - Security Operations

10
Q

Question 10:

Which of the following activities take place during the lessons learned phase in the incident response process?

Examining the effectiveness of the incident response process

Analyzing the evidence and determining the root cause of the incident

Classifying issues based on their impact

Conducting regular training and drills so that employees know what to do if an incident occurs

A

Correct answer: Examining the effectiveness of the incident response process

Overall explanation

OBJ 4.8: The lessons learned phase in the incident response process involves documenting the incident response process, identifying areas for improvement, and implementing changes to enhance future incident response efforts. It includes analyzing the incident response actions taken, evaluating their effectiveness, and applying knowledge gained from the incident to improve incident response procedures and security measures. Identifying and classifying incidents based on their severity and impact to the organization is part of the Detection phase in the incident response process. This phase involves recognizing that an incident has occurred and understanding its potential implications but does not directly address lessons learned. Analyzing the evidence and determining the root cause of the incident falls under the Analysis phase of the incident response process. This phase aims to understand how the incident occurred and what vulnerabilities were exploited but does not directly relate to lessons learned. Developing an incident response plan, defining roles and responsibilities, and conducting regular training and drills belong to the Preparation phase of the incident response process. This phase ensures that the organization is ready to respond effectively to incidents but does not directly involve the lessons learned from a specific incident.

Domain

4.0 - Security Operations

11
Q

Question 11:

Which of the following statements BEST explains the importance of training employees about the incident response process?

Training makes it easier to prevent social engineering attacks so incidents never occur

Training ensures that incident response team members quickly react to an incident

Training helps identify and classify incidents and determine their impact to the organization

Training ensures that incident response team members are adequately compensated for their efforts during an incident

A

Correct answer: Training ensures that incident response team members quickly react to an incident

Overall explanation

OBJ 4.8: Training is crucial in the incident response process because it ensures that incident response team members are knowledgeable and well-prepared to handle security incidents effectively and efficiently. Training equips them with the necessary skills, knowledge, and best practices to recognize, contain, eradicate, and recover from incidents. While compensating incident response team members appropriately is essential for their dedication and efforts, it is not the primary purpose of training. Training focuses on building skills and knowledge to respond effectively to incidents. Identifying and classifying incidents based on their severity and impact is part of the incident response process, but it is not directly related to the importance of training. Training to avoid social engineering is a good idea and may reduce incidents, but it is only one type of incident that may occur. Training ensures that the response team knows what to do if an event occurs.

Domain

4.0 - Security Operations

12
Q

Question 12:

Recently, the IT team at Dion Training Solutions noticed multiple instances of security mishaps by the employees. There were incidents involving weak passwords, improper data storage, and unreported phishing attempts. Management was concerned about these repeated mistakes and sought a method to educate and guide their employees about maintaining cybersecurity best practices. Which of the following solutions would BEST assist the organization in preventing future security incidents?

Implementing robust multi-factor authentication protocols.

Maintaining consistent system backup schedules.

Deploying advanced network firewall solutions and notifying employees about the changes to the firewall.

Publishing security policies, best practices, and training materials.

A

Correct answer: Publishing security policies, best practices, and training materials.

Overall explanation

OBJ: 2.4 - Creating clear guidelines and sharing best practices along with comprehensive training materials ensures that employees are consistently informed about security standards and practices. Regular backups are essential for data integrity and recovery, but they don’t necessarily guide employees on security protocols. While multi-factor authentication strengthens login processes, it doesn’t holistically educate users on varied security practices. Advanced firewalls can enhance perimeter security, but they don’t directly address user knowledge and behavior related to cybersecurity.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

13
Q

Question 13:

Dwayne has told his friends to always turn off geolocation on their device application settings due to security concerns. Which of the following best explains why he would suggest his friends turn off geolocation?

Data is collected and used to improve the computational efficiency of algorithms

Having geolocation data tracked can drain the device’s battery

The data can be used to show what applications a person uses most often

The data can be used to track a person's movements

A

Correct answer: The data can be used to track a person's movements

Overall explanation

OBJ 3.3: Geolocation data identifies the physical location of a device and, by extension, its user. When it is collected, stored and analyzed without proper consent or transparency it infringes on privacy: users may not know how frequently their location is tracked, who has access to the data or what it is used for, and a history of locations reveals a person's movements, home, workplace and daily routine. Battery drain is a performance concern, not the security concern Dwayne is worried about. Which applications a person uses most often is usage telemetry, not something derived from location data. Geolocation can personalize content or services by location, but it does not improve the computational efficiency of algorithms.

Domain

3.0 - Security Architecture

14
Q

Question 14:

During testing of a security architecture, what method ensures the system can quickly switch to a standby system when the primary system doesn’t work?

Clustering

Failover

Warm site

Parallel processing tests

A

Correct answer: Failover

Overall explanation

OBJ 3.4: Failover is the mechanism that automatically transfers operations to a standby system when the primary fails, so the service keeps running while the primary is repaired. It is a temporary measure to prevent a complete outage rather than a permanent replacement, much like a spare tire that gets you to the repair shop but is not meant to be driven on indefinitely. A warm site is a recovery facility with much of the equipment in place and possibly updated systems, but the data still has to be loaded; it is a recovery location, not an automatic switch to a standby. Clustering, while crucial for high availability and load balancing, describes a group of nodes working together; on its own it does not guarantee that control is switched to a standby on failure, which is the failover function. Parallel processing tests verify the reliability and stability of the backup or secondary system while it runs alongside the primary; they test the standby but do not perform the switch.

Domain

3.0 - Security Architecture

15
Q

Question 15:

Which standard mandates specific security requirements for organizations that handle branded credit cards from the major card issuers, aiming to protect cardholder data?

PCI DSS

NIST Special Publication 800-63

ISO/IEC 27001

FIPS

A

Correct answer: PCI DSS

Overall explanation

OBJ: 5.1 - The PCI DSS (Payment Card Industry Data Security Standard) is a widely recognized security standard that imposes strict requirements on organizations that store, process or transmit cardholder data for the major card brands, to protect that data against theft and fraud. ISO/IEC 27001 is an international standard for managing information security; it is not specific to credit card data. FIPS (Federal Information Processing Standards) are U.S. government standards for federal computer systems, such as FIPS 140 for cryptographic modules, and are not specific to credit card data protection. NIST SP 800-63 offers guidelines for digital identity management, including general recommendations for authentication and access control, but does not deal specifically with credit card data security.

Domain

5.0 - Security Program Management and Oversight

16
Q

Question 16:

Dion Training Solutions is deploying a new security system to monitor and detect malicious activities in real-time on their network. They want a device that can analyze network traffic without interfering or disrupting the flow. Which of the following would best meet this requirement?

Proxy server

Load balancer

Network appliance sensor

VLAN

A

Correct answer: Network appliance sensor

Overall explanation

OBJ 3.2: Network appliance sensors passively monitor network traffic, looking for signs of malicious or anomalous activity. Because they operate in listen-only mode, typically fed by a switch mirror (SPAN) port or a network TAP, they do not sit in the forwarding path and cannot disrupt regular network operations; the trade-off is that a passive sensor can only alert, not block. A load balancer distributes incoming traffic to prevent server overload but does not provide detailed traffic analysis or threat detection. A proxy server acts as an intermediary for network requests and may offer some security features, but it does not passively monitor all network traffic for malicious activity the way a dedicated sensor does. A VLAN (virtual local area network) segments a network based on operational requirements, not necessarily security needs, and does not analyze traffic for signs of malicious activity.

Domain

3.0 - Security Architecture

17
Q

Question 17:

Which element of the risk management process involves identifying the individuals or departments responsible for managing and mitigating specific risks?

Risk indicators

Risk owners

Risk threshold

Risk tolerance

A

Correct answer: Risk owners

Overall explanation

OBJ: 5.2 - Risk owners are individuals or departments who are responsible for managing and mitigating specific risks identified during the risk management process. Risk tolerance refers to an organization’s willingness to accept the level of risk, but it does not pertain to the identification of risk owners. Risk indicators are specific metrics used to monitor and assess the level of risk in an organization, but they do not directly involve identifying responsible parties. Risk threshold refers to the level of risk that an organization is willing to accept, but it does not address the identification of individuals or departments responsible for managing risks.

Domain

5.0 - Security Program Management and Oversight

18
Q

Question 18:

Mary purchased a new laptop. Upon booting it up for the first time, she noticed several pre-installed applications that she neither requested nor intended to use. These applications consumed a significant amount of system resources, causing noticeable slowdowns. Mary was annoyed because she felt she didn’t need any of these programs and they were just taking up valuable space and resources on her new device. Which of the following types of malicious software is Mary MOST likely dealing with on her new laptop?

Ransomware

Trojan horse

Bloatware

Spyware

A

Correct answer: Bloatware

Overall explanation

OBJ: 2.4 - Bloatware is software pre-installed on a device that the user neither needs nor wants and that often consumes system resources; Mary's experience matches it exactly. Strictly speaking bloatware is unwanted rather than malicious, but it widens the attack surface and should be removed during device provisioning. Ransomware encrypts files or locks systems and demands payment; Mary mentions no encryption or ransom demand. Spyware covertly tracks user activity and can monitor local application use; Mary's issue does not involve tracking or monitoring. A Trojan horse is malware disguised as legitimate software that the user is tricked into installing; Mary's concern is pre-installed software, not something she downloaded or installed herself.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations

19
Q

Question 19:

Which of the following activities is MOST crucial for ensuring that known vulnerabilities in software or hardware are addressed before they can be exploited by attackers?

Penetration testing

Regular system monitoring

Applying security updates

Baseline configuration establishment

A

Correct answer: Applying security updates

Overall explanation

OBJ 4.3: Actively monitoring for and applying security updates is an essential activity in vulnerability management. It helps in addressing and rectifying known vulnerabilities in software and hardware, thereby reducing the chances of exploitation. Setting a baseline configuration is vital for determining system changes and anomalies. However, it doesn’t directly involve rectifying vulnerabilities in software or hardware. While continuously observing system activities is essential for detecting anomalies or potential threats, regular system monitoring doesn’t directly deal with addressing known vulnerabilities in systems. Although penetration testing can help identify vulnerabilities by simulating cyberattacks, the act itself doesn’t address the vulnerabilities that are already known.

Domain

4.0 - Security Operations

20
Q

Question 20:

Jamario, a systems administrator at Dion Training Solutions, has been asked to configure the company’s firewall to allow FTP traffic for external users, but only secure HTTPS traffic should be allowed from the internal network to the internet. After implementing the rules, Jason, a manager, reports that he can’t access an external FTP site. Which of the following firewall rules could be the cause of the issue?

Allowing outbound TCP traffic on port 443 (HTTPS) from all internal addresses

Blocking inbound TCP traffic on port 21 (FTP) to all internal addresses

Blocking inbound TCP traffic on port 443 (HTTPS) to all external addresses

Allowing outbound TCP traffic on port 21 (FTP) from all internal addresses

A

Correct answer: Blocking inbound TCP traffic on port 21 (FTP) to all internal addresses

Overall explanation

OBJ 4.5: A rule blocking inbound TCP port 21 (FTP) traffic to internal addresses can prevent internal users like Jason from completing sessions with external FTP servers, because the server's responses on the control connection (and, in active-mode FTP, the server-initiated data connection from port 20) arrive inbound. Among the options, this is the most likely cause. Two practitioner checks apply: on a stateful firewall the replies to a permitted outbound connection are normally accepted by the connection-tracking entry rather than by an explicit inbound rule, so the order in which the block rule and the state match are evaluated matters; and the stated policy of allowing only HTTPS outbound would by itself block Jason's outbound connection to port 21, so the outbound rule set should be checked first. Blocking inbound HTTPS traffic to external addresses does not affect FTP access for internal users. Allowing outbound TCP port 21 from all internal addresses lets internal hosts reach external FTP servers, so it is not the cause. Allowing outbound TCP port 443 from all internal addresses is exactly the HTTPS requirement Jamario was given.
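Added example, not part of the original question: a small Python model of the posted rule set, evaluated first as a stateless packet filter and then with connection tracking, against the three packets of an FTP control session. Assumptions made for the model and labelled in the code: rules use first-match semantics with an implicit deny, a rule's port is matched against the well-known end of the connection (the lower-numbered port of the pair), and the addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to internet, "in" = internet to LAN
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    port: int       # matched against the well-known end of the connection (assumption)
    action: str     # "allow" or "block"


# The four rules named in the question (ordering constructed; first match wins).
POSTED_RULES = [
    Rule("out", 443, "allow"),
    Rule("in", 21, "block"),
    Rule("in", 443, "block"),
    Rule("out", 21, "allow"),
]

# The policy as stated (HTTPS only from the inside), without any outbound FTP allow.
HTTPS_ONLY_RULES = [
    Rule("out", 443, "allow"),
    Rule("in", 21, "block"),
]


def service_port(p: Packet) -> int:
    """Well-known end of the flow; the client's ephemeral port is the high-numbered one."""
    return min(p.sport, p.dport)


def stateless_verdict(p: Packet, rules) -> str:
    """Each packet is judged on its own against the rule list; implicit deny at the end."""
    for r in rules:
        if r.direction == p.direction and r.port == service_port(p):
            return r.action
    return "block"


class StatefulFirewall:
    """Replies belonging to an allowed connection are accepted from the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()

    def verdict(self, p: Packet) -> str:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key in self.connections:
            return "allow"            # ESTABLISHED: no inbound rule is consulted
        action = stateless_verdict(p, self.rules)
        if action == "allow":
            self.connections.add(key)
        return action


def ftp_control_session():
    """Constructed addresses: Jason's workstation 10.0.0.5, external FTP server 203.0.113.7."""
    client, server = ("10.0.0.5", 51000), ("203.0.113.7", 21)
    return [
        Packet("out", *client, *server),   # SYN to the FTP control port
        Packet("in", *server, *client),    # server's SYN/ACK and banner come back inbound
        Packet("out", *client, *server),   # client's USER/PASS commands
    ]


def evaluate(rules) -> dict:
    """Verdict per packet under both firewall models."""
    stateless = [stateless_verdict(p, rules) for p in ftp_control_session()]
    fw = StatefulFirewall(rules)
    stateful = [fw.verdict(p) for p in ftp_control_session()]
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    print("posted rules:     ", evaluate(POSTED_RULES))
    print("HTTPS-only policy:", evaluate(HTTPS_ONLY_RULES))
```

Under the posted rules the stateless filter drops the server's reply, which is exactly the symptom in the question, while the stateful model accepts it from the state table. Under the HTTPS-only policy both models block the very first packet, which is why the first thing to check on a stateful firewall is whether an outbound port 21 allow exists at all.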


Domain

4.0 - Security Operations

21
Q

Question 21:

In a large financial institution, like Kelly Financial Solutions, which of the following BEST describes an example of a task that an IT technician might be prohibited from doing without special authorization due to security concerns?

Checking their corporate email.

Using the office printer for printing documents.

Installing a recommended software update.

Downloading and installing third-party software from the internet.

A

Checking their corporate email.

Using the office printer for printing documents.

Installing a recommended software update.

Your answer is correct

Downloading and installing third-party software from the internet.

Overall explanation

OBJ: 1.3 - Downloading and installing third-party software from the internet is typically categorized as Restricted Activities within corporate environments, especially in sensitive sectors like finance, due to the potential security risks associated. Malicious software can easily be introduced into the system through unverified third-party software installations. In most institutions, using the office printer for printing documents is a regular task and isn’t categorized as a restricted activity unless it involves printing sensitive data without proper authorization. While installing a recommended software update could be restricted in certain scenarios, the term “recommended” implies that it’s an endorsed activity. Checking their corporate email is a standard activity for most employees and wouldn’t be restricted in a typical business setting.


Domain

1.0 - General Security Concepts

22
Q

Question 22:

What is the purpose of monitoring and revision as part of ensuring information security?

To continuously improve security measures

To establish centralized governance structures

To implement industry-specific regulations

To enforce strict access control policies

A

Correct answer

To continuously improve security measures

To establish centralized governance structures

To implement industry-specific regulations

Your answer is incorrect

To enforce strict access control policies

Overall explanation

OBJ: 5.1 - The purpose of monitoring and revision in information security is to continuously monitor the effectiveness of security measures, identify weaknesses or vulnerabilities, and make necessary improvements to enhance the overall security posture of the organization. Monitoring and revision are not directly related to establishing governance structures. Governance structures define the decision-making and authority in the organization, whereas monitoring and revision are about assessing and enhancing security practices. While monitoring and revision may play a role in ensuring access control policies are effective, it is not their primary purpose. Access control policies focus on managing and controlling user access to resources based on their roles and responsibilities. Monitoring and revision may be used to ensure compliance with industry-specific regulations, but it is not their primary purpose. Compliance with regulations is a separate aspect of information security management.


Domain

5.0 - Security Program Management and Oversight

23
Q

Question 23:

In security architecture, which approach is the most effective for safeguarding data at rest?

Utilizing backups

Implementing parallel processing

Using encryption

Applying access control policies

A

Utilizing backups

Implementing parallel processing

Correct answer

Using encryption

Your answer is incorrect

Applying access control policies

Overall explanation

OBJ 3.4: Encryption is the best option as it transforms data into an unreadable format for unauthorized users, thereby safeguarding it from unauthorized access. Access control limits who can view or edit data but does not protect the data at rest from being accessed if the storage medium itself is compromised. Encryption is needed to secure the data itself. While backups are essential for data recovery, they do not directly secure the data. Backups provide redundancy but don’t protect data from unauthorized access or breaches. Parallel processing is a computational technique to speed up tasks but does not protect data; it’s unrelated to security or the protection of stored data.


Domain

3.0 - Security Architecture

24
Q

Question 24:

You are browsing the web and you see an advertisement for a product that you have been looking for. You click on the link and it takes you to a website that looks like the website of the product. However, you notice that the URL is slightly different and has a spelling error. What type of attack is this an example of?

Business email compromise

Watering hole

Brand impersonation

Typosquatting

A

Business email compromise

Watering hole

Your answer is incorrect

Brand impersonation

Correct answer

Typosquatting

Overall explanation

OBJ: 2.2 - Typosquatting is a form of cyberattack that involves registering domain names that are similar to legitimate ones but have spelling errors or variations. The goal is to trick users into visiting malicious websites that may steal their information or infect their systems with malware. Watering hole is a form of cyberattack that involves compromising a legitimate website that is frequented by a specific group of users, such as employees of a certain organization. The goal is to infect the users’ systems with malware when they visit the website. Business email compromise is a form of cyberattack that involves compromising an email account of a person in authority, such as a CEO or a manager, and using it to send fraudulent requests or instructions to other employees or partners. The goal is to trick them into transferring money or disclosing confidential information. Brand impersonation is a form of cyberattack that involves creating fake websites, emails, or social media accounts that mimic legitimate ones. The goal is to deceive users into trusting the fake entity and revealing their information or performing malicious actions.


Domain

2.0 - Threats, Vulnerabilities, and Mitigations

25
Q

Question 25:

When evaluating a new security tool for automation and orchestration in the organization's infrastructure, which factor primarily addresses the potential financial impact over the tool's lifecycle?

ROI

Operational Efficiency

TCO

CAPEX

A

ROI

Operational Efficiency

Correct answer

TCO

Your answer is incorrect

CAPEX

Overall explanation

OBJ 4.7: The TCO (Total Cost of Ownership) not only includes the initial purchase price of the tool but also the ongoing expenses related to maintenance, updates, and other associated costs over its lifecycle. Operational efficiency refers to the effectiveness and productivity of operations but doesn't directly address the financial impact of a tool over its lifecycle. CAPEX (Capital Expenditure) pertains to the initial costs to purchase the asset or tool, not the ongoing or total costs throughout its lifecycle. While ROI (Return on Investment) evaluates the profitability or benefit of a particular investment, it doesn't primarily focus on the entire financial impact over a tool's lifecycle.

Domain

4.0 - Security Operations
26
Q

Question 26:

Which of the following statements BEST explains the importance of a simulation exercise in the incident response process?

Simulation exercises are theoretical exercises where incident response team members discuss and plan their responses to potential security incidents

Simulation exercises involve conducting live cybersecurity attacks against an organization's systems to evaluate the effectiveness of their incident response team

Simulation exercises are interactive drills that involve practicing incident response procedures in a controlled environment

Simulation exercises are meetings where incident response team members gather to share their experiences and lessons learned from past security incidents

A

Simulation exercises are theoretical exercises where incident response team members discuss and plan their responses to potential security incidents

Simulation exercises involve conducting live cybersecurity attacks against an organization's systems to evaluate the effectiveness of their incident response team

Your answer is correct

Simulation exercises are interactive drills that involve practicing incident response procedures in a controlled environment

Simulation exercises are meetings where incident response team members gather to share their experiences and lessons learned from past security incidents

Overall explanation

OBJ 4.8: Simulation exercises are interactive drills that involve practicing incident response procedures in a controlled environment. These exercises allow the incident response team to test and improve their capabilities in handling security incidents, identify weaknesses in their response plans, and enhance their coordination and communication during a simulated incident. The controlled environment ensures that the exercises do not impact production systems or networks. Simulation exercises are not meetings for sharing experiences and lessons learned from past security incidents. While lessons learned may be part of the exercise, the primary purpose of simulation exercises is to practice and refine the incident response process. While simulation exercises do involve theoretical discussions and planning, they go beyond just talking about incident response procedures. They typically include practical exercises and role-playing to enhance the team's ability to respond effectively to real incidents. Simulation exercises do not involve conducting live cybersecurity attacks against an organization's systems. They are not meant to create actual security incidents but rather to practice and improve the organization's response capabilities in a safe, controlled environment.

Domain

4.0 - Security Operations
27
Q

Question 27:

Which of the following BEST describes the primary benefit of independent third-party audits?

To conduct an internal assessment of the IT team's performance.

To provide job opportunities for external vendors and internal customers.

To streamline internal processes within the company.

Ensuring an objective and unbiased evaluation of security controls.

A

To conduct an internal assessment of the IT team's performance.

To provide job opportunities for external vendors and internal customers.

To streamline internal processes within the company.

Your answer is correct

Ensuring an objective and unbiased evaluation of security controls.

Overall explanation

OBJ: 5.5 - Independent third-party auditors are external to the organization, which allows for an impartial assessment, ensuring no internal biases affect the outcome. Job creation is not the primary purpose of these audits. While findings may indirectly reflect on the IT team's performance, third-party audits are designed to provide an unbiased evaluation of an organization's security, not specifically the IT team's effectiveness. While internal processes might be improved as a result of findings from third-party audits, it's not the main reason for their use.

Domain

5.0 - Security Program Management and Oversight
28
Q

Question 28:

Sophie, an IT specialist at Dion Training Solutions, observed a sudden spike in login attempts on their remote access portal. Multiple users reported receiving login success notifications despite not attempting to log in. Sophie verified that these attempts used valid usernames and old passwords that were changed a few weeks ago. Which of the following terms BEST describes the malicious activity Sophie detected?

Password brute-forcing

Credential replay

Password spraying

Session hijacking

A

Password brute-forcing

Correct answer

Credential replay

Your answer is incorrect

Password spraying

Session hijacking

Overall explanation

OBJ: 2.4 - Credential replay attacks involve attackers reusing previously captured user credentials to gain unauthorized access. The old passwords being used in the attempts suggest that they might have been captured earlier and are now being replayed. Password brute-forcing is an attack method where numerous combinations are tried until the correct password is identified. The use of valid usernames and previously valid passwords does not fit this method. Session hijacking involves taking over an already established user session. Sophie's observations were about login attempts, not overtaking ongoing sessions. In password spraying, the attacker tries a few common passwords against many accounts. This scenario describes specific, formerly valid passwords being used, not common passwords against multiple accounts.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
29
Q

Question 29:

Which of the following techniques would be most suitable for a developer at Dion Training to ensure user passwords, once transformed, cannot be reverted back to their original state?

Private

Hashing

Encryption

Tokenization

A

Private

Correct answer

Hashing

Encryption

Your answer is incorrect

Tokenization

Overall explanation

OBJ 3.3: Hashing provides a one-way, irreversible technique for securing data, making it appropriate for securing passwords. In other words, a person who gains access to the hashed password won't be able to discover the original password. Private data relates to data classification and privacy and does not describe a method to secure data like passwords. Encryption is the process of converting information or data into a code to prevent unauthorized access. It often uses an algorithm to replace the original data with other data. If a person figures out or acquires the algorithm and key, the data can be decrypted. While tokenization can provide security, it wouldn't be the best choice for passwords since it is essentially reversible, providing a mapping back to the original data. A person who has access to the database where the token and the password linked to it are stored can use the token to find the original password.

Domain

3.0 - Security Architecture
30
Q

Question 30:

What type of threat actor is most likely to be primarily motivated by money?

Organized crime

Hacktivist

Insider threat

Unskilled attackers

A

Correct answer

Organized crime

Hacktivist

Insider threat

Your answer is incorrect

Unskilled attackers

Overall explanation

OBJ: 2.1 - Organized crime organizations are threat actors that are composed of groups or networks of criminals and are motivated primarily by financial gain. Organized crime can launch coordinated and profitable attacks against businesses, governments, or individuals. A hacktivist is a threat actor that is motivated by philosophical or political beliefs and often targets organizations or governments that they disagree with. Hacktivists are not motivated by financial gain but rather by social or political change. An insider threat is a threat actor that has legitimate access to an organization's network, systems, or data and is motivated by revenge, greed, or ideology. Insider threats are not composed of groups or networks but rather of individuals within an organization. Unskilled attackers are threat actors that have little or no technical skills and are motivated by curiosity, boredom, or personal gain. Unskilled attackers are not composed of groups or networks but rather of individuals with low resources and capabilities.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
31
Q

Question 31:

Jamario, a system administrator at Dion Training Solutions, wants to prevent unauthorized mail servers from sending emails on behalf of the company's domain. He needs a solution that allows him to specify which servers are allowed to send these emails. Which of the following is the MOST effective protocol he should implement?

SPF

DMARC

IMAP

DKIM

A

Correct answer

SPF

DMARC

Your answer is incorrect

IMAP

DKIM

Overall explanation

OBJ 4.5: Jamario should implement SPF (Sender Policy Framework), as it lets him specify which mail servers are authorized to send emails on behalf of the company's domain. While DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses the results of SPF and DKIM checks, it doesn't directly list authorized servers for a domain. IMAP (Internet Message Access Protocol) is utilized for retrieving emails from a server and isn't designed to specify authorized sending servers for a domain. DKIM (DomainKeys Identified Mail) provides validation of the domain name identity associated with a message through cryptographic authentication, but it doesn't dictate authorized servers.

Domain

4.0 - Security Operations
32
Q

Question 32:

Which of the following is a type of assessment of a vendor's security posture that is conducted by a third party?

Independent assessments

Internal penetration testing

Evidence of internal audits

Right-to-audit clause

A

Correct answer

Independent assessments

Internal penetration testing

Evidence of internal audits

Your answer is incorrect

Right-to-audit clause

Overall explanation

OBJ: 5.3 - Independent assessments involve hiring an external third-party organization to evaluate and assess the vendor's security posture and controls. Penetration testing is a type of assessment that involves authorized simulated attacks on a vendor's systems and infrastructure to identify potential security weaknesses. It will test the security posture of a company, but an internal penetration test would not involve a third party. Evidence of internal audits refers to documentation or proof that the vendor has conducted its internal security audits to assess and maintain the effectiveness of its security measures. It is an internal audit conducted by the vendor, not by a third party. A right-to-audit clause is a provision in a vendor contract that grants the organization the authority to conduct audits on the vendor's security controls and practices. This allows the organization to do the audits itself; it doesn't involve a third party.

Domain

5.0 - Security Program Management and Oversight
33
Q

Question 33:

Dynamics is a marketing firm that has allowed employees to use devices they already own. However, a recent security breach has led them to hire a security consultant. The consultant indicates that the company needs much more control over the security of the employees' devices. The employees want to be able to modify their devices, adding software and games they use for life outside of work. Which of the following deployment models is the consultant most likely to suggest to meet the needs and wants of Dynamics and its employees?

CYOD

COPE

BYOD

COBE

A

CYOD

Correct answer

COPE

Your answer is incorrect

BYOD

COBE

Overall explanation

OBJ 4.1: COPE stands for Corporate Owned Personally Enabled, which is a deployment model that involves the company providing devices to its employees and allowing them to use them for both work and personal purposes. This model can give the company full control over the security and management of these devices, as it can enforce security policies, install software updates, monitor usage, and wipe data remotely. COBE stands for Corporate Owned Business Only, which is a deployment model that involves the company providing devices to its employees and restricting them to work-related use only. This model can ensure the highest level of security and compliance for these devices, but it also reduces the productivity and satisfaction of the employees, as they have to carry multiple devices for different purposes. BYOD stands for Bring Your Own Device, which is a deployment model that allows employees to use their personal devices, such as laptops, smartphones, or tablets, to access the company's network and applications. This model can reduce the costs and risks associated with managing and securing these devices, as the responsibility is shifted to the employees. CYOD stands for Choose Your Own Device, which is a deployment model that allows employees to choose from a list of approved devices provided by the company. This model can offer some flexibility and convenience to the employees while also enabling the company to enforce security standards and policies on these devices.

Domain

4.0 - Security Operations
34
Q

Question 34:

Which set of standards and guidelines is developed by NIST and specifies requirements for cryptographic modules used within federal computer systems in the United States?

ISO/IEC 27001

FIPS

PCI DSS

NIST Special Publication 800-63

A

ISO/IEC 27001

Correct answer

FIPS

PCI DSS

Your answer is incorrect

NIST Special Publication 800-63

Overall explanation

OBJ: 5.1 - FIPS (Federal Information Processing Standards) are standards that provide important guidelines and requirements for cryptography used to secure federal information systems, except those related to national security. PCI DSS relates to the protection of cardholder data and is not focused on the cryptographic requirements for federal information systems. While ISO/IEC 27001 is an important standard for information security management systems, it does not set specific requirements for cryptographic modules within federal computer systems. NIST Special Publication 800-63 provides guidelines for digital identity but does not specify requirements for cryptographic modules within federal systems.

Domain

5.0 - Security Program Management and Oversight
35
Q

Question 35:

Which of the following backup methods involves real-time replication of every transaction made within a system?

Incremental backup

Full backup

Journaling

Differential backup

A

Incremental backup

Full backup

Correct answer

Journaling

Your answer is incorrect

Differential backup

Overall explanation

OBJ 3.4: Journaling is a form of backup that involves recording all transactions in a system, which can be used to restore the system to a previous state. Differential backups capture all changes made since the last full backup. Like incremental backups, differential backups are not done in real-time but at specific intervals, and they accumulate changes since the last full backup. A full backup involves making a complete copy of all data in the system. While comprehensive, it's typically scheduled to occur at regular intervals (e.g., nightly or weekly) and does not provide real-time replication of each transaction. Incremental backups save only the changes made since the last backup, whether that was a full or another incremental backup. This method doesn't replicate transactions in real-time but rather at scheduled intervals.

Domain

3.0 - Security Architecture
36
Q

Question 36:

At Dion Training, Jamario observed that the web server configurations permitted the use of the outdated SSL 3.0 encryption protocol. Aware of the inherent vulnerabilities tied to SSL 3.0, he recognized the risk of attackers forcing weaker encryption standards. With these concerns in mind, he planned to discuss the matter in the next security meeting. Which potential risk is associated with Jamario's observation at Dion Training?

Replay attack

Cryptographic downgrade attack

Brute force attack

On-path attack

A

Replay attack

Correct answer

Cryptographic downgrade attack

Your answer is incorrect

Brute force attack

On-path attack

Overall explanation

OBJ: 2.4 - In a cryptographic downgrade attack, an adversary forces the communication between two parties to use a less secure protocol or cipher suite, which is easier to compromise. In this case, by allowing SSL 3.0, an older and flawed protocol, the web server can be manipulated by an attacker to use this outdated protocol, making the data transmission less secure. Brute force attacks involve trying many different passwords or encryption keys until the correct one is found. This approach doesn't specifically focus on exploiting vulnerabilities in encryption protocols. An on-path attack involves an attacker secretly intercepting and possibly altering the communication between two parties. While related, it doesn't specifically focus on downgrading encryption protocols. A replay attack involves capturing a valid data transmission and then fraudulently repeating or delaying it. This doesn't concern the strength or type of encryption protocol being used.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
37
Q

Question 37:

Lorna is reviewing the logs of a domain name system (DNS) server and notices that it has received many requests for non-existent subdomains of a legitimate domain. She also observes that the responses from these requests are much larger than the requests themselves. Which of the following network attacks is MOST likely occurring on the DNS server?

On-path

Reflected

Amplified

Out-of-cycle logging

A

On-path

Reflected

Your answer is correct

Amplified

Out-of-cycle logging

Overall explanation

OBJ: 2.4 - An amplified attack is a type of distributed denial-of-service (DDoS) attack that involves sending requests with spoofed source IP addresses to servers that generate large responses, amplifying the traffic sent to the target server. An on-path attack is a type of network attack that involves intercepting or modifying data in transit between two parties, such as by using a packet sniffer or a proxy server. A reflected attack is a type of DDoS attack that involves sending requests with spoofed source IP addresses to servers that redirect the responses to the target server, reflecting the traffic back to it. There is no indication in the scenario that there is any redirection of responses. Out-of-cycle logging is an indicator of malicious activity that shows that an attacker or malware has generated or modified logs outside of the normal schedule or frequency, indicating a possible compromise or tampering. There is no indication in the scenario of any problems with the logs.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
38
Q

Question 38:

An IT technician is implementing a method to encrypt the operating system, program files, user files, and other data on a drive. Which of the following encryption methods is being used?

File-level encryption

Database encryption

Full-disk encryption

Partition encryption

A

File-level encryption

Database encryption

Correct answer

Full-disk encryption

Your answer is incorrect

Partition encryption

Overall explanation

OBJ: 1.4 - Full-disk encryption is a security mechanism used to protect data by encrypting the entire hard drive or storage medium on which data is stored. This means that every bit of data, including the operating system, applications, and user files, is encrypted when the system is at rest. File-level encryption encrypts individual files or folders on a storage device, not the entire disk. Partition encryption encrypts a specific partition on a storage device, not the entire disk. Database encryption encrypts data at the database level, not the entire disk.

Domain

1.0 - General Security Concepts
39
Q

Question 39:

Which term best describes the process of confirming the accuracy and completeness of compliance-related reports?

Independent third-party audit

Attestation

Internal assessment

Regulatory examination

A

Independent third-party audit

Correct answer

Attestation

Internal assessment

Your answer is incorrect

Regulatory examination

Overall explanation

OBJ: 5.5 - Attestation is the term that refers to the process of affirming the accuracy and completeness of compliance reports. It involves providing formal statements or declarations about the organization's compliance with specific regulations or standards. Attestation can be done internally by the organization's management or externally by a third-party auditor. An independent third-party audit involves an external and unbiased assessment conducted by an independent auditor or a third-party organization. The purpose of this audit is to provide an objective evaluation of the organization's compliance status. Independent third-party audits are often used to validate and verify compliance claims made by the organization and can offer more credibility to compliance reports. A regulatory examination is an external evaluation conducted by a government agency or a regulatory body to ensure that an organization is complying with specific regulations or industry standards. During a regulatory examination, the organization's compliance practices, controls, and processes are thoroughly reviewed to assess their alignment with the applicable rules and requirements. Internal assessment involves the organization's internal evaluation of its adherence to established compliance requirements. This process may include self-assessments, internal audits, and reviews conducted by the organization's compliance team to ensure that it meets the necessary regulatory and security standards.

Domain

5.0 - Security Program Management and Oversight
40
Q

Question 40:

You are the security administrator for a medium-sized company that handles sensitive customer information. As part of your security measures, you are implementing the principle of Least Privilege for all employees to reduce the risk of unauthorized access to critical systems and data. Which of the following actions best aligns with the concept of Least Privilege?

Providing employees with administrative access to their workstations to install software and updates without IT intervention

Implementing role-based access controls (RBAC) to restrict employees' access to only the resources and data necessary to perform their job functions

Granting employees access to all resources and data required for their current role and potential future roles

Providing the privileges that are needed for the least important of their tasks, which ensures they will have the higher privileges they may need to complete tasks

A

Providing employees with administrative access to their workstations to install software and updates without IT intervention

Correct answer

Implementing role-based access controls (RBAC) to restrict employees' access to only the resources and data necessary to perform their job functions

Your answer is incorrect

Granting employees access to all resources and data required for their current role and potential future roles

Providing the privileges that are needed for the least important of their tasks, which ensures they will have the higher privileges they may need to complete tasks

Overall explanation

OBJ 4.6: Implementing role-based access controls (RBAC) aligns with the principle of least privilege. RBAC ensures that each employee is granted the minimum necessary privileges and permissions based on their job function, reducing the risk of unauthorized access to sensitive data and systems. Granting employees access to all resources and data beyond their current role would violate the principle of least privilege. It increases the attack surface and potential damage if their credentials are compromised or misused. Least Privilege focuses on the privileges an employee needs to complete assigned tasks. It doesn't rank the privileges or tasks to provide a bottom or lower level of privileges. Providing employees with administrative access on their workstations is not in line with the principle of least privilege. Administrative access should be limited to a select few individuals who require it to perform specific administrative tasks.

Domain

4.0 - Security Operations
41
Question 41: Which of the following best explains the concept of Alert Tuning?

Alert tuning will reduce the number of false negatives, enhancing the accuracy of alerting systems
Alert tuning is primarily used for the visualization of the alerting system's user interface
Alert tuning helps in reducing false positives, enhancing the accuracy of the alerting systems
Alert tuning notifies security analysts of common alerts, although it can't provide resolutions for those alerts

Correct answer: Alert tuning helps in reducing false positives, enhancing the accuracy of the alerting systems

Overall explanation

OBJ: 4.4 - One of the primary objectives of alert tuning is to reduce false positives, increasing the overall accuracy of the alerting system. Alert tuning works to reduce false positives, not false negatives. Reducing false positives can actually increase the instance of false negatives. The primary purpose of alert tuning is to enhance the efficiency and accuracy of the alerting system by reducing false positives and tailoring the system to an organization's specific requirements. Alert tuning is not concerned with improving the user interface aesthetics of the alerting system. Alert tuning allows security analysts to identify common alerts and resolve them, which allows security analysts to focus on more significant issues.

Domain

4.0 - Security Operations
42
Question 42: Kisha, a security official, is implementing an encryption protocol for the factory they work at. They need a wireless encryption protocol that will work with the factory's older equipment. As the factory is in a remote location and the equipment only needs to connect to other equipment in the area, they need a reliable encryption protocol but don't need the newest and most secure protocols. They prefer protocols that use keys to encrypt each packet. Which of the following options BEST represents the encryption protocol they need?

WPA
WEP
AES
TKIP

Correct answer: TKIP

Overall explanation

OBJ 4.1: TKIP stands for Temporal Key Integrity Protocol, and it is an encryption protocol that uses keys to encrypt each packet of data. TKIP was introduced by WPA to replace WEP, and it is compatible with older devices that do not support WPA2 or AES. WPA stands for Wi-Fi Protected Access, and it is a security standard that uses either TKIP or AES as the encryption protocol. WPA does not refer to a specific encryption protocol but rather a set of features and requirements that ensure wireless security. AES stands for Advanced Encryption Standard, and it is an encryption protocol that does not use keys to encrypt each packet of data. Instead, AES uses a symmetric-key algorithm that encrypts the entire data stream with a single key. AES is the most secure and efficient encryption protocol for wireless networks, but it requires devices that support WPA2/3. Older devices may not be compatible with AES. WEP stands for Wired Equivalent Privacy, and it is an encryption protocol that also uses keys to encrypt each packet of data. WEP was the first encryption protocol for wireless networks, but it has been deprecated and should never be used.

Domain

4.0 - Security Operations
43
Question 43: You are a security analyst tasked with investigating a suspected security breach involving an employee's device. You decide to examine the endpoint logs. Which of the following pieces of information would be MOST valuable in these logs to investigate the incident?

Applications installed and subsequently uninstalled on the device over the past week
Unusual or unauthorized activities involving file access and network connections
The number of times the endpoint device has been restarted in the past month
The total number of files currently stored on the device

Correct answer: Unusual or unauthorized activities involving file access and network connections

Overall explanation

OBJ 4.9: From an endpoint perspective, details regarding unusual or unauthorized activities, such as unexpected processes, unauthorized file access, and suspicious network connections, could provide critical evidence during a security investigation. While frequently restarting a device could be an indication of technical issues with the endpoint device, it is not directly useful for investigating a specific security incident unless correlated with other suspicious activities. Although tracking installed and uninstalled applications could be useful in some investigations, without contextual details (such as who made the changes and why), this data alone would not likely suffice to pinpoint a specific security incident. Simply having the total number of files on an endpoint would not provide useful information for a specific security investigation. It is the access and modification details of the files that would be more valuable, especially if suspicious activity is detected.

Domain

4.0 - Security Operations
44
Question 44: Which of the following statements BEST explains the importance of environmental variables in regard to vulnerability management?

Environmental variables are factors that impact the physical security of an organization's premises
Environmental variables are specific conditions that trigger an automated response when a vulnerability is detected in an organization's systems
Environmental variables are parameters used in vulnerability scanning tools to assess the security posture of an organization's network and infrastructure
Environmental variables refer to the unique characteristics of an organization's infrastructure that can affect vulnerability assessments and risk analysis

Correct answer: Environmental variables refer to the unique characteristics of an organization's infrastructure that can affect vulnerability assessments and risk analysis

Overall explanation

OBJ 4.3: Environmental variables refer to the unique characteristics of an organization's infrastructure, business environment, and operational context that can impact vulnerability assessments and risk analysis. Understanding these variables is crucial to conducting effective vulnerability management and developing appropriate risk mitigation strategies. While vulnerability scanning tools may use various parameters, environmental variables refer to different aspects related to an organization's infrastructure and business environment. These variables are not specific conditions triggering automated responses; rather, they are factors related to an organization's infrastructure and business environment that impact vulnerability management processes. While physical security factors are important, environmental variables in this context have a different focus.

Domain

4.0 - Security Operations
45
Question 45: Which of the following mitigation techniques would best help prevent unauthorized port openings and data exfiltration from employee devices in the future?

AV
WCF
HIPS
IDS

Correct answer: HIPS

Overall explanation

OBJ 2.5 - HIPS (Host-based Intrusion Prevention System) monitors and blocks suspicious activities like unauthorized port openings in real time, preventing potential data exfiltration. IDS (Intrusion Detection System) only detects suspicious activity but does not prevent it. AV (Antivirus) helps detect malware but does not specifically monitor for unauthorized port access. WCF (Web Content Filtering) controls internet usage but doesn't prevent unauthorized local actions on the system.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
46
Question 46: Which of the following statements is NOT TRUE concerning the significance of DLP?

DLP systems are essential to the development of business systems that prevent malicious actors from accessing systems
DLP tools ensure confidentiality and integrity of sensitive data by enforcing data security policies
DLP solutions help to safeguard sensitive data from being unintentionally distributed
DLP systems have the capability to detect potential data breaches and take preventative action

Correct answer: DLP systems are essential to the development of business systems that prevent malicious actors from accessing systems

Overall explanation

OBJ: 4.4 - Data Loss Prevention (DLP) tools do analyze data movement and usage within an organization to protect sensitive data. They prevent data loss, not access to systems. The primary purpose of DLP solutions is to safeguard sensitive data from unauthorized access and inadvertent distribution. DLP systems are capable of identifying potential data breaches and can take corrective and preventative actions, such as alerting administrators or blocking user actions. DLP tools do enforce data security policies and thereby help in maintaining the confidentiality and integrity of sensitive data within the organization.

Domain

4.0 - Security Operations
47
Question 47: What is the purpose of a risk register in the risk management process?

To list all identified risks and their potential impacts
To determine the risk tolerance level of an organization
To assign probability values to identified risks
To provide a detailed analysis of risk impact on business operations

Correct answer: To list all identified risks and their potential impacts

Overall explanation

OBJ: 5.2 - A risk register is a comprehensive document that lists all identified risks, their potential impacts, and other relevant information related to each risk. The risk register may not directly determine the risk tolerance level of an organization, but it provides crucial information to help decision-makers understand the risks and their potential impacts, which can contribute to determining risk tolerance. While the risk register includes information about the potential impacts of identified risks, it may not provide a detailed analysis of the impact on business operations. Instead, it acts as a repository of risk-related data. While probability values can be included in the risk register, its primary purpose is to list and track identified risks rather than to assign probability values.

Domain

5.0 - Security Program Management and Oversight
48
Question 48: Which of the following penetration testing methods MOST closely simulates real-world attacks to uncover vulnerabilities?

Defensive
Physical
Offensive
Integrated

Correct answer: Offensive

Overall explanation

OBJ: 5.5 - Offensive penetration testing, also known as ethical hacking, aims to simulate real-world cyberattacks on an organization's systems and networks. The objective is to identify vulnerabilities and weaknesses that malicious hackers could exploit. Defensive penetration testing focuses on assessing an organization's ability to detect and respond to cyber threats. It involves testing the effectiveness of security monitoring and incident response capabilities. Integrated penetration testing is a comprehensive approach that combines multiple methods, such as physical, offensive, and defensive testing, to provide a holistic assessment of an organization's overall security posture. Physical penetration testing involves evaluating the security measures of an organization's physical premises, such as buildings, data centers, and facilities. The aim is to identify weaknesses related to access controls, surveillance systems, and other physical security aspects.

Domain

5.0 - Security Program Management and Oversight
49
Question 49: According to the most recent NIST guidelines on password policies, which of the following is NOT a recommended practice?

Blocking common passwords like dictionary words.
Allowing users to decide when to change their password.
Enforcing specific password complexity rules.
Disallowing the use of the username within the password.

Correct answer: Enforcing specific password complexity rules.

Overall explanation

OBJ: 5.1 - NIST's updated guidelines suggest that complexity rules should not be enforced, allowing users to choose their own passwords within certain broad parameters. Blocking common passwords like dictionary words is in line with the NIST guidelines, which recommend preventing the use of easily guessable passwords. NIST suggests that aging policies should not be enforced, giving users the autonomy to change their passwords based on their discretion, unless a compromise is detected. While NIST does deprecate some traditional elements of password policy, it still advocates for blocking passwords that repeat contextual information, such as the username.

Domain

5.0 - Security Program Management and Oversight
50
Question 50: Which of the following statements BEST explains the importance of guard rails in automation and orchestration?

They replace the need for any manual oversight in processes
They slow down automation to ensure manual checks at every step
They convert all manual processes to automated ones
They provide boundaries to ensure automated processes operate safely

Correct answer: They provide boundaries to ensure automated processes operate safely

Overall explanation

OBJ 4.7: Guardrails ensure that automated processes work within set parameters to prevent unintended outcomes or potential damage. Guardrails don't necessarily slow down processes; they provide safety mechanisms to ensure processes run correctly. Guardrails are about safety in automation, not about converting manual processes to automated ones. While guardrails help in safe automation, manual oversight, especially in complex systems, remains essential.

Domain

4.0 - Security Operations
51
Question 51: You are a security consultant for an enterprise that handles sensitive customer data and financial transactions. The organization is concerned about the security of data in transit and wants to enhance the confidentiality and integrity of data during transmission to and from their customers. Which of the following approaches would be the MOST effective way to modify the enterprise capabilities to enhance data security during transmission of data from and to their customers?

Enabling QoS to prioritize sensitive data packets during transmission
Using a network hub instead of a switch to avoid data collisions during transmission
Setting up a VPN to route all data through a secure encrypted tunnel
Implementing SSL for encrypting data during transmission

Correct answer: Implementing SSL for encrypting data during transmission

Overall explanation

OBJ 4.5: Implementing Secure Sockets Layer (SSL) is an effective approach to enhance data security during transmission. SSL (and its successor, Transport Layer Security, or TLS) provides end-to-end encryption, ensuring that data is encrypted before leaving the sender and decrypted upon arrival at the receiver. This prevents unauthorized parties from intercepting and reading sensitive data as it travels over the network. Mandating the use of SSL and TLS in all data transmissions is relatively easy for an organization. Quality of Service (QoS) is used to prioritize network traffic and allocate bandwidth based on different criteria, such as application type or data type. While QoS can improve network performance and ensure timely delivery of sensitive data, it does not address the primary concern of encrypting the data during transmission. Network hubs are outdated and have largely been replaced by switches in modern network infrastructures. Using a hub instead of a switch does not contribute to data security during transmission. In fact, hubs are less secure since they broadcast data to all connected devices, allowing potential eavesdropping by unauthorized parties. A Virtual Private Network (VPN) establishes a secure encrypted tunnel between two endpoints, ensuring that data passing through the tunnel remains confidential and protected from eavesdropping or tampering. Organizations will have much more difficulty guaranteeing that customers will use VPNs when connecting to the organizations' server. They can, however, control the use of SSL and TLS, so VPNs are not the most effective way to improve security in this circumstance.

Domain

4.0 - Security Operations
52
Question 52: An organization is looking to protect sensitive financial data stored in spreadsheets. Which of the following methods would be the MOST effective in ensuring the data's confidentiality and integrity?

Data encryption and digital watermarking
Network monitoring and firewalls
Password protection and read-only access
Version control and backup

Correct answer: Data encryption and digital watermarking

Overall explanation

OBJ 3.3: Encrypting the spreadsheet ensures unauthorized parties cannot view its content, and digital watermarking embeds a hidden mark to track and verify the document's authenticity and integrity. Password protection restricts access, and read-only access prevents modifications, but neither ensures data confidentiality from unauthorized decryption nor verifies its integrity against all forms of tampering. Network monitoring and firewalls protect against unauthorized access and attacks; they don't directly ensure the confidentiality or integrity of specific spreadsheet data. While version control and backup are crucial for maintaining data history and recovery, neither directly ensures the spreadsheet's confidentiality nor verifies its integrity.

Domain

3.0 - Security Architecture
53
Question 53: Which of the following BEST describes data that is considered sensitive under the EU's General Data Protection Regulations (GDPR)?

Data that contains an individual's favorite movies, books, and hobbies
Personal data that includes religious beliefs and political opinions
Data that relates to an individual's employment history and salary
Personal data that includes an individual's online purchase history

Correct answer: Personal data that includes religious beliefs and political opinions

Overall explanation

OBJ 3.3: Under the EU's GDPR, sensitive personal data refers to specific categories of personal information that could harm an individual if made public. This includes, but is not limited to, religious beliefs, political opinions, trade union membership, gender, sexual orientation, racial or ethnic origin, genetic data, and health information. The intention behind categorizing such data as sensitive is to ensure its protection and prevent its misuse. While employment history and salary details are personal data, they are not specifically categorized as sensitive under the GDPR. They should still be protected, but they don't fall under the specially protected categories. Preferences like favorite movies or hobbies, while personal, are not considered sensitive under the GDPR's specific criteria. Online purchase history is a form of personal data, but it isn't classified as sensitive in the context of the GDPR's specialized categories.

Domain

3.0 - Security Architecture
54
Question 54: Several employees at Dion Training Solutions reported being unable to access their accounts early in the morning, even though they were sure they inputted their passwords correctly. After investigating, the IT team found that the accounts had been locked automatically after multiple failed login attempts during the night. Which of the following policies is MOST likely responsible for the employees' inability to log in?

Multi-Factor Authentication Policy
Account Lockout Policy
Password Complexity Policy
Password Expiration Policy

Correct answer: Account Lockout Policy

Overall explanation

OBJ 2.4 - The account lockout policy is designed to lock a user's account after multiple failed login attempts, which explains why employees were unable to log in after the system detected several incorrect password entries during the night. A password complexity policy enforces rules for creating strong passwords but does not cause account lockouts. Multi-factor authentication (MFA) adds extra security layers but is not responsible for locking accounts after failed attempts. Similarly, a password expiration policy requires users to update their passwords periodically but does not automatically lock accounts after failed logins.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
55
Question 55: Florence is explaining the cryptographic system to her boss. He finds it very confusing and keeps saying that it all seems like smoke and mirrors. He doesn't think that the system can be relied on. Florence then explains that there is a piece of hardware within the system that can be always and completely relied upon, setting up a chain of reliable identities. It is the foundation of the cryptographic system. What is Florence describing?

Root of Trust
Certificate Revocation Lists
Online Certificate Status Protocol
Certificate Authorities

Correct answer: Root of Trust

Overall explanation

OBJ: 1.4 - Root of Trust (RoT) is a source that can always be trusted. It is the foundation of a cryptographic system and is the central point of the chain of trust within that system. It can be a piece of hardware (a Hardware Root of Trust) or software based. It is important in PKI, but it doesn't provide digital certificates. Certificate Authorities (CAs) are trusted entities that issue and manage security credentials and public keys for message encryption. This does not describe the source that can always be trusted within a cryptographic system. Certificate Revocation Lists (CRLs) are lists of certificates that have been revoked by a Certificate Authority before their scheduled expiration date. This does not describe the source that can always be trusted within a cryptographic system. Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of a digital certificate. This does not describe the source that can always be trusted within a cryptographic system.

Domain

1.0 - General Security Concepts
56
Question 56: You are a web developer for an online shopping website that handles sensitive customer data such as credit card information and personal details. You want to increase the protection of data in transit. Which of the following mitigation techniques can help you achieve this goal?

Disabling ports and protocols
Patching
Encryption
Access control through permissions

Correct answer: Encryption

Overall explanation

OBJ: 2.5 - Encryption is a mitigation technique that involves using mathematical algorithms to transform data into an unreadable format. Encryption can protect data from unauthorized access or modification, as only those who have the secret key or algorithm can decrypt the data. It will help protect data in transit. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems. It won't protect data in transit. Disabling ports and protocols is a hardening technique that can help reduce exposure to potential attacks. This can be done on firewalls, switches, routers, and hosts to close or block any network ports or protocols that aren't needed for the normal operation of the systems and devices. Ports are numerical identifiers that specify the destination or source of network traffic, and protocols are rules or standards that define how network traffic is formatted or transmitted. This will not protect data in transit. Access control through permissions is a mitigation technique that can help prevent unauthorized execution of programs or scripts on a system or device. This is achieved by defining permissions through policies and applying those policies to resources such as programs, scripts, files, folders, and databases. Users without the correct permissions can't access the resources. This won't protect data in transit.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
57
Question 57: Which of the following statements BEST describes threat scope reduction in the Zero Trust model?

Focuses on narrowing potential threat vectors.
Defines data transmission protocols.
Organizes data into implicit trust zones.
Manages cryptographic keys for secure data storage.

Correct answer: Focuses on narrowing potential threat vectors.

Overall explanation

OBJ: 1.2 - Threat scope reduction aims to minimize the possible avenues or channels that could be exploited by adversaries. By limiting these vectors, an organization reduces its attack surface and, therefore, its risk of exposure. Managing cryptographic keys is essential for ensuring data is stored securely, particularly when it comes to encryption. However, this process is more about data protection and confidentiality than reducing the scope or number of potential threats. Defining data transmission protocols specifies the rules for how data is transmitted across a network. While defining transmission protocols is crucial for data integrity and security, it does not inherently focus on reducing the scope of threats. Organizing data into trust zones involves segmenting the network or creating isolated environments based on levels of trust. While this can be a component of threat scope reduction, the term itself doesn't directly equate to reducing threat vectors. Implicit trust, especially, is generally avoided in Zero Trust models.

Domain

1.0 - General Security Concepts
58
Question 58: Which of the following is NOT a consequence of non-compliance with regulations?

Sanctions
Layoffs
Reputational damage
Fines

Correct answer: Layoffs

Overall explanation

OBJ: 5.4 - Layoffs may result from non-compliance, but can occur for many other reasons. They are not directly related to non-compliance with regulations. Reputational damage refers to the harm caused to an organization's reputation and brand image due to non-compliance incidents. Negative publicity and loss of trust from customers and partners can result from non-compliance. Fines are monetary penalties imposed by regulatory authorities for failing to comply with specific regulations. Organizations may face financial repercussions if they do not adhere to the required standards. Sanctions are punitive measures taken against an organization for non-compliance. They may include restrictions, limitations, or prohibitions on certain activities, contracts, or operations.

Domain

5.0 - Security Program Management and Oversight
59
Question 59: Jamario, a security analyst at Dion Training Solutions, is configuring a new network architecture. He's considering using a screened subnet to enhance security. How does a screened subnet MOST enhance network security when implemented with a firewall?

It automatically updates firewall rules
It encrypts all data between the internal and external networks
It compresses traffic to speed up the network
It creates an isolated zone

Correct answer: It creates an isolated zone

Overall explanation

OBJ 4.5: A screened subnet, often referred to as a DMZ (Demilitarized Zone), acts as a buffer between the untrusted external network (like the Internet) and the trusted internal network. By doing so, it prevents direct access to internal resources, adding an extra layer of security. While encryption is crucial for data security, a screened subnet itself doesn't encrypt data. Its primary purpose is to segregate network zones. A screened subnet doesn't automatically update firewall rules. Firewall configurations and updates are managed separately. Screened subnets are not designed for traffic compression. Their role is to enhance security by creating a separate network zone.

Domain

4.0 - Security Operations
60
Q

Question 60:

In regards to automation and orchestration, which of the following terms accurately captures the challenges faced when dealing with a system characterized by its intricate web of interconnected components and varied functionalities, potentially hindering seamless integration, effortless management, and straightforward comprehension?

Cost

Technical debt

Ongoing supportability

Complexity

A

Cost

Technical debt

Ongoing supportability

Correct answer

Complexity

Overall explanation

OBJ 4.7: Complexity refers to the degree of intricacy in a system or process. In automation and orchestration, high complexity can lead to challenges in maintenance, understanding, and implementation. While high complexity can lead to increased costs, the term "cost" encompasses a broader range of financial considerations, not just those associated with intricate systems. While technical debt can be a consequence of complexity, it more specifically refers to the implied cost of additional rework caused by choosing a quicker yet less optimal solution. Ongoing supportability relates to the ease with which a system can be maintained and supported over time, but it does not specifically address the intricacy or convolution of a system.

For support or reporting issues, include Question ID: 654341fd263aeb5dbf217248 in your ticket. Thank you.

Domain

4.0 - Security Operations
61
Q

Question 61:

An organization with a significant online presence is concerned about potential security threats and wants to enhance its cybersecurity measures. Which modification to enterprise capabilities would be the most suitable for the organization to enhance network security and proactively block access to known malicious or inappropriate websites?

Implementing biometric authentication for all employees

Disabling file sharing for all employees

Deploying next-generation firewalls with deep packet inspection

Implementing DNS filtering

A

Implementing biometric authentication for all employees

Disabling file sharing for all employees

Deploying next-generation firewalls with deep packet inspection

Correct answer

Implementing DNS filtering

Overall explanation

OBJ 4.5: DNS filtering blocks access to malicious or inappropriate websites by controlling DNS queries: when a client tries to resolve a domain on a block list, the resolver refuses or redirects the lookup, so the connection never reaches the malicious host. Biometric authentication strengthens user verification by using unique characteristics, like fingerprints or facial recognition, and offers greater security than traditional passwords; however, it does not block malicious websites. Next-generation firewalls (NGFWs) with deep packet inspection add security by identifying and blocking malicious content at the application layer, but inspecting packet contents is not the same as proactively denying access to known-bad domains, which is what the question asks for. Disabling file sharing reduces the risk of data leakage and malware spreading across shares, but it has no effect on which websites users can reach.

For support or reporting issues, include Question ID: 64ba90f75522696b2bdef3d8 in your ticket. Thank you.

Domain

4.0 - Security Operations
62
Q

Question 62:

Which of the following references an operating system that is designed to process data or events within a specified time frame or deadline?

Embedded systems

IoT

RTOS

ICS

A

Embedded systems

IoT

Correct answer

RTOS

ICS

Overall explanation

OBJ: 3.1 - A real-time operating system (RTOS) is an operating system that is designed to process data or events within a specified time frame or deadline. An RTOS provides predictability, reliability, and performance for time-sensitive applications, but it also requires more specialized hardware and software. Industrial control systems (ICS) are systems that monitor and control physical processes in industrial environments, such as power plants, factories, or water treatment facilities. Supervisory control and data acquisition (SCADA) is a type of ICS that uses computers and networks to remotely control and collect data from industrial devices and sensors. The Internet of Things (IoT) refers to the network of physical devices, vehicles, appliances, and other items that are embedded with sensors, software, and connectivity to exchange data and interact with other devices or systems. IoT can enable automation, efficiency, and convenience, but it also poses security and privacy challenges. Embedded systems are systems that are integrated into larger systems or devices to perform specific functions or tasks. Embedded systems can have limited resources, such as memory, power, or processing speed, but they also provide efficiency, functionality, and security.

For support or reporting issues, include Question ID: 64bf70128d118a676363a463 in your ticket. Thank you.

Domain

3.0 - Security Architecture
63
Q

Question 63:

You are a web developer for an online gaming website that hosts various games for different platforms and devices. You want to use a mitigation technique that can help you prevent unauthorized or malicious programs from running on your web server. Which of the following mitigation techniques can help you achieve this goal?

Application allow list

Access control lists

Segmentation

Patching

A

Correct answer

Application allow list

Access control lists

Segmentation

Patching

Overall explanation

OBJ: 2.5 - An application allow list is a mitigation technique that helps enforce compliance with security standards and policies on a system or network. It compares each program that tries to execute against a list of applications that have been verified and authorized by the system or network administrator. Any application that is not on the list is not allowed to run, regardless of how it arrived on the server. Segmentation is a mitigation technique that involves dividing a network into smaller segments, each with its own security policies and controls. Segmentation can limit the scope of an attack by isolating the compromised segment and preventing the attacker from gaining access to the entire network, but it does not prevent unauthorized applications from running on a system. Access control lists (ACLs) are a mitigation technique that uses a list of rules to limit access to resources on a network. ACLs can restrict access based on criteria such as IP addresses, port numbers, and protocols; they control who can reach a resource, not which programs are permitted to execute on the server. Patching is a mitigation technique that helps prevent exploitation of known vulnerabilities on systems and devices by applying the latest security fixes and enhancements. You will need to keep your software up to date, but this will not prevent unauthorized software from being installed or run on your servers.

For support or reporting issues, include Question ID: 64bef2050f6a8ad3be5d3c93 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
64
Q

Question 64:

Dion Training Solutions wants to implement a security system that can inspect incoming network traffic in real-time, detect malicious activities, and then take action to block those activities immediately. Which of the following would be the MOST appropriate solution?

IDS

Proxy server

IPS

WAF

A

IDS

Proxy server

Correct answer

IPS

WAF

Overall explanation

OBJ 3.2: An intrusion prevention system (IPS) sits inline in the traffic path and actively analyzes network traffic for signs of malicious activity. If it detects a threat, it can take immediate action, such as dropping the malicious packets or blocking traffic from the offending IP address. While a WAF can inspect and block malicious web traffic, its scope is specifically geared towards web applications and does not necessarily cover all types of network traffic. An intrusion detection system (IDS) monitors traffic and can log and provide alerts; however, it does not actively prevent potentially malicious content the way an IPS does. A proxy server acts as an intermediary for requests from clients seeking resources from other servers. Its primary role is to forward web requests, and it may cache data, but it does not block malicious activity based on real-time traffic analysis.

For support or reporting issues, include Question ID: 652c7548c7a7b1e22ed067b2 in your ticket. Thank you.

Domain

3.0 - Security Architecture
65
Q

Question 65:

As part of a new building initiative, Dion Training Solutions plans to connect two office buildings via a direct physical link. Which of the following measures will BEST protect the physical infrastructure connectivity?

Installing the cable in a conduit buried underground

Placing the cable in an on-ground pipe between buildings

Running the connection on overhead poles

Securing the cable inside the building walls at both ends

A

Correct answer

Installing the cable in a conduit buried underground

Placing the cable in an on-ground pipe between buildings

Running the connection on overhead poles

Securing the cable inside the building walls at both ends

Overall explanation

OBJ 3.2: Burying the connection underground within a protective conduit offers protection from environmental factors and unauthorized tampering. Overhead poles expose the connection to environmental factors, interference, and potential tampering, making it less secure. Securing the cable at each end offers some protection within the buildings, which is a good start, but it does not address the vulnerability of the cable for the majority of the distance between the buildings, leaving it exposed to potential damage or tampering along the way. An on-ground pipe leaves the cable vulnerable to environmental elements (e.g., flooding, heat), tampering, and physical damage, which could disrupt connectivity.

For support or reporting issues, include Question ID: 652c721574644bf66062a2e3 in your ticket. Thank you.

Domain

3.0 - Security Architecture
66
Q

Question 66:

What is the term for a type of open service port that is commonly used for email servers and can be exploited by attackers to perform spamming, spoofing, or phishing attacks?

IMAP

SMTP

HTTP

POP

A

IMAP

Correct answer

SMTP

HTTP

POP

Overall explanation

OBJ: 2.2 - Simple Mail Transfer Protocol (SMTP), normally on TCP port 25 (and 587 for authenticated client submission), is the protocol email servers use to send and relay messages. An open SMTP port is the one most commonly abused for spamming, spoofing, or phishing because it is the channel through which mail is sent; a server configured as an open relay will forward mail for anyone. Hypertext Transfer Protocol (HTTP), on TCP port 80 by default, is the protocol used to transfer web pages and data; an open HTTP port exposes a web server and can be exploited through injection attacks such as SQL injection or cross-site scripting. Post Office Protocol (POP3), on TCP port 110 by default, is used by email clients to retrieve messages from a server; an open POP port is most commonly abused for eavesdropping, data theft, or malware delivery. Internet Message Access Protocol (IMAP), on TCP port 143 by default, is also used by email clients to read and manage messages that remain on the server; like POP, an open IMAP port is most commonly abused for eavesdropping, data theft, or malware delivery.

For support or reporting issues, include Question ID: 64b9ea100607a460c0b526d1 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
67
Q

Question 67:

David, a network administrator at Dion Training, notices unusual traffic patterns from a specific IP address. He documents the time, source IP, destination, and the nature of the traffic. He then forwards this information to the cybersecurity team for further analysis. Which of the following BEST describes the type of report David just created for the cybersecurity team?

Trend analysis

Initial report

Forensic report

Risk assessment

A

Trend analysis

Correct answer

Initial report

Forensic report

Risk assessment

Overall explanation

OBJ: 5.6 - An initial report is the first report made to highlight an incident or suspicious activity. It typically includes basic information (time, source, destination, and what was observed) and is used to alert the relevant teams or departments. David has provided the initial report of a possible incident. A risk assessment is a report identifying potential vulnerabilities and threats and assessing the potential impact and likelihood of them occurring. A forensic report is a detailed analysis typically produced after an investigation, containing evidence, methodologies, and conclusions about a security incident. Trend analysis looks for patterns over time to make predictions about the future.

For support or reporting issues, include Question ID: 64c3501968c1ea425b0f0c6a in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
68
Q

Question 68:

Dion Training's IT department decided to upgrade a Windows server's OS from Windows Server 2016 to Windows Server 2019. This required a scheduled outage for three hours during off-peak hours, where none of the services running on the server would be available. Which of the following terms BEST describes the state of the system?

Change management

Maintenance window

Downtime

Service restart

A

Change management

Maintenance window

Correct answer

Downtime

Service restart

Overall explanation

OBJ: 1.3 - Downtime is a period when a system is unavailable or its performance is degraded, often due to planned maintenance or unforeseen incidents. In the scenario, the server's unavailability during the upgrade process is a clear example of downtime. A service restart is the act of stopping and then starting a service, often to apply changes or updates. While this can lead to downtime, the scenario specifically describes a system upgrade, not just a service restart. Change management is a formalized procedure to ensure changes are reviewed and approved before implementation. This is a process and does not specifically define the time a system is unavailable. A maintenance window is a predefined time frame during which system changes or updates are applied to minimize disruption to business operations. This indicates when changes may occur but does not specifically define the period of system unavailability.

For support or reporting issues, include Question ID: 64c147ffec13eb3da6e3e7e1 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
69
Q

Question 69:

Kendra is testing the security of a web application and finds that it is vulnerable to a type of attack that involves capturing and retransmitting data, such as authentication tokens or credentials, to impersonate a legitimate user. Which of the following application attacks is BEST able to exploit this vulnerability?

Privilege escalation

Buffer overflow

Replay

Injection

A

Privilege escalation

Buffer overflow

Correct answer

Replay

Injection

Overall explanation

OBJ: 2.4 - A replay attack is a type of application attack that involves capturing and retransmitting data, such as authentication tokens or credentials, to impersonate a legitimate user or session. A buffer overflow attack is a type of application attack that involves sending more data than expected to a function, causing it to overwrite adjacent memory locations and execute arbitrary code. An injection attack is a type of application attack that involves inserting malicious code or commands into an application or database to execute unauthorized actions or access sensitive data. A privilege escalation attack is a type of application attack that involves exploiting a vulnerability or misconfiguration to gain higher privileges or access than intended on a system or application.

For support or reporting issues, include Question ID: 64bccb7ad05f45402ccc6a35 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
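The replay attack described in Question 69 only works when the server has no way to tell a fresh request from a captured copy of an earlier one. The following is an added example, not part of the original flashcard or of any Dion Training material: a client authenticates requests with an HMAC, a naive verifier checks only that the MAC is valid, and a hardened verifier additionally binds each request to a timestamp and a single-use nonce. The shared key, the request layout, and the fixed clock are constructed for the demonstration.

```python
"""Replay attack: naive MAC-only verification versus nonce plus timestamp binding.

Added example (not from the original page). Assumptions: a pre-shared HMAC key,
a request dict with body/ts/nonce/mac fields, and a fixed clock for determinism.
"""
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-example-key"  # assumption: pre-shared client/server key
REPLAY_WINDOW_SECONDS = 60


def sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class NaiveVerifier:
    """Accepts any request whose MAC is valid, however old or often it is resent."""

    def verify(self, request: dict) -> bool:
        return hmac.compare_digest(sign(SHARED_KEY, request["body"]), request["mac"])


class HardenedVerifier:
    """Requires a fresh timestamp and a nonce that has never been accepted before."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen_nonces = {}  # nonce -> timestamp of the request that used it

    def _expire_old_nonces(self) -> None:
        # Nonces older than the window can be forgotten: a replay with that
        # timestamp would already fail the freshness check.
        cutoff = self.now() - REPLAY_WINDOW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

    def verify(self, request: dict) -> bool:
        payload = f'{request["ts"]}|{request["nonce"]}|{request["body"]}'
        if not hmac.compare_digest(sign(SHARED_KEY, payload), request["mac"]):
            return False  # tampered or forged
        if abs(self.now() - request["ts"]) > REPLAY_WINDOW_SECONDS:
            return False  # stale: captured long ago
        self._expire_old_nonces()
        if request["nonce"] in self.seen_nonces:
            return False  # exact replay within the window
        self.seen_nonces[request["nonce"]] = request["ts"]
        return True


def make_naive_request(body: str) -> dict:
    return {"body": body, "mac": sign(SHARED_KEY, body)}


def make_hardened_request(body: str, now=time.time) -> dict:
    ts = int(now())
    nonce = secrets.token_hex(8)
    return {"ts": ts, "nonce": nonce, "body": body,
            "mac": sign(SHARED_KEY, f"{ts}|{nonce}|{body}")}


def demo() -> dict:
    """Returns accept/reject outcomes for an original request, its replay, and a tampered copy."""
    body = "transfer?to=attacker&amount=500"
    naive = NaiveVerifier()
    captured = make_naive_request(body)  # what an eavesdropper records on the wire
    results = {
        "naive_first": naive.verify(captured),
        "naive_replay": naive.verify(captured),  # identical bytes resent: still accepted
    }

    clock = [1_700_000_000.0]  # constructed fixed clock
    now = lambda: clock[0]
    hardened = HardenedVerifier(now=now)
    captured2 = make_hardened_request(body, now=now)
    results["hardened_first"] = hardened.verify(captured2)
    tampered = dict(captured2, body="transfer?to=attacker&amount=5000")
    results["hardened_tampered"] = hardened.verify(tampered)  # MAC no longer matches
    results["hardened_replay"] = hardened.verify(captured2)  # nonce already consumed
    clock[0] += REPLAY_WINDOW_SECONDS + 1
    results["hardened_stale"] = hardened.verify(captured2)  # outside the freshness window
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The nonce store is what makes the difference for a replay inside the freshness window; the timestamp alone only limits how long a captured request stays useful. In a real service the nonce store has to be shared across all verifying instances, otherwise a replay sent to a different node is accepted.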
70
Q

Question 70:

During the employee transition process, an IT department wants to ensure specific software services are adjusted appropriately. How can scripting facilitate this?

Directly influences the hiring or firing decisions of HR

Enables batch modifications for services based on employee status

Oversees the mentoring process for new hires

Manages interpersonal team dynamics during transitions and business peaks

A

Directly influences the hiring or firing decisions of HR

Correct answer

Enables batch modifications for services based on employee status

Oversees the mentoring process for new hires

Manages interpersonal team dynamics during transitions and business peaks

Overall explanation

OBJ 4.7: Scripting can automate the process of enabling required services for new employees or disabling them for those leaving, ensuring consistent IT practices during transitions. Scripting aids in system management and automation, not in overseeing mentoring or training processes. Scripting automates technical tasks but does not influence human relationships or team dynamics. While scripting can streamline many IT-related processes, it does not play a role in HR's hiring or firing decisions.

For support or reporting issues, include Question ID: 6543e15937ac18cc00032e35 in your ticket. Thank you.

Domain

4.0 - Security Operations
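What "batch modifications based on employee status" looks like in practice, as an added example that is not part of the original flashcard: an onboarding/offboarding script that reads an HR status feed, computes the account actions that are due, and applies them. The CSV columns, the directory snapshot, and the baseline group list are assumptions; in production the apply step would call the identity provider's API instead of updating a dict.

```python
"""Batch account changes driven by employee status (added example, not from the page).

Assumptions: HR exports a CSV with columns employee_id, username, status
(active / new / leaving) and termination_date; the directory is modelled as a dict.
"""
import csv
import io

# Constructed sample HR feed.
HR_FEED = """\
employee_id,username,status,termination_date
1001,jdoe,active,
1002,asmith,leaving,2024-05-31
1003,bnguyen,new,
1004,ctaylor,leaving,2024-05-30
1005,dwhite,leaving,2024-06-15
"""

# Constructed snapshot of current account state.
DIRECTORY = {
    "jdoe": {"enabled": True, "groups": ["vpn", "email"]},
    "asmith": {"enabled": True, "groups": ["vpn", "email", "git"]},
    "ctaylor": {"enabled": True, "groups": ["email"]},
    "dwhite": {"enabled": True, "groups": ["vpn"]},
}

BASELINE_GROUPS = ["email", "vpn"]  # assumed groups every new hire receives


def plan_changes(feed_text: str, directory: dict, today: str) -> list:
    """Compare the HR feed with the directory and return the actions that are due.

    The plan is idempotent: running it again after applying it yields no actions,
    so the script is safe to schedule repeatedly. Dates are ISO strings, so plain
    string comparison orders them correctly.
    """
    actions = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        user, status = row["username"], row["status"]
        account = directory.get(user)
        if status == "new" and account is None:
            actions.append(("create", user, list(BASELINE_GROUPS)))
        elif status == "leaving" and row["termination_date"] <= today:
            if account is not None and account["enabled"]:
                # Record the groups being removed so the change is auditable.
                actions.append(("disable", user, list(account["groups"])))
    return actions


def apply_changes(actions: list, directory: dict):
    """Apply the plan to a copy of the directory; return the new state and an audit log."""
    updated = {u: {"enabled": a["enabled"], "groups": list(a["groups"])}
               for u, a in directory.items()}
    audit = []
    for action, user, groups in actions:
        if action == "create":
            updated[user] = {"enabled": True, "groups": list(groups)}
        elif action == "disable":
            updated[user]["enabled"] = False
            updated[user]["groups"] = []  # strip access but keep the account for records
        audit.append(f"{action} {user} groups={','.join(groups)}")
    return updated, audit


if __name__ == "__main__":
    plan = plan_changes(HR_FEED, DIRECTORY, today="2024-05-31")
    state, log = apply_changes(plan, DIRECTORY)
    print("\n".join(log))
```

Separating the plan from the apply step lets the script run in a dry-run mode (print the plan, apply nothing) for change-management review, and the audit log captures which groups a leaver held at the moment of disablement.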
71
Q

Question 71:

You are visiting a website that is related to your hobby and you see an article that interests you. You click on the article and it takes you to another website that asks you to install a browser extension to view the content. However, the browser extension is actually malware that steals your browsing history and personal information. What type of attack is this an example of?

Watering hole

Brand impersonation

Impersonation

Business email compromise

A

Correct answer

Watering hole

Brand impersonation

Impersonation

Business email compromise

Overall explanation

OBJ: 2.2 - A watering hole attack involves compromising a legitimate website that is frequented by a specific group of users, such as employees of a certain organization or, as here, people who share a hobby. The goal is to infect the users' systems with malware when they visit the website. Brand impersonation involves creating fake websites, emails, or social media accounts that mimic legitimate ones; the goal is to deceive users into trusting the fake entity and revealing their information or performing malicious actions. Impersonation is a form of social engineering that involves pretending to be someone else in order to obtain information or access from a victim. Business email compromise involves compromising the email account of a person in authority, such as a CEO or a manager, and using it to send fraudulent requests or instructions to other employees or partners; the goal is to trick them into transferring money or disclosing confidential information.

For support or reporting issues, include Question ID: 64ba1ce4adb7c15b51664d5e in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
72
Q

Question 72:

Which of the following mitigation techniques involves replacing factory-set authentications on devices or software to prevent unauthorized individuals from gaining access using widely known credentials?

Multi-factor Authentication

Role-based Access Control

Default Credential Management

Encryption

A

Multi-factor Authentication

Role-based Access Control

Correct answer

Default Credential Management

Encryption

Overall explanation

OBJ 2.5 - The best mitigation technique for preventing unauthorized access through widely known credentials is default credential management. This involves replacing factory-set usernames and passwords, which are often publicly documented and easily exploited by attackers. While multi-factor authentication adds security layers, it does not address the issue of default credentials. Role-based access control assigns permissions based on user roles, but it does not mitigate risks related to factory-set credentials. Encryption protects data but does not directly prevent unauthorized access due to weak, default authentication settings.

For support or reporting issues, include Question ID: 672235a0ab565f74e2bc9148 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
73
Q

Question 73:

At Griffin Management, a cybersecurity team has been tasked with enhancing the organization's security awareness program. They are focusing on creating effective phishing campaigns to educate employees about recognizing and responding to phishing attempts. Which phase of their security awareness program is Griffin Management in?

Reporting and monitoring

Execution

Development

Initial

A

Reporting and monitoring

Execution

Correct answer

Development

Initial

Overall explanation

OBJ: 5.6 - The development phase of the security awareness program at Griffin Management involves the creation and planning of phishing campaigns and training materials. During this phase, the cybersecurity team designs realistic phishing emails, identifies potential training topics, and develops educational materials to raise awareness among employees about phishing risks. The reporting and monitoring phase focuses on collecting data about employees' responses to phishing campaigns and their overall security awareness. It includes tracking metrics such as the number of reported suspicious emails and the success of the training materials. The execution phase comes after the development phase, when the cybersecurity team implements the planned phishing campaigns and training materials. They send simulated phishing emails to employees and analyze their responses to identify areas for improvement in the security awareness program. The term "initial" is not associated with a specific phase of the security awareness program and does not describe any specific activities related to the creation and planning of phishing campaigns and training materials.

For support or reporting issues, include Question ID: 64c351f284a7d77f398b888b in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
74
Q

Question 74:

Wicked Witches is a company that sells costumes worldwide. Traffic to their website spikes at times when various cultures have events where people dress in costumes, especially within one week of such events. Their cloud services company has offered them a service that will prevent high latency and crashes by distributing traffic across a number of servers. What service is this cloud service offering?

IDS

WAF

Proxy Servers

Load balancer

A

IDS

WAF

Proxy Servers

Correct answer

Load balancer

Overall explanation

OBJ 3.2: A load balancer distributes network or application traffic across many servers. This optimizes the use of resources, maximizes throughput, and reduces latency, and it keeps a single server from being overwhelmed during traffic spikes. Web application firewalls (WAFs) are used to prevent attacks on web applications and the backend databases behind them. They can be deployed as appliances or plug-in software and protect against code injection, DoS, cross-site scripting, and SQL injection; they do not distribute traffic across servers. A proxy server acts as a filter or gateway between a client and servers. Cache engines provided by the proxy server speed up communications within a network, and proxy servers also offer security by analyzing traffic patterns and signatures associated with known attacks or malicious software. An intrusion detection system (IDS) monitors network traffic for malicious activities. It alerts on potential activity but does not prevent it from passing through the network; in this way, it provides a layer of protection without slowing down network performance.

For support or reporting issues, include Question ID: 64c16b466db7b8f0bdbe55eb in your ticket. Thank you.

Domain

3.0 - Security Architecture
75
Q

Question 75:

Which of the following terms describes the qualitative frequency of a risk occurring within a specified period?

Probability

ARO

Likelihood

Risk frequency

A

Probability

ARO

Correct answer

Likelihood

Risk frequency

Overall explanation

OBJ: 5.2 - Likelihood measures how probable it is that a risk will occur within a given period, which is crucial for risk analysis and management. Risk frequency could be seen as similar to likelihood but is not a specifically defined term in risk management. Probability also indicates the chance of a risk occurring but does not necessarily tie it to a specific time frame, as likelihood does within the context of risk assessment. While ARO (annualized rate of occurrence) is a measurement of how often a risk event is expected to happen per year, it is a quantitative figure and does not describe the general, qualitative sense of frequency that the term likelihood does.

For support or reporting issues, include Question ID: 65487af7acaa0dbbe5e80229 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
76
Q

Question 76:

As a security analyst, you are inspecting the IPS and IDS logs to investigate a possible network intrusion attempt. Which of the following pieces of information is NOT typically available in this sort of log?

Source and destination IP addresses related to the alert

The signature or behavior that triggered the alert

Timestamps for when alerts were generated

The patch level of each of the targeted systems

A

Source and destination IP addresses related to the alert

The signature or behavior that triggered the alert

Timestamps for when alerts were generated

Correct answer

The patch level of each of the targeted systems

Overall explanation

OBJ 4.9: IPS (intrusion prevention system) and IDS (intrusion detection system) logs typically do not capture the patch level of the targeted system. While the patch level is important for understanding whether a system is actually vulnerable to the attack observed, it is not logged by IPS/IDS technology, which focuses on network behavior and traffic patterns; that information comes from asset inventory or vulnerability scanning tools. The source and destination IP addresses related to the alert are documented in the IPS/IDS logs. These details help in understanding the path and direction of the potential intrusion, which is fundamental for any network security investigation. Timestamps are an important element in IPS/IDS logs. They provide chronological context that is essential when correlating events and investigating security incidents. One of the crucial pieces of information provided in IPS/IDS logs is the signature or behavior that led to the alert. Having these details is vital for effective incident response and threat mitigation.

For support or reporting issues, include Question ID: 64c1a832f35deb7523e71f65 in your ticket. Thank you.

Domain

4.0 - Security Operations
77
Q

Question 77:

At Dion Training, the management team is preparing to conduct both internal and external compliance reporting. They aim to ensure that stakeholders are appropriately informed about the company's compliance status. Which of the following statements accurately reflect the distinct purposes of internal and external compliance reporting at Dion Training? (Select TWO).

Supports internal decision-making

Enhances marketing strategies

Improves product development

Adheres to regulatory requirements

Facilitates team assignments

A

Correct selection

Supports internal decision-making

Enhances marketing strategies

Improves product development

Correct selection

Adheres to regulatory requirements

Facilitates team assignments

Overall explanation

OBJ: 5.6 - External compliance reporting is crafted to meet mandatory disclosures and inform external stakeholders such as regulators and shareholders about the company's compliance status at a high level. Internal compliance reporting is designed to give detailed insights to internal stakeholders like executives and security analysts, assisting in strategic planning and operational improvements. While compliance can indirectly affect product development by ensuring that products meet legal standards, it is not the direct aim of either internal or external reporting. Compliance reporting does not primarily aim to enhance marketing strategies but rather to ensure transparency and accountability regarding compliance. The goal of compliance reporting is not directly linked to the facilitation of team assignments, which is more related to internal operational management than compliance reporting.

For support or reporting issues, include Question ID: 64c3557168c1ea425b0f0c74 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
78
Q

Question 78:

At a meeting to develop a risk management strategy, employees of Striped Star Security are brainstorming events that could occur. Annette brings up the potential risk of a blizzard. Since Striped Star Security has all of its facilities near the equator, it seems unlikely that there would be a blizzard. However, it is possible. The Chief Security Officer declares, "If it happens, it happens. Let's move on to other events." Which risk management strategy is the company using to deal with the possibility of a blizzard?

Acceptance

Mitigation

Avoidance

Transference

A

Correct answer

Acceptance

Mitigation

Avoidance

Transference

Overall explanation

OBJ: 5.2 - The risk management strategy of acceptance means acknowledging the existence of the risk but choosing not to take any action to mitigate it. Since no mitigation attempts are made, the company is using the acceptance strategy. Avoidance involves eliminating the risk entirely by abstaining from activities or situations that may expose the organization to potential threats. The company is not avoiding the blizzard and its impacts; it is accepting the risk if a blizzard takes place. Mitigation involves taking proactive measures to reduce the likelihood or impact of a risk event. They are not taking any steps to reduce the likelihood or impact of a blizzard, so they are not using the mitigation strategy. Transference involves shifting the risk to a third party, such as an insurance company, to handle potential losses. The company is not shifting the risk in this situation; it is simply accepting it.

For support or reporting issues, include Question ID: 64b9f42b3f4084e37d4f8fef in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
79
Q

Question 79:

Kelly Innovations LLC is setting up a new office and wants to ensure only authenticated devices can access the wired network. Which of the following solutions would be MOST effective in enforcing this requirement?

IDS

VPN

Implementing 802.1X

Stateful firewall

A

IDS

VPN

Correct answer

Implementing 802.1X

Stateful firewall

Overall explanation

OBJ: 3.2 - 802.1X is a standard for port-based network access control: the switch port acts as the authenticator and forwards the connecting device's EAP credentials to an authentication server (typically RADIUS), and the port carries only authentication traffic until the device is authenticated. A virtual private network (VPN) provides a secure connection between remote users and an organization's network that encrypts traffic and can require user authentication; it does not enforce device-level authentication for wired connections. A stateful firewall filters network traffic based on connection state, port, and protocol. While it offers advanced security features, it does not authenticate devices before granting access. An intrusion detection system (IDS) monitors network traffic for signs of malicious or suspicious activity. While important for security, it does not enforce device authentication before granting network access.

For support or reporting issues, include Question ID: 652c775ea67f751703997c9d in your ticket. Thank you.

Domain

3.0 - Security Architecture
80
Q

Question 80:

Alex, a network administrator, is reviewing logs from the company's main database server. He notices that a backup process runs every night at 3 AM, generating logs. However, last week's data shows that logs from two nights are missing. Upon further investigation, Alex discovers that an unauthorized user account was created on one of those nights. What can Alex reasonably conclude from these findings?

The IT team might have created a new account for a new employee and forgot to inform him.

The database server accidentally skipped the backup on those nights due to low storage.

The backup process was paused by the IT department for maintenance purposes.

An attacker gained access, created the unauthorized account, and removed logs.

A

The IT team might have created a new account for a new employee and forgot to inform him.

The database server accidentally skipped the backup on those nights due to low storage.

The backup process was paused by the IT department for maintenance purposes.

Correct answer

An attacker gained access, created the unauthorized account, and removed logs.

Overall explanation

OBJ: 2.4 - The combination of missing logs and an unauthorized account creation suggests malicious activity. Attackers remove evidence of their presence and actions by deleting or altering logs. Pausing a backup for maintenance is plausible, but it would not result in the creation of an unauthorized account, nor would it typically remove logs. While the IT team creating a new account for a new employee and forgetting to inform him might explain the new account, it does not account for the missing logs; it is also best practice for IT to notify of such changes. While low storage could prevent backups, it would not delete logs or create unauthorized accounts.

For support or reporting issues, include Question ID: 64bd6a2b37f9b1bab3d87220 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
81
Question 81: Dion Training is researching cryptographic solutions that distribute transactional data across a peer-to-peer network, ensuring that no single entity controls the entire transaction history. What solution emphasizes this peer-to-peer distribution?
Asymmetric encryption
Digital certificates
Open public ledger
Hashing algorithms
Correct answer
Open public ledger
Overall explanation
OBJ: 1.4 - An open public ledger, especially when associated with blockchain, is decentralized and distributed across a peer-to-peer network, ensuring no single entity has control over the entire transactional history. While digital certificates authenticate the identity of the certificate holder, they don't ensure a distributed transactional record. Hashing converts input data of any size into a fixed-length value, but doesn't specify how data is distributed. Asymmetric encryption involves using a pair of keys, a public key and a private key, for encryption and decryption, respectively.
Domain
1.0 - General Security Concepts
82
Question 82: At Dion Training Solutions, Susan, the network administrator, wants a solution that examines webpage addresses in real-time to ensure employees are only accessing safe websites. Which of the following would be the MOST effective method to achieve this?
Deploying a network firewall
Implementing a VPN solution
Implementing URL scanning
Increasing network bandwidth
Correct answer
Implementing URL scanning
Overall explanation
OBJ 4.5: URL scanning is a method that assesses URLs in real-time, helping organizations prevent access to malicious or inappropriate websites. More bandwidth might improve network speed, but it doesn't assist in assessing the safety of URLs. While a firewall can block certain IPs and ports, it doesn't inherently provide real-time scanning of individual URLs for content assessment. A VPN provides encrypted communication and can hide user activity, but it doesn't evaluate URLs for safety.
Domain
4.0 - Security Operations
83
Question 83: What term refers to a formal examination of an organization's procedures, controls, and operations, ensuring they comply with established guidelines, standards, or regulations?
Penetration testing
Risk assessment
System/process audit
OSINT
Correct answer
System/process audit
Overall explanation
OBJ 4.3: A system/process audit is a thorough review of an organization's operations, ensuring adherence to specific standards and identifying potential areas for improvement. OSINT leverages publicly available data sources to gather intelligence on targets, providing valuable insights without breaching any laws. Penetration testing is a simulated cyberattack against a system to check for exploitable vulnerabilities, often involving a combination of tools and manual techniques. A risk assessment involves identifying, evaluating, and analyzing risks to an organization's assets and operations with the aim of implementing measures to control and mitigate those risks. While risk assessments are crucial for understanding and mitigating potential risks and vulnerabilities within an organization, they do not specifically focus on ensuring that procedures, controls, and operations comply with established guidelines, standards, or regulations.
Domain
4.0 - Security Operations
84
Question 84: Priyanka wants to capture a copy of network traffic for analysis without affecting the data flow or altering the traffic. Which device attribute would be MOST applicable for her to consider?
Tap/monitor mode
Passive analysis
In-line mode
Active analysis
Correct answer
Tap/monitor mode
Overall explanation
OBJ 3.2: Tap/monitor mode refers to a device that copies network traffic for analysis without interrupting or altering the data flow, allowing administrators to monitor and capture traffic in real time for diagnostic or security purposes. Passive analysis refers to monitoring without interference; however, it is a broader term that doesn't explicitly involve capturing or duplicating the traffic for analysis. Active analysis involves interacting with or potentially modifying the network traffic during the monitoring process, which could disturb the data flow, whereas the scenario requires a read-only, non-intrusive method of capturing traffic for analysis. In-line mode involves placing the device directly within the data path, meaning it actively processes or filters traffic as it passes through, which could disrupt or alter the flow of network traffic, contrary to the requirement of capturing traffic without interference.
Domain
3.0 - Security Architecture
85
Question 85: The Frozen Dish, a home food delivery service, is reviewing their security systems. Royston, an IT manager, has explained the PKI system to his boss. His boss is alarmed by the idea of public keys and wants to purchase a storage device to save symmetric and asymmetric keys. Royston has explained that the Windows-based devices they use have this type of storage embedded in the motherboards. What is the name of the device that Royston is referring to?
Trusted Platform Module (TPM)
Secure enclave
Key management system
Hardware security module (HSM)
Correct answer
Trusted Platform Module (TPM)
Overall explanation
OBJ: 1.4 - TPM is a hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication. It is embedded on device motherboards that use Windows operating systems. A secure enclave is a chip that is used only to secure encryption keys, hashes, and other important data. It is embedded in Apple and Android devices. An HSM is a physical computing device that safeguards and manages digital keys for strong authentication. It can be an external device or on an expansion card, but it is not embedded on the motherboard. A key management system is a process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a device such as a TPM or HSM.
Domain
1.0 - General Security Concepts
86
Question 86: Enrique noticed an unusually high number of failed login attempts across multiple user accounts in the AlphaTech systems over the past 48 hours. The majority of these login attempts varied widely in terms of the combinations tried, starting from the simplest possible passwords. Enrique also observed a sudden spike in the computational resource usage on the company's external-facing server during the same time frame. Which of the following BEST describes the potential security risk observed by Enrique?
Distributed denial-of-service attack (DDoS)
Dictionary attack
Credential stuffing
Brute force attack
Correct answer
Brute force attack
Overall explanation
OBJ: 2.4 - A brute force attack involves systematically trying every possible combination until the correct one is found. Enrique's observation of multiple failed login attempts across various user accounts with diverse password combinations and a spike in computational resource usage aligns with this attack type. It's especially significant if the attacker has access to high computational power. In a credential stuffing attack, an adversary uses previously stolen username-password pairs to gain unauthorized access. This type of attack does not typically involve a wide range of password combinations. A dictionary attack involves using a predefined list of words to guess a password or key. The wide variance in login attempts Enrique noticed goes beyond just dictionary words. A DDoS attack aims to overwhelm a system's resources by flooding it with unwanted requests, causing it to become unavailable to its intended users. While there's high resource usage, the specific pattern of failed logins doesn't fit this attack profile.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
87
Question 87: You are working as an IT consultant for a small business and you need to install some software on their systems. You download the software from the vendor's website and run the installer. However, you notice that the installer requires you to install another program that you are not familiar with. What type of attack vector could this be an example of?
Message-based
Supply chain
Unsupported systems and applications
Default credentials
Correct answer
Supply chain
Overall explanation
OBJ: 2.2 - Supply chain attacks involve compromising a third-party entity that provides products or services to a target organization, such as vendors, suppliers, or managed service providers. The goal is to use the compromised entity to deliver malware or perform other malicious actions to the target organization. Message-based attacks use email or other electronic messages to trick victims into revealing sensitive information or performing malicious actions. Default credentials are usernames and passwords that are set by default for certain devices or applications. Default credentials can be easily guessed by attackers and used to gain access to the system or the network. Unsupported systems and applications are systems or applications that are no longer receiving security updates or patches from their developers. Unsupported systems and applications may have vulnerabilities that can be exploited by attackers to gain unauthorized access or cause harm. In this case, the software is being supported.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
88
Question 88: The cybersecurity team at Pfeiffer Company is planning to conduct a security assessment on a vendor's systems and networks to ensure compliance with their security standards. This will include penetration testing. To help ensure the penetration testing will run smoothly, which of the following must be set up before the penetration testing begins?
Service-level agreement
Non-disclosure agreement
Memorandum of understanding
Rules of engagement
Correct answer
Rules of engagement
Overall explanation
OBJ: 5.3 - Rules of engagement are a set of guidelines outlining the scope, limitations, and rules for conducting a specific security assessment, such as the assessment of the vendor's systems and networks. Setting the rules of engagement helps ensure that the penetration testing will go smoothly and not have to be interrupted because the testers or the vendors didn't understand what was going to take place. A non-disclosure agreement (NDA) is a legal contract that ensures the protection of sensitive information and maintains confidentiality between the organization and the vendor. A vendor may request that an NDA be prepared and signed before penetration testing begins; however, that is not always the case. A memorandum of understanding (MOU) is a formal agreement between two or more parties outlining their mutual understanding and cooperation on specific projects or initiatives. It isn't part of the required materials for a penetration test of a vendor's systems. A service-level agreement (SLA) is a formal contract that defines the expected level of service between the organization and the vendor. It isn't part of the required materials for a penetration test of a vendor's systems.
Domain
5.0 - Security Program Management and Oversight
89
Question 89: Kelly Innovations LLC is seeking a solution to encrypt a virtual disk drive that contains archived financial data without encrypting the entire physical disk. Which encryption level would be BEST for this requirement?
Database encryption
Volume encryption
File-level encryption
Full-disk encryption
Correct answer
Volume encryption
Overall explanation
OBJ: 1.4 - Volume encryption, like VeraCrypt, allows for the encryption of a specific volume or virtual drive. This means Kelly Innovations can encrypt just the virtual disk drive without affecting the entire physical disk. Full-disk encryption encrypts the entire physical drive, which might not be required if only a specific virtual volume needs protection. While database encryption encrypts entire databases, it doesn't target specific volumes or virtual drives. File-level encryption encrypts specific files or folders but doesn't cater to entire volumes or virtual drives.
Domain
1.0 - General Security Concepts
90
Question 90: Jamario, a senior developer at Kelly Innovations LLC, was examining the logs of the company's employee portal. He noticed that certain user login attempts contained strings such as '<script>', 'alert()', and 'document.cookie'. Intriguingly, alongside these strings, the system flagged several unsuccessful attempts to retrieve the admin credentials. Which of the following BEST elucidates the type of attack attempt on Kelly Innovations LLC's employee portal?
Command injection
Directory traversal
Cross-site request forgery (CSRF)
Code Injection
Correct answer
Code Injection
Overall explanation
OBJ: 2.4 - Code injection is an attack method in which malicious code is introduced into a vulnerable application. Strings like '<script>', 'alert()', and 'document.cookie' are indicative of attempts to inject malicious scripts to exploit the application. It aims to execute unauthorized actions within the application, such as retrieving sensitive data. Directory traversal attacks focus on accessing files and directories stored outside the web root folder. The observed inputs, specifically oriented towards script execution, don't fall under this category. Command injection involves the execution of arbitrary commands on the host operating system. Although it's a form of injection attack, it's not usually indicated by script-related strings within application logs. CSRF attacks trick victims into executing unwanted actions on a website where they're authenticated. The attack usually involves a third party and doesn't typically involve direct code injections like the ones Jamario observed.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
91
Question 1: A business needs a full-scale duplicate of its primary IT facility that can be quickly activated in the event of a system failure. Which of the following site considerations would BEST meet this requirement?
Hot site
Clustering
On-call staff
Onsite backup
Correct answer
Hot site
Overall explanation
OBJ 3.4: A hot site would be ideal as it is a full-scale replication of the primary IT setup that can be activated immediately in the event of a system failure. Onsite backup shares the same premises as the primary system, so if there were a fault with the premises, it doesn't provide the required geographic redundancy. Clustering can improve system redundancy by linking multiple servers, but it is not an immediate full-scale stand-in for the main facility. Considering people is vital in capacity planning, but it doesn't provide a direct solution to the requirement of immediate system recovery.
Domain
3.0 - Security Architecture
92
Question 2: Given the need for immediate recovery with minimal downtime, which type of backup location is MOST suitable for a critical data center within the same premises?
Onsite backups
Remote replication
Offsite backups
Cloud storage
Correct answer
Onsite backups
Overall explanation
OBJ 3.4: Storing backups onsite allows for rapid restoration of data, minimizing downtime, especially when immediate access to backup data is paramount. While cloud storage offers scalability and accessibility, the speed of recovery is often dependent on network bandwidth and may not always be the fastest option for immediate onsite recovery. While it involves a copy of data being stored in a different location, remote replication is more about real-time data mirroring than the backup strategy optimal for immediate recovery. Offsite backups may introduce longer restoration times due to the physical or network distance between the backup storage and primary site.
Domain
3.0 - Security Architecture
93
Question 3: Which of the following BEST describes the primary purpose of the PCI-DSS standard?
To regulate the financial interests and stock trading within the payment card industry
To define the safe handling and storage of payment card information
To enforce the mandatory disclosure of all financial transactions to the public
To ensure the safe transmission of personal identification numbers (PINs) to merchants
Correct answer
To define the safe handling and storage of payment card information
Overall explanation
OBJ 3.3: The Payment Card Industry Data Security Standard (PCI DSS) specifically addresses the protection of cardholder data. This includes the card number, expiry date, CVV, and other associated information. The standard provides guidelines to ensure that payment card information is stored, processed, and transmitted in a secure environment, reducing the risk of financial data breaches and fraudulent activities. While PCI DSS addresses the security of payment card data, PINs should never be transmitted to or handled by merchants, indicating that the standard's primary purpose is not the transmission of PINs. PCI DSS is about the protection of cardholder data. It does not mandate the public disclosure of all financial transactions. PCI DSS is focused on the security of payment card information, not on regulating financial interests or stock trading activities within the industry.
Domain
3.0 - Security Architecture
94
Question 4: Elaborate You, a fashion design studio, is reviewing their security systems. Stanley, an IT manager, has explained the PKI system to his boss. Their boss is alarmed by the idea of public keys and wants to purchase a storage device to save symmetric and asymmetric keys. Stanley has explained that the Apple-based devices the company uses have a storage system like this on a chip embedded in the devices. What is the name of the device that Stanley is referring to?
Key Management System
Hardware Security Module (HSM)
Secure Enclave
Trusted Platform Module (TPM)
Correct answer
Secure Enclave
Overall explanation
OBJ: 1.4 - Secure Enclave is a chip that is used only to secure encryption keys, hashes, and other important data. It is embedded in Apple and Android devices. Key Management System is a process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a chip or device such as TPM, HSM, and Secure Enclave. TPM is a hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication. It is embedded on device motherboards that use Windows operating systems. An HSM is a physical computing device that safeguards and manages digital keys for strong authentication. It can be an external device or on an expansion card, but it is not embedded on the motherboard.
Domain
1.0 - General Security Concepts
95
Question 5: Which of the following components provides code that allows a host to boot to an operating system, and can enforce boot integrity checks?
Unified Extensible Firmware Interface (UEFI)
Hardware Root of Trust (RoT)
Trusted Platform Module (TPM)
Network Access Control (NAC) server
Correct answer
Unified Extensible Firmware Interface (UEFI)
Overall explanation
OBJ: 2.3 - UEFI provides the code that allows a host system to boot an OS and can enforce various boot integrity checks. While RoT can provide attestation and verify the signatures of boot metrics and OS files, it doesn't provide the code to boot the OS. The NAC server checks the reports from systems attempting to join a network, ensuring their integrity. It doesn't facilitate booting the OS. TPM enhances security with hardware-based cryptographic functions but doesn't directly allow a host to boot to an OS.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
96
Question 6: Your company possesses exclusive formulas and business processes that offer a competitive edge. Which of the following strategies would BEST prevent unauthorized dissemination or replication of this crucial information?
Non-disclosure agreements
Open source licensing strategy
Use of public cloud storage solutions
Deployment of general data encryption
Correct answer
Non-disclosure agreements
Overall explanation
OBJ 3.3: Non-disclosure agreements legally bind personnel to confidentiality and secure handling of proprietary data. The deployment of general data encryption makes data unreadable but doesn't secure proprietary secrets. Open source licensing strategy allows free use, modification, and distribution of a product's design or code. The use of public cloud storage solutions provides easy access and sharing but not inherent data security.
Domain
3.0 - Security Architecture
97
Question 7: Which of the following is the MOST effective way to mitigate hardware supply chain vulnerabilities related to firmware?
Implement firmware validation and integrity checks.
Use strong passwords for all software applications.
Regularly update software applications and OS kernel.
Restrict physical access to server rooms.
Correct answer
Implement firmware validation and integrity checks.
Overall explanation
OBJ: 2.3 - By validating and ensuring the integrity of firmware, organizations can be confident that the firmware hasn't been altered or tampered with, thereby preventing potential security breaches at the hardware level. Limiting access to server rooms can prevent unauthorized tampering with physical hardware, but it won't help if the firmware was compromised before it even reached the server room. Regular software updates address vulnerabilities in software, not in firmware. It's essential to ensure software is secure, but it doesn't protect against compromised firmware in hardware. Passwords protect against unauthorized access to software interfaces. However, they don't address the underlying issue of potentially compromised firmware within the hardware.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
98
Question 8: Which type of attacker is primarily focused on sowing widespread chaos and disorder in digital systems, with motivations that could include profit or political beliefs?
Blue team
Black hat hacker
Penetration tester
Ethical hacker
Correct answer
Black hat hacker
Overall explanation
OBJ: 2.1 - Black hat hackers are malicious attackers who exploit system vulnerabilities for personal gain, political beliefs, or the desire to cause chaos. They operate without authorization and often have criminal intentions. Ethical hackers are security professionals who have authorization to break into the systems they test. Their primary motivation is to discover vulnerabilities from a defensive perspective. Blue team is the name given to the defensive group in hacking simulations. Red team is the name given to the offensive group in these simulations. Penetration testers are cybersecurity experts hired to identify and exploit vulnerabilities in a controlled environment. Their actions are contractually bound, with the primary intent of improving security.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
99
Question 9: After remedying a previously identified vulnerability in their systems, Kelly Innovations LLC wants to ensure that the remediation steps were successful. Which of the following is the BEST method that involves examining related system and network logs to enhance the vulnerability report validation process?
Reviewing event logs
Threat modeling
Patch management
Rescanning
Correct answer
Reviewing event logs
Overall explanation
OBJ 4.3: Event logs can provide insight into system and process behaviors. By examining these logs, an organization can validate whether a vulnerability has been adequately addressed or if it's still causing issues. While it's about keeping systems updated, patch management itself doesn't involve examining logs to validate vulnerability remediation. Rescanning is about running the vulnerability scan again to identify remaining vulnerabilities but doesn't provide insights from system and network logs. Threat modeling is a process of understanding and mapping potential threats but doesn't validate vulnerability remediation through logs.
Domain
4.0 - Security Operations
100
Question 10: Which of the following backup techniques creates an independent duplicate of data representing its state at a specific moment in time and is most commonly used in virtual machines?
Full backup
Differential backup
Snapshot
Incremental backup
Correct answer
Snapshot
Overall explanation
OBJ 3.4: A snapshot captures the current state of a system at a particular moment and saves it as a standalone copy without reflecting subsequent changes. A full backup involves copying every piece of data in a system. Though thorough, it doesn't only capture data from a particular moment without subsequent changes. Incremental backups save only the changes made since the last backup, whether it was a full backup or another incremental backup; they don't provide a standalone representation of data from a specific point. Differential backups save changes made since the last full backup. Like incremental, they don't freeze data at a specific point in time as an independent duplicate.
Domain
3.0 - Security Architecture
101
Question 11: To guarantee that sensitive data on old hard drives at Dion Training is entirely irretrievable, which of the following physical methods should Jamario, as a security consultant, choose?
Storing drives in a locked cabinet
Reformatting the drives
Shredding the hard drives
Labeling the drives as "Obsolete"
Correct answer
Shredding the hard drives
Overall explanation
OBJ 4.2: Shredding the hard drives physically obliterates the drives, ensuring data cannot be recovered. Though stored safely, data remains on the drives even if the drives are in a locked cabinet. While reformatting will make it appear that the data is gone, it can be recovered. A label might deter some but does not delete the data.
Domain
4.0 - Security Operations
102
Question 12: Dion Training is adopting a new remote working policy and is evaluating different connectivity methods to ensure secure access to company resources. The company is aware that some security measures may not be fully effective depending on the connectivity options available. Which of the following demonstrates a potential limitation of security practices based on the chosen connectivity method?
Implementing multi-factor authentication (MFA)
Ensuring end-to-end encryption
Utilizing network-based intrusion detection systems
Relying solely on virtual private networks (VPNs)
Correct answer
Relying solely on virtual private networks (VPNs)
Overall explanation
OBJ 3.2: VPNs enhance security; relying solely on them can limit connectivity options and might not address all security concerns, especially in diverse and dynamic remote working environments. Some remote connectivity options might not fully support robust end-to-end encryption, potentially leaving data transmissions vulnerable. Utilizing network-based intrusion detection systems is essential for monitoring network traffic, but their effectiveness might be limited based on the connectivity options available and the location of the traffic flow, especially for remote workers. MFA is a universal security principle and does not typically face limitations based on connectivity options; it adds an extra layer of security regardless of the connection method used.
Domain
3.0 - Security Architecture
103
Q

Question 13:

Kelly Innovations LLC is launching a new mobile banking application. Their security team wants to leverage a more robust authentication mechanism that doesn't require users to remember complex passwords. Instead, when a user tries to sign in, they would just unlock their phone to prove their identity, with no need for entering a password on the application. This is achieved using a mechanism based on public key cryptography. Which of the following MOST describes this authentication solution?

Biometric authentication

Passkey

OTP

2FA

A

Biometric authentication

Correct answer

Passkey

Your answer is incorrect

OTP

2FA

Overall explanation

OBJ 4.6: The passkey enhances security by using public key cryptography and only shows proof of credential ownership when the phone is unlocked, eliminating the need for passwords on certain applications. Two-factor authentication (2FA) requires two types of credentials before granting access, like a password and a verification code. Biometric authentication uses unique physical characteristics, such as fingerprints or facial patterns, for user identification. A one-time password (OTP) is a password that is valid for only one login session or transaction, typically sent via SMS or email.

Domain

4.0 - Security Operations
104
Q

Question 14:

Jane, an IT administrator for Dion Training, noticed that employees were complaining about the company's internal portal taking them to unrelated and potentially harmful websites. Upon investigating, she discovered that the domain name system records for the internal portal were unexpectedly modified to point to foreign IP addresses. Which of the following types of attacks is BEST described in this scenario?

DNS poisoning

Phishing campaign

ARP spoofing

Man-in-the-middle attack

A

Correct answer

DNS poisoning

Phishing campaign

Your answer is incorrect

ARP spoofing

Man-in-the-middle attack

Overall explanation

OBJ: 2.4 - DNS poisoning involves altering or adding records to a DNS server, which redirects the domain's legitimate traffic to a malicious IP address. A phishing campaign is an attempt to trick users into providing sensitive data by impersonating a trustworthy entity, not associated with DNS redirection. ARP spoofing targets the Address Resolution Protocol and tricks a network into sending data to a different MAC address, not directly related to domain redirection. A man-in-the-middle attack intercepts communication between two systems. While it could involve DNS, the given scenario specifically points towards DNS record manipulation.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
105
Q

Question 15:

Which of the following statements is NOT true about the importance of log aggregation?

Log aggregation can enhance security by consolidating logs from different sources for easier analysis

Log aggregation aids in maintaining regulatory compliance by keeping a record of events that happened in the system

Log aggregation helps to detect unusual activity or behavior that may indicate a security breach

Log aggregation increases the complexity of managing and interpreting security logs

A

Log aggregation can enhance security by consolidating logs from different sources for easier analysis

Log aggregation aids in maintaining regulatory compliance by keeping a record of events that happened in the system

Your answer is incorrect

Log aggregation helps to detect unusual activity or behavior that may indicate a security breach

Correct answer

Log aggregation increases the complexity of managing and interpreting security logs

Overall explanation

OBJ: 4.4 - The primary purpose of log aggregation is to simplify the management and interpretation of security logs. It doesn't increase the complexity; rather, it reduces it by consolidating logs from various sources, making them easier to analyze and interpret. Hence, this statement is NOT TRUE about the importance of log aggregation. Log aggregation can help in maintaining regulatory compliance by keeping a record of all system events, which might be a requirement for some regulations or standards. Log aggregation enhances security by bringing together logs from different sources into a centralized location for easier analysis and monitoring. Detecting unusual activity that could indicate a security breach is one of the primary purposes of log aggregation. It helps in identifying patterns that could be missed if logs are analyzed separately.

Domain

4.0 - Security Operations
106
Q

Question 16:

Which of the following terms emphasizes the mathematical structure used to scramble data so that only a specific key can unscramble it?

Cipher block

Hash function

Encryption algorithm

Digital signature

A

Cipher block

Hash function

Correct answer

Encryption algorithm

Your answer is incorrect

Digital signature

Overall explanation

OBJ: 1.4 - An encryption algorithm provides a structured method for converting plaintext into ciphertext. A good algorithm ensures data remains confidential and secure from unauthorized access. Digital signatures validate the authenticity and integrity of a message or document, ensuring it hasn't been tampered with since being signed. A hash function takes input and returns a fixed-size string, typically used for verifying data integrity, but it does not encrypt data for the purpose of confidentiality. A cipher block refers to a fixed-size portion of data that an encryption algorithm processes. It doesn't define the mathematical method itself.

Domain

1.0 - General Security Concepts
107
Q

Question 17:

Angel, a system administrator, notices that a user account has been locked out due to multiple failed login attempts in a brief period. She also observes that the source IP addresses for these attempts are from various countries. Which indicator of malicious activity is most likely present in this scenario?

Account lockout

Impossible travel

Blocked content

Concurrent session usage

A

Account lockout

Correct answer

Impossible travel

Your answer is incorrect

Blocked content

Concurrent session usage

Overall explanation

OBJ: 2.4 - Impossible travel is an indicator of malicious activity that involves detecting login attempts from locations that are geographically inconsistent or implausible, suggesting that an attacker has compromised the user credentials. Blocked content is an indicator of malicious activity that involves detecting attempts to access restricted or malicious websites or files, suggesting that an attacker is trying to compromise the system. Account lockout is an indicator of malicious activity that involves detecting multiple failed login attempts for a user account, suggesting that an attacker is trying to guess the password. While this is the basic problem, the additional information that the attempts have come from different countries indicates that the problem is more complex than just account lockout. Concurrent session usage is an indicator of malicious activity that involves detecting multiple active sessions for a user account, suggesting that an attacker has gained access to the account. In this case, the logins failed, so it isn't a concurrent session.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
108
Q

Question 18:

Which of the following statements BEST explains the concept of Quarantining in responding to security incidents?

Quarantining notifies security officials that a problem exists and must be addressed

Quarantining plays a significant role in monitoring potential security breaches

Quarantining isolates and contains infected devices to prevent further spread of threats

Quarantining is a method of identifying and assessing the severity of security incidents

A

Quarantining notifies security officials that a problem exists and must be addressed

Quarantining plays a significant role in monitoring potential security breaches

Correct answer

Quarantining isolates and contains infected devices to prevent further spread of threats

Your answer is incorrect

Quarantining is a method of identifying and assessing the severity of security incidents

Overall explanation

OBJ: 4.4 - Quarantine is essential for isolating and containing suspicious or infected devices to prevent further spread of threats in the network. By containing potential threats, organizations can mitigate the impact of security breaches and protect other devices from being compromised. Quarantining is a response to an actual incident, not monitoring of potential incidents. Quarantining is a response, not a notification. Quarantining takes place after the event has been identified and assessed.

Domain

4.0 - Security Operations
109
Q

Question 19:

In vendor assessments, which conflict of interest arises from a vendor's close ties with decision-makers in the organization?

Competitive relationships

Financial interests

Insider information

Personal relationships

A

Competitive relationships

Financial interests

Insider information

Your answer is correct

Personal relationships

Overall explanation

OBJ: 5.3 - Personal relationships as a conflict of interest concerns the vendor's personal connections with organizational decision-makers, which could bias evaluations and affect objective decision-making. Competitive relationships involve conflicts between vendors and do not relate to personal connections within the client organization. While financial interests can influence a vendor's recommendations, this option does not pertain to the influence from personal ties within the organization. Insider information refers to the misuse of privileged knowledge and does not directly relate to personal relationships affecting vendor assessments.

Domain

5.0 - Security Program Management and Oversight
110
Q

Question 20:

An organization recently upgraded its network infrastructure to improve performance and security. As part of the upgrade, they are implementing various security techniques to protect their computing resources and ensure data confidentiality and integrity. Which network device would be the most suitable for the organization to enhance network security by segmenting and isolating network traffic between devices in different departments?

Switches

Routers

Hubs

Bridges

A

Correct answer

Switches

Routers

Your answer is incorrect

Hubs

Bridges

Overall explanation

OBJ 4.1: Switches enhance network security by creating separate collision domains for devices on different switch ports, isolating network traffic and preventing unauthorized access to data. By forwarding data based on MAC addresses, switches ensure efficient, secure transmission within each department's network segment. Hubs, which operate at the physical layer (Layer 1), broadcast data to all connected devices, posing security risks due to lack of segmentation. Routers, while essential for connecting different networks at the network layer (Layer 3), are not designed for internal traffic isolation. Bridges connect network segments at the data link layer (Layer 2) but lack the advanced security and segmentation capabilities of switches.

Domain

4.0 - Security Operations
111
Q

Question 21:

In a large multinational corporation, the access control mechanism dynamically evaluates various user features such as job role, department, location, and time of access to determine access rights to specific resources. Which type of access control mechanism is being used in this scenario?

Rule-based

Role-based

Attribute-based

Discretionary

A

Rule-based

Role-based

Correct answer

Attribute-based

Your answer is incorrect

Discretionary

Overall explanation

OBJ 4.6: The access control mechanism in the large multinational corporation is "Attribute-Based Access Control" (ABAC), where permissions are dynamically evaluated based on attributes like job role, department, location, and time, enabling fine-grained, context-aware access. Unlike "Role-Based Access Control" (RBAC), which relies solely on predefined roles, ABAC considers multiple attributes. "Rule-Based Access Control" is broader, encompassing various mechanisms but lacking the dynamic attribute combination of ABAC. "Discretionary Access Control" (DAC) allows users to control access permissions directly, which does not apply here, as access is managed through automated attribute evaluations.

Domain

4.0 - Security Operations
112
Q

Question 22:

Sasha, the head of IT at Kelly Innovations LLC, has already implemented both SPF and DKIM. She now wants to ensure that if emails from her domain fail these checks at the receiver's end, the emails are quarantined, and she also gets a report about such occurrences. Which additional protocol should she adopt?

IMAP

DMARC

SMTP

POP3

A

IMAP

Correct answer

DMARC

Your answer is incorrect

SMTP

POP3

Overall explanation

OBJ 4.5: By implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance), Sasha can set a policy for receivers on how to handle emails from her domain that don't pass SPF or DKIM checks. Additionally, DMARC provides feedback mechanisms for senders. POP3 (Post Office Protocol 3) is a protocol used for retrieving emails from a server, and it doesn't relate to specifying handling policies or feedback mechanisms for emails. IMAP (Internet Message Access Protocol) is utilized for retrieving emails from a server and isn't designed to specify authorized sending servers for a domain. SMTP (Simple Mail Transfer Protocol) is the standard for sending emails, but it doesn't inherently provide a cryptographic signing mechanism for email authenticity.

Domain

4.0 - Security Operations
113
Q

Question 23:

Which of the following statements BEST explains the importance of automating user provisioning?

It replaces the need for any form of user authentication

It reduces the system's overall security

It always eliminates the need for human intervention in any IT process

It ensures timely access to resources and enhances productivity

A

It replaces the need for any form of user authentication

It reduces the system's overall security

It always eliminates the need for human intervention in any IT process

Your answer is correct

It ensures timely access to resources and enhances productivity

Overall explanation

OBJ 4.7: Automated user provisioning helps in granting immediate access rights, reducing waiting times, and hence improving productivity. While automation can help in provisioning, authentication remains a separate and crucial component of system security. While automation reduces human intervention, oversight and management are still needed, especially for exceptions and audits. Automated user provisioning, when done correctly, actually enhances security by ensuring standardized and consistent provisioning processes.

Domain

4.0 - Security Operations
114
Q

Question 24:

BaySide Enterprises is entering into a partnership with a new vendor to provide IT infrastructure services. They want to have a Memorandum of Agreement (MOA) in the vendor relationship. What is the purpose of the MOA?

To outline the specific services to be provided by the vendor

To define the terms of a partnership between two organizations

To ensure that the vendor's performance aligns with contractual requirements

To establish the rules of engagement for security assessments

A

To outline the specific services to be provided by the vendor

Correct answer

To define the terms of a partnership between two organizations

To ensure that the vendor's performance aligns with contractual requirements

Your answer is incorrect

To establish the rules of engagement for security assessments

Overall explanation

OBJ: 5.3 - The memorandum of agreement (MOA) is used to define the terms of a partnership between two organizations, including their roles, responsibilities, and overall objectives. While a memorandum of agreement (MOA) may include some details about the services to be provided, its primary purpose is broader and focused on defining the terms of the partnership. The establishment of rules of engagement for security assessments is usually addressed in a separate document, such as the rules of engagement document mentioned in the previous section. Ensuring that the vendor's performance aligns with contractual requirements is important, but it is not the primary purpose of a memorandum of agreement (MOA). Its main focus is on establishing the terms of the partnership.

Domain

5.0 - Security Program Management and Oversight
115
Q

Question 25:

Which of the following scenarios BEST describes a file-based threat?

An executive's email being spoofed to request fund transfers.

Receiving a fake bank call asking for account details.

Opening an Excel file that installs ransomware.

Typing a slightly incorrect URL and landing on a fake website.

A

An executive's email being spoofed to request fund transfers.

Receiving a fake bank call asking for account details.

Correct answer

Opening an Excel file that installs ransomware.

Your answer is incorrect

Typing a slightly incorrect URL and landing on a fake website.

Overall explanation

OBJ: 2.2 - Opening an Excel file that installs ransomware is a technique where attackers embed malicious software within seemingly innocent documents. When unsuspecting users open the file, the ransomware activates, potentially encrypting files and demanding a ransom for their release. Typing a slightly incorrect URL and landing on a fake website is a strategy called typosquatting or URL hijacking. Cybercriminals register domains with slight misspellings of popular websites. Unsuspecting users, making typographical errors when entering the URL, are directed to these malicious sites, which may steal data or spread malware. Receiving a fake bank call asking for account details is a form of vishing, where attackers impersonate legitimate entities over the phone to trick individuals into providing sensitive information. These scams often prey on the victim's trust and lack of awareness. An executive's email being spoofed to request fund transfers is often referred to as Business Email Compromise (BEC) or CEO fraud and involves attackers impersonating executives or high-ranking individuals to deceive employees into making unauthorized transactions or disclosing confidential data.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
116
Q

Question 26:

A security administrator is reviewing the logs of a domain name system (DNS) server and notices that it has received many requests for subdomains of a legitimate domain that do not exist. The administrator also observes that the responses from these requests are redirected to an unknown IP address. Which of the following network attacks is MOST likely occurring on the DNS server?

Reflected

On-path

Wireless

Amplified

A

Correct answer

Reflected

On-path

Your answer is incorrect

Wireless

Amplified

Overall explanation

OBJ: 2.4 - A reflected attack is a type of distributed denial-of-service (DDoS) attack that involves sending requests with spoofed source IP addresses to servers that redirect the responses to the target server, reflecting the traffic back to it. A wireless attack is a type of network attack that involves exploiting vulnerabilities or weaknesses in wireless networks or devices, such as encryption, authentication, or configuration. An amplified attack is a type of DDoS attack that involves sending requests with spoofed source IP addresses to servers that generate large responses, amplifying the traffic sent to the target server. An on-path attack is a type of network attack that involves intercepting or modifying data in transit between two parties, such as by using a packet sniffer or a proxy server.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
117
Q

Question 27:

Kylie, an IT technician at Dion Training, received complaints from employees about unexpected browser redirects. They were being taken to unfamiliar websites when they tried to access common web destinations. Further, some employees mentioned their webcams activating on their own, and unauthorized screenshots were found on a few desktops. Which of the following types of malware MOST aligns with the issues faced by Dion Training?

Ransomware

Worm

A RAT

Spyware

A

Ransomware

Worm

Your answer is incorrect

A RAT

Correct answer

Spyware

Overall explanation

OBJ: 2.4 - Spyware can perform various covert activities like tracking, taking screenshots, activating recording devices, and even redirecting DNS to pharming sites. The employees' experiences align with the characteristics of spyware. A worm replicates itself to spread to other computers. There's no mention of self-replicating software in the described scenario. While a RAT (Remote Access Trojan) can give unauthorized access to a system, the specific symptoms described, especially the DNS redirection, are more consistent with spyware than a RAT. Ransomware locks files or systems and demands a ransom. The events at BetaEnterprises don't hint at any such file encryption or demands.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
118
Q

Question 28:

Natasha, a systems administrator, was alerted about an issue on a company server. Despite the server appearing to operate normally, there were reports of unauthorized access to sensitive data. Upon inspection, Natasha noticed that standard tools like tasklist and netstat were not showing any unauthorized processes or connections. However, she discovered some oddly named system files that closely resembled genuine system executables. Which of the following types of malware is Natasha MOST likely dealing with?

Spyware

Virus

Rootkit

Ransomware

A

Spyware

Virus

Your answer is correct

Rootkit

Ransomware

Overall explanation

OBJ: 2.4 - Rootkits can conceal their presence by compromising system files and programming interfaces. The odd system files that resemble genuine executables are indicative of a rootkit's attempt to disguise its presence. Spyware is designed to monitor user behavior and capture data but doesn't typically hide processes or connections in the manner described. A virus attaches itself to a legitimate program and spreads, but the concealment tactics described are more in line with rootkits. Ransomware focuses on encrypting user files and demanding a ransom for their decryption. There's no mention of encrypted files or ransom demands.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
119
Q

Question 29:

What type of penetration testing focuses on assessing an organization's ability to prevent attacks?

Integrated

Offensive

Defensive

Physical

A

Integrated

Offensive

Correct answer

Defensive

Your answer is incorrect

Physical

Overall explanation

OBJ: 5.5 - Defensive penetration testing, also known as "Blue Team" testing, assesses an organization's defensive capabilities and incident response procedures. The goal is to evaluate how well the organization can defend against simulated cyberattacks and respond effectively to mitigate the impact. Physical penetration testing involves assessing an organization's physical security measures, such as access controls, surveillance systems, and perimeter security. The goal is to identify vulnerabilities in the physical environment that could be exploited by attackers. "Integrated" is not a specific type of penetration testing. The term may suggest a combination of different penetration testing approaches, but it is not a well-defined category on its own. Offensive penetration testing is focused on simulating real-world cyberattacks on an organization's systems and networks. The penetration testers take on the role of attackers to identify and exploit vulnerabilities, ultimately testing the organization's ability to detect and respond to such threats.

Domain

5.0 - Security Program Management and Oversight
120
Q

Question 30:

At SecureTech Solutions, the IT team is developing a comprehensive disaster recovery plan to ensure business continuity in case of disruptions. As part of this plan, they need to determine the maximum amount of data loss the organization can tolerate in the event of a disruption. What measurement are they determining?

MTTR

RTO

MTBF

RPO

A

MTTR

RTO

Your answer is incorrect

MTBF

Correct answer

RPO

Overall explanation

OBJ: 5.2 - The recovery point objective (RPO) is the maximum amount of data loss an organization is willing to tolerate. It defines the point in time to which systems and data must be recovered after a disruption. The mean time between failures (MTBF) is the average time interval between failures of a system or component. The mean time to repair (MTTR) is the average time taken to repair a system or component after a failure or disruption. The recovery time objective (RTO) is the maximum acceptable downtime for a system or process to be restored and functioning after a disruption.

Domain

5.0 - Security Program Management and Oversight
121
Q

Question 31:

Which of the following BEST characterizes the method of bundling an application and its environment for consistent behavior across platforms?

Serverless computing

Containerization

Logical segmentation

Software-defined networking

A

Serverless computing

Correct answer

Containerization

Logical segmentation

Your answer is incorrect

Software-defined networking

Overall explanation

OBJ: 3.1 - Containerization encapsulates an application with its environment, guaranteeing uniform behavior across systems. Logical segmentation focuses on dividing networks for traffic and security management, not on application encapsulation. Software-defined networking (SDN) centers on managing network control via software, not on packaging applications. Serverless computing eliminates the need to manage server infrastructure but doesn't bundle applications with their environments.

Domain

3.0 - Security Architecture
122
Q

Question 32:

You are chatting with your friend on Facebook Messenger. They send you a link to a funny video and ask you to watch it. You click on the link and it takes you to a website that looks like YouTube. However, the website then asks you to install a browser extension in order to play the video. You agree and install the extension. The extension then hijacks your browser and redirects you to malicious websites. What kind of threat vector was used for this attack?

Watering hole

SMS

File-based

IM

A

Watering hole

SMS

Your answer is incorrect

File-based

Correct answer

IM

Overall explanation

OBJ: 2.2 - An IM (Instant messaging) threat vector uses online chat platforms to deliver malicious messages or files. An SMS (Short Message Service) threat vector uses text messages to deliver malicious links or attachments to unsuspecting users. A file-based threat vector uses corrupted or malicious files to infect systems or networks. A watering hole threat vector uses compromised websites that are frequented by a specific target group to deliver malware or redirect traffic.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
123
Q

Question 33:

When a security specialist wishes to obtain a holistic view of the health and security status of foundational IT components, such as networks, cloud services, and servers, which type of monitoring should they prioritize?

Log aggregation

Systems monitoring

Applications monitoring

Infrastructure monitoring

A

Log aggregation

Systems monitoring

Applications monitoring

Your answer is correct

Infrastructure monitoring

Overall explanation

OBJ: 4.4 - Infrastructure monitoring is focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure. While log aggregation collects logs for analysis, it's a tool or method used in monitoring but does not specify which component (system, application, or infrastructure) is being observed. Systems monitoring evaluates the hardware, operating systems, and essential services that applications run on but not the broader foundational structures of IT. Application monitoring pertains to overseeing individual software solutions and ensuring their security and performance.

Domain

4.0 - Security Operations
124
Q

Question 34:

Gross Games is a multimedia company that is located in a region prone to natural disasters and is concerned about their data should a catastrophic event occur. Which backup strategy would provide them the best protection against data loss from these types of events?

Data mirroring

Onsite backups

Offsite backups

Differential backups

A

Data mirroring

Onsite backups

Correct answer

Offsite backups

Your answer is incorrect

Differential backups

Overall explanation

OBJ 3.4: By storing data in a different geographical location, offsite backups provide an added layer of protection against regional disasters, ensuring data availability even if the primary site is compromised. Data mirroring involves creating an exact, real-time copy of data, typically within the same location or network environment. The effectiveness against disasters depends on the geographic distribution of mirrored sites, which makes this choice less likely than having a clearly defined offsite backup. Differential backups capture only the changes since the last full backup; they don't inherently provide the geographical protection that would be required in this scenario. Onsite backups offer swift recovery times; however, in disaster-prone areas they are ineffective in that they are at risk of being affected by the same catastrophic event as the primary data center.

Domain

3.0 - Security Architecture
125
Q

Question 35:

At Dion Training, the management team is evaluating the best governance structure to implement in their organization. They want decision-making power to be distributed across departments to ensure important voices aren't lost. They believe the best decisions will be made when diverse groups come together to evaluate data and make the decision cooperatively. Which of the following governance structures do they want?

Board

Centralized

Committee

Hierarchical

A

Board

Centralized

Your answer is correct

Committee

Hierarchical

Overall explanation

OBJ: 5.1 - A committee governance structure involves forming a group with representatives from different departments or units within the organization. This approach allows for a collective decision-making process, leveraging expertise and perspectives from various parts of the company. By pooling insights from diverse sectors, the committee can ensure that decisions are holistic, considerate of multiple facets of the business, and thus more likely to contribute to effective and efficient operations. It promotes collaboration, shared responsibility, and balanced power distribution in organizational governance. A hierarchical structure relies on a strict top-down approach, where decisions are made at the higher levels and passed down to the lower levels for execution. This can sometimes lead to a disconnect between the decision-makers and those affected by the decisions on the ground. Board governance is typically associated with the oversight and decision-making of an organization's board of directors, which is responsible for high-level strategic decisions and governance oversight but may not involve distributing decision-making power across different departments or units. Centralized governance concentrates decision-making power in a single authority or department, where all major decisions are made by a central entity, often top-level management.

Domain

5.0 - Security Program Management and Oversight
126
Q

Question 36:

In the context of penetration testing, what is the purpose of passive reconnaissance?

To simulate real-world attacks and identify vulnerabilities

To test an organization's offensive capabilities

To gather information without directly engaging the target

To test an organization's defensive capabilities

A

To simulate real-world attacks and identify vulnerabilities

To test an organization's offensive capabilities

Correct answer

To gather information without directly engaging the target

Your answer is incorrect

To test an organization's defensive capabilities

Overall explanation

OBJ: 5.5 - Passive reconnaissance involves gathering information about the target system or organization without directly interacting with it. This information can include publicly available data, domain information, and network details. Simulating real-world attacks and identifying vulnerabilities does not accurately describe the purpose of passive reconnaissance; those are typically the objectives of offensive penetration testing. Penetration testing is the process of testing an organization's vulnerabilities in a simulated attack. Offensive capabilities are the abilities to launch an attack, and companies that engage in attacks are likely violating the law. The purpose of defensive penetration testing is to evaluate an organization's defensive capabilities against simulated cyberattacks. Passive reconnaissance is not directly related to this objective.

Domain

5.0 - Security Program Management and Oversight
127
Q

Question 37:

Sasha, the CEO of Dion Training, is concerned about potential cybersecurity threats. She wants a systematic approach to managing security incidents, so she has had David, the CTO, develop an incident response policy. Which of the following BEST describes the purpose of an incident response policy?

To maintain critical business operations during disruptions.

To ensure data encryption is implemented.

To outline the steps for handling security incidents and breaches.

To address the acceptable use of IT resources.

A

To maintain critical business operations during disruptions.

To ensure data encryption is implemented.

Your answer is correct

To outline the steps for handling security incidents and breaches.

To address the acceptable use of IT resources.

Overall explanation

OBJ: 5.1 - The primary purpose of an incident response policy is to outline the predefined steps and procedures for effectively identifying, containing, mitigating, and resolving security incidents and breaches. It helps ensure a structured and organized approach to handling such incidents to minimize their impact. While data encryption is an important security measure, it is not the primary purpose of an incident response policy. Incident response policies focus on providing guidelines and procedures for detecting, responding to, and recovering from security incidents and breaches. The acceptable use policy (AUP) specifically deals with defining the acceptable and appropriate use of IT resources within the organization by employees and users. It is not directly related to incident response. While maintaining critical business operations during disruptions is an essential aspect of business continuity planning, it is not the primary purpose of an incident response policy. The incident response policy focuses on the immediate response to security incidents and breaches, while business continuity policies address the broader aspect of keeping critical operations running during disruptions.

Domain

5.0 - Security Program Management and Oversight
128
Q

Question 38:

Which international standard provides a framework for an information security management system (ISMS) to ensure that appropriate security controls are in place within an organization?

NIST Special Publication 800-63

ISO/IEC 27002

ISO/IEC 27017

ISO/IEC 27001

A

NIST Special Publication 800-63

ISO/IEC 27002

ISO/IEC 27017

Your answer is correct

ISO/IEC 27001

Overall explanation

OBJ: 5.1 - ISO/IEC 27001 is an international standard that outlines the requirements for an information security management system, helping organizations to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties. NIST SP 800-63 is a US government standard that provides digital identity guidelines and does not establish an ISMS framework. While ISO/IEC 27002 provides guidance on security controls for an ISMS, it does not provide the framework itself. ISO/IEC 27017 extends ISO/IEC 27001's framework specifically for cloud services but is not the foundational standard for an ISMS.

Domain

5.0 - Security Program Management and Oversight
129
Q

Question 39:

Dion Training is introducing a new security policy requiring all users to update their passwords every 90 days, affecting all departments. After implementing this policy, what should Dion Training do to ensure it is effective and followed?

Discontinue any prior password-related policies immediately without review.

Test the results of the newly implemented policy.

Disregard any concerns or feedback from employees regarding the new policy.

Inform only the IT department about the change, and let them handle telling other departments.

A

Discontinue any prior password-related policies immediately without review.

Correct answer

Test the results of the newly implemented policy.

Disregard any concerns or feedback from employees regarding the new policy.

Your answer is incorrect

Inform only the IT department about the change, and let them handle telling other departments.

Overall explanation

OBJ: 1.3 - Testing the results helps the organization verify that the policy is working as intended and that users are complying with the mandate. This will provide insights into any potential issues and areas for improvement. While it's essential to ensure there are no conflicting policies, immediately discontinuing prior policies without review can lead to potential security gaps and confusion among employees. Communication is vital when implementing new policies, especially those that affect multiple departments. Relying on word-of-mouth or assuming departments will learn of changes can lead to non-compliance and potential security risks. Employee feedback is crucial when rolling out new policies, as it can provide valuable insights and identify potential challenges in real-world applications. Ignoring concerns can lead to resistance to adoption and potential security vulnerabilities.

Domain

1.0 - General Security Concepts
130
Q

Question 40:

As part of a quarterly review, Jacob compiles a document that highlights all identified risks, their statuses, and any recent changes in potential impact. He presents this document to executive leadership to help guide strategic decisions. Which document is Jacob most likely preparing?

Risk Report

Risk Register

Incident Response Plan

Risk Assessment

A

Correct answer

Risk Report

Risk Register

Incident Response Plan

Your answer is incorrect

Risk Assessment

Overall explanation

OBJ 5.2 - A risk report summarizes the status of identified risks, including changes in impact and mitigation efforts, and is intended for leadership to inform decision-making. A Risk Register tracks risks but isn't typically a summarized report for executives; a Risk Assessment identifies risks; and an Incident Response Plan addresses handling incidents, not risk status updates.

Domain

5.0 - Security Program Management and Oversight
131
Q

Question 41:

Which sensor, often used in security applications, sends out signals and analyzes the reflection of those signals to detect the movement or presence of objects?

IR

Microwave

Fencing

Honeytoken

A

IR

Correct answer

Microwave

Fencing

Your answer is incorrect

Honeytoken

Overall explanation

OBJ: 1.2 - Microwave sensors use electromagnetic signals and measure their reflection to detect movement or the presence of objects. They are particularly useful in some security applications. Fencing is a barrier erected around a property, facility, or asset to prevent unauthorized entry or access. A honeytoken is a type of digital bait used to detect unauthorized system access or data usage. IR (Infrared) can be used for motion detectors, but it uses changes in heat or temperature patterns to detect motion.

Domain

1.0 - General Security Concepts
132
Q

Question 42:

Kelly Innovations, a software as a service (SaaS) provider, intends to store data pertaining to its European clientele. In accordance with GDPR, there are stipulations regarding the physical locality of data storage. Which of the following terms defines the mandate that data be stored and processed in compliance with the legal provisions of its residing nation?

Data sovereignty

Data integrity

Data replication

Data obfuscation

A

Correct answer

Data sovereignty

Data integrity

Your answer is incorrect

Data replication

Data obfuscation

Overall explanation

OBJ 3.3: Data sovereignty refers to the concept that data is subject to the laws and governance structures within the nation it is located in. Companies must manage and store data according to the specific laws and regulations of each country in which they operate. Data integrity pertains to the accuracy and consistency of data over its lifecycle. It does not focus on the location-specific rules for data storage. Data obfuscation involves disguising original data to protect the data subject's privacy and data security, not the geographic laws surrounding data. Data replication is the process of storing data in multiple locations for the sake of data recovery and backup. It does not pertain to the specific legalities of where data is stored.

Domain

3.0 - Security Architecture
133
Q

Question 43:

A security researcher discovers a previously unknown vulnerability in an operating system that allows an attacker to execute arbitrary code with elevated privileges. The researcher reports the vulnerability to the vendor, but the vendor has not released a patch. What type of vulnerability did the researcher find?

Cryptographic

Misconfiguration

Supply Chain

Zero-Day

A

Cryptographic

Misconfiguration

Your answer is incorrect

Supply Chain

Correct answer

Zero-Day

Overall explanation

OBJ 2.3 - In this case, the security researcher found a zero-day vulnerability. A zero-day vulnerability is a flaw in a system or software that is unknown to the vendor. It's not a supply chain issue, which involves weaknesses in external components or providers, nor is it a misconfiguration, which involves setup errors. A cryptographic flaw is a weakness related to encryption.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
134
Q

Question 44:

Jamario, after consulting with Mary at Dion Training, decided to standardize the software environment across all company workstations. He wanted a consistent and reproducible setup that could easily be deployed on any new workstation. Which of the following is the BEST technique for Jamario to maintain this consistent setup?

Implementing a patch management process

Routinely auditing system configurations

Creating a standardized system image

Using configuration management tools

A

Implementing a patch management process

Routinely auditing system configurations

Your answer is correct

Creating a standardized system image

Using configuration management tools

Overall explanation

OBJ 4.1: By using a standardized image, Jamario ensures every workstation starts with the same software setup, simplifying deployment and ensuring consistency. While implementing a patch management process ensures that all systems are updated with the latest security patches, it doesn't guarantee a standardized software setup across all new workstations. Though they help in maintaining consistent configurations, using configuration management tools is more complex and might not be as efficient as deploying a standardized image for ensuring the initial setup is consistent across all workstations. Audits can detect deviations from the standard, but they reactively address inconsistencies rather than proactively ensuring a uniform setup.

Domain

4.0 - Security Operations
135
Q

Question 45:

Toby, a Security Analyst, has suggested that his company begin using a device that will act as a gateway to the company's perimeter network. Once installed, it will be the only opening into the perimeter network, increasing security on the company's most critical data. What is Toby suggesting his company begin using?

Fail-close

SASE

Jump server

IPS

A

Fail-close

SASE

Your answer is correct

Jump server

IPS

Overall explanation

OBJ 3.2: A jump server is a network appliance. It uses one channel to funnel traffic through the firewall. Jump servers increase security by limiting the routes traffic can take into a system. Secure Access Service Edge (SASE) is a cloud-native architecture that combines WAN capabilities and network security services into a single cloud service. It doesn't act as a gateway to a perimeter network. Fail-close refers to what happens when a network encounters errors and exceptions. Fail-close means that when errors occur or exceptions are encountered, the system denies further access. This prevents any further network traffic until the error or exception is dealt with. While this provides greater security, it means that a website can't be accessed even if the error encountered is minor or doesn't pose a security threat. An intrusion prevention system (IPS) is for detecting and preventing potential threats; it is not designed to provide secure access to the perimeter network.

Domain

3.0 - Security Architecture
136
Q

Question 46:

A global pandemic threatens to force the company to go into shutdown with very little notice. Sterling has been put in charge of planning for this event. Which of the following physical attacks should concern him the most?

Worms

Environmental

Brute force

Ransomware

A

Worms

Correct answer

Environmental

Brute force

Your answer is incorrect

Ransomware

Overall explanation

OBJ: 2.4 - Environmental is a type of physical attack that involves exploiting natural or man-made disasters, such as fires, floods, earthquakes, or power outages, to compromise the physical security of a system or facility. Brute force is a type of attack that involves trying different combinations of keys, codes, or passwords to gain access to a locked area or device. While this may occur, it is not the most likely attack in the given scenario. A worm is a type of malware that self-replicates and spreads to other systems or networks without user interaction. While this may occur, it is not more likely in the given scenario. Ransomware is a type of malware that encrypts the data or files on a system and demands a ransom for their decryption or restoration. While this may occur, it is not more likely in the given scenario.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
137
Q

Question 47:

Neon Weaving wants to install bollards and a fence to improve security at their factory. Which of the following types of security controls are bollards and fences?

Technical

Managerial

Operational

Physical

A

Technical

Managerial

Operational

Your answer is correct

Physical

Overall explanation

OBJ: 1.1 - Physical security controls are measures that involve protecting an organization's physical assets. These controls can include security cameras, locks, bollards, fences, and security badges. Managerial security controls are measures that involve directing and overseeing the overall security of an organization. These controls can include risk assessments, security awareness training, incident response planning, and service acquisition. Operational security controls are measures that involve the day-to-day operations of an organization's security. These controls can include backup and recovery procedures, configuration management, media protection, and log monitoring. Technical security controls are measures that are put in place to protect the confidentiality, integrity, and availability of a system or network. These controls can include firewalls, intrusion detection/prevention systems, encryption, and access controls.

Domain

1.0 - General Security Concepts
138
Q

Question 48:

Which of the following mobile device vulnerabilities is created by installing applications from sources other than the official app store?

Memory injection

Side loading

Jailbreaking

Buffer overflow

A

Memory injection

Correct answer

Side loading

Jailbreaking

Your answer is incorrect

Buffer overflow

Overall explanation

OBJ: 2.3 - Side loading is a mobile device vulnerability that results from installing applications from sources other than the official app store, such as third-party websites, USB drives, or email attachments. It can expose the device to malware, spyware, or unauthorized access. Memory injection is a technique that involves injecting code into a running process to alter its behavior or gain access to its memory. It can be used for malicious or legitimate purposes on mobile devices, such as debugging or hooking. Jailbreaking creates a vulnerability on a mobile device by bypassing the restrictions imposed by the manufacturer or provider of a device, such as an iPhone or iPad, to gain root access and install unauthorized applications or customizations. It can expose the device to malware, spyware, or unauthorized access. Buffer overflow is a type of memory corruption that occurs when a program writes more data than the allocated buffer can hold, causing it to overwrite adjacent memory locations. It can lead to crashes, code execution, or privilege escalation.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
139
Q

Question 49:

You are a security analyst tasked with investigating a suspected security breach involving leaked corporate documents. You decide to examine the metadata associated with these documents. Which of the following pieces of information would be MOST valuable in these metadata logs to investigate the incident?

The security classification status for each document

The file extensions for the documents

The total word count of all documents

The timestamps of the documents

A

The security classification status for each document

The file extensions for the documents

Your answer is incorrect

The total word count of all documents

Correct answer

The timestamps of the documents

Overall explanation

OBJ 4.9: The metadata of creation, modification, and last accessed timestamps can provide crucial information about when the documents were created, altered, or accessed, which may reveal details of the breach. The security classification status is not found in the metadata of a document. The file extensions are not part of the metadata and would not help you in your investigation. While the word count may give an indication of the scale of the documents involved, it doesn't provide specific details related to a potential security breach. In each case, timestamps indicating when the documents were created, modified, or last accessed are more likely to provide you with information for your investigation.

Domain

4.0 - Security Operations
140
Q

Question 50:

Which of the following characteristics of a cloud architecture model describes its ability to quickly recover from failures due to adverse conditions?

Ease of Deployment

Scalability

Resilience

Availability

A

Ease of Deployment

Scalability

Correct answer

Resilience

Your answer is incorrect

Availability

Overall explanation

OBJ: 3.1 - Resilience in cloud architecture refers to the ability of the system to quickly recover from failures and maintain operational performance, crucial for ensuring availability during adverse conditions. Ease of Deployment means that new instances and the entire cloud environment can be easily created. Availability refers to guaranteeing a system will continue to operate so that the system can be used regardless of conditions. Resilience, like availability, refers to keeping a system functioning, but also directly addresses how quickly a system can recover after adverse conditions have led to a failure. Scalability means that the system can expand when more resources are needed without creating lags or problems for users. This expansion isn't considered an adverse condition; increased business is seen as a positive attribute. Resilience is the ability of a system to quickly recover after failures due to adverse conditions.

Domain

3.0 - Security Architecture
141
Q

Question 51:

During a change management meeting, Lisa, a project manager, is presenting the impact of a proposed change on various departments. She also gathers feedback from representatives of those departments to ensure all viewpoints are considered. Which of the following terms BEST describes the representatives from the various departments?

Stakeholders

Backout plan

Maintenance window

Approval process

A

Correct answer

Stakeholders

Backout plan

Your answer is incorrect

Maintenance window

Approval process

Overall explanation

OBJ: 1.3 - Stakeholders are individuals or entities that have an interest in a particular decision or project, often representing various departments or groups; their feedback is critical for comprehensive decision-making. An approval process is a formalized procedure to ensure changes are reviewed and approved before implementation. A backout plan is a contingency plan detailing steps to revert changes in case of failure or unforeseen complications. A maintenance window is a pre-defined time frame during which changes or updates are implemented, often chosen to minimize business disruption.

Domain

1.0 - General Security Concepts
142
Q

Question 52:

Which of the following BEST describes the Software Development Life Cycle (SDLC) in application security?

It replaces the need for regular software updates and patches.

It primarily focuses on the speed of software delivery over security.

It only considers security during the testing and creation phases of software development.

It emphasizes the integration of security in software creation and maintenance.

A

It replaces the need for regular software updates and patches.

It primarily focuses on the speed of software delivery over security.

It only considers security during the testing and creation phases of software development.

Your answer is correct

It emphasizes the integration of security in software creation and maintenance.

Overall explanation

OBJ: 5.1 - The SDLC ensures that security is a focal point in all stages of software development, from design to maintenance. While certain SDLC models, like Agile, prioritize quick deliveries, they don't overlook security. SDLC integrates security throughout its phases, not just during testing. Even with a robust SDLC, software may still require updates and patches post-deployment.

Domain

5.0 - Security Program Management and Oversight
143
Q

Question 53:

Which asymmetric encryption technique provides a comparable level of security with shorter key lengths, making it efficient for cryptographic operations?

Diffie-Hellman

ECC

DSA

RSA

A

Diffie-Hellman

Correct answer

ECC

DSA

Your answer is incorrect

RSA

Overall explanation

OBJ: 1.4 - ECC (Elliptic curve cryptography) is a type of trapdoor function that is efficient with shorter key lengths. For instance, ECC with a 256-bit key provides roughly the same security as RSA with a 2048-bit key. The primary advantage is that ECC has no known shortcuts to cracking it, making it particularly robust. Diffie-Hellman is an algorithm primarily for secure key exchange, not directly comparable to the encryption efficiency offered by ECC's shorter key lengths. Digital Signature Algorithm (DSA) is an algorithm used for digital signatures, but it doesn't inherently offer the same efficiency in terms of key length as ECC. While a foundational asymmetric algorithm, RSA generally requires longer key lengths than ECC to achieve comparable security levels.

Domain

1.0 - General Security Concepts
144
Q

Question 54:

For companies transitioning to a cloud architecture, which of the following is essential to delineate the roles and responsibilities between the client and the cloud service provider?

Hybrid considerations

Serverless architecture

Responsibility matrix

Third-party vendors

A

Hybrid considerations

Serverless architecture

Correct answer

Responsibility matrix

Your answer is incorrect

Third-party vendors

Overall explanation

OBJ: 3.1 - A responsibility matrix in cloud architecture is crucial for clearly defining the roles and responsibilities between the client and the cloud service provider, ensuring accountability and security compliance. Hybrid considerations are important for organizations using a mix of on-premises and cloud solutions, but they don't specifically define roles and responsibilities between the client and provider. While managing third-party vendors is essential in cloud environments, it doesn't delineate the specific roles and responsibilities between the client and the cloud service provider. Serverless architecture is a cloud-computing model focusing on applications' runtime, not specifically on defining roles and responsibilities between parties involved.

Domain

3.0 - Security Architecture
145
Q

Question 55:

Which of the following network technologies separates the control plane from the data plane, allowing for more flexibility and automation in network management?

SDN

Physical isolation

Hybrid considerations

Virtualization

A

Correct answer

SDN

Physical isolation

Hybrid considerations

Your answer is incorrect

Virtualization

Overall explanation

OBJ: 3.1 - Software-defined networking (SDN) is a network technology that separates the control plane from the data plane, allowing for more flexibility and automation in network management. The control plane provides the intelligence and logic for the network, while the data plane handles the actual traffic forwarding. Virtualization is a technology that allows creating multiple virtual machines or environments on a single physical device, not separating the control plane from the data plane. Physical isolation is a network design that separates a network from other networks or devices to prevent unauthorized access or interference, not separating the control plane from the data plane. Hybrid considerations involve using a combination of cloud and on-premises resources to deliver services and applications, not separating the control plane from the data plane.

Domain

3.0 - Security Architecture
146
Q

Question 56:

What is the measure of the potential financial loss associated with a specific risk event?

RTO

MTTR

SLE

RPO

A

RTO

MTTR

Correct answer

SLE

Your answer is incorrect

RPO

Overall explanation

OBJ: 5.2 - The single loss expectancy (SLE) is the measure of the potential financial loss associated with a specific risk event. The recovery point objective (RPO) is the maximum amount of data loss that an organization can tolerate after a disruption. It represents the point in time to which data must be recovered after a failure or disaster. The mean time to repair (MTTR) is the average time it takes to repair a system or component after a failure occurs. The recovery time objective (RTO) is the maximum allowable downtime for a system or process after a disruption, indicating the time it should take to recover and resume normal operations.

Domain

5.0 - Security Program Management and Oversight
147
Question 57:
Which of the following is the MOST effective method to defend against unauthorized access to the memory of a physical server through VM escaping?
Encrypting data within the Virtual Machine.
Monitoring and promptly patching hypervisor software.
Changing Virtual Machine usernames and passwords frequently.
Installing antivirus on each Virtual Machine.
Encrypting data within the Virtual Machine.
Correct answer
Monitoring and promptly patching hypervisor software.
Changing Virtual Machine usernames and passwords frequently.
Installing antivirus on each Virtual Machine.
Overall explanation
OBJ: 2.3 - Keeping the hypervisor up to date with the latest patches closes the hypervisor vulnerabilities that VM escape exploits rely on. Installing antivirus on each Virtual Machine helps against malware inside individual VMs but does not address vulnerabilities at the hypervisor level that allow VM escaping. Encryption is vital for protecting data at rest, but if an attacker reaches host memory via a VM escape, the encryption keys and the decrypted data can be recovered. Regularly rotating credentials can prevent unauthorized access at the VM level, but it does not address the core issue of hypervisor vulnerabilities that enable VM escaping.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
148
Question 58:
David, a security professional at Kelly Innovations LLC, is collaborating with the HR department to identify potential security threats that the company might face. Together, they outline policies on password management, insider threats, and the dangers of phishing. What phase of security awareness practices is David primarily involved in?
Review
Development
Deployment
Assessment
Review
Correct answer
Development
Deployment
Assessment
Overall explanation
OBJ: 5.6 - The Development phase is where an organization identifies its security needs and formulates policies and procedures to meet them, including guidelines on topics like phishing, password strategies, and insider risks. Deployment is the implementation of existing security strategies or tools, not their creation. The Review phase re-evaluates established policies and strategies based on feedback or new threats, without necessarily creating new guidelines. The Assessment phase analyzes current security protocols to find gaps or vulnerabilities, without formulating new strategies.
Domain 5.0 - Security Program Management and Oversight
149
Question 59:
As a security analyst, you are investigating a potential security breach through an OS-specific log from a Windows machine. Which of the following pieces of information is LEAST likely to be found in the OS-specific security logs?
Failed login attempts
User account password changes
Firewall rule modifications
The antivirus signature database version
Failed login attempts
User account password changes
Firewall rule modifications
Correct answer
The antivirus signature database version
Overall explanation
OBJ 4.9: The antivirus signature database version is typically NOT recorded in OS-specific security logs. It is specific to the security software and, if needed, is found in that product's own logs (Microsoft Defender, for example, writes definition updates to its own operational event channel). Failed login attempts are recorded in the Windows Security log (Event ID 4625); monitoring them is vital for detecting brute-force and other unauthorized access attempts. User account password changes and resets are audited by the operating system (Event IDs 4723 and 4724), an audit trail that can be critical when investigating insider threats or unauthorized access. Windows Firewall rule additions, modifications, and deletions are also written to the Security log (Event IDs 4946 through 4948); changes to firewall rules can have significant security implications, so tracking them matters in an investigation.
Domain 4.0 - Security Operations
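The triage an analyst would run over the three log sources the card says the Security log does hold, as an added example that is not part of the original card. It is standard-library Python; the event records are constructed sample data shaped like the fields Windows writes for Event IDs 4625, 4624, 4724, and 4947 (not a real capture), and the threshold of five failures is an assumed tuning value.

```python
"""Triage of Windows Security log records, as an added example (not part of
the original card). SAMPLE_EVENTS is constructed data shaped like the fields
Windows writes for these Event IDs; it is not a real capture."""
from collections import Counter

# Event IDs as written to the Windows Security log.
FAILED_LOGON = 4625      # An account failed to log on
SUCCESS_LOGON = 4624     # An account was successfully logged on
PASSWORD_CHANGE = 4723   # An attempt was made to change an account's password
PASSWORD_RESET = 4724    # An attempt was made to reset an account's password
FIREWALL_RULE_IDS = {4946, 4947, 4948}   # firewall rule added / modified / deleted

# Constructed sample events in chronological order; a real pipeline would build
# these dicts from EVTX/XML or a SIEM export. Status 0xC000006D = bad user/password.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "mlee", "IpAddress": "10.0.0.22", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.7", "Status": "0xC000006D"},
    {"EventID": 4624, "TargetUserName": "admin", "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith"},
    {"EventID": 4947, "SubjectUserName": "admin", "RuleName": "Allow RDP"},
]


def failed_logons_by_source(events):
    """Count 4625 events per source address."""
    return Counter(e["IpAddress"] for e in events if e["EventID"] == FAILED_LOGON)


def brute_force_sources(events, threshold=5):
    """Sources with at least `threshold` failed logons (password guessing or spraying)."""
    counts = failed_logons_by_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def success_after_failures(events, threshold=5):
    """(source, account) pairs where a 4624 followed >= threshold failures from the
    same source: the most urgent pattern, because the guessing appears to have worked."""
    failures = Counter()
    hits = []
    for e in events:
        ip = e.get("IpAddress")
        if e["EventID"] == FAILED_LOGON:
            failures[ip] += 1
        elif e["EventID"] == SUCCESS_LOGON and failures[ip] >= threshold:
            hits.append((ip, e["TargetUserName"]))
    return hits


def credential_changes(events):
    """Password changes/resets: (event id, who did it, whose account)."""
    return [(e["EventID"], e["SubjectUserName"], e["TargetUserName"])
            for e in events if e["EventID"] in (PASSWORD_CHANGE, PASSWORD_RESET)]


def firewall_rule_changes(events):
    """Windows Firewall rule changes: (event id, rule name)."""
    return [(e["EventID"], e["RuleName"]) for e in events if e["EventID"] in FIREWALL_RULE_IDS]


def triage(events, threshold=5):
    """One-shot summary an analyst would pivot from."""
    return {
        "brute_force_sources": brute_force_sources(events, threshold),
        "success_after_failures": success_after_failures(events, threshold),
        "credential_changes": credential_changes(events),
        "firewall_rule_changes": firewall_rule_changes(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The ordering check in success_after_failures is what turns a noisy "many 4625s" alert into a credible compromise indicator; note that 4625 is only written if failure auditing for the Logon subcategory is enabled, so an empty result can mean no attack or no auditing.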
150
Question 60:
In what type of penetration testing are the testers given usernames, passwords, and other information that would normally be gathered in the first phase?
Partially known environment
Known environment
Unknown environment
Reconnaissance
Partially known environment
Correct answer
Known environment
Unknown environment
Reconnaissance
Overall explanation
OBJ: 5.5 - In a known environment penetration test, a significant amount of information is given to the tester, including usernames, passwords, and other details. In a partially known environment test, some information about the target systems is available to the tester but not all details are known, so the tester would likely still need to complete the reconnaissance phase. In an unknown environment test, the tester is given no information and must begin with reconnaissance. Reconnaissance is the initial phase of a penetration test, where information gathering and data collection occur without directly engaging the target; it is a preparatory phase, not a type of penetration test.
Domain 5.0 - Security Program Management and Oversight
151
Question 61:
Robert is setting up access for employees in his organization's new cloud infrastructure. He wants to ensure that even if an attacker steals a user's password, they won't be able to access the system without additional verification. Which of the following controls is the BEST solution for Robert to implement?
SIEM
Firewall
ACLs
MFA
SIEM
Firewall
ACLs
Correct answer
MFA
Overall explanation
OBJ 3.2: MFA (multi-factor authentication) requires users to present two or more verification factors before they can access a resource. Even if a malicious actor acquires a user's password, they would still need another factor, such as a token or biometric, to gain access. ACLs (access control lists) determine which users or roles are allowed to access specific resources; they do not add a second layer of verification before access is granted. Firewalls filter and control traffic entering or leaving a network based on rules; they are not designed to authenticate users with multiple factors. SIEM (Security Information and Event Management) platforms aggregate and analyze log and event data to identify and respond to security threats; they can detect potential incidents but do not perform user access verification.
Domain 3.0 - Security Architecture
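What "a stolen password is not enough" looks like in code, as an added example that is not part of the card or of any product it mentions. It implements the TOTP second factor most authenticator apps use (RFC 6238 over RFC 4226 HOTP) with the standard library, then a login that requires both factors and refuses a reused code. The user store, the PBKDF2 password hashing, and the user "alice" are constructed for the demonstration; the shared secret is the RFC 6238 SHA-1 test secret, so the codes can be checked against the RFC's published vectors.

```python
"""Password plus TOTP second factor, as an added example (not from the card).
TOTP per RFC 6238 over HOTP per RFC 4226, standard library only. The user
record and password hashing are constructed for the demonstration; the
secret below is the RFC 6238 SHA-1 test secret."""
import hashlib
import hmac
import os
import struct

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1, digits: int = 6):
    """Return the time-step counter the code matched, or None.
    Accepts +/- window steps of clock drift; comparison is constant-time."""
    if not (code.isascii() and code.isdigit()):
        return None
    base = at // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user store: one record keyed by username."""
    salt = os.urandom(16)
    return {username: {"salt": salt, "pw_hash": hash_password(password, salt),
                       "totp_secret": totp_secret, "last_counter": -1}}


def login(users: dict, username: str, password: str, code: str, at: int):
    """Both factors must pass. A stolen password with no or a guessed code is
    rejected, and each code is accepted only once (replay protection)."""
    user = users.get(username)
    if user is None:
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    counter = verify_totp(user["totp_secret"], code, at)
    if counter is None:
        return False, "second factor missing or wrong"
    if counter <= user["last_counter"]:
        return False, "code already used"
    user["last_counter"] = counter
    return True, "ok"


if __name__ == "__main__":
    users = make_user("alice", "correct horse battery", RFC_TEST_SECRET)
    print(login(users, "alice", "correct horse battery", totp(RFC_TEST_SECRET, 59), 59))
    print(login(users, "alice", "correct horse battery", "", 59))   # password only: rejected
```

The last_counter bookkeeping matters in practice: without it, a code phished seconds ago is still valid for the rest of the 30-second step (plus the drift window), which is exactly how real-time phishing kits relay TOTP codes.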
152
Question 62:
Which of the following statements about the role of Application Programming Interfaces (APIs) is NOT true?
APIs are primarily used to enhance the user interfaces of security applications, making training, daily use, and incident response significantly easier
APIs create a standardized set of rules for how software components should interact, improving security and functionality
APIs can reduce the complexity of integration between different systems, thereby making automation processes more effective
APIs allow different software applications to interact and share data, facilitating automation and orchestration
Correct answer
APIs are primarily used to enhance the user interfaces of security applications, making training, daily use, and incident response significantly easier
APIs create a standardized set of rules for how software components should interact, improving security and functionality
APIs can reduce the complexity of integration between different systems, thereby making automation processes more effective
APIs allow different software applications to interact and share data, facilitating automation and orchestration
Overall explanation
OBJ 4.7: APIs are not primarily about the user interface or visual presentation of an application; their main purpose is to let software components interact programmatically, which is what makes automation and orchestration possible. APIs greatly simplify the integration of different systems, increasing the effectiveness of automation processes. APIs establish a standardized set of rules for the interaction between software components, improving both security and functionality. One of the main functions of APIs is to allow different software applications to communicate and share data, which is crucial for automation and orchestration.
Domain 4.0 - Security Operations
153
Question 63:
Dion Training is concerned with protecting data as it moves from Dion's computers to its cloud servers. Which of the following BEST describes the primary method to secure data when it is being transmitted over a network?
Implementing robust firewall rules and intrusion detection systems
Using encrypted drives
Using transport encryption protocols like IPSec
Setting up ACLs on network devices
Implementing robust firewall rules and intrusion detection systems
Using encrypted drives
Correct answer
Using transport encryption protocols like IPSec
Setting up ACLs on network devices
Overall explanation
OBJ 3.3: Data in transit is data actively being sent across a network, such as website traffic or data synchronizing between cloud repositories. To protect it from eavesdropping or interception, it must be encrypted with a transport protocol such as TLS (Transport Layer Security) or IPsec (Internet Protocol Security). These protocols keep the data confidential and protect its integrity as it crosses the network, provided the client actually verifies who it is talking to. ACLs (access control lists) define who can access certain resources on a network but do not encrypt the data itself. Firewall rules and intrusion detection systems help protect against unauthorized access and potential breaches but do not encrypt data in transit. Encrypted drives protect data at rest and do not address data while it is in transit over a network.
Domain 3.0 - Security Architecture
154
Question 64:
During a digital investigation, which activity is MOST closely associated with the acquisition phase?
Reviewing a detailed log of who handled the evidence and when
Imaging a hard drive to create an exact byte-for-byte copy for analysis
Searching through electronic records to identify relevant emails for a court case
Determining if cryptographic methods need to be employed to protect data during storage
Reviewing a detailed log of who handled the evidence and when
Correct answer
Imaging a hard drive to create an exact byte-for-byte copy for analysis
Searching through electronic records to identify relevant emails for a court case
Determining if cryptographic methods need to be employed to protect data during storage
Overall explanation
OBJ 4.8: During the acquisition phase, the goal is to obtain data in a way that does not alter the original evidence. Imaging a hard drive (typically through a write blocker, with a hash of the image recorded so it can later be shown to match the original) is the standard practice for achieving this. Reviewing a detailed log of who handled the evidence and when relates to maintaining the chain of custody, which establishes the integrity and authenticity of digital evidence. Searching through electronic records to identify relevant emails for a court case is e-discovery, where the aim is to locate specific electronic evidence. Deciding whether cryptographic methods are needed to protect stored data belongs to the preservation stage.
Domain 4.0 - Security Operations
155
Question 65:
Which of the following terms refers to an individual whose personal data is being collected, held, or processed?
Data retention
Data processor
Data subject
Data controller
Data retention
Data processor
Correct answer
Data subject
Data controller
Overall explanation
OBJ: 5.4 - The data subject is the individual whose personal information is being collected, held, or processed by an organization or entity. The data processor is the entity that processes data on behalf of the controller. The data controller is the entity or person who determines the purposes and means of processing personal data and has overall responsibility for ensuring that processing complies with applicable privacy laws and regulations. Data retention is the set of policies or regulations that dictate how long an entity must hold specific types of information.
Domain 5.0 - Security Program Management and Oversight
156
Question 66:
Which of the following is a root cause that can lead to a security incident involving the unauthorized disclosure of sensitive data?
Misconfiguration
Data corruption
Data breach
DoS
Correct answer
Misconfiguration
Data corruption
Data breach
DoS
Overall explanation
OBJ: 2.3 - A misconfiguration is a human error in which a system or service is set up with incorrect or insecure settings, such as default passwords, open ports, or unnecessary permissions. It exposes the system or service to unauthorized access or attack, and when the system holds confidential data the result can be a data breach. A data breach is a type of security incident involving unauthorized access to, disclosure of, or theft of sensitive data; it is an outcome that a misconfiguration can cause, not a root cause. Data corruption is a form of data loss involving unintended changes or errors in data, caused by hardware failure, software bugs, malware, human error, or power loss; a misconfiguration can contribute to it if it lets an attacker modify or delete important data. Denial of service (DoS) is an attack that overwhelms a system or service with excessive requests or traffic so it cannot function properly; a misconfiguration can make a system more susceptible if it cannot handle the load or respond to legitimate requests.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
157
Question 67:
Which of the following is the BEST example of a system that does not interact with the network traffic and primarily relies on detection?
SASE
IPS
IDS
802.1X
SASE
IPS
Correct answer
IDS
802.1X
Overall explanation
OBJ 3.2: A passive system such as an IDS (Intrusion Detection System) does not interact with the network traffic; it monitors a copy of the traffic (from a SPAN port or network tap) and focuses on detection and alerting, so it cannot disrupt the network flow. 802.1X is a network access control standard for authenticating devices at the port, not a system defined by how it interacts with traffic. An inline system such as an IPS (Intrusion Prevention System) sits in the traffic path and can block or alter packets, which is not what the scenario describes. SASE (Secure Access Service Edge) is a network architecture that combines WAN capabilities with cloud-native security functions; it does not specifically describe passive or inline interaction with traffic.
Domain 3.0 - Security Architecture
158
Question 68:
When aiming to limit access between different parts of a network to reduce the potential impact of compromised systems, which activity is MOST directly applied?
Network segmentation
Endpoint protection
Traffic monitoring
Firewall configuration
Correct answer
Network segmentation
Endpoint protection
Traffic monitoring
Firewall configuration
Overall explanation
OBJ 4.3: Network segmentation divides a computer network into sub-networks. This limits the reach of malicious activity and ensures that a compromised system cannot affect the entire network. Endpoint protection secures end-user devices such as computers and mobile devices; it does not divide the network. Firewall configuration plays a crucial role in filtering and monitoring network traffic, but by itself it does not divide the network into separate segments. Traffic monitoring can help detect and respond to malicious activity, but it does not create boundaries within the network.
Domain 4.0 - Security Operations
159
Question 69:
During a business process analysis (BPA) of a critical operation, which of the following components identifies the specific server or data center responsible for processing tasks?
Staff and other resources
Inputs
Hardware
Process flow
Staff and other resources
Inputs
Correct answer
Hardware
Process flow
Overall explanation
OBJ: 5.3 - The hardware component of a BPA identifies the specific technological resources, such as servers or data centers, that perform the processing for a mission-essential function. Process flow gives a sequential description of the operational steps but does not specify the hardware used. Staff and other resources covers the workforce and supplementary resources the function needs, not the processing equipment. Inputs are the initial information sources required to execute the function, not the processing hardware.
Domain 5.0 - Security Program Management and Oversight
160
Question 70:
Which of the following BEST describes how automation and orchestration in cybersecurity operations influence employee satisfaction and retention?
Reduces repetitive and mundane tasks
Directly increases salary packages
Decreases the demand for cybersecurity professionals
Facilitates frequent role rotation among teams
Correct answer
Reduces repetitive and mundane tasks
Directly increases salary packages
Decreases the demand for cybersecurity professionals
Facilitates frequent role rotation among teams
Overall explanation
OBJ 4.7: By automating routine tasks, employees can focus on the more challenging and fulfilling aspects of their roles, which enhances satisfaction and retention. Automation standardizes operations but does not directly promote or facilitate role rotation within cybersecurity teams. Automation can handle specific tasks, but it does not reduce the overall demand for skilled cybersecurity professionals. Automation might indirectly lead to operational savings, but it does not directly influence individual employee salaries.
Domain 4.0 - Security Operations
161
Question 71:
In automation, which of the following is the MOST urgent risk that emerges when an organization relies heavily on a singular tool or solution for multiple critical processes?
Potential for inflated operational expenses
Exposure to system-wide disruption
Fear of vendor lock-in
Challenge in cross-platform compatibility
Potential for inflated operational expenses
Correct answer
Exposure to system-wide disruption
Fear of vendor lock-in
Challenge in cross-platform compatibility
Overall explanation
OBJ 4.7: Relying on a single solution for multiple critical processes creates a single point of failure. If that tool or solution fails, many processes are disrupted at once, compromising secure operations. Fear of vendor lock-in is the concern that an organization becomes overly reliant on a specific vendor's products; it does not directly address the risk of system-wide disruption. The challenge of cross-platform compatibility concerns integrating solutions across various platforms, not the failure of a critical single solution. Relying on one solution might raise financial concerns, but that does not in itself create a risk of system-wide disruption.
Domain 4.0 - Security Operations
162
Question 72:
A company has experienced a ransomware attack and needs to restore its data. Which of the following would be an example of a corrective control that the company could implement to address this issue?
Installing antivirus software on all company computers
Implementing a disaster recovery plan
Monitoring network traffic for signs of malware activity
Restoring data from backup after a ransomware attack
Installing antivirus software on all company computers
Implementing a disaster recovery plan
Monitoring network traffic for signs of malware activity
Correct answer
Restoring data from backup after a ransomware attack
Overall explanation
OBJ: 1.1 - Restoring data from backup after a ransomware attack is a corrective control because it remedies the damage after a security incident has occurred. Installing antivirus software on all company computers is a preventive control, used to stop security incidents from occurring. Implementing a disaster recovery plan is a recovery control, used to restore normal operations after a security incident. Monitoring network traffic for signs of malware activity is a detective control, used to detect security incidents.
Domain 1.0 - General Security Concepts
163
Question 73:
A company's internal audit reveals that sensitive customer data was leaked. Further investigation shows that an employee with authorized access intentionally shared the information with an external party for personal financial gain. What type of threat actor does this scenario describe?
Insider threat
Shadow IT
Organized crime
Hacktivist
Correct answer
Insider threat
Shadow IT
Organized crime
Hacktivist
Overall explanation
OBJ 2.1 - This scenario describes an insider threat: an employee with authorized access to sensitive data intentionally misuses their privileges to share information for personal financial gain. Insider threats are particularly dangerous because they come from within the organization and involve trusted individuals who already have access to sensitive systems or data. Unlike external attackers such as hacktivists or organized crime groups, insiders can bypass certain security measures because of their established permissions. Shadow IT refers to unauthorized systems or solutions used within a company; it does not apply here, as this incident involves deliberate misuse of legitimate access by an internal employee.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
164
Question 74:
A company wants to implement a system that can authenticate both users and devices before granting access to resources. For example, the system might check the user's credentials as well as the device's security posture before granting access. Which of the following components is responsible for making this decision?
Policy engine
Policy enforcement point
Subject/System
Policy administrator
Correct answer
Policy engine
Policy enforcement point
Subject/System
Policy administrator
Overall explanation
OBJ: 1.2 - The policy engine makes the access control decision, based on pre-defined policies and contextual information about the subject/system, such as the user's credentials and the device's security posture. The policy enforcement point enforces the decision made by the policy engine by allowing or blocking the connection. The policy administrator defines and manages the access control policies the policy engine uses and, in the NIST Zero Trust model, establishes or tears down the path between subject and resource through the enforcement point. The subject/system is the entity (user or device) requesting access to a resource.
Domain 1.0 - General Security Concepts
165
Question 75:
Cheryl, a security analyst, has received a panicked call from Seth. He had followed the email he received today from IT and installed a new malware detector on his computer this morning. Now files are disappearing from his hard drive. A quick call to IT lets Cheryl know that they didn't send an email to the employees asking them to install a new malware detector. Which of the following types of malware is MOST likely involved in this incident?
Ransomware
Bloatware
Trojan
Worm
Ransomware
Bloatware
Correct answer
Trojan
Worm
Overall explanation
OBJ: 2.4 - A Trojan is malware that disguises itself as a legitimate or benign program (here, a "malware detector" delivered by a phishing email posing as IT) but performs malicious actions when executed, such as deleting files or encrypting data. Ransomware encrypts the data or files on a system and demands a ransom for their decryption or restoration. Bloatware is unwanted software, often pre-installed or bundled, such as toolbars, adware, or trial software, that consumes resources and slows the system down. A worm is malware that self-replicates and spreads to other systems or networks without user interaction.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
166
Question 76:
Which term BEST describes a systematic method used to detect weaknesses or publicly known vulnerabilities in a system or network, often utilizing automated tools to evaluate the security posture of the infrastructure?
Bug bounties
System/process audit
Vulnerability scanning
Penetration testing
Bug bounties
System/process audit
Correct answer
Vulnerability scanning
Penetration testing
Overall explanation
OBJ 4.3: Vulnerability scanning is a systematic method for detecting weaknesses, vulnerabilities, and known exploitable flaws in a system or network, usually with automated tools that assess the security posture of the infrastructure. Unlike penetration testing, which actively exploits vulnerabilities, vulnerability scanning identifies and reports potential issues. Bug bounty programs reward external individuals for finding vulnerabilities, and system/process audits review processes and controls; neither is specifically the automated scanning of systems for vulnerabilities.
Domain 4.0 - Security Operations
167
Question 77:
You are a cybersecurity analyst for a large organization that collaborates with several external partners, each having their own user authentication systems. The organization wants to simplify the user login experience for both internal employees and external partners while maintaining a centralized identity management system. As a cybersecurity analyst, you recommend implementing a federation solution for this purpose. Which of the following approaches would be the most effective way to implement federation in the given scenario?
Restricting access to internal applications and resources solely based on the user's physical location or group identity
Use a protocol, such as SAML, to facilitate the exchange of identity information among organizations
Creating separate user accounts for external partners within the organization's identity management system
Sharing internal employee credentials with external partners to create more efficient access to all systems
Restricting access to internal applications and resources solely based on the user's physical location or group identity
Correct answer
Use a protocol, such as SAML, to facilitate the exchange of identity information among organizations
Creating separate user accounts for external partners within the organization's identity management system
Sharing internal employee credentials with external partners to create more efficient access to all systems
Overall explanation
OBJ 4.6: A federation protocol such as Security Assertion Markup Language (SAML) lets internal employees and external partners log in seamlessly: each user is authenticated by their own identity provider, and the resulting assertion is trusted by the service provider, so no separate accounts are needed across organizations. This simplifies identity management and improves the user experience while keeping control centralized. Sharing employee credentials with external partners risks unauthorized access and data breaches and violates least privilege. Location-based access control does not meet the need for streamlined logins. Creating separate accounts for partners complicates management and leads to duplication and inconsistencies. Federation avoids these issues by securely exchanging identity information without additional accounts.
Domain 4.0 - Security Operations
168
Question 78:
Which of the following best describes the Time-of-check to time-of-use (TOCTOU) vulnerability?
A race condition exploiting the delay between checking and acting on a condition
A flaw allowing unauthorized database commands to run via injected queries
An input validation issue that leads to execution of malicious code
An attack exploiting memory by overwriting buffers to execute code
Correct answer
A race condition exploiting the delay between checking and acting on a condition
A flaw allowing unauthorized database commands to run via injected queries
An input validation issue that leads to execution of malicious code
An attack exploiting memory by overwriting buffers to execute code
Overall explanation
OBJ 2.3 - A time-of-check to time-of-use (TOCTOU) vulnerability is a race condition that exploits the gap between when a condition is checked and when an action is taken based on that check. During the gap an attacker can change the system state, for example by swapping a file for a symbolic link or altering permissions or contents, so that the action operates on something other than what was checked. This differs from input validation issues, buffer overflows, and injection flaws, which exploit weaknesses in handling input, memory, or database queries rather than timing.
Domain 2.0 - Threats, Vulnerabilities, and Mitigations
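The file-system TOCTOU the card describes, in vulnerable and hardened form, as an added example that is not part of the card. It is POSIX-only Python (the C equivalent is the classic access()-then-open() pattern, fixed the same way with open(O_NOFOLLOW) plus fstat, or openat relative to a trusted directory descriptor). The attacker is simulated by a callback invoked inside the check-to-use gap so the race reproduces on every run; the report and secret files and their contents are constructed for the demonstration.

```python
"""TOCTOU race on a file, vulnerable and hardened, as an added example (not
from the card). POSIX only (O_NOFOLLOW, getuid). The attacker is simulated by
a callback run inside the check-to-use gap so the race reproduces
deterministically; a real attacker has to win that timing, which is why this
class of bug rarely shows up in functional testing."""
import os
import stat
import tempfile


def vulnerable_read(path, attacker=None):
    """Check with lstat, then open by path: two syscalls on a *name*, and the
    object the name refers to can be swapped between them."""
    st = os.lstat(path)                                    # time of check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing non-regular file")
    if attacker is not None:
        attacker()                                         # the race window
    with open(path, "rb") as f:                            # time of use; follows symlinks
        return f.read()


def hardened_read(path, attacker=None):
    """Open first, refusing to follow symlinks, then check the object that was
    actually opened with fstat. Check and use apply to one descriptor, so
    changing what the name points to afterwards cannot redirect the read."""
    if attacker is not None:
        attacker()                                         # same window, now harmless
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)  # ELOOP if symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("unexpected file type or owner")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a harmless report next to a secret the program
    must never return. The attacker replaces the report with a symlink to the
    secret inside the race window."""
    with tempfile.TemporaryDirectory() as d:
        report = os.path.join(d, "report.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def write_report():
            with open(report, "wb") as f:
                f.write(b"public report")

        def swap_for_symlink():
            os.remove(report)
            os.symlink(secret, report)

        results = {}
        write_report()
        results["vulnerable"] = vulnerable_read(report, attacker=swap_for_symlink)
        os.remove(report)                                  # drop the attacker's symlink
        write_report()
        results["hardened_no_attack"] = hardened_read(report)
        try:
            results["hardened"] = hardened_read(report, attacker=swap_for_symlink)
        except OSError:                                    # ELOOP raised by O_NOFOLLOW
            results["hardened"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

The fix is not "check faster": it is to stop checking a name and start checking the object you hold, which is why the hardened version has no check before the open at all. The owner comparison via fstat is the same idea applied to the permission checks TOCTOU bugs typically bypass.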
169
Question 79:
Which of the following practices is primarily concerned with tracking stored data and managing how long it is kept to ensure compliance with regulations?
Data Labeling
Data Attestation
Data Inventory and Retention
Data Governance
Data Labeling Data Attestation Correct answer Data Inventory and Retention Your answer is incorrect Data Governance Overall explanation OBJ: 5.4 - Data Inventory and Retention involves tracking data throughout its existence within an organization. It helps in understanding what data is held, where it's stored, and ensuring it's retained or discarded appropriately, aligning with compliance and organizational needs. While Data Governance encompasses a set of processes ensuring that important data assets are formally managed throughout the enterprise, it's broader than simply inventorying or retaining data and deals with overall data strategy, quality, and protection. Data Labeling refers to assigning descriptors or labels to data to reflect its nature or sensitivity. It assists in understanding the type of data but doesn't necessarily determine its lifecycle or retention periods. Data Attestation requires data handlers or stakeholders to confirm the accuracy and integrity of data at various stages. While it aids in ensuring data quality, it doesn't revolve around tracking or discarding data based on its age or relevance. For support or reporting issues, include Question ID: 64c07a039e4f2185413d15a0 in your ticket. Thank you. Domain 5.0 - Security Program Management and Oversight
170
Q

Question 80:

Which of the following statements BEST explains the importance of 'segmentation' in the context of vulnerability management?

Segmentation divides an organization's workforce into different departments, each with its specific roles and responsibilities

Segmentation categorizes vulnerabilities based on their severity levels to prioritize remediation efforts effectively

Segmentation isolates network resources and assets to contain potential security breaches

Segmentation ensures regular, systematic backups of each part of the network and system

A

Segmentation divides an organization's workforce into different departments, each with its specific roles and responsibilities

Segmentation categorizes vulnerabilities based on their severity levels to prioritize remediation efforts effectively

Your answer is correct

Segmentation isolates network resources and assets to contain potential security breaches

Segmentation ensures regular, systematic backups of each part of the network and system

Overall explanation

OBJ 4.3: Segmentation refers to the isolation of network resources and assets to contain potential security breaches and limit the spread of threats. By implementing network segmentation, organizations can minimize the impact of security incidents, prevent lateral movement of attackers, and enhance overall network security. Segmentation in vulnerability management is not about dividing the workforce into departments but is related to network and resource isolation for security purposes. While prioritizing vulnerabilities based on severity is essential, segmentation primarily relates to network isolation to enhance security. While data backup is crucial for data integrity and availability, it does not specifically relate to segmentation, which deals with network isolation and security measures.

For support or reporting issues, include Question ID: 64bfdacb78435ea1724a7eab in your ticket. Thank you.

Domain

4.0 - Security Operations
171
Q

Question 81:

Which US act requires federal agencies to develop security policies for computer systems that process confidential information?

GDPR

Computer Security Act (1987)

SOX

GLBA

A

GDPR

Correct answer

Computer Security Act (1987)

SOX

Your answer is incorrect

GLBA

Overall explanation

OBJ: 5.1 - The Computer Security Act (1987) specifically requires federal agencies to develop policies to secure computer systems that process sensitive or confidential information. GDPR (General Data Protection Regulation) is a European Union regulation that deals with the protection of personal data, and it doesn't pertain to US federal agencies' computer systems. GLBA (Gramm–Leach–Bliley Act) is focused primarily on financial institutions and requires them to ensure the security and confidentiality of customer data. While SOX (Sarbanes-Oxley Act) does emphasize transparency and accountability in financial reporting, it doesn't specifically target federal agencies' computer systems for confidential data.

For support or reporting issues, include Question ID: 6545632d7dcb30bec4e75c49 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
172
Q

Question 82:

Which activity is often considered as a financial safeguard against the potential aftermath of a security breach?

Segmenting network zones

Acquiring cyber liability insurance

Implementing multi-factor authentication

Regular backup of critical data

A

Segmenting network zones

Correct answer

Acquiring cyber liability insurance

Implementing multi-factor authentication

Your answer is incorrect

Regular backup of critical data

Overall explanation

OBJ 4.3: Cyber liability insurance is designed to help organizations cover the costs and potential legal consequences of cybersecurity breaches. This is especially beneficial in situations where vulnerabilities lead to data breaches. Regular backups ensure data availability in case of data loss scenarios, but they don't offer financial protection against the repercussions of breaches. Segmenting network zones can effectively reduce the spread of malicious activities within a network. However, it doesn't provide financial coverage against cyber incidents. While multi-factor authentication (MFA) strengthens access controls by requiring multiple forms of verification, it doesn't serve as a financial safeguard against cyber incidents.

For support or reporting issues, include Question ID: 6541d312e009fceed4cafc86 in your ticket. Thank you.

Domain

4.0 - Security Operations
173
Q

Question 83:

Which legislation mandates the implementation of risk assessments, internal controls, and audit procedures for ensuring transparency and accountability in financial reporting in the US?

GDPR

Computer Security Act (1987)

SOX

FISMA

A

GDPR

Computer Security Act (1987)

Correct answer

SOX

Your answer is incorrect

FISMA

Overall explanation

OBJ: 5.1 - The Sarbanes-Oxley Act is a US legislation that mandates various practices to protect investors by improving the accuracy and reliability of corporate financial statements and disclosures. GDPR (General Data Protection Regulation) is a European Union regulation that pertains to the protection of personal data and its processing, ensuring that entities collect and use such data fairly and transparently. FISMA (Federal Information Security Management Act) aims to govern the security of data processed by federal government agencies, but it doesn't specifically focus on financial transparency and accountability. While the Computer Security Act (1987) focuses on the security of federal computer systems processing confidential information, it does not deal with financial reporting transparency.

For support or reporting issues, include Question ID: 654561687dcb30bec4e75c3a in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
174
Q

Question 84:

You were recently hired by a large software company that specializes in developing mobile applications. After receiving your username and password, you are required to enter a one-time generated code from an authenticator app on your smartphone to gain access to the company's development environment. Which type of multi-factor authentication (MFA) factor does the authenticator app represent?

Something you have

Something you know

Somewhere you are

Something you have had

A

Correct answer

Something you have

Something you know

Your answer is incorrect

Somewhere you are

Something you have had

Overall explanation

OBJ 4.6: One-time codes from an authenticator app on a smartphone represent "Something you have" in MFA, as they are generated on and accessible only from the specific device, providing a secure second factor. "Something you know" involves knowledge-based factors like a password, which doesn’t apply here, as the code is generated by the app. "Somewhere you are" refers to location-based authentication, which considers geographic location as an additional factor.

For support or reporting issues, include Question ID: 64c131c06d5d20b6d8a8cbcc in your ticket. Thank you.

Domain

4.0 - Security Operations
175
Q

Question 85:

The process of regularly applying updates to software and systems to fix known vulnerabilities and improve security is best defined by which term?

Decommissioning

Configuration enforcement

Monitoring

Patching

A

Decommissioning

Configuration enforcement

Monitoring

Your answer is correct

Patching

Overall explanation

OBJ: 2.5 - Patching, the act of updating or fixing software to address vulnerabilities, ensures that systems are guarded against known threats. Configuration enforcement, ensuring that systems and applications run with the correct and secure settings, doesn't particularly address software vulnerabilities. Monitoring, the process of continuously observing and checking the operation of a system or network, ensures its functionality and security but does not directly deal with software updates. Decommissioning, the process of taking systems or components out of active service, is not focused on updating current systems.

For support or reporting issues, include Question ID: 64bef3af0f6a8ad3be5d3c98 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
176
Q

Question 86:

Which of the following is the primary advantage of implementing automation to secure operational tasks?

Lowered physical infrastructure costs

Efficiency in handling repetitive tasks

Increased team communication

Enhanced protection from zero-day vulnerabilities

A

Lowered physical infrastructure costs

Correct answer

Efficiency in handling repetitive tasks

Increased team communication

Your answer is incorrect

Enhanced protection from zero-day vulnerabilities

Overall explanation

OBJ 4.7: Automating routine processes can eliminate manual intervention, resulting in tasks being performed faster and with consistent precision. While automation might indirectly lead to infrastructure savings by optimizing tasks, it is not the direct consequence of automating operational tasks. While automation can aid in faster patching, it's not its primary function. Zero-day protection often involves other proactive measures. Although automation can streamline processes, it doesn't directly facilitate or enhance communication among team members.

For support or reporting issues, include Question ID: 6543da7ba304121583907b7e in your ticket. Thank you.

Domain

4.0 - Security Operations
177
Q

Question 87:

You were recently hired by a large software company that specializes in developing mobile applications. After receiving your username and password, the company requires you to use a smart card that uses radio frequency identification (RFID) to gain access to the company's development environment. Which type of multi-factor authentication (MFA) factor does the card represent?

Something you are

Something you have

Somewhere you are

Something you know

A

Something you are

Correct answer

Something you have

Your answer is incorrect

Somewhere you are

Something you know

Overall explanation

OBJ 4.6: "Something you have" refers to possessing a physical object like a smart card, security token, or mobile device. "Something you know" involves knowledge, like a password, which is not used here. "Something you are" includes biometrics, such as a fingerprint scan, but no biometric data is involved in this scenario. "Somewhere you are" refers to location-based factors like geolocation or IP address. In this case, the smart card’s presence is the authentication factor.

For support or reporting issues, include Question ID: 64c133126d5d20b6d8a8cbd1 in your ticket. Thank you.

Domain

4.0 - Security Operations
178
Q

Question 88:

After the launch of their latest online campaign, customers of E-ShopHub reported being redirected to a different website with similar design but promoting different products. On investigation, the IT team discovered that the DNS entries were not modified, but the domain registration details were changed, making it point to a different web hosting service. Which of the following terms refers to this malicious act?

ARP spoofing

DNS poisoning

Domain hijacking

Phishing campaign

A

ARP spoofing

DNS poisoning

Your answer is correct

Domain hijacking

Phishing campaign

Overall explanation

OBJ: 2.4 - Domain hijacking, also known as domain theft, refers to the act of changing the registration of a domain name without the permission of its original registrant. It results in the domain pointing to a different location, often with malicious intent. ARP spoofing is a type of attack where an attacker sends fake Address Resolution Protocol (ARP) messages onto a local network. This is unrelated to domain registration or DNS. A phishing campaign involves sending deceptive communications, often emails, to trick recipients into revealing sensitive information. It is not related to altering domain registration details. DNS poisoning involves altering or adding records to a DNS server, redirecting a domain's traffic to a different IP address. While it can result in redirection, it doesn't involve changing the domain's registration details.

For support or reporting issues, include Question ID: 652976883da03d15b9df1fb0 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
179
Q

Question 89:

An organization wants to adopt a technology that allows everyone to view every transaction equally, ensuring transparency and equal trust among users. Which attribute of cryptographic solutions would BEST fulfill this requirement?

Digital signature

Private ledger

Open public ledger

Symmetric key encryption

A

Digital signature

Private ledger

Correct answer

Open public ledger

Your answer is incorrect

Symmetric key encryption

Overall explanation

OBJ: 1.4 - An open public ledger, like that used with blockchain, ensures that every transaction is viewable by everyone, thus promoting transparency and trust. While it authenticates the origin of a message, a digital signature doesn't provide the same level of transaction visibility as an open public ledger. Symmetric encryption, although secure, is about encrypting and decrypting data with a shared key and doesn't address the transparency of transactions. A private ledger is restricted and not viewable by everyone.

For support or reporting issues, include Question ID: 64c3ddf0cecafa5b2df5d316 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
180
Q

Question 90:

You are a cybersecurity analyst for a large enterprise that relies on an IPS to detect and respond to potential security threats. Recently, the organization has observed increased sophisticated cyber attacks that bypass traditional signature-based detection methods. Which of the following approaches would be the MOST effective way to modify the IPS capabilities to enhance security?

Shift from using an IPS to using a firewall to block malicious IPs

Implementing behavior-based analysis on the IPS

Decrease the alerting threshold to prevent more malicious IPs from gaining access

Increasing the frequency of signature updates to ensure the IPS is up-to-date

A

Shift from using an IPS to using a firewall to block malicious IPs

Correct answer

Implementing behavior-based analysis on the IPS

Your answer is incorrect

Decrease the alerting threshold to prevent more malicious IPs from gaining access

Increasing the frequency of signature updates to ensure the IPS is up-to-date

Overall explanation

OBJ 4.5: Behavior-based analysis in IDS/IPS enables detection of abnormal activities lacking specific signatures, identifying sophisticated, signatureless attacks. While signature updates help detect known threats, they may miss zero-day or modified threats. Relying only on firewall rules overlooks IDS/IPS’s role in alerting on intrusion attempts. Disabling signature-based detection removes IDS/IPS’s core function, and lowering alert thresholds may overwhelm the security team with false positives, diverting focus from real threats. Balancing false positives with accurate threat detection is essential.

For support or reporting issues, include Question ID: 64c128499a41d8d9080483c0 in your ticket. Thank you.

Domain

4.0 - Security Operations
181
Q

Question 1:

The executive team at a software development firm decides that any project with a potential financial impact greater than $500,000 due to a security incident will require an immediate review and intervention. This financial impact figure represents which of the following in risk management?

Risk limit

Risk threshold

Risk tolerance

Risk level

A

Risk limit

Correct answer

Risk threshold

Risk tolerance

Your answer is incorrect

Risk level

Overall explanation

OBJ: 5.2 - The $500,000 financial impact figure is an example of a risk threshold, as it is the specific point at which the company must act to mitigate risk. Risk level pertains to the severity of risk and does not describe the actionable limit set by the company. While risk limit is not a standard term, it could colloquially be used to describe a risk threshold, but in this context, the correct term is "risk threshold." Risk tolerance refers to the general level of risk the firm is willing to accept, not the precise financial impact threshold for action.

For support or reporting issues, include Question ID: 65490890051528e2d9a12d3c in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
182
Q

Question 2:

Shels is a startup company with a limited budget for devices. As a job benefit, they offer employees the option to use their own computers and phones. This saves Shels from spending money on new devices while allowing employees to use the devices they prefer. Which of the following deployment models is Shels using?

BYOD

CYOD

COBO

COPE

A

Correct answer

BYOD

CYOD

Your answer is incorrect

COBO

COPE

Overall explanation

OBJ 4.1: BYOD stands for Bring Your Own Device, which is a deployment model that allows employees to use their personal devices, such as laptops, smartphones, or tablets, to access the company’s network and applications. This model can reduce the costs and risks associated with managing and securing these devices, as the responsibility is shifted to the employees. COBO stands for Corporate Owned Business Only, which is a deployment model that involves the company providing devices to its employees and restricting them to work-related use only. This model can ensure the highest level of security and compliance for these devices, but it also reduces the productivity and satisfaction of the employees, as they have to carry multiple devices for different purposes. CYOD stands for Choose Your Own Device, which is a deployment model that allows employees to choose from a list of approved devices provided by the company. This model can offer some flexibility and convenience to the employees while also enabling the company to enforce security standards and policies on these devices. COPE stands for Corporate Owned Personally Enabled, which is a deployment model that involves the company providing devices to its employees and allowing them to use them for both work and personal purposes. This model can give the company more control over the security and management of these devices, but it also increases the costs and risks associated with owning and maintaining them.

For support or reporting issues, include Question ID: 64b887756c1e030e26f9d8a9 in your ticket. Thank you.

Domain

4.0 - Security Operations
183
Q

Question 3:

You are a security analyst tasked with investigating a suspected security breach in your organization's network. You decide to examine the Intrusion Prevention System/Intrusion Detection System (IPS/IDS) logs. Which of the following pieces of information would be MOST valuable in these logs to investigate the incident?

The total number of network connections made in the last month

Details of detected suspicious activities for the past two weeks

The list of permitted IP addresses for the organization's internal network

The source IPs, destination IPs, port numbers, protocols used, and timestamps for all connections in the past 2 weeks

A

The total number of network connections made in the last month

Correct answer

Details of detected suspicious activities for the past two weeks

Your answer is incorrect

The list of permitted IP addresses for the organization's internal network

The source IPs, destination IPs, port numbers, protocols used, and timestamps for all connections in the past 2 weeks

Overall explanation

OBJ 4.9: The details of specific suspicious activities such as source and destination IPs, port numbers, protocols, and timings can provide significant evidence for a security investigation. This information can help trace potential intruders and determine the methods they used for the breach. The source IPs, destination IPs, port numbers, protocols used, and timestamps for all connections in the past 2 weeks could be beneficial, but it is a lot of information to go through, and it will be easy to overlook events. You will be better served by looking at suspicious activities rather than all activities. While the list of permitted IPs is an important part of managing access and controlling a network, it doesn't provide immediate, incident-specific information for a security breach investigation. The sheer number of connections doesn't provide specific or actionable information about a potential security breach. Detailed log entries about anomalous or suspicious connections would be more useful.

For support or reporting issues, include Question ID: 64c1713e2e60209dbaac2207 in your ticket. Thank you.

Domain

4.0 - Security Operations
184
Q

Question 4:

Which of the following BEST describes security risks inherent to on-premises infrastructure?

Risks that stem from third-party vendors and their supply chains

Risks that come from the reduction in monitoring needed when using your own equipment

Vulnerabilities in local equipment and weak configurations on private networks

Vulnerabilities introduced by the possible lack of security protocols of the cloud provider

A

Risks that stem from third-party vendors and their supply chains

Risks that come from the reduction in monitoring needed when using your own equipment

Correct answer

Vulnerabilities in local equipment and weak configurations on private networks

Your answer is incorrect

Vulnerabilities introduced by the possible lack of security protocols of the cloud provider

Overall explanation

OBJ: 3.1 - On-premises infrastructures imply that hosts, servers, routers, switches, access points, and firewalls are locally managed within the organization's physical boundaries. This places the onus of security squarely on the organization, making it responsible for identifying and mitigating software vulnerabilities, strengthening weak configurations, and addressing any issues tied to third-party components. Without stringent monitoring and maintenance, these systems can be susceptible to various threats, emphasizing the criticality of comprehensive risk management. On-premises systems require increased monitoring, not reduced monitoring. Organizations need to be vigilant in assessing, monitoring, and updating their systems, since they are entirely responsible for security. A reduction in monitoring would actually increase risks, not describe them accurately. Supply chain risks are a valid concern; however, they are not specific to on-premises infrastructure. These risks can affect any system, whether cloud-based or on-premises, depending on the third-party software, hardware, or services integrated into the infrastructure. On-premises security responsibility rests primarily with the organization, not a cloud provider.

For support or reporting issues, include Question ID: 64c0a84fe16c685b341111d3 in your ticket. Thank you.

Domain

3.0 - Security Architecture
185
Q

Question 5:

An attacker attempts to access a user’s account by systematically trying every possible combination of characters until the correct password is found. Which type of password attack is this?

Password spraying

Brute force attack

Dictionary attack

Credential stuffing

A

Password spraying

Correct answer

Brute force attack

Dictionary attack

Your answer is incorrect

Credential stuffing

Overall explanation

OBJ 2.4 - This is a brute force attack, where the attacker attempts to access a user’s account by systematically trying every possible combination of characters until the correct password is found. Unlike other methods, brute force attacks do not rely on common or previously used passwords but rather on generating and testing all possible combinations, making it a time-consuming but thorough approach. This differs from password spraying, which tests a few common passwords across multiple accounts, and a dictionary attack, which uses a list of likely passwords to guess one account’s password. Credential stuffing uses stolen credentials from other breaches and does not involve guessing each possible character combination.

For support or reporting issues, include Question ID: 67212c9d84b5580af615ecb0 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
186
Q

Question 6:

A database server is found to be running unnecessary services, increasing its attack surface. This oversight occurred because the default installation was not reviewed after deployment. Which vulnerability does this scenario highlight?

Cross-site request forgery (CSRF)

Misconfiguration

SQL injection

Buffer overflow

A

Cross-site request forgery (CSRF)

Correct answer

Misconfiguration

SQL injection

Your answer is incorrect

Buffer overflow

Overall explanation

OBJ 2.3 - This scenario highlights misconfiguration as the primary vulnerability. Leaving unnecessary services running on a database server increases the attack surface, making the system more susceptible to potential threats. This oversight, due to a lack of review after deployment, is a common misconfiguration issue. Proper configuration management includes disabling any unnecessary features or services to minimize vulnerabilities. Unlike SQL injection, CSRF, or buffer overflow, which exploit specific code or input handling weaknesses, misconfiguration refers to insecure settings that expose the system to attacks.

For support or reporting issues, include Question ID: 672122b2860f05343dd3a0f3 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
187
Q

Question 7:

In the realm of digital forensics, why is a legal hold considered a crucial procedure?

It grants forensic investigators immediate access to a crime scene

It preserves potential evidence for future litigation

It provides a platform for communication between IT and legal teams

It mandates the periodic review of security policies

A

It grants forensic investigators immediate access to a crime scene

Correct answer

It preserves potential evidence for future litigation

It provides a platform for communication between IT and legal teams

Your answer is incorrect

It mandates the periodic review of security policies

Overall explanation

OBJ 4.8: A legal hold is an official directive to preserve potential evidence relevant to litigation, ensuring that it isn't altered or destroyed. Although collaboration is vital, a legal hold's primary purpose is not for communication. Regular review of security policies is essential, but mandating the periodic review of security policies is not the primary reason for a legal hold. While investigators need access, granting forensic investigators immediate access to a crime scene is not the focus of a legal hold.

For support or reporting issues, include Question ID: 64c16c0d2e60209dbaac21e9 in your ticket. Thank you.

Domain

4.0 - Security Operations
188
Q

Question 8:

You find a USB drive in the parking lot of your office. It looks like a USB drive your coworker has. You plug it into your computer to see if there are any documents that show it belongs to your coworker. You see a file named “resume.docx” and double-click on it. The file then launches a hidden program that installs a keylogger on your computer. What kind of threat vector was used in this attack?

File-based

Unsecure networks

Removable device

Default credentials

A

File-based

Unsecure networks

Your answer is correct

Removable device

Default credentials

Overall explanation

OBJ: 2.2 - A removable device threat vector uses portable devices such as USB drives or external hard drives to introduce malware or compromise systems. An unsecure network threat vector uses wireless, wired, or Bluetooth networks that are not protected or encrypted to intercept or modify traffic. The attack does not involve any network communication or connection. A file-based threat vector uses corrupted or malicious files to infect systems or networks. The file itself is not the threat vector, but the removable device that contains it. A default credentials threat vector uses weak or common passwords or usernames to access systems or accounts. The attack does not involve any authentication or authorization process.

For support or reporting issues, include Question ID: 64ba262ebcf4aeea94b9abb9 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
189
Q

Question 9:

What is the primary responsibility of a data custodian in the realm of data governance?

Enforces security controls for the safe transport and storage of data.

Develops and oversees the execution of the organization's IT strategy.

Determines how personal data should be processed and for what purposes.

Identifies the classification and sensitivity of organizational data.

A

Correct answer

Enforces security controls for the safe transport and storage of data.

Develops and oversees the execution of the organization's IT strategy.

Determines how personal data should be processed and for what purposes.

Your answer is incorrect

Identifies the classification and sensitivity of organizational data.

Overall explanation

OBJ: 5.1 - The custodian ensures that data is managed securely in line with the guidelines provided by the data owner and controller. Developing and overseeing the execution of the organization's IT strategy is generally done by IT leadership or the governance board, rather than the custodian. How personal data should be processed and for what purposes are decisions typically made by the controller, not the custodian. The responsibility of data classification usually lies with the data owner.

For support or reporting issues, include Question ID: 6548699508900a3da5d9c12c in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
190
Q

Question 10:

Which of the following terms refers to ensuring that information remains unchanged from its source and has not been improperly modified?

Authentication

Confidentiality

Integrity

Availability

A

Authentication

Confidentiality

Correct answer

Integrity

Your answer is incorrect

Availability

Overall explanation

OBJ: 1.2 - Integrity ensures that information remains accurate and reliable over its entire life cycle, safeguarding against unauthorized alterations. Authentication confirms the identity of a user or system before granting access to resources. Confidentiality protects information from unauthorized access and disclosure. Availability ensures that systems and data are available to authorized users when they need them.

For support or reporting issues, include Question ID: 65246caa94078e888faec857 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
191
Q

Question 11:

What is the term for a type of human vector/social engineering attack that involves pretending to be someone else to gain trust or access?

Business email compromise

Pretexting

Impersonation

Misinformation/disinformation

A

Business email compromise

Pretexting

Correct answer

Impersonation

Your answer is incorrect

Misinformation/disinformation

Overall explanation

OBJ: 2.2 - Impersonation is a type of human vector/social engineering attack that involves pretending to be someone else to gain trust or access. It can be used to deceive users into revealing sensitive information, performing malicious actions, or granting privileges. Pretexting is a type of human vector/social engineering attack that involves creating a false scenario or reason to justify the request or communication. It can be used to deceive users into revealing sensitive information, performing malicious actions, or granting privileges. Misinformation/disinformation is a type of human vector/social engineering attack that involves spreading false or misleading information to influence people’s beliefs or actions. It does not necessarily involve pretending to be someone else. Business email compromise is a type of human vector/social engineering attack that involves compromising an email account of an organization and using it to send fraudulent emails to trick recipients into transferring money or revealing sensitive information. It does not necessarily involve pretending to be someone else.

For support or reporting issues, include Question ID: 64b9c44d4f2514373b39a046 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
192
Q

Question 12:

You are a security analyst tasked with investigating a suspected security breach. As part of your investigation, you decide to examine the security dashboards of your monitoring tools. Which of the following pieces of information from the dashboards would be MOST valuable to investigating the incident?

The number of users logged into the system at any given time

Real-time data of suspicious activities

The total number of users logged into the system at any given time

The count of malware blocked over the past year

A

Correct answer

Real-time data of suspicious activities

Overall explanation

OBJ 4.9: Real-time data linked to suspicious activities can provide a clear pathway to investigate the incident. Information such as the source and destination IP, along with the anomaly scores, can help identify possible threat actors or affected systems. The total number of users logged into the system at any given time can help with resource planning and identification of abnormal behavior if there's a spike in count, but it does not provide actionable insights for a specific security incident. While trends in such counts provide a broader view of network activity and can help identify anomalies over time, they do not specifically aid in investigating a security breach. While the count of malware blocked over the past year can showcase the effectiveness of security tools, it doesn't provide specific insights about the incident under investigation.

Domain

4.0 - Security Operations
193
Q

Question 13:

When Shirley goes through her onboarding procedures with a new company, she is told that her department will have the authority to make decisions in their areas of responsibility, with minimal input from the chief operating officer, the board of executives, and the CEO. What type of governance does the company use?

Decentralized governance

Board governance

Centralized governance

Committee governance

A

Correct answer

Decentralized governance

Overall explanation

OBJ: 5.1 - In a decentralized governance structure, decision-making power is distributed among different departments or units within an organization. Each department or unit has a degree of autonomy and authority to make decisions related to their specific areas of responsibility. Committee governance involves decision-making by a group of individuals or committees who collectively address specific issues or areas of concern. Committees are formed to discuss, analyze, and make decisions based on their expertise or mandate. In a centralized governance structure, decision-making power is concentrated in a single central authority or entity within the organization. This central authority is responsible for making decisions that impact the entire organization or multiple departments. Board governance refers to a governing body that oversees and guides the strategic direction of an organization. The board of directors, often composed of key stakeholders and executives, is responsible for making high-level decisions that affect the overall direction and performance of the organization.

Domain

5.0 - Security Program Management and Oversight
194
Q

Question 14:

Which of the following statements BEST describes the Control Plane in the Zero Trust model?

Decides on access based on policies and threats.

Employs security decisions based on user behavior.

Ensures efficient transmission of approved data.

Limits potential damage zones in a network.

A

Correct answer

Decides on access based on policies and threats.

Overall explanation

OBJ: 1.2 - The Control Plane within the Zero Trust model is fundamentally responsible for deciding on access based on policies and threats, which is a dynamic and multifaceted task. While it does consider user behavior as part of its decision-making process, employing security decisions based on user behavior is only one aspect of its function. Although the Control Plane's decisions can indirectly limit potential damage zones by enforcing segmented access to network resources, its primary role should not be confused with the outcomes of its policy enforcement. The Control Plane does not directly ensure the efficient transmission of data; that is a misconception, as transmission is the role of the Data Plane.

Domain

1.0 - General Security Concepts
195
Q

Question 15:

In deploying an IoT architecture at Dion Training, which consideration is vital to ensure the continuous operation of connected devices?

Virtualization

Power

Ease of Deployment

RTOS

A

Correct answer

Power

Overall explanation

OBJ: 3.1 - Ensuring adequate power is vital as it affects the operational continuity and reliability of the connected devices, preventing disruptions and downtimes. While virtualization is a significant technology, it is not a direct consideration for the continuous operation of devices. RTOS is crucial for managing real-time applications in IoT but doesn't specifically address the considerations for the continuous operation of devices. Ease of Deployment addresses the ability to quickly install and implement a system. It doesn't address continuous operation of devices.

Domain

3.0 - Security Architecture
196
Q

Question 16:

A software application blocks access for a specific group of known malicious IP addresses. Which of the following terms BEST describes this type of configuration?

Maintenance window

Impact analysis

Allow list

Deny list

A

Correct answer

Deny list

Overall explanation

OBJ: 1.3 - A deny list is a list specifying entities that are explicitly denied access or permissions. A maintenance window is a predefined time frame during which system changes or updates are applied to minimize disruption to business operations. An allow list is a list specifying entities, such as IP addresses, that are explicitly granted access or permissions. Impact analysis is the process of assessing and predicting the potential consequences of a proposed change.

Domain

1.0 - General Security Concepts
197
Q

Question 17:

Which of the following attributes of threat actors refers to the amount of equipment they have at their disposal?

Internal/external

Resources/funding

Level of sophistication/capability

Motivations

A

Correct answer

Resources/funding

Overall explanation

OBJ: 2.1 - Resources/funding refers to the amount of money, equipment, or personnel that a threat actor has at their disposal. Actors with higher levels of resources/funding can launch attacks that are greater in scope and duration and will have a greater impact than actors with low levels of resources/funding. Internal/external refers to whether the actor has access inside or outside of an organization's network or physical perimeter. Internal/external often refers to the amount of access, visibility, and trustworthiness the actor has. Internal actors tend to have greater access, are less visible, and are trusted by the organization they are attacking. Level of sophistication/capability refers to the amount of technical skills, knowledge, or experience that a threat actor has. Actors with higher levels of sophistication/capability can launch attacks that are more complex, stealthier, and effective than actors with lower levels of sophistication/capability. Motivations refer to the goals, intentions, or reasons that a threat actor has for launching an attack. The motivations of an attack influence the target and method actors choose and also influence the outcome of an attack.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
198
Q

Question 18:

Dion Training is looking to enhance the security of their enterprise infrastructure by detecting and analyzing malicious activity on their network in real-time. They need a solution that can monitor traffic, identify suspicious patterns, and send alerts for immediate action. Which of the following would be the MOST appropriate solution to apply in this scenario?

Firewalls

IPSs

Network sensors

VPNs

A

Correct answer

Network sensors

Overall explanation

OBJ 3.2: Network sensors actively monitor and analyze network traffic for suspicious activity and anomalies, making them a crucial tool for Dion Training to detect potential threats in real-time and secure their infrastructure effectively. Virtual private networks (VPNs) are primarily used to create a secure connection to another network over the Internet, ensuring secure communication, but they do not actively monitor and analyze network traffic for threats. Intrusion Prevention Systems (IPS) do analyze network traffic to prevent vulnerability exploitation, but they are more focused on preventing known threats rather than real-time analysis and detection of new, unknown threats. While firewalls are essential for controlling incoming and outgoing network traffic based on an organization's previously established security policies, they are not specialized in analyzing traffic patterns for malicious activity.

Domain

3.0 - Security Architecture
199
Q

Question 19:

Jamario was reviewing a series of digital signatures when he discovered that a benign file and a potentially malicious file had identical signatures, even though their content was completely different. Which of the following attacks is MOST likely the reason for the identical digital signatures in Jamario's observation?

Time-memory trade-off

Birthday attack

Ciphertext-only attack

Padding oracle attack

A

Correct answer

Birthday attack

Overall explanation

OBJ: 2.4 - Given Jamario's discovery of two different files with the same digital signature, a birthday attack is probable. Attackers can exploit hash function collisions, making two different inputs produce the same hash value, which can then be used to forge digital signatures. A padding oracle attack targets the padding of a cryptographic message. It doesn't deal with hash function collisions or identical digital signatures. In a ciphertext-only attack, the attacker has access only to the encrypted message. The goal is to derive the plaintext or the key. It isn't directly related to hash collisions or identical digital signatures. A time-memory trade-off involves using more memory to decrease the time required to find a solution, often used in password cracking. It doesn't concern hash collisions or digital signature forgeries.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
200
Q

Question 20:

For an organization seeking an immediate and fully operational alternative in case of a primary site failure, which of the following recovery locations would be BEST suited?

Clustering

Cold

Warm

Hot

A

Correct answer

Hot

Overall explanation

OBJ 3.4: A hot site is fully equipped and can provide immediate backup and recovery capabilities. A warm site partially replicates an organization's IT infrastructure, and while it can be made fully operational quickly, it doesn't provide the immediate recovery capabilities of a hot site. A cold site is a backup or redundant data center that requires substantial time to become operational and therefore may not guarantee immediate recovery. Clustering can aid in high availability by connecting multiple servers; it does not inherently provide immediate recovery capabilities like a hot backup site.

Domain

3.0 - Security Architecture
201
Q

Question 21:

What is the main reason for implementing multi-cloud systems in security architecture, especially to minimize dependency on a single vendor or service provider?

Platform diversity

Data security

Load balancing

Parallel processing

A

Correct answer

Platform diversity

Overall explanation

OBJ 3.4: Multi-cloud systems increase platform diversity. Using different cloud providers and different platforms makes a system less vulnerable to platform-specific attacks. In the event that one platform is made less secure or less functional, a different platform can be used. Parallel processing involves using multiple CPUs to process different parts of a bigger task. It requires the task to be broken into separate parts. The benefits of parallel processing include greater speed and greater fault tolerance. Load balancing distributes network or application traffic across many servers, which optimizes the use of resources, maximizes throughput, and reduces latency. Even though multi-cloud systems can enhance data security, they can also make security systems more difficult to manage or more complex; however, the primary reason for multi-cloud implementation is to increase platform diversity.

Domain

3.0 - Security Architecture
202
Q

Question 22:

You are the security administrator for a medium-sized company that operates in multiple time zones. The company's management wants to implement time-of-day restrictions for user access to the company's sensitive data and systems. The goal is to enhance security by limiting access during non-business hours. Which of the following options would meet all password practices and successfully implement and maintain time-of-day restrictions?

Enforcing complex passwords for all user accounts and implementing a daily password rotation policy based on the user's local time zone

Assigning temporary user accounts with basic access and fixed time restrictions for all employees during business hours only

Integrating SSO with RBAC and applying time-based policies to restrict access to specific resources

Implementing two-factor authentication for all user accounts and allowing users to choose their time restrictions based on their personal schedules

A

Correct answer

Integrating SSO with RBAC and applying time-based policies to restrict access to specific resources

Overall explanation

OBJ 4.6: Integrating single sign-on (SSO) with role-based access control (RBAC) allows centralized control over user access, enabling time-based policies to restrict resource access during non-business hours while ensuring password standards. Assigning temporary accounts with business-hour restrictions increases administrative overhead and is less effective for securing access outside regular hours. Although complex passwords and daily rotations are good practices, rotating based on users' local time zones adds unnecessary complexity and may hinder effective time-of-day restrictions, especially in multiple time zones. Two-factor authentication is valuable, but allowing users to set personal access times risks inconsistency and security gaps; a centralized, standardized approach is preferable.

Domain

4.0 - Security Operations
203
Q

Question 23:

Which of the following statements is NOT true regarding the importance of Technical Debt?

Technical debt can lead to higher costs in the future, due to increased maintenance or refactoring needs

Technical debt is a measure of the RTO of security systems and security departments as costs accumulate over time

Technical debt refers to the implied cost of additional work caused by choosing a quick solution instead of the best approach that would take longer

Management of technical debt is important as it can impact the efficiency of automation and orchestration processes

A

Correct answer

Technical debt is a measure of the RTO of security systems and security departments as costs accumulate over time

Overall explanation

OBJ 4.7: Technical debt does not refer to a monetary debt or return on investment for security systems or security departments accumulated over time. It refers to additional work or complexity that builds up when we take shortcuts or adopt temporary fixes instead of implementing the most appropriate yet time-consuming solution. Ignoring technical debt can indeed lead to higher costs and possible future vulnerabilities, as it often requires more significant software changes or maintenance in the long term. Proper management of technical debt is essential, as high technical debt can negatively impact the efficiency and effectiveness of automation and orchestration activities. Technical debt refers to the future cost incurred due to a choice of faster, yet inferior or incomplete solutions at the current moment.

Domain

4.0 - Security Operations
204
Q

Question 24:

Rachel, an IT support professional, has been told that one of her company's certificates appears not to be valid. Using the name of the certificate, what is the quickest way for her to see if the certificate has been invalidated?

OCSP

CRLs

CAs

RoT

A

Correct answer

OCSP

Overall explanation

OBJ: 1.4 - Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of a digital certificate. Since she has the name, she can quickly look up the certificate to see if it has been invalidated. Certificate Revocation Lists (CRLs) are lists of certificates that have been revoked by a Certificate Authority before their scheduled expiration date. This will work, but she will have to scan through the entire list. Since she has the name, her best bet is to use the Online Certificate Status Protocol, not the CRL. Certificate Authorities (CAs) are trusted entities that issue and manage security credentials and public keys for message encryption. Contacting the CA to check on the certificate's validity isn't a very fast way to find out if the certificate is invalid. Root of Trust (RoT) is a source that can always be trusted within a cryptographic system. This does not describe the internet protocol used for obtaining the revocation status of a digital certificate.

Domain

1.0 - General Security Concepts
205
Q

Question 25:

A financial institution implements a system ensuring its critical applications remain operational, even during maintenance or minor component failures. While this approach reduces downtime, what security concerns might be increased as a result of the high availability design?

Hardcoded software limitations

Limits on permissions for role based access

Vulnerabilities of all cloud native environments

Vulnerabilities in redundancy mechanisms

A

Correct answer

Vulnerabilities in redundancy mechanisms

Overall explanation

OBJ: 3.1 - While high availability systems prioritize uptime, they can sometimes introduce risks such as vulnerabilities in their failover and redundancy systems. Hardcoded software limitations are a concern of embedded systems, whose primary concerns revolve around their inability to quickly update or patch; this doesn't relate to uptime concerns. Vulnerabilities of all cloud native environments refers to cloud-native applications, which are tailored for cloud platforms and don't inherently carry risks associated with constant uptime. Limits on permissions for role based access refers to Role-Based Access Control (RBAC), which manages system access based on user roles within an organization and isn't directly tied to uptime issues. High availability wouldn't produce limits on permissions for role based access.

Domain

3.0 - Security Architecture
206
Q

Question 26:

Kizzy is assessing different architecture models. She is particularly concerned with how easily the system can be recovered after a failure. Which of the following aspects would be MOST essential to consider from a security perspective?

Data backup and restore capabilities

Integration with third-party tools

Patch availability

Architecture's market popularity

A

Correct answer

Data backup and restore capabilities

Overall explanation

OBJ: 3.1 - Ease of recovery heavily relies on an architecture's capability to back up and restore data efficiently. If the system cannot restore data quickly after a breach or failure, it poses significant security and operational risks. Although integration with external tools can enhance functionality, it doesn't directly indicate the architecture's ability to recover swiftly after a security issue. The popularity of an architecture in the market might suggest its reliability but doesn't necessarily correlate with its ease of recovery from a security incident. Patch availability refers to the ability to obtain and apply security updates or fixes for software or systems, which is an important aspect of maintaining security and functionality. Some factors that can affect patch availability are vendor support, compatibility, and testing. This is an important consideration, but it doesn't directly address ease of recovery.

Domain

3.0 - Security Architecture
207
Q

Question 27:

Dion Training wants to secure only a specific section of their server's hard drive that contains sensitive client data. Which encryption method would be BEST suited for this requirement?

File-level encryption

Wildcard certificate

Partition encryption

Full-disk encryption

A

Correct answer

Partition encryption

Overall explanation

OBJ: 1.4 - Partition encryption, like LUKS (Linux Unified Key Setup) on Linux systems, allows the encryption of a particular partition or volume. It's ideal for Dion Training's need to secure a specific section of their server's hard drive. Full-disk encryption encrypts the entire hard drive, which might be overkill if only a specific section needs encryption. While file-level encryption can encrypt specific files or folders, it doesn't necessarily target entire sections or partitions of a hard drive. A wildcard certificate secures multiple subdomains of a main domain but is unrelated to disk encryption.

Domain

1.0 - General Security Concepts
208
Q

Question 28:

As a security analyst, you are examining endpoint logs while investigating a malware attack incident. Which of the following pieces of information is NOT typically captured in the endpoint log data?

Time and date of system and application events

User login activities

Files and applications accessed

Amount of available storage space on the device

A

Correct answer

Amount of available storage space on the device

Overall explanation

OBJ 4.9: Endpoint logs typically do not monitor or record the amount of available or used storage space on a device. While this information could be useful for understanding system performance, it is not typically relevant or captured for security investigations. User login activities are usually captured in endpoint logs. This includes when and by whom a system is accessed, failed access attempts, and logout times; these are crucial when investigating potential unauthorized access or insider threats. Files and applications accessed are commonly logged and can provide insights when investigating events such as unauthorized access, data exfiltration, or malware infection. Time and date of system and application events are essential components of log data. They help establish timelines for events, correlate incidents across multiple systems, and identify unusual patterns of activity.

Domain

4.0 - Security Operations
209
Q

Question 29:

Which of the following control types BEST represents a step-by-step guide issued to employees to ensure they follow a standard procedure when setting up new workstations?

Detective Control

Corrective Control

Directive Control

Deterrent Control

A

Correct answer

Directive Control

Overall explanation

OBJ: 1.1 - Directive controls guide actions and ensure consistent behavior or actions within an organization. Detective controls identify and react to incidents after they've occurred. They don't guide actions or behaviors. Corrective controls bring a system or environment back to its desired state post-incident. They don't act to guide consistent actions. Deterrent controls discourage undesired behaviors. They don't provide step-by-step instructions.

Domain

1.0 - General Security Concepts
210
Q

Question 30:

Which of the following statements is NOT true about the importance of user provisioning in relation to secure operations?

User provisioning automates the creation and destruction of new virtual machines as employees are hired and leave

User provisioning streamlines user access to the resources they need to perform their job

User provisioning allows for the immediate deactivation of a user's network access when they no longer serve their role

User provisioning helps in reducing administrative overhead by automating routine user account processes

A

Correct answer

User provisioning automates the creation and destruction of new virtual machines as employees are hired and leave

Overall explanation

OBJ 4.7: User provisioning focuses on creating accounts and access for employees. It incorporates the processes of creation, modification, deactivation, deletion of user accounts, and maintenance of user roles. It ensures users have correct, timely access with the right privileges. While onboarding a user may lead to the creation of virtual machines, that takes place after the user's accounts are created and isn't part of provisioning. User provisioning allows user access to be well-aligned with their tasks. This can ensure seamless operations and reduced downtime by ensuring users have the resources they need, when they need them. Instant deactivation of network access when a user's role ends prevents unauthorized and potentially dangerous access. User provisioning automates routine user management activities; hence, the administrative workload is considerably reduced. This simplification allows resources to be directed towards other important areas.

Domain

4.0 - Security Operations
211
Q

Question 31:

Which of the following control types BEST describes the use of surveillance cameras to record and identify malicious activities occurring around a facility after they've happened?

Corrective Control

Directive Control

Deterrent Control

Detective Control

A

Correct answer

Detective Control

Overall explanation

OBJ: 1.1 - A detective control is designed to detect and react to incidents that have occurred. Surveillance cameras don't prevent the incident but help in identifying the events after they've happened. Directive controls guide consistent behavior or actions within an organization. They don't detect events after they've happened. Corrective controls act to bring the system back to its desired state after an incident. They don't typically involve detecting the incident itself. A deterrent control is intended to discourage potential attackers from malicious activities. While surveillance cameras might act as a mild deterrent, their primary function is to detect incidents after the fact.

Domain

1.0 - General Security Concepts
212
Q

Question 32:

Magnetic Island Networking is in the process of finalizing a contract with a new vendor to provide IT services. To ensure clear expectations, Magnetic Island wants to define the measurements of quality and performance they want from the vendor. Which of the following documents will they draw up for the vendor?

SLA

SOW

MOU

MSA

A

Correct answer

SLA

Overall explanation

OBJ: 5.3 - The Service-Level Agreement (SLA) is the document that precisely defines the agreed-upon service levels and performance metrics that the vendor is expected to meet. It outlines the specific services to be provided, performance expectations, response times, and remedies for not meeting the agreed-upon levels. The Work Order (WO) or Statement of Work (SOW) is a document that provides detailed instructions and requirements for specific tasks or projects to be carried out by the vendor. It may include information on deliverables, timelines, and costs, but it does not focus on service levels and performance metrics. The Master Service Agreement (MSA) is a comprehensive document that establishes the overall framework for a long-term business relationship between Magnetic Island and the vendor. It outlines the general terms and conditions, but it does not specifically detail the service levels and performance metrics. The Memorandum of Understanding (MOU) outlines the terms of a partnership between two organizations and how they will collaborate on specific projects or initiatives. While it may establish the overall collaboration, it does not include service levels and performance metrics.

Domain

5.0 - Security Program Management and Oversight
Question 33:

Which of the following technologies is designed to combat email spoofing by allowing a domain owner to indicate which email sources are legitimate and providing a way for receiving mail servers to verify and report on the authentication of received email?

SPF
TLS
DKIM
DMARC

Correct answer: DMARC

Overall explanation

OBJ: 2.2 - Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol that leverages SPF and DKIM techniques to provide domain owners the ability to protect their domain from unauthorized use, or spoofing. It also offers a way for domain owners to get feedback on how receivers view emails coming from their domain. DomainKeys Identified Mail (DKIM) allows senders to associate a domain name with an email, thus vouching for its authenticity. Transport Layer Security (TLS) is a protocol for encrypting data sent over the internet. While it can be used to secure email transmissions, it does not specifically address email spoofing. Sender Policy Framework (SPF) allows domain administrators to define which mail servers are allowed to send email on behalf of their domains.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 34:

Which of the following activities take place during the recovery phase in the incident response process?

Defining roles and responsibilities for the treatment of particular problems
Classifying events based on their severity and impact to the organization
Getting the systems and services back to normal
Analyzing the evidence to determine the root cause of the incident

Correct answer: Getting the systems and services back to normal

Overall explanation

OBJ 4.8: The recovery phase in the incident response process involves restoring affected systems and services to their normal operation after an incident. During this phase, the incident response team works to repair and recover any damage caused by the incident, ensuring that business operations can resume as usual. Developing an incident response plan, defining roles and responsibilities, and conducting regular training and drills belong to the "Preparation" phase of the incident response process. This phase ensures that the organization is ready to respond effectively to incidents, but it does not directly involve the recovery of affected systems. Analyzing the evidence and determining the root cause of the incident falls under the "Analysis" phase of the incident response process. This phase aims to understand how the incident occurred and what vulnerabilities were exploited. Identifying and classifying incidents based on their severity and impact on the organization is part of the "Detection" phase in the incident response process. This phase involves recognizing that an incident has occurred and understanding its potential implications.

Domain

4.0 - Security Operations
Question 35:

Which of the following technologies allows creating multiple isolated environments on a single physical device?

Virtualization
ICS
Containerization
SDN

Correct answer: Virtualization

Overall explanation

OBJ: 3.1 - Virtualization is a technology that allows creating multiple isolated environments on a single physical device. It can offer benefits such as resource optimization, isolation, flexibility, and security. Software-defined networking (SDN) is a network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device. Industrial control systems (ICS) are systems that are designed to monitor and control physical processes in industrial environments, such as power plants, factories, or water treatment facilities, not creating multiple isolated environments on a single physical device. Containerization is a technology that allows running applications in isolated environments called containers, not creating multiple isolated environments on a single physical device.

Domain

3.0 - Security Architecture
Question 36:

Which of the following techniques involves an attacker creating a scenario in order to deceive someone into providing sensitive information?

Phishing
Pretexting
Tailgating
Cloning

Correct answer: Pretexting

Overall explanation

OBJ: 2.2 - Pretexting is where attackers fabricate a scenario (a pretext) to deceive their target into providing information. This could involve posing as an HR representative needing to confirm some details, a survey agent, or any other invented role that would seem plausible to the victim. Phishing involves attackers sending deceptive emails (or other forms of communication) to a broad audience, enticing recipients to click on malicious links, download malware, or provide sensitive information. The attacker's goal is to trick recipients into believing the message is from a trusted source. Tailgating, also known as "piggybacking," is a method where unauthorized individuals follow authorized personnel into secure locations by exploiting their courtesy or distraction. It relies on physical access rather than fabricated stories. Cloning refers to the duplication of items such as badges, access cards, or even digital identities. It's about copying something authentic to gain unauthorized access, rather than fabricating a scenario.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 37:

What strategy best ensures that sensitive, regulated personal data remains confidential and accessible only to authorized personnel?

Routine backups
Patent filing
Data encryption
Trademark registration

Correct answer: Data encryption

Overall explanation

OBJ 3.3: Data encryption is the strategy of modifying the data so that it is unreadable without the correct key and ensures only authorized personnel can access it. Securing a trademark provides protection against unauthorized use of logos, symbols, or brand names. Patent filing is a process to get legal protection for an invention, ensuring others can't produce, sell, or use it without permission. While routine backups ensure data availability, they don't necessarily restrict who can access the data.

Domain

3.0 - Security Architecture
Question 38:

Which of the following activities take place during the analysis phase in the incident response process?

Developing an incident response plan, defining roles and responsibilities, and conducting regular training and drills
Examining and analyzing incidents based on their severity and impact to the organization
Taking immediate actions to contain the incident and prevent further damage
Evaluating the evidence and determining the root cause of the incident

Correct answer: Evaluating the evidence and determining the root cause of the incident

Overall explanation

OBJ 4.8: The "Analysis" phase in the incident response process involves analyzing the evidence collected during the investigation to determine the root cause of the incident. This includes examining logs, system files, network traffic, and other relevant data to understand how the incident occurred, what systems were affected, and what vulnerabilities or weaknesses were exploited. Developing an incident response plan, defining roles and responsibilities, and conducting regular training and drills belong to the "Preparation" phase of the incident response process. This phase ensures that the organization is ready to respond effectively to incidents, but it does not directly involve the analysis of specific incidents. Taking immediate actions to contain the incident and prevent further damage falls under the "Containment" phase of incident response. While containment is an essential step, it is not specific to the "Analysis" phase. Identifying and classifying incidents based on their severity and impact on the organization is part of the "Detection" phase in the incident response process. This phase involves recognizing that an incident has occurred and understanding its potential implications.

Domain

4.0 - Security Operations
Question 39:

Sonja, a security analyst, is responding to a complaint from the fundraising department. Their new computers are really slow. In looking at the usage logs, she finds that one computer is using a lot of resources, causing the whole system to slow down. Which type of malware should she start looking for?

Trojan
Bloatware
Ransomware
Worm

Correct answer: Bloatware

Overall explanation

OBJ: 2.4 - Bloatware is a type of malware that comes pre-installed with other software. It is often unwanted programs that consume a lot of resources and slow down the performance. Types of Bloatware include toolbars, adware, or trial software. Ransomware is a type of malware that encrypts the data or files on a system and demands a ransom for their decryption or restoration. A Trojan is a type of malware that disguises itself as a legitimate or benign program, but performs malicious actions when executed, such as creating a backdoor for remote access or control. It could be the cause, but a Trojan wouldn't necessarily be using a lot of resources because this would signal its presence. A worm is a type of malware that self-replicates and spreads to other systems or networks without user interaction.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 40:

Which of the following terms refers to the use of technology to perform tasks without human intervention, especially in processes where manual operations can be repetitive, labor-intensive, or error-prone?

Automation
Configuration Management
Orchestration
Artificial Intelligence (AI)

Correct answer: Automation

Overall explanation

OBJ: 5.4 - Automation is the utilization of technology to execute tasks without the need for continuous human input, enhancing efficiency and accuracy in various processes. Configuration Management is the process of systematically handling changes to a system in a way that it maintains integrity over time, not necessarily implying an automated process. Artificial Intelligence is a branch of computer science focused on creating machines capable of intelligent behavior, but not specifically limited to task execution. Orchestration is the coordinated execution of multiple automated tasks in a specific order to achieve a complex outcome or process.

Domain

5.0 - Security Program Management and Oversight
Question 41:

Kelly Financial Services has been experiencing unauthorized access to its databases during non-business hours. They want to implement a control that only allows access to critical systems between 8:00 AM and 6:00 PM, Monday to Friday, to reduce the chances of unauthorized or malicious activity. Which of the following security measures can BEST address this concern?

Implementing time-of-day restrictions
Mandating multifactor authentication
Implementing data masking protocols
IDS

Correct answer: Implementing time-of-day restrictions

Overall explanation

OBJ 4.6: Implementing time-of-day restrictions ensures that access to systems or resources is only available during specified times, mitigating risks associated with unauthorized access attempts during off-hours. Mandating multifactor authentication requires two or more verification methods - something you know, something you have, or something you are. Implementing data masking protocols protects sensitive data by replacing, encrypting, or scrambling original data to protect it from unauthorized access. An intrusion detection system (IDS) monitors and analyzes network traffic for signs of malicious activity or policy violations.

Domain

4.0 - Security Operations
Question 42:

Which of the following BEST describes an example of a software supply chain vulnerability?

Utilization of a compromised third-party library in the final software product.
Faulty power supply in a computer system that disrupts work frequently.
Unmonitored physical access to data centers.
Physical tampering with a server's hard drive when penetration testing is conducted.

Correct answer: Utilization of a compromised third-party library in the final software product.

Overall explanation

OBJ: 2.3 - If a third-party software component is insecure, it can pose risks to the entire software that incorporates it. A faulty power supply in a computer system that disrupts work frequently is a hardware issue, unrelated to software vulnerabilities. While unmonitored physical access to data centers poses a risk, it's not specific to software supply chain vulnerabilities. Physical tampering with a server's hard drive when penetration testing is conducted is a direct physical attack on hardware, not a software vulnerability.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 43:

Which of the following is designed to provide electricity for an extended period during power outages and relies on fuel sources such as diesel or natural gas?

Surge protectors
Generators
UPS
Power inverters

Correct answer: Generators

Overall explanation

OBJ 3.4: Generators convert fuel into electricity and are designed to provide power backup for extended periods during outages. They can sustain operations until regular power is restored. Power inverters convert direct current (DC) to alternating current (AC) for use with appliances. While they can change the type of current, they don't provide backup power on their own during outages. A UPS (Uninterruptible Power Supply) offers immediate short-term power protection from input power interruptions, typically from batteries, ensuring devices can either be shut down properly or switched to a generator. They can't provide power for long durations. Surge protectors protect devices from voltage spikes but do not provide any power backup. They ensure equipment safety from electrical surges but don't aid during power outages.

Domain

3.0 - Security Architecture
Question 44:

As organizations grow and expand their digital operations, how can automation and orchestration assist in maintaining security posture?

Facilitates migration to non-digital operations
Enables consistent security standards during scaling
Replaces the need for human security analysts
Promotes decentralization of data storage

Correct answer: Enables consistent security standards during scaling

Overall explanation

OBJ 4.7: Automation and orchestration ensure that as new systems and services are added, they adhere to established security baselines, ensuring uniformity. Automation and orchestration are digital-centric tools and don't promote a shift away from digital operations. While automation assists in many tasks, so far it has not negated the crucial role of human judgment and expertise in security operations. While automation can streamline data operations, its primary role isn't to promote data decentralization.

Domain

4.0 - Security Operations
Question 45:

Initech has always provided employees with devices. Recently, Gregory, the Initech security analyst, became aware that many employees have been able to use their own devices. When he questioned the supervisors, he found out they knew employees were using their own devices. The employees said they needed devices that worked with more innovative software packages. None of the devices offered by Initech were robust enough to handle the software. Gregory says that having employees use their own devices isn't a possibility moving forward. He suggests that the company create a policy that prevents employees from putting their own software on devices and using their own devices. To address employee needs, he suggests Initech provide a broader range of devices and purchase the software employees need. Initech will buy the devices for the employees. Which of the following deployment models is Gregory most likely suggesting?

BYOD
COBO
COPE
CYOD

Correct answer: CYOD

Overall explanation

OBJ 4.1: CYOD stands for Choose Your Own Device, which is a deployment model that allows employees to choose from a list of approved devices provided by the company. This model can offer some flexibility and convenience to the employees, as they can select the device that best suits their needs and preferences. BYOD stands for Bring Your Own Device, which is a deployment model that allows employees to use their personal devices, such as laptops, smartphones, or tablets, to access the company's network and applications. This model can reduce the costs and risks associated with managing and securing these devices, as the responsibility is shifted to the employees. COBO stands for Corporate Owned Business Only, which is a deployment model that involves the company providing devices to its employees and restricting them to work-related use only. This model can ensure the highest level of security and compliance for these devices, but it also reduces the productivity and satisfaction of the employees, as they have to carry multiple devices for different purposes. COPE stands for Corporate Owned Personally Enabled, which is a deployment model that involves the company providing devices to its employees and allowing them to use them for both work and personal purposes. This model can give the company full control over the security and management of these devices, as it can enforce security policies, install software updates, monitor usage, and wipe data remotely.

Domain

4.0 - Security Operations
Question 46:

Which of the following attackers operates MOST often under the direction of governments with the goal of furthering national interests, war, or geopolitical objectives?

State-sponsored actor
Insider threat
Black hat hacker
Cyber mercenary

Correct answer: State-sponsored actor

Overall explanation

OBJ: 2.1 - Often tied to a country's intelligence or military agencies, state-sponsored actors conduct cyber operations to advance national objectives or disrupt adversaries. Insider threats are current or former employees who compromise their organization's cyber security, either accidentally or with malicious intent. Cyber mercenaries are hackers-for-hire, who may work for any entity or individual that pays them, regardless of the task's legality. Black hat hackers are individuals who hack for personal gain or malicious intent without necessarily having any political or state-driven goals.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 47:

Diego, a project manager, downloads what he believes is a productivity tool from an unknown website to help him organize tasks. Shortly after, strange pop-ups begin appearing on his screen, and his web browser starts redirecting him to random websites. Despite running antivirus software, the issue persists. What type of malware is most likely causing these symptoms?

Adware
Worm
Spyware
Cryptominer

Correct answer: Adware

Overall explanation

OBJ 2.4 - The most likely type of malware causing these symptoms is adware. Adware is designed to deliver unwanted advertisements and redirect users to specific websites, often as a way to generate revenue for the attacker. After Diego downloaded the supposed productivity tool, the adware embedded itself in his system, resulting in pop-ups and frequent browser redirections. Unlike spyware, which secretly monitors user activity, cryptominers, which use system resources to mine cryptocurrency, or worms, which self-replicate to spread, adware specifically aims to disrupt the user experience with ads and redirections.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 48:

John, a network administrator at Dion Training Solutions, was analyzing traffic logs from the company's main server. He noticed a large number of ARP requests and responses between a workstation and the gateway in a short time frame. The workstation was trying to associate its MAC address with the IP address of the company's main server. Which of the following terms BEST describes this malicious activity observed by John?

On-path attack
MAC spoofing
Packet sniffing
Port scanning

Correct answer: On-path attack

Overall explanation

OBJ: 2.4 - An on-path attack, also known as a man-in-the-middle attack, occurs when an attacker intercepts communications between two parties to capture or manipulate the data. The high number of ARP requests suggests the attacker might be trying to reroute traffic to gain access to information. Port scanning is an activity where an attacker probes a server for open ports to find potential vulnerabilities. It does not involve ARP requests or traffic interception. Packet sniffing involves capturing packets of data as they traverse a network. While it can be a part of on-path attacks, it does not specifically involve the alteration of ARP messages. MAC spoofing is a type of attack where the attacker uses the MAC address of an authorized machine or device in order to gain access to a system.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 49:

David, an IT manager at Dion Training, has been put in charge of labeling data. Which label would David use for sensitive client data to ensure the highest security?

Internal
Confidential
Public
Unclassified

Correct answer: Confidential

Overall explanation

OBJ 4.2: The confidential level is designated for data that requires stringent protection measures. Access to confidential data is strictly controlled and is only granted to individuals who have been vetted and given explicit permission. Its compromise might result in severe consequences for the organization. "Unclassified" data does not fit into any of the aforementioned categories and generally does not have special handling requirements. It lacks specific protective measures, making it an unsuitable label for any data that requires protection from unauthorized access. Data labeled as internal is meant for company use and may be shared among employees. While it is more protected than public data, it does not have the rigorous access controls that confidential data demands. Sensitive client data may be at risk if labeled as internal. Data labeled as public is accessible by anyone, both within and outside the organization. It is general information that does not require any special protection. Using this classification for sensitive data would expose it to unnecessary risks.

Domain

4.0 - Security Operations
Question 50:

Which of the following is included in a vendor contract that allows an organization to conduct its own evaluation and verification of a vendor's security controls and practices?

Supply chain analysis
Independent assessments
Evidence of internal audits
Right-to-audit clause

Correct answer: Right-to-audit clause

Overall explanation

OBJ: 5.3 - A right-to-audit clause is a provision in a vendor contract that grants the organization the authority to conduct audits on the vendor's security controls and practices. Independent assessments involve hiring a third-party organization to evaluate and assess the vendor's security measures and controls. In this case, the organization is doing its own audits, so it isn't an independent assessment. Evidence of internal audits refers to documentation or proof that the vendor has conducted its internal security audits to assess and maintain the effectiveness of its security measures. These audits would be done by the vendor, not by the organization using the vendor. Supply chain analysis is the process of assessing and understanding the security risks associated with a vendor's supply chain and the potential impact on the organization's security. It is more specific than a right-to-audit clause, which allows a broad range of audits.

Domain

5.0 - Security Program Management and Oversight
Question 51:

If an organization wishes to restore its systems using the smallest number of backup sets, which of the following backup types would most likely be used?

Differential backups
Full backups
Incremental backups
Snapshots

Correct answer: Full backups

Overall explanation

OBJ 3.4: Full backups are a complete copy of all data, and a single set can restore the entire system. While less frequent than incremental backups, differential backups require the last full backup plus the latest differential backup for a complete restore. Incremental backups capture only the data that has changed since the last backup, so multiple sets might be needed alongside a full backup for a complete restore. Snapshots are efficient for quick rollbacks; however, they may not represent a complete backup set for total system recovery.

Domain

3.0 - Security Architecture
Question 52:

Susan, the lead system administrator at Kelly Innovations LLC, is working on establishing a secure baseline for the company's servers. Part of her strategy is to ensure the servers aren't vulnerable to unnecessary exposure. Which action is MOST appropriate for her to take initially?

Enable SNMP with public community strings for monitoring
Enforce SSL/TLS 1.0 for all server communications
Allow ICMP echo requests to all servers
Disable TCP/UDP ports like 23 and 135

Correct answer: Disable TCP/UDP ports like 23 and 135

Overall explanation

OBJ 4.1: Limiting unnecessary ports reduces the exposure of servers to potential vulnerabilities associated with these services. Using public community strings is insecure as it could allow unauthorized access or information disclosure. Allowing unrestricted ICMP (pings) could expose the servers to potential threats like a ping flood. Using older SSL/TLS versions is not recommended due to known vulnerabilities.

Domain

4.0 - Security Operations
Question 53:

Which of the following statements BEST explains the importance of 'patching' in the context of vulnerability management?

Patching is the process of identifying and fixing security vulnerabilities in software, firmware, and operating systems to prevent potential exploits
Patching refers to the process of securing physical entry points to an organization's premises
Patching refers to regularly updating hardware components to ensure optimal performance and prevent system downtime
Patching involves installing special, custom-made features on software interfaces to enhance user experience and aesthetics

Correct answer: Patching is the process of identifying and fixing security vulnerabilities in software, firmware, and operating systems to prevent potential exploits

Overall explanation

OBJ 4.3: Patching is the process of identifying and fixing security vulnerabilities in software, firmware, and operating systems. Regularly applying patches helps prevent potential exploits and ensures the system remains secure against known vulnerabilities. Patching focuses on software updates to address security issues. It will update software that is used by hardware, but it doesn't update hardware components. Patching is not related to securing physical entry points; instead, it focuses on software and firmware updates to address security vulnerabilities. Patching is not about installing special, custom-made features on software interfaces but rather updating software to address security vulnerabilities.

Domain

4.0 - Security Operations
Question 54:

Which of the following assessments MOST accurately provides a thorough examination of an organization's security measures and procedures?

Independent third-party audit
Attestation
Regulatory examination
Assessment

Correct answer: Independent third-party audit

Overall explanation

OBJ: 5.5 - An independent third-party audit is the best choice for a thorough assessment of an organization's security measures and procedures. The term "assessment" is broad and can refer to various types of evaluations. In this context, it may include security assessments, but it does not specifically imply a comprehensive review. Attestation refers to the process of affirming the accuracy and completeness of compliance reports. It is not directly related to a comprehensive review of security controls and practices. The regulatory examination involves an evaluation conducted by a government or regulatory agency to ensure compliance with specific regulations. While it may include aspects of security controls and practices, it is not exclusively focused on a comprehensive review.

Domain

5.0 - Security Program Management and Oversight
235
Q
Question 55: Which of the following mitigation techniques can help reduce the attack surface of systems by uninstalling unused applications?
Patching
Disabling Ports and Protocols
Decommissioning
Removal of unnecessary software
A
Correct answer: Removal of unnecessary software
Overall explanation
OBJ: 2.5 - Removal of unnecessary software is a hardening technique that can help reduce the attack surface of systems and devices by removing unused or unneeded software. The more software that is on a system, the more exposure there is to vulnerabilities. If the software is not needed or used, there is no purpose in having extra exposure to vulnerabilities. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems. Patching software is good to do, but if you aren't using the software, removing it is more effective than patching it. Decommissioning is a mitigation technique that can help reduce the risk of data breaches or theft by properly disposing of systems and devices that are no longer needed or used. Decommissioning involves following a set of procedures to erase or destroy any sensitive data stored on the systems and devices, and to physically dispose of them in a safe and environmentally friendly manner. It is used for hardware that is no longer needed, not for unneeded software. Disabling ports and protocols is a hardening technique that can help reduce exposure to potential attacks. This can be done on firewalls, switches, routers, and hosts to close or block any network ports or protocols that aren't needed for the normal operation of the systems and devices. Ports are numerical identifiers that specify the destination or source of network traffic, and protocols are rules or standards that define how network traffic is formatted or transmitted. This is a good practice, but it doesn't involve removing software from the system.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
236
Q
Question 56: In the realm of systems and data management, who is primarily responsible for determining the classification of data and ensuring it aligns with organizational policies?
Data Owner
End User
Data Controller
Data Processor
A
Correct answer: Data Owner
Overall explanation
OBJ: 5.1 - A data owner is typically an individual or a functional role within an organization that is responsible for the data's classification and for ensuring it is in line with the organization's security policy. End users access and use the data but do not typically have responsibilities for classifying it or ensuring its alignment with organizational policies. A data controller determines the purposes and means of processing personal data, but the classification and alignment with organizational policies is typically under the purview of the data owner. Data processors process data on behalf of the data controller and don't decide on data classifications.
Domain
5.0 - Security Program Management and Oversight
237
Q
Question 57: Reed, an executive at Dion Training Solutions, inadvertently shared a link during a presentation that led to a gaming website, distracting the attendees. What would have been the BEST approach in ensuring that such URLs are identified and restricted during work hours?
Deploying a VPN for all company devices
Implementing an advanced intrusion detection system
Implementing content categorization
Mandating periodic cybersecurity training
A
Correct answer: Implementing content categorization
Overall explanation
OBJ 4.5: By employing content categorization, organizations can identify and restrict access to websites that fall under non-work-related categories, such as gaming. While VPNs can encrypt internet traffic and mask user locations, they don't inherently categorize or restrict access to specific types of web content. Intrusion detection systems monitor network traffic for malicious activities, but they don't categorize websites based on their overall content theme. While training raises awareness about safe online practices, it doesn't proactively categorize or block specific website themes.
Domain
4.0 - Security Operations
238
Q
Question 58: At Kelly Innovations LLC, Susan is reviewing credential management practices for cloud services. Which approach should she discourage due to its inherent security risks?
Assign a unique secret key for programmatic access
Using the CSP root user for daily logon activity
Use MFA for all interactive logons at workstations
Transfer the generated secret key immediately to the host
A
Correct answer: Using the CSP root user for daily logon activity
Overall explanation
OBJ 4.1: Using the root user for daily tasks is a high-risk practice because it gives complete control over all resources in the cloud account, making it a lucrative target for attackers. Using multi-factor authentication provides an additional layer of security by ensuring that users provide two or more verification factors to gain access. Delaying the transfer of a generated secret key might expose the key to risks, but immediate transfer ensures that the key is securely stored and ready for use. Unique secret keys for programmatic access are crucial for ensuring that interactions with the cloud are secure and authenticated.
Domain
4.0 - Security Operations
239
Q
Question 59: Jason from Dion Training has decided to use a password manager to improve his online security. After setting it up, he finds that it not only helps manage his passwords across different sites but also provides additional security measures. Which of the following are the benefits of using a password manager? (Select TWO.)
Stronger passwords
SSO feature
Automated data backup
Local storage
Verified access
A
Correct selections: Stronger passwords; Verified access
Overall explanation
OBJ: 5.6 - The password manager generates robust, random passwords for each account, enhancing security by reducing the risk of breaches. It verifies website certificates, ensuring Jason's login credentials are only used on legitimate sites, protecting against phishing. While convenient, single sign-on is a separate functionality and not a direct benefit of using a password manager in this context. Password managers do not inherently back up data. Local storage is an option for users with specific needs, yet it does not directly benefit Jason in the scenario described.
Domain
5.0 - Security Program Management and Oversight
240
Q
Question 60: Dion Training's hardware devices were compromised and sensitive data was stolen. Upon investigation, it was discovered that an attacker was able to exploit a vulnerability in the device's low-level software. Which of the following vulnerabilities BEST describes this scenario?
Firmware vulnerability
End-of-life hardware
Legacy hardware
Hardware failure
A
Correct answer: Firmware vulnerability
Overall explanation
OBJ: 2.3 - A firmware vulnerability is a weakness in the low-level software that controls hardware devices, which can be exploited by an attacker to gain unauthorized access or cause harm. Hardware failure can affect the availability and functionality of hardware devices, but it does not directly relate to low-level software vulnerabilities. Legacy hardware refers to outdated hardware devices that may be vulnerable to known attacks, but this does not directly relate to low-level software vulnerabilities. End-of-life hardware refers to hardware devices that are no longer supported by the vendor and may be vulnerable to known attacks, but this does not directly relate to low-level software vulnerabilities.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
241
Q
Question 61: Which of the following concepts is being considered when deciding on an architecture model that refers to the ability of a system to provide timely and accurate feedback to user requests?
Scalability
Availability
Performance
Responsiveness
A
Correct answer: Responsiveness
Overall explanation
OBJ: 3.1 - Responsiveness is the ability of a system to provide timely and accurate feedback to user requests. It can affect user satisfaction, performance, and efficiency. Scalability relates to growth and the system's capacity to manage it, not directly to the speed of feedback. Availability is the ability of a system to remain operational and accessible at all times, not to provide timely and accurate feedback to user requests. Performance is somewhat related because it deals with the overall effectiveness of the system; however, it is a broader term that encompasses various aspects including speed, scalability, and reliability, rather than specifically focusing on timely and accurate feedback like responsiveness does.
Domain
3.0 - Security Architecture
242
Q
Question 62: Akbar connects their smartphone to a seemingly normal set of headphones using Bluetooth. Unbeknownst to them, the headphones have been embedded with firmware that allows the execution of attacks. What kind of risk is associated with connecting to such devices?
Risk from device discovery
Risk from malicious peripheral devices
Risk from Bluejacking
Risk from Bluesnarfing
A
Correct answer: Risk from malicious peripheral devices
Overall explanation
OBJ 2.2 - Peripherals with malicious firmware can pose significant risks when connected. They have the potential to launch highly effective attacks. The crafting of such malicious peripherals requires extensive resources, making the risk less frequent but impactful. Bluesnarfing is the act of exploiting Bluetooth vulnerabilities to gain unauthorized access to data on another person's device. It doesn't specifically refer to the risk of connecting to malicious peripherals. Device discovery makes a Bluetooth device visible to others nearby. While it can increase the risk of unwanted connections, it doesn't involve the specific threat of malicious firmware in peripherals. Bluejacking involves sending unsolicited messages to Bluetooth devices. It's a form of spam and doesn't refer to the risk of connecting to malicious devices.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
243
Q
Question 63: For ensuring the security of an HTTP application like WordPress or Magento against threats like SQL injection or cross-site scripting, which monitoring tool or method would be MOST appropriate?
WAF
NetFlow
Antivirus software
HIDS
A
Correct answer: WAF
Overall explanation
OBJ: 4.4 - A web application firewall (WAF) specifically protects web applications by filtering and monitoring HTTP traffic, providing defenses against web-specific attacks such as SQL injection. A host-based intrusion detection system (HIDS) monitors the internals of a computing system; it isn't explicitly designed to combat web application-specific threats. NetFlow collects IP traffic information and monitors network flow data but doesn't specifically target web application vulnerabilities. While antivirus software can detect malware and malicious files, it isn't particularly tailored to protect against web application-specific threats like SQL injection.
Domain
4.0 - Security Operations
244
Q
Question 64: Which of the following would be primarily focused on detecting unauthorized changes or potential breaches in computer hardware components, operating systems, and core services supporting applications?
Alerting
Infrastructure monitoring
Applications monitoring
Systems monitoring
A
Correct answer: Systems monitoring
Overall explanation
OBJ: 4.4 - Systems monitoring relates to overseeing the health and security of hardware components, operating systems, and services, ensuring they function as expected and are free from threats. Alerting involves generating notifications or alarms in response to predefined conditions or threats but doesn't necessarily define what is being monitored. While applications monitoring does provide insights into software behaviors, it primarily concentrates on the performance and security of individual software programs rather than the underlying system. Infrastructure monitoring delves into the broader aspects of IT, looking at network traffic, server health, and other foundational components but not specifically at the computer's operating system or hardware components.
Domain
4.0 - Security Operations
245
Q
Question 65: Which of the following activities takes place during the containment phase in the incident response process?
Isolating the evidence that reveals what has caused the incident by considering the affected system
Referring often to the incident response plan and training employees
Determining the impact of the event so that it doesn't happen again
Mitigate the impact of the incident by preventing any other devices from being affected
A
Correct answer: Mitigate the impact of the incident by preventing any other devices from being affected
Overall explanation
OBJ 4.8: The containment phase in the incident response process involves taking immediate actions to isolate and mitigate the impact of the incident, preventing it from spreading further. This may include isolating affected systems, disabling compromised accounts, blocking malicious traffic, or implementing other measures to stop the incident's progression and limit its damage. Developing an incident response plan, defining roles and responsibilities, and conducting regular training and drills belong to the Preparation phase of the incident response process. This phase ensures that the organization is ready to respond effectively to incidents, but it does not involve immediate actions to contain the incident. Identifying and classifying incidents based on their severity and impact to the organization is part of the Detection phase in the incident response process. This phase involves recognizing that an incident has occurred and understanding its potential implications. Preventing future events is part of the "Lessons Learned" phase. Analyzing the evidence and determining the root cause of the incident falls under the Analysis phase of the incident response process. This phase comes after containment and aims to understand how the incident occurred and what vulnerabilities were exploited.
Domain
4.0 - Security Operations
246
Q
Question 66: A company's single-factor authentication system has failed. Which of the following would be an example of a compensating control that the company could implement to maintain security?
Requiring multi-factor authentication if single-factor authentication fails
Conducting regular security awareness training for employees
Installing antivirus software on all company computers
Monitoring network traffic for signs of malware activity
A
Correct answer: Requiring multi-factor authentication if single-factor authentication fails
Overall explanation
OBJ: 1.1 - Requiring multi-factor authentication if single-factor authentication fails is an example of a compensating control because it provides additional security when another control fails by requiring multiple factors for authentication. Monitoring network traffic for signs of malware activity is an example of a detective control, which is used to detect security incidents. Installing antivirus software on all company computers is an example of a preventive control, which is used to prevent security incidents from occurring. Conducting regular security awareness training for employees is also an example of a preventive control, which is used to prevent security incidents from occurring.
Domain
1.0 - General Security Concepts
247
Q
Question 67: The IT department at Feels Like Gnome is in the process of implementing a new AUP for the organization. They want to ensure that all employees are aware of the proper and acceptable ways to use company IT assets and systems to maintain a secure and efficient work environment. What will likely be included in this policy?
The guidelines for tagging and recording the company's physical assets
What to do in the event of a security breach
Guidelines about the length and strength of passwords
Whether computers can be used for personal online shopping
A
Correct answer: Whether computers can be used for personal online shopping
Overall explanation
OBJ: 5.1 - The primary purpose of an Acceptable Use Policy (AUP) is to define and communicate the acceptable and appropriate ways employees can use company IT resources, including computers, networks, internet access, software, and data. It outlines the do's and don'ts to ensure that employees use IT resources responsibly and securely. An Acceptable Use Policy (AUP) primarily focuses on defining the acceptable and appropriate use of IT resources, not the management of physical assets. Guidelines about password length and strength will more likely be handled in a password policy or set of guidelines, not in an Acceptable Use Policy (AUP). Incident response and handling security breaches are usually covered under an Incident Response Policy, which is a different policy from the Acceptable Use Policy (AUP).
Domain
5.0 - Security Program Management and Oversight
248
Q
Question 68: Which statement BEST describes the significance of safeguarding legal information in an organization?
Legal information is vital during courtroom trials so it must be protected while the trial is occurring
All employees of an organization should access legal data to offer complete transparency
If legal data leaks it can result in legal liabilities and harm an organization's reputation
Like all other data, legal data is important to organizations and businesses
A
Correct answer: If legal data leaks it can result in legal liabilities and harm an organization's reputation
Overall explanation
OBJ 3.3: Unauthorized exposure of legal documents can lead to breaches of confidentiality and damage the organization's public image. Legal data is crucial for many situations, even outside court disputes. Unlimited employee access can lead to internal data leaks or misuse. Legal information is not like all other data. It often has confidentiality clauses that need strict protection.
Domain
3.0 - Security Architecture
249
Q
Question 69: Which of the following is the BEST security reason for excluding user data files from a system image backup?
Strengthens encryption.
Aids in password recovery.
Prevents malware infection.
Reduces exposure to outdated sensitive data.
A
Correct answer: Reduces exposure to outdated sensitive data.
Overall explanation
OBJ: 2.2 - By excluding frequently updated user data files from system image backups, organizations can reduce the risk of exposing or restoring potentially outdated sensitive data that might have been amended or deleted in the main system. Encryption strength is not directly related to the content of the backup. Whether user data is included or not doesn't influence the encryption mechanism itself. While it's always good to ensure backups are free from malware, the specific exclusion of user data from image backups isn't primarily for this reason. Excluding user data from backups doesn't have a direct impact on password recovery processes or tools. Its primary security advantage lies in managing data exposure risks.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
250
Q
Question 70: During an annual board meeting at Kelly Innovations LLC, Susan, the company's Chief Information Security Officer, is presenting a detailed review of the organization's current cybersecurity measures. The board members request documentation that provides evidence of the company's adherence to established security protocols and any deviations from them over the past year. To address this request, Susan decides to provide a report that has been periodically conducted by her team to ensure that the company meets its own security and regulatory standards. Which of the following reports is Susan most likely referring to?
Internal compliance audit
Business continuity plan
Threat intelligence briefing
Vulnerability assessment report
A
Correct answer: Internal compliance audit
Overall explanation
OBJ: 5.5 - An internal compliance audit is a thorough review conducted within an organization to verify that it is adhering to its own internal security and regulatory standards. It serves as evidence of the company's security measures and can pinpoint any deviations or shortcomings. A threat intelligence briefing involves information about the latest threats in the cybersecurity landscape. While important, it doesn't provide detailed evidence about an organization's internal compliance with its security measures. A business continuity plan is a strategic document outlining how an organization will continue its operations during an unplanned disruption. It doesn't periodically assess or document the company's adherence to its security and regulatory standards. While a vulnerability assessment report identifies potential vulnerabilities in an organization's system, it doesn't provide a comprehensive overview of adherence to internal protocols or regulatory standards.
Domain
5.0 - Security Program Management and Oversight
251
Q
Question 71: Which of the following BEST explains the difference between false positive and false negative in the context of vulnerability management?
A false positive refers to an unauthorized access that goes undetected, while a false negative is an authorized action mistakenly flagged as a security threat
A false positive occurs when a security incident is incorrectly identified as non-threatening, while a false negative happens when a security incident is correctly identified and addressed
A false positive is a security alert that incorrectly indicates a potential threat, whereas a false negative is a security alert that inaccurately dismisses a legitimate threat
A false positive is a security event that is correctly identified and addressed, while a false negative is an overlooked security incident that is actually harmful
A
Correct answer: A false positive is a security alert that incorrectly indicates a potential threat, whereas a false negative is a security alert that inaccurately dismisses a legitimate threat
Overall explanation
OBJ 4.3: A false positive is a security alert that incorrectly identifies a legitimate action as a potential threat, while a false negative is a security alert that mistakenly dismisses a real threat, leaving the system vulnerable to harm. In reality, a false positive refers to a situation where a security system mistakenly identifies a legitimate action as a threat, while a false negative occurs when a security system fails to detect an actual threat. A false positive is when a legitimate action is mistakenly flagged as a security threat, and a false negative is when a security incident goes undetected. A false positive refers to a situation where a legitimate action is mistakenly identified as a threat and may lead to unnecessary alarms and investigation efforts. On the other hand, a false negative occurs when a security system fails to detect an actual security incident, leaving the system vulnerable to potential harm.
Domain
4.0 - Security Operations
252
Q
Question 72: Which CVSS metric is used to describe the means by which an exploit takes advantage of a vulnerability, such as whether it requires physical access or can be conducted over a network?
UI
AC
AV
S
A
Correct answer: AV
Overall explanation
OBJ 4.3: The AV (Attack Vector) metric indicates the context by which the vulnerability exploitation occurs, such as local, adjacent, or network-based. The UI (User Interaction) metric describes whether or not the vulnerability requires user involvement to be exploited. Scope (S) describes the impact of the exploit on other resources, not the method of exploitation. While AC (Attack Complexity) indicates the conditions beyond the attacker's control that must exist in order to exploit the vulnerability, it doesn't specify the method of attack.
Domain
4.0 - Security Operations
253
Q
Question 73: Enrique, a security analyst at QuantumCorp, was verifying the integrity of two documents by comparing their MD5 hashes. Surprisingly, two entirely different documents had the same hash value. Aware of the weaknesses associated with the MD5 hashing algorithm, he suspected that the company might be vulnerable to a specific type of cryptographic attack. What type of cryptographic attack is Enrique concerned about?
Dictionary attack
Birthday attack
Rainbow table attack
Sybil attack
A
Correct answer: Birthday attack
Overall explanation
OBJ: 2.4 - A birthday attack involves exploiting collisions in hash functions, where two different inputs produce the same hash value. Enrique's observation of two distinct documents having the same MD5 hash suggests the potential for this attack, especially given MD5's known vulnerabilities. A Sybil attack involves an attacker creating multiple fake identities in a network to subvert its functionality. It doesn't relate to hash function collisions. Rainbow table attacks involve pre-computed tables for reversing cryptographic hash functions. While they are used to retrieve the original input from its hash, they don't focus on generating collisions. A dictionary attack entails trying every word in a predefined list (or dictionary) to guess a password or encryption key. It doesn't concern hash collisions.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
254
Q
Question 74: Which of the following MOST accurately describes a primary reason for implementing a data retention policy?
They speed up data recovery processes by allowing faster incremental and differential backups
They enhance system performance by regular data deletion
They reduce storage costs over time by ensuring that too much data isn't kept
They ensure compliance with legal and regulatory requirements
A
Correct answer: They ensure compliance with legal and regulatory requirements
Overall explanation
OBJ 4.2: A proper data retention policy helps organizations maintain and dispose of data in accordance with laws, regulations, and industry standards, preventing potential legal consequences. Removing extraneous data can enhance system efficiency; however, it isn't the most relevant choice among the given alternatives. While a data retention policy can lead to cost savings by disposing of unnecessary data, its primary purpose is not usually financial. Data retention policies may streamline data structures, but the primary goal isn't necessarily to speed up recovery processes.
Domain
4.0 - Security Operations
255
Q
Question 75: You are using a laptop running Windows XP, which hasn't been updated in several years. Lately, you've noticed strange behavior, and you suspect malware. What type of vulnerability are you exposing yourself to by continuing to use this outdated system?
Vulnerable Software
Supply Chain
Unsecure Networks
Unsupported Systems
A
Correct answer: Unsupported Systems
Overall explanation
OBJ 2.2 - Unsupported systems and applications no longer receive security updates or patches from developers, leaving them vulnerable to attacks. These outdated systems can be exploited by attackers to gain unauthorized access or cause harm. Supply chain attacks occur when a third-party provider (such as a vendor or supplier) is compromised, allowing attackers to deliver malware or carry out other malicious actions targeting the organization. Vulnerable software contains flaws, whether known or unknown, that attackers can exploit. Outdated software often has unpatched vulnerabilities, which can compromise system or network security. Unsecure networks lack proper security measures like encryption, authentication, or firewalls to protect transmitted data. Public Wi-Fi hotspots are a common example of unsecure networks that attackers can intercept.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
256
Q

Question 76:

Which of the following BEST describes an organizational structure that allows for autonomous decision-making in separate departments or sectors within the company?

Matrix structure

Flat organization

Hierarchical management

Decentralized governance

A

Matrix structure

Flat organization

Hierarchical management

Your answer is correct

Decentralized governance

Overall explanation

OBJ: 5.1 - In decentralized governance, decision-making is distributed among various departments or sectors, promoting responsiveness and specialization. Hierarchical management implies a top-down approach to decision-making and does not necessarily allow for autonomy in separate departments. While a matrix structure involves multiple reporting lines, it does not by itself define the decision-making autonomy of departments. A flat organization is one with few or no levels of middle management between staff and executives, which affects management layers but not necessarily how decision-making is distributed.

Domain

5.0 - Security Program Management and Oversight
257
Q

Question 77:

Log Cabin Bank has recently expanded its services by purchasing several other banks. They now face security challenges that they haven't faced before. The most significant challenge is providing secure communication among the branches of the bank. State banking regulations require that all communications be secure even when traveling across unsecured networks. Which of the following will provide the BEST solution to the challenge faced by Log Cabin Bank?

SD-WAN

Transport Layer Security

SASE

VPN

A

SD-WAN

Transport Layer Security

Your answer is incorrect

SASE

Correct answer

VPN

Overall explanation

OBJ 3.2: A VPN provides a secure method for remote operations by creating an encrypted connection over the internet. It establishes a secure tunnel so that data can be securely transferred even over insecure networks. An SD-WAN connects enterprise networks over large geographic distances much the way a regular WAN does. However, by making use of software rather than hardware as the basis of the network, SD-WANs offer faster speeds at lower costs. The software basis of the WAN allows for less complicated management and greater security. It is suited for communications to many locations, not specifically to a limited number of remote locations. Secure Access Service Edge (SASE) is a form of cloud architecture that combines a number of services into a single service. By providing services like software-defined wide-area network (SD-WAN), firewalls as a service, secure web gateways, and zero-trust network access, SASE reduces cost and simplifies management while improving security. The integrated nature of the architecture means the technologies used will work together efficiently. This is far more technology than the scenario indicates is needed. Transport Layer Security (TLS) is a protocol that is used to authenticate certificates and encrypt data for privacy and data integrity as it moves across networks; it doesn't provide the comprehensive remote access a VPN offers.

Domain

3.0 - Security Architecture
258
Q

Question 78:

In a compliance workshop at Dion Training, a team is discussing the ramifications of not adhering to industry standards and data protection laws. Which of the following outcomes of non-adherence would result in Dion Training having to pay money?

Fines

Loss of license

Sanctions

Reputational damage

A

Correct answer

Fines

Loss of license

Sanctions

Your answer is incorrect

Reputational damage

Overall explanation

OBJ: 5.4 - In the context of non-compliance, fines are financial penalties imposed by regulatory authorities for failing to adhere to specific rules, regulations, or laws. Organizations that do not comply with relevant regulations may be subject to fines as a punitive measure. Reputational damage refers to the harm or negative perception that an organization may suffer due to its actions or non-compliance. While it can be a consequence of non-compliance, it does not directly involve financial penalties. The loss of a license refers to the revocation of an organization's permission to operate or conduct specific business activities. While it can be a consequence of severe non-compliance, it is not directly related to the financial penalties imposed by regulatory authorities. While sanctions can be a consequence of non-compliance in certain contexts, they typically refer to penalties imposed for violations of international laws or trade agreements rather than financial penalties related to non-compliance with regulations.

Domain

5.0 - Security Program Management and Oversight
259
Q

Question 79:

Which of the following statements BEST describes the difference between philosophical and ethical motivations for threat actors?

Both motivations are primarily driven by the individual’s worldview and beliefs.

Philosophical and ethical motivations both derive from an individual's moral stance.

Ethical motivations relate to legality; philosophical motivations to individual beliefs.

Philosophical motivations stem from deep beliefs; ethical motivations from moral perceptions.

A

Both motivations are primarily driven by the individual’s worldview and beliefs.

Philosophical and ethical motivations both derive from an individual's moral stance.

Ethical motivations relate to legality; philosophical motivations to individual beliefs.

Your answer is correct

Philosophical motivations stem from deep beliefs; ethical motivations from moral perceptions.

Overall explanation

OBJ: 2.1 - "Philosophical motivations stem from deep beliefs; ethical motivations from moral perceptions" accurately highlights the core difference, focusing on foundational beliefs versus moral judgments. "Ethical motivations relate to legality; philosophical motivations to individual beliefs" incorrectly frames ethical motivations around legality, missing the broader scope of moral principles that guide ethical motivations beyond just legal considerations. "Both motivations are primarily driven by the individual’s worldview and beliefs" oversimplifies the distinction, suggesting a uniform influence of worldview and beliefs on both motivations, without addressing the unique attributes of each. "Philosophical and ethical motivations both derive from an individual's moral stance" presents a misleading equivalence, implying a similar root in morality for both motivations, which doesn't account for the deeper, belief-based nature of philosophical motivations.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
260
Q

Question 80:

Which of the following statements BEST explains the importance of security groups within a system or network?

Security groups allow for centralized management of user access and permissions

Security groups automatically create encrypted backups of sensitive data to protect against data breaches

Security groups facilitate the integration of security tools and systems for a unified defense strategy

Security groups automate software deployments and updates across an organization's network

A

Correct answer

Security groups allow for centralized management of user access and permissions

Security groups automatically create encrypted backups of sensitive data to protect against data breaches

Your answer is incorrect

Security groups facilitate the integration of security tools and systems for a unified defense strategy

Security groups automate software deployments and updates across an organization's network

Overall explanation

OBJ 4.7: Security groups play a vital role in centralized management of user access and permissions. By grouping users with similar roles or access requirements, security administrators can efficiently assign permissions and access controls to these groups rather than individually managing each user account. This simplifies the administration process and ensures that users have the appropriate level of access, reducing the risk of unauthorized access and enhancing overall security. Automated data backups are essential for data protection, but that is not the primary purpose of security groups. Security groups are concerned with managing user access and permissions, not automatically creating encrypted backups of data. While security groups can be part of an integrated security strategy, their primary purpose is not about facilitating integration between security tools but rather managing user access and permissions. Security groups are more focused on managing user access and permissions rather than automating software deployment.

Domain

4.0 - Security Operations
261
Q

Question 81:

A financial services firm has been facing an increasing number of email-based attacks. To improve their email security, the organization decides to implement SPF for their email system. Which of the following choices BEST explains the significance of implementing SPF in the given scenario?

SPF encrypts email messages to protect sensitive information from unauthorized access during transmission

SPF helps prevent email spoofing by verifying the authorized email servers for the sender's domain

SPF allows users to digitally sign their emails, ensuring the authenticity and integrity of the messages

SPF automatically quarantines suspicious emails, reducing the risk of malware infections

A

SPF encrypts email messages to protect sensitive information from unauthorized access during transmission

Correct answer

SPF helps prevent email spoofing by verifying the authorized email servers for the sender's domain

Your answer is incorrect

SPF allows users to digitally sign their emails, ensuring the authenticity and integrity of the messages

SPF automatically quarantines suspicious emails, reducing the risk of malware infections

Overall explanation

OBJ 4.5: Sender Policy Framework (SPF) prevents email spoofing by allowing domain owners to specify authorized mail servers for sending emails. The recipient’s mail server can verify the sender’s SPF record to confirm the email’s legitimacy, helping to combat phishing and spoofing attacks. SPF does not handle message encryption, digital signatures, or quarantining emails; its primary role is to authenticate authorized email servers to prevent spoofing.

Domain

4.0 - Security Operations
262
Q

Question 82:

Which term describes the average duration needed to repair a system or component after a failure has occurred?

MTBF

MTTR

Recovery time

Repair rate

A

MTBF

Correct answer

MTTR

Recovery time

Your answer is incorrect

Repair rate

Overall explanation

OBJ: 5.2 - MTTR (mean time to repair) accurately reflects the average time taken to repair a system or component following a failure. MTBF (mean time between failures) relates to the time span between system failures, not the time needed for repair. Recovery time includes the total time for a system to be brought back to full functionality, extending beyond just repair efforts. Repair rate may indicate the frequency of repairs but does not provide a measure of the average repair time.

Domain

5.0 - Security Program Management and Oversight
263
Q

Question 83:

Which of the following BEST describes the data owner's role in an organization's data governance framework?

Implements encryption and secures data both at rest and in transit.

Outlines the purposes, conditions, and methods of personal data processing to comply with GDPR.

Ensures data protections, level of access permissions, and security measures.

Provides detailed recommendations on specific security controls to be included in the ISMS.

A

Implements encryption and secures data both at rest and in transit.

Outlines the purposes, conditions, and methods of personal data processing to comply with GDPR.

Correct answer

Ensures data protections, level of access permissions, and security measures.

Your answer is incorrect

Provides detailed recommendations on specific security controls to be included in the ISMS.

Overall explanation

OBJ: 5.1 - The owner's role is accountable for the data's security and compliance with the organization's strategic objectives. Providing detailed recommendations on specific security controls to be included in the ISMS is typically associated with specialized committees or the ISO/IEC 27002 standard, not directly with the owner. Outlining the purposes, conditions, and methods of personal data processing to comply with GDPR pertains to the controller role, not the owner. While the owner is responsible for the level of security, the actual implementation of encryption is usually handled by IT or security teams.

Domain

5.0 - Security Program Management and Oversight
264
Q

Question 84:

Samantha found her personal information on a marketing website that she had not used in years. She requested the website to remove her details, citing the "right to be forgotten" as defined in the GDPR. Under which circumstances might her request for data erasure be denied by the data controller?

Samantha consented to the processing and use of her personal data in the past.

The website has already taken steps to anonymize Samantha's personal data.

The data is necessary for the website to exercise the right of freedom of expression.

The personal data is no longer relevant to the original purposes for processing.

A

Samantha consented to the processing and use of her personal data in the past.

The website has already taken steps to anonymize Samantha's personal data.

Your answer is correct

The data is necessary for the website to exercise the right of freedom of expression.

The personal data is no longer relevant to the original purposes for processing.

Overall explanation

OBJ: 5.4 - "The data is necessary for the website to exercise the right of freedom of expression" could potentially be a legitimate ground for the website to refuse Samantha's request if they can demonstrate that the data in question is crucial for such purposes. Previous consent does not invalidate a request for erasure under the right to be forgotten, as individuals are allowed to withdraw their consent at any time under the GDPR. "The personal data is no longer relevant to the original purposes for processing" actually supports Samantha's request for erasure, as the GDPR stipulates that data should be deleted when it's no longer necessary for the purposes it was collected for. If Samantha's personal data had been anonymized, it would no longer be considered personal data under the GDPR, and the right to be forgotten would not apply.

Domain

5.0 - Security Program Management and Oversight
265
Q

Question 85:

Tara, a database specialist, is planning out the way in which data will be stored. She has decided to substitute the sensitive data with non-sensitive representations. The sensitive data and non-sensitive representation will be stored in a separate database. Which data security technique is likely being considered?

Hashing

Tokenization

Non-human readable

Obfuscation

A

Hashing

Correct answer

Tokenization

Your answer is incorrect

Non-human readable

Obfuscation

Overall explanation

OBJ 3.3: Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token and the data it substitutes are stored in a secure database. If the original data is needed, it can be accessed using the token and querying the database. The token will be a different size and have a different structure than the original data, so the token can’t be used to decipher the original data. Hashing is the process of converting an input of any length into a fixed-size string of text using a mathematical function. The process explained above doesn't indicate that a mathematical function is being used. Non-human-readable data refers to a form of data that needs a computer or special software to interpret. In the scenario provided, both sets of data are human-readable. Obfuscation is the hiding or camouflaging of information to prevent access to it. Obfuscation doesn't involve an additional database of linked sensitive and non-sensitive data.

Domain

3.0 - Security Architecture
266
Q

Question 86:

Kelly Innovations LLC wants to expand its infrastructure across multiple geographical locations with an extensive network. Which of the following solutions would be the BEST for their situation?

SD-WAN

IDS

EAP

Remote access

A

Correct answer

SD-WAN

IDS

EAP

Your answer is incorrect

Remote access

Overall explanation

OBJ 3.2: An SD-WAN is a virtual WAN architecture allowing enterprises to leverage any combination of transport services, making it ideal for the expansion of infrastructure across geographical locations with broad network requirements. Extensible Authentication Protocol (EAP) provides an authentication framework for wireless networks; it isn't primarily designed to cater for the extensive geographical expansion of network infrastructure. An Intrusion Detection System (IDS) primarily monitors the network for potential incidents and sends alerts, which doesn't directly relate to expanding infrastructure across different geographical locations. Remote access enables users to access systems or networks from a different location, but it doesn't primarily address the needs of an extensive geographic network infrastructure expansion.

Domain

3.0 - Security Architecture
267
Q

Question 87:

Grace, an IT technician, is nervous about only using the key encryption and hashed password storage system that is embedded on the company's devices. They would like to use an external system for storing such critical information. Which of the following is available as an external system?

Key management system

Secure enclave

Trusted Platform Module (TPM)

Hardware security module (HSM)

A

Key management system

Secure enclave

Trusted Platform Module (TPM)

Your answer is correct

Hardware security module (HSM)

Overall explanation

OBJ: 1.4 - An HSM is a physical computing device that safeguards and manages digital keys for strong authentication. It can be an external device or an expansion card. It is not embedded on the motherboard. A TPM is a hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication. It is embedded on device motherboards that use Windows operating systems. A key management system is a process used to ensure that keys are kept secure by establishing standards of security. It is a set of policy decisions, not a chip or device such as a TPM, HSM, or Secure Enclave. A secure enclave is a chip that is used only to secure encryption keys, hashes, and other important data. It is embedded in Apple devices.

Domain

1.0 - General Security Concepts
268
Q

Question 88:

Which of the following objectives is primarily fulfilled by using questionnaires during vendor assessments?

To establish the groundwork for future contractual negotiations.

To obtain detailed insights into the vendor’s security posture and risk management.

To assess the effectiveness of a vendor’s marketing and promotional tactics.

To facilitate a comparative analysis of the financial aspects of vendor proposals.

A

To establish the groundwork for future contractual negotiations.

Correct answer

To obtain detailed insights into the vendor’s security posture and risk management.

To assess the effectiveness of a vendor’s marketing and promotional tactics.

Your answer is incorrect

To facilitate a comparative analysis of the financial aspects of vendor proposals.

Overall explanation

OBJ: 5.3 - Obtaining detailed insights into the vendor’s security posture and risk management is the primary goal of a questionnaire in the vendor assessment process, ensuring that the organization can ascertain the vendor's adherence to security policies, disaster recovery plans, and compliance with regulations. Evaluating marketing strategies is not the purpose of security questionnaires; these tools are meant to delve into the vendor's security controls and procedures to manage and mitigate risks. While financial considerations are important in vendor assessments, the questionnaires are tailored to extract security-related information rather than to compare costs directly. Contract negotiations indeed require understanding of a vendor's practices, but questionnaires are specifically employed to gain a comprehensive understanding of their security and risk management, not as a basis for contract terms.

Domain

5.0 - Security Program Management and Oversight
269
Q

Question 89:

Within Dion Training's security infrastructure, which of the following components is MOST responsible for ensuring that data flow adheres to the organization's security policies before allowing or denying access?

Policy engine

Intrusion detection system (IDS)

Policy administrator

Policy Enforcement Point

A

Policy engine

Intrusion detection system (IDS)

Policy administrator

Your answer is correct

Policy Enforcement Point

Overall explanation

OBJ: 1.2 - The policy enforcement point is responsible for enforcing the access control decisions made by the policy engine. The policy administrator is responsible for defining and managing the access control policies used by the policy engine. The policy engine is responsible for making access control decisions based on pre-defined policies and contextual information about the subject/system. An intrusion detection system (IDS) primarily focuses on detecting suspicious activities or potential breaches within a network by monitoring network traffic. While it plays a vital role in a security infrastructure, it does not enforce policies directly like a Policy Enforcement Point would. Instead, its function is to alert administrators about potential threats.

Domain

1.0 - General Security Concepts
270
Q

Question 90:

Things have not been going well at Massive Dynamics, a cloud provider. They had been using a governance structure where diverse groups of employees worked together to make decisions and implement policies. However, this structure has led to a confusing mix of policies and, most importantly, a confused security strategy. Following a massive data breach, the Massive Dynamics CEO has restructured the company. Decision making and policy implementation will now be in the hands of a group of experienced individuals from outside the company. This group will work with the CEO to set policies and make decisions. What governance structure does Massive Dynamics now have?

Board

Centralized

Committee

Government

A

Correct answer

Board

Your answer is incorrect

Centralized

Committee

Government

Overall explanation

OBJ: 5.1 - The Board of Directors, also known as the Board, is responsible for overseeing the overall direction and governance of the organization. Part of their responsibility includes setting and approving the organization's security strategy, ensuring it aligns with the business objectives, and providing guidance to ensure effective security measures are in place. A government entity is a governmental organization or agency that may have regulatory oversight over specific industries or sectors. While they may provide guidelines or regulations related to security, they are not directly responsible for overseeing the internal security strategy of a private organization like SecureTech Solutions. A centralized entity refers to a single centralized authority within an organization responsible for making decisions and implementing policies. While this concept can be applied to certain aspects of security management, it is not the primary entity responsible for overseeing the organization's security strategy. A committee is a group of individuals assigned specific tasks or responsibilities within an organization. While committees may play a role in executing certain security initiatives, they are not primarily responsible for overseeing the organization's security strategy at a higher level.

Domain

5.0 - Security Program Management and Oversight
271
Q

Question 1:

Jeanette just bought a new refrigerator. It has the ability to monitor foods that she is running low on and place them on her phone's grocery list app. What is this particular refrigerator an example of?

IoT

Serverless technology

Embedded system

ICS

A

Correct answer

IoT

Serverless technology

Embedded system

Your answer is incorrect

ICS

Overall explanation

OBJ: 3.1 - IoT stands for Internet of Things, which is a network of physical devices that can communicate and exchange data over the internet, such as smart appliances, sensors, or wearables. IoT devices can offer convenience, efficiency, and automation, but they also pose security risks, such as data breaches, unauthorized access, or malware infections. Industrial control systems (ICS) are systems that monitor and control industrial processes, such as power generation, water treatment, or manufacturing. They are not necessarily connected to the internet or part of an IoT network for the use cases provided. Serverless is an architecture model that involves running code without provisioning or managing servers, which is not a function of the example provided. Embedded systems are computer systems that are integrated into larger devices or machines, such as cars, medical devices, or cameras. They are not necessarily connected to the internet or part of an IoT network.

Domain

3.0 - Security Architecture
272
Q

Question 2:

What method of data backup involves routinely creating an exact copy of all data as a safeguard against loss or damage?

Load balancing

Data replication

Incremental backup

Differential backup

A

Load balancing

Correct answer

Data replication

Incremental backup

Your answer is incorrect

Differential backup

Overall explanation

OBJ 3.4: Replication involves making routine copies of data, which ensures data safety and helps in quick recovery if original data is lost or damaged. Incremental backups don't make copies of all data. They select only files that have been changed since the last full or incremental backup. Differential backups don't make copies of all data; they select only files that have been changed since the last full backup. Load balancing does not involve creating data copies for backup purposes; it is about evenly distributing workloads across multiple resources.

Domain

3.0 - Security Architecture
273
Q

Question 3:

An organization's IT department is drafting an access control policy. Which of the following BEST describes the goal of such a policy?

To dictate the types of passwords users must set for their accounts.

To manage who or what is allowed to access company resources.

To detail the company's software update protocols.

To describe the organization's hiring and onboarding procedures.

A

To dictate the types of passwords users must set for their accounts.

Correct answer

To manage who or what is allowed to access company resources.

To detail the company's software update protocols.

Your answer is incorrect

To describe the organization's hiring and onboarding procedures.

Overall explanation

OBJ: 5.1 - At its core, an access control policy seeks to manage and regulate access to the organization's resources based on roles, responsibilities, and requirements. While password requirements might be a component of some access control policies, the primary aim is broader than just password rules. Describing the organization's hiring and onboarding procedures typically falls under HR policies rather than access control, which focuses on resource access. Software update protocols would more likely be under a patch management or IT maintenance policy, not specifically access control.

Domain

5.0 - Security Program Management and Oversight
274
Q

Question 4:

Which of the following BEST explains the difference between CVSS and CVE in the context of vulnerability management?

CVSS is a list of unique identifiers for publicly known vulnerabilities, while CVE is a scoring system used to rate the severity of vulnerabilities

CVSS is an international database for storing hardware, software, and data asset information, while CVE is a security protocol used for mitigating known vulnerabilities

CVSS is a government organization responsible for tracking and managing vulnerabilities, while CVE is a metric used to quantify the potential impact of a vulnerability

CVSS provides a standardized system for rating vulnerabilities, while CVE is a database for storing known vulnerabilities

A

CVSS is a list of unique identifiers for publicly known vulnerabilities, while CVE is a scoring system used to rate the severity of vulnerabilities

CVSS is an international database for storing hardware, software, and data asset information, while CVE is a security protocol used for mitigating known vulnerabilities

Your answer is incorrect

CVSS is a government organization responsible for tracking and managing vulnerabilities, while CVE is a metric used to quantify the potential impact of a vulnerability

Correct answer

CVSS provides a standardized system for rating vulnerabilities, while CVE is a database for storing known vulnerabilities

Overall explanation

OBJ 4.3: CVSS stands for Common Vulnerability Scoring System and is used to rate the severity of vulnerabilities based on specific criteria. On the other hand, CVE refers to Common Vulnerabilities and Exposures, which is a database of publicly known vulnerabilities identified by unique identifiers. The combination of CVSS and CVE facilitates effective hardware, software, and data asset management by providing standardized severity ratings and easy reference to known vulnerabilities. CVSS is not a government organization but rather a scoring system for rating vulnerabilities. Similarly, CVE is not a metric used to quantify the potential impact of a vulnerability but rather a system to assign unique identifiers to publicly known vulnerabilities. CVSS is not an international database for storing asset information but a scoring system for vulnerability severity. Similarly, CVE is not a security protocol for mitigating vulnerabilities but rather a database for tracking known vulnerabilities. CVSS is not a list of unique identifiers; instead, it is a scoring system used to rate the severity of vulnerabilities. CVE, on the other hand, refers to a database of known vulnerabilities with unique identifiers.

Domain

4.0 - Security Operations
275
Question 5: Sasha's company is using a database system that has been discontinued and is no longer receiving security updates from its vendor. Which of the following BEST describes this vulnerability that the company should mitigate?

Legacy platform
Deprecated system
Outdated firmware
End-of-life hardware

Correct answer: Legacy platform

Overall explanation
OBJ: 2.3 - A legacy platform is one that is no longer supported with security patches by its developer or vendor, which leaves it exposed to any vulnerability discovered from that point on, because there is no patch to apply. Outdated firmware refers specifically to the software embedded within hardware devices, not to broader systems such as databases or applications. "Deprecated" means a system is no longer recommended for use; it does not necessarily mean the developer or vendor has stopped supporting it. End-of-life hardware describes a physical product the vendor no longer supports or replaces, whereas the scenario concerns a database, which is software.

For support or reporting issues, include Question ID: 6527ce82dcb87516d1b088e7 in your ticket. Thank you.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
276
Question 6: At the corporate headquarters of a multinational company, the IT helpdesk has been flooded with calls since early morning. A significant number of employees from various departments found themselves locked out of their workstations when they tried to log in. The security system indicated multiple incorrect login attempts for these users, triggering automatic lockouts. Upon reviewing the CCTV footage from the previous night, security personnel did not notice any unauthorized physical presence in the office. Which of the following types of malicious activities is the MOST plausible explanation for this widespread issue?

Brute force
Malware infection
Environmental attack
RFID cloning

Correct answer: Brute force

Overall explanation
OBJ: 2.4 - A brute force attack involves systematically attempting password guesses until the correct one is found. The mass lockout caused by numerous incorrect login attempts against many accounts, with no physical intrusion, points to a brute force attack on the company's user accounts. When the failed attempts are spread thinly across many accounts rather than concentrated on one, the brute-force variant is password spraying; the source addresses in the authentication logs, not the CCTV, are where the investigation continues. While malware can pose various threats, a burst of incorrect login attempts across many different user accounts is not its usual modus operandi. RFID cloning involves duplicating RFID data to gain unauthorized physical access; it does not produce failed logins on workstations. An environmental attack targets the physical environment of systems (power, cooling, and the like) and does not match the pattern of failed logins either.

For support or reporting issues, include Question ID: 65296cda6fb1e3052b30921b in your ticket. Thank you.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
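The lockout pattern in this scenario is what an analyst would look for in the authentication logs. The following is an added example, not part of the question bank: it reads OpenSSH-style "Failed password" lines (the log lines, hostname, usernames and addresses are constructed for the illustration) and separates a spray, one source touching many accounts with a few guesses each, from a classic brute force concentrated on one account.

```python
"""Flag brute-force and password-spraying sources in failed-login logs.

Added example for the lockout scenario above; it is not part of the
question bank. The log is constructed in OpenSSH's
"Failed password for USER from IP" style with made-up names and addresses.
"""
import re
from collections import defaultdict


def _line(ts, user, src, port, result="Failed"):
    return f"Mar  4 {ts} hq-jump sshd[4120]: {result} password for {user} from {src} port {port} ssh2"


# Constructed sample: 203.0.113.9 sprays three guesses at each of four accounts,
# 10.0.0.23 is a user who mistyped once, 198.51.100.7 hammers root.
SAMPLE_LOG = "\n".join(
    [_line(f"02:11:{5 + i * 3 + j:02d}", user, "203.0.113.9", 51000 + i * 10 + j)
     for i, user in enumerate(["jamario", "sasha", "reed", "susan"]) for j in range(3)]
    + [_line("08:02:41", "david", "10.0.0.23", 40012),
       _line("08:02:50", "david", "10.0.0.23", 40012, "Accepted")]
    + [_line(f"09:30:{i:02d}", "root", "198.51.100.7", 33000 + i) for i in range(12)]
)

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def failures_by_source(log_text):
    """Return {src_ip: {"attempts": n, "accounts": {user, ...}}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[m["src"]]
        entry["attempts"] += 1
        entry["accounts"].add(m["user"])
    return dict(stats)


def flag_sources(log_text, min_accounts=3, min_attempts=8):
    """Label suspicious sources.

    'password-spray': many accounts, at most a few guesses each (the pattern that
    locks out a whole office without tripping per-account thresholds early).
    'brute-force': many guesses concentrated on one or two accounts.
    """
    flagged = {}
    for src, s in failures_by_source(log_text).items():
        n_accounts = len(s["accounts"])
        if n_accounts >= min_accounts and s["attempts"] / n_accounts <= 3:
            flagged[src] = "password-spray"
        elif s["attempts"] >= min_attempts:
            flagged[src] = "brute-force"
    return flagged


def locked_out_accounts(log_text, lockout_threshold=3):
    """Accounts whose failure count reached the lockout threshold, from any source."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["user"]] += 1
    return sorted(u for u, c in counts.items() if c >= lockout_threshold)


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
    print(locked_out_accounts(SAMPLE_LOG))
```

The ratio test in flag_sources is the point of the example: per-account lockout counters alone never see the spraying source, because it stays under the threshold on every account, so detection has to pivot on the source address.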
277
Question 7: Crusty Crabbypatties is concerned about email security, as they have experienced many instances of email attacks. To improve email security, the organization decided to implement DKIM for its email infrastructure. Which of the following choices BEST explains the significance of implementing DKIM in the given scenario?

DKIM automatically encrypts email messages, ensuring that sensitive information remains confidential during transit
DKIM blocks spam and malicious emails from reaching the recipients, reducing the risk of phishing attacks
DKIM provides real-time tracking and reporting of email delivery, allowing administrators to monitor email traffic
DKIM validates the integrity of email messages, verifying that they have not been altered or tampered with during transmission

Correct answer: DKIM validates the integrity of email messages, verifying that they have not been altered or tampered with during transmission

Overall explanation
OBJ 4.5: DomainKeys Identified Mail (DKIM) adds a DKIM-Signature header carrying a digital signature over selected headers and a hash of the message body. The receiving mail server fetches the signing domain's public key from DNS and checks the signature, so it can tell that the message has not been altered since it was signed and that it was signed by the domain that claims to have sent it. That is what defeats tampering and impersonation of the domain. DKIM does not encrypt messages, does not block spam, and does not provide delivery tracking or reporting; its purpose is message integrity and domain authentication.

For support or reporting issues, include Question ID: 64c09df9793730bebcdcb1b8 in your ticket. Thank you.

Domain
4.0 - Security Operations
278
Question 8: In the CVSS metric framework, which determines if the attacker must rely on user interaction, like a user opening a malicious email attachment, for successful exploitation?

UI
PR
AC
AV

Correct answer: UI

Overall explanation
OBJ 4.3: The UI (User Interaction) metric specifies whether an attack can be executed solely by the attacker or whether it requires a user to take some action for it to succeed. The AC (Attack Complexity) metric describes the conditions outside the attacker's control that must be met for an exploit to work, but it does not revolve around user behavior. The PR (Privileges Required) metric measures the level of privileges an attacker must already hold to exploit the vulnerability, not user interaction. AV (Attack Vector) specifies the context of the exploit, such as network, adjacent, local or physical, rather than user involvement.

For support or reporting issues, include Question ID: 6542d54ee26be93f8a8f5870 in your ticket. Thank you.

Domain
4.0 - Security Operations
279
Question 9: You are working as a web developer and you need to test some code on your local server. You open a web browser and type in http://localhost:8080/ in the address bar. However, instead of seeing your local website, you see a message that says “Hacked by Anonymous”. What type of vulnerability is most likely the cause of this?

Unsupported systems and applications
Default credentials
Open service ports
Watering Hole

Correct answer: Open service ports

Overall explanation
OBJ: 2.2 - Open service ports are ports that are listening for incoming connections from other systems or devices. Every open port exposes a service, and that service may have vulnerabilities or allow unauthorized access to the system. In this case the development web server on port 8080 was reachable from beyond the developer's own machine (a common cause is binding the server to all interfaces rather than to 127.0.0.1 only), and a remote attacker reached it and replaced the content. Unsupported systems and applications are those no longer receiving security updates or patches from their developers; they may have exploitable vulnerabilities, but nothing in the scenario says the server is unsupported. A watering hole attack compromises a legitimate website frequented by a specific group of users in order to infect those users when they visit; here the developer's own server was altered, not a third-party site. Default credentials are vendor-set usernames and passwords that attackers can easily guess; the scenario gives no indication that a login was involved.

For support or reporting issues, include Question ID: 64ba1e9bf40009f7ec301d3f in your ticket. Thank you.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
280
Question 10: Reed, an employee at Dion Training, is angry about not receiving a promotion. He has decided to leave the company, but before he does, he applies a password to a number of important documents so that the company will not be able to easily access the documents. Which of the following terms BEST describes Reed's motivation?

Espionage
Disruption
Financial Gain
Exfiltration

Correct answer: Disruption

Overall explanation
OBJ: 2.1 - Reed's actions are designed to create disruption. The password protection will likely be removed or cracked eventually, but until then the company cannot use its documents, which is exactly the effect he wants. Espionage is mostly conducted by nation-state actors, and although businesses sometimes use it to gain a marketplace advantage, there is no indication that Reed is passing the documents to anyone. Financial gain and exfiltration do not fit either: nothing is stolen, sold or copied out of the company; the documents are simply made unavailable.

For support or reporting issues, include Question ID: 65231e4da252d0971d755b2d in your ticket. Thank you.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
281
Question 11: Which type of encryption can be used to encrypt only specific folders?

Full-disk encryption
Partition encryption
File-level encryption
Volume encryption

Correct answer: File-level encryption

Overall explanation
OBJ: 1.4 - File-level encryption is applied to individual files and folders, so it is the only option that can protect a selected set of folders while leaving the rest of the disk in the clear. Partition encryption encrypts a specific partition on a storage device, not individual files or folders. Full-disk encryption encrypts the entire disk, not just individual files or folders. Volume encryption encrypts a defined, formatted block of storage, which may span multiple partitions, again not individual files or folders.

For support or reporting issues, include Question ID: 64c27e8e216b86411ab101c9 in your ticket. Thank you.

Domain
1.0 - General Security Concepts
282
Question 12: Zenith Solutions is in the process of finalizing a contract with a potential vendor to provide IT services. As part of its security requirements, Zenith wants to conduct periodic security assessments on the vendor's systems and networks to ensure compliance and identify potential vulnerabilities. Which clause in the vendor contract allows Zenith to perform security assessments on the vendor's systems and networks?

Right-to-audit clause
Evidence of internal audits
Independent assessments
Supply chain analysis

Correct answer: Right-to-audit clause

Overall explanation
OBJ: 5.3 - The right-to-audit clause in a vendor contract grants Zenith the authority to conduct audits and assessments of the vendor's security controls and practices, so Zenith can verify the vendor's compliance with its security requirements and industry standards. Independent assessments involve engaging a third-party security firm or auditor to evaluate the vendor's security posture; while related to security assessments, this option does not name the contract clause that gives Zenith the right to perform assessments itself. Supply chain analysis evaluates the security risks associated with the vendor's own supply chain and third-party vendors; it is important for overall risk, but it is not the clause that allows Zenith to assess the vendor's systems and networks. Evidence of internal audits is documentation the vendor provides showing the results of its own internal security assessments; useful to Zenith, but it grants Zenith no authority to conduct its own assessments.

For support or reporting issues, include Question ID: 64bb42f548f9d4fbc1cdd40d in your ticket. Thank you.

Domain
5.0 - Security Program Management and Oversight
283
Question 13: You are a cybersecurity analyst working for a software development company that develops mobile applications. The company wants to implement a secure and standardized method for users to grant third-party applications access to their account data without sharing their credentials. As a cybersecurity analyst, you recommend implementing OAuth for this purpose. Which of the following approaches would be the MOST effective way to implement OAuth in the given scenario?

Generating random access tokens for users and sharing them directly with third-party applications for data access
Requesting users to share their account credentials directly with third-party applications for data access
Implementing a central OAuth authorization server to handle user authentication and issue access tokens to third-party applications
Providing third-party applications with unrestricted access to user account data without authentication or authorization

Correct answer: Implementing a central OAuth authorization server to handle user authentication and issue access tokens to third-party applications

Overall explanation
OBJ 4.6: A central OAuth authorization server provides secure, standardized access to user account data by acting as an intermediary: it authenticates the user, records the user's consent, and issues scoped access tokens to authorized applications. This lets users delegate limited access without ever handing their credentials to the third party. Access tokens should be issued by the authorization server as part of this flow, not generated and shared directly with third-party applications outside of it. Unrestricted access to account data without authentication or authorization is insecure and violates basic access management principles. Asking users to share their account credentials with third-party applications defeats the purpose of OAuth, which exists precisely so that applications only receive the access they need, reducing the risk of unauthorized access.

For support or reporting issues, include Question ID: 64c12c7a6d5d20b6d8a8cbbd in your ticket. Thank you.

Domain
4.0 - Security Operations
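The authorization-server role described above is easiest to understand by watching the code and token exchange happen. The following is an added example, not the question bank's code and not any particular vendor's implementation: an in-process model of the OAuth 2.0 authorization-code flow with PKCE (the mechanism a mobile app uses because it cannot keep a client secret). There is no HTTP; the client ID, redirect URI, scope and user name are placeholders, and the checks in token() are the ones that stop a stolen code from being redeemed by someone else.

```python
"""OAuth 2.0 authorization-code flow with PKCE, modelled in-process.

Added example; not the exam's code and not a real library. The client ID,
redirect URI, scope and user are placeholders. The authorization server is
a class so the issuance rules can be exercised offline.
"""
import base64
import hashlib
import secrets
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Random verifier the client keeps to itself (43 chars, within 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge sent with the authorization request: BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> {"redirect_uris": [...]}
        self.codes = {}     # authorization code -> pending grant
        self.tokens = {}    # access token -> issued grant

    def register_client(self, client_id, redirect_uris):
        self.clients[client_id] = {"redirect_uris": list(redirect_uris)}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user):
        """Front channel: the user has logged in here and consented to `scope`.
        Issue a short-lived, one-time code bound to client, redirect URI and challenge."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "challenge": code_challenge,
                            "user": user, "expires": time.time() + 60}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Back channel: swap the code for an access token; the caller must prove
        it holds the verifier that produced the challenge (PKCE)."""
        grant = self.codes.pop(code, None)           # one-time use, even on failure
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect")
        if not secrets.compare_digest(code_challenge_s256(code_verifier), grant["challenge"]):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"],
                              "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, token):
        """What a resource server asks before serving data: is this token live,
        for which user, and for what scope?"""
        t = self.tokens.get(token)
        if t is None or t["expires"] < time.time():
            return {"active": False}
        return {"active": True, "user": t["user"], "scope": t["scope"]}


def demo():
    """Run the whole flow and return the introspection result for the token."""
    auth = AuthorizationServer()
    auth.register_client("mobile-app", ["com.example.app:/callback"])
    verifier = make_code_verifier()                       # app keeps this
    code = auth.authorize("mobile-app", "com.example.app:/callback", "contacts.read",
                          code_challenge_s256(verifier), user="susan")
    resp = auth.token("mobile-app", "com.example.app:/callback", code, verifier)
    return auth.introspect(resp["access_token"])


if __name__ == "__main__":
    print(demo())
```

Note what the third-party app never sees: the user's password. It sees a code, proves possession of its own verifier, and receives a bearer token limited to the consented scope, which the resource server can later introspect or revoke.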
284
Question 14: Which email security mechanism allows organizations to define a policy on how to handle emails that fail other security checks and also provides a way for senders to receive feedback about such messages?

DKIM
SPF
DMARC
IMAP

Correct answer: DMARC

Overall explanation
OBJ 4.5: DMARC (Domain-based Message Authentication, Reporting, and Conformance) lets a domain owner publish, in a DNS TXT record, a policy (p=none, quarantine or reject) telling receivers what to do with messages that fail SPF or DKIM, or whose passing result is not aligned with the From: domain, and a reporting address (rua/ruf) to which receivers send aggregate and failure reports, which is how the sending organization learns who is failing and why. SPF (Sender Policy Framework) lets domain owners list which mail servers may send mail for them, but it provides no handling policy and no feedback mechanism for failed checks. DKIM (DomainKeys Identified Mail) authenticates messages with cryptographic signatures but likewise defines no policy and sends no reports for messages that fail. IMAP (Internet Message Access Protocol) is the protocol clients use to retrieve mail from a server and has nothing to do with handling policies or feedback.

For support or reporting issues, include Question ID: 65433a85263aeb5dbf217243 in your ticket. Thank you.

Domain
4.0 - Security Operations
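The DKIM integrity check from Question 7 and the DMARC policy decision from Question 14 fit in one worked example, added here and not taken from the question bank. It shows the body-hash (bh=) half of DKIM, with RFC 6376 "simple" body canonicalization, so that any edit to the body is detected, and then the DMARC logic a receiver applies: a pass requires SPF or DKIM to pass and to be aligned with the From: domain; otherwise the published p= action applies. The DNS lookup, the RSA signature over the headers and the Public Suffix List are left out, so org_domain() is a deliberate simplification; the message, domains and DMARC record are constructed.

```python
"""DKIM body-hash check and DMARC disposition logic (added example).

Not the question bank's code. Only the DKIM bh= step is implemented
(RFC 6376 'simple' body canonicalization plus SHA-256); signature
verification, DNS lookups and the Public Suffix List are omitted, so
org_domain() is a simplification. The message, domains and DMARC record
below are constructed for the illustration.
"""
import base64
import hashlib


def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization: CRLF line endings, all empty lines at
    the end of the body removed, exactly one CRLF left at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def dkim_body_hash(body: str) -> str:
    """The bh= value a signer puts in DKIM-Signature."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode("ascii")


def dkim_body_intact(body: str, bh_tag: str) -> bool:
    """Receiver side: recompute bh= from the body as received and compare."""
    return dkim_body_hash(body) == bh_tag


def parse_dmarc_record(txt: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s; rua=mailto:...' -> {'v': ..., 'p': ..., ...}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any subdomain of the same organisational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, record_txt, spf_result, spf_domain, dkim_result, dkim_domain):
    """'pass' if SPF or DKIM passed AND is aligned with From:, else the p= action."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed message and policy for the demonstration.
ORIGINAL_BODY = "Hi Sasha,\r\n\r\nPlease approve the attached invoice today.\r\n\r\nThanks\r\n\r\n"
TAMPERED_BODY = "Hi Sasha,\r\n\r\nPlease approve the attached invoice today; new bank details attached.\r\n\r\nThanks\r\n"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@crustycrab.example"

if __name__ == "__main__":
    bh = dkim_body_hash(ORIGINAL_BODY)
    print("original intact:", dkim_body_intact(ORIGINAL_BODY, bh))
    print("tampered intact:", dkim_body_intact(TAMPERED_BODY, bh))
    print("spoof with attacker's own DKIM key:",
          dmarc_disposition("crustycrab.example", DMARC_RECORD,
                            "fail", "mail.attacker.example", "pass", "attacker.example"))
```

The second print is the case DMARC was designed for: an attacker can always DKIM-sign a forgery with their own domain's key, and the signature verifies; it is the alignment check against the visible From: domain, combined with p=reject, that causes the receiver to discard it.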
285
Question 15: Enrique, a cybersecurity consultant for Dion Training, is guiding David through the deployment of a secure baseline for their new cloud infrastructure. David wants to ensure that every virtual machine has the same set of security configurations when launched. What would be Enrique's BEST advice?

Use public VM images purchased from the cloud marketplace
Implement a golden image with pre-configured security settings for VM deployment
Have the security team set each VM manually with desired security configurations
Use cloud service defaults and not allow any modification

Correct answer: Implement a golden image with pre-configured security settings for VM deployment

Overall explanation
OBJ 4.1: A golden image is a hardened, pre-configured template from which every VM is deployed, so each instance starts from the same known-good configuration and the baseline is applied consistently and quickly. Cloud service defaults are generic and may not be tailored to the organization's security needs. Public marketplace images may not be updated or secured to the organization's standards. Having the security team configure each VM manually might get every VM configured eventually, but it is time-consuming and prone to human error and drift.

For support or reporting issues, include Question ID: 652f30b67d7a95707741eaad in your ticket. Thank you.

Domain
4.0 - Security Operations
286
Question 16: Which of the following statements BEST explains the importance of a tabletop exercise in the incident response process?

Tabletop exercises are interactive discussions and role-playing exercises used to test and improve incident response plans and team coordination
Tabletop exercises are physical simulations used to physically practice incident response procedures in real-world scenarios
Tabletop exercises are formal meetings where incident response team members discuss their favorite strategies for handling incidents
Tabletop exercises are hands-on drills that involve directly confronting live cybersecurity threats and attacks in a controlled environment

Correct answer: Tabletop exercises are interactive discussions and role-playing exercises used to test and improve incident response plans and team coordination

Overall explanation
OBJ 4.8: Tabletop exercises are interactive discussions and role-playing exercises used to test and improve incident response plans and team coordination. Participants walk through the steps they would take in response to a given incident scenario, identify weaknesses in the response plan, and practice their decision-making and communication. This lets the incident response team improve its preparedness without the risks of a live attack. Tabletop exercises are not physical simulations in which procedures are practiced on real systems; they are discussion-based. They are not about personal preferences or favorite strategies; they test and improve the plan and the team's coordination. And they do not involve confronting live threats; the scenario is simulated so that responses can be discussed and practiced in a controlled, safe setting.

For support or reporting issues, include Question ID: 64c15f61e86d2721bec33fb4 in your ticket. Thank you.

Domain
4.0 - Security Operations
287
Question 17: Travid is evaluating an attack that has occurred on his organization's system. He sees that the attacker entered a lot of data into the area of memory in the API that temporarily stores user input. What type of attack did Travid discover?

Buffer underflow
Memory leak
Memory fragmentation
Buffer overflow

Correct answer: Buffer overflow

Overall explanation
OBJ: 2.3 - A buffer overflow is a memory corruption that occurs when a program writes more data than the allocated buffer (the area of memory set aside to temporarily hold input) can hold, so the excess overwrites adjacent memory. It can lead to crashes, arbitrary code execution, or privilege escalation. Memory fragmentation occurs when a program allocates and frees memory in an irregular way, dividing the available memory into small, non-contiguous blocks; it causes wasted memory, allocation failures, or reduced performance rather than corruption. A memory leak occurs when a program fails to release memory it has allocated, so its memory use grows over time, leading to performance degradation, resource exhaustion, or out-of-memory errors. A buffer underflow occurs when a program reads or writes before the start of a buffer, or reads more than the buffer actually contains, touching memory it should not; it can lead to crashes, data leakage, or undefined behavior, but it is not what "entered a lot of data" describes.

For support or reporting issues, include Question ID: 64bc4639dc603a642627e834 in your ticket. Thank you.

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
288
Question 18: Susan, a systems administrator at Kelly Innovations LLC, is collaborating with David, the security expert. They plan to implement a standard security configuration across all workstations. Part of their strategy involves preventing unauthorized alterations to core system files. Which specific technique are they using to enhance their secure baseline?

Restricting registry editing capabilities
Implementing stricter firewall rules
Enabling antivirus auto-updates
Mandating regular password changes

Correct answer: Restricting registry editing capabilities

Overall explanation
OBJ 4.1: By limiting who can edit the system registry, Susan and David prevent unauthorized modifications to core configuration and uphold their secure baseline. Regular password changes concern user authentication and do not prevent changes to system files. Enabling antivirus auto-updates is vital for defending against malware, but it does not specifically stop alterations to system files. Firewalls control network traffic and are not aimed at protecting core system files from alteration.

For support or reporting issues, include Question ID: 652f2d5a2da211fe4dd8a225 in your ticket. Thank you.

Domain
4.0 - Security Operations
289
Question 19: When Dion Training is considering the deployment of a microservices architecture, which of the following factors is crucial to ensuring that the system can handle growth and increased demand efficiently?

Availability
Responsiveness
Ease of Recovery
Scalability

Correct answer: Scalability

Overall explanation
OBJ: 3.1 - Scalability is the property that lets a microservices architecture handle growth and increased demand efficiently, since individual services can be scaled out as load rises while performance and resource use stay under control. Responsiveness matters for user experience, but it does not measure the system's ability to absorb growth. Ease of recovery is vital for resilience, but it does not address capacity under increased load. High availability keeps the system accessible; scalability is what allows it to accommodate more users or workloads as it grows.

For support or reporting issues, include Question ID: 65170ac51796470bb3cfdf6c in your ticket. Thank you.

Domain
3.0 - Security Architecture
290
Question 20: Which of the following is a process that emphasizes the tracking and analysis of an organization's critical systems and components to make informed decisions and achieve business goals?

Asset management
IP schema planning
Naming conventions
RFID tracking

Correct answer: Asset management

Overall explanation
OBJ 4.2: An asset management process keeps an inventory of all critical systems and components in an organization, allowing personnel to make informed decisions in pursuit of business objectives. It often involves software suites and hardware solutions, and the data stored typically includes type, model, serial number, location, and more. IP schema planning is the structured planning and documentation of the IP address space into subnets; it aims for consistent addressing, aids firewall ACL design, and keeps configuration errors to a minimum. RFID tracking uses tags programmed with asset data and scanners that update an asset's location; it serves theft prevention and real-time location rather than holistic asset management. Standard naming conventions provide a more consistent environment, making errors easier to spot and automation simpler, but they do not cover the broad range of tasks under asset management.

For support or reporting issues, include Question ID: 651dc77383d6528aa5c011f2 in your ticket. Thank you.

Domain
4.0 - Security Operations
291
Question 21: Ella works as an analyst for a company located in the United States. The company does business in Canada and is planning on conducting a survey of Canadian consumers. As she investigates plans for the survey, she discovers there are restrictions on how the data the survey collects is stored and used. What is this an example of?

Data classifications
Data states
Geolocation
Data sovereignty

Correct answer: Data sovereignty

Overall explanation
OBJ 3.3: Data sovereignty is the concept that data is subject to the laws of the country in which it is collected, and those laws control how the data may be used, processed, and stored. Countries may regulate information collected within their borders, and they may also regulate how businesses store and use personally identifiable information about their citizens even when the business is located elsewhere. For example, a business collecting information about citizens of the European Union (EU) must obey the EU's laws on the storage, use, and processing of that data. Geolocation restrictions deny access when a request comes from outside an allowed region; they do not concern where data is stored or processed. Data classifications describe the sensitivity level of data, such as confidential, secret, or restricted, and are not concerned with a country's laws. Data states are the stages of the data lifecycle: data in use, data at rest, and data in transit.

For support or reporting issues, include Question ID: 64c18a58f6d924de7903696f in your ticket. Thank you.

Domain
3.0 - Security Architecture
292
Question 22: At Dion Training Solutions, Susan needs to allow only Jamario and Sasha to access the company's internal web application on port 8080. Jamario has an IP of 10.0.0.5, and Sasha has an IP of 10.0.0.6. After the configuration, Reed, with an IP of 10.0.0.7, is still able to access the application. Which of the following access list entries could have caused this?

permit tcp any host 10.0.0.0 0.0.0.255 eq 8080
deny tcp host 10.0.0.7 eq 8080 any
permit tcp host 10.0.0.6 eq 8080 any
permit tcp host 10.0.0.5 eq 8080 any

Correct answer: permit tcp any host 10.0.0.0 0.0.0.255 eq 8080

Overall explanation
OBJ 4.5: The entry 'permit tcp any host 10.0.0.0 0.0.0.255 eq 8080' is the cause. The wildcard mask 0.0.0.255 matches every address in 10.0.0.0/24, so the entry permits Reed's 10.0.0.7, and every other host in the subnet, to reach port 8080, not just Jamario and Sasha. 'permit tcp host 10.0.0.6 eq 8080 any' and 'permit tcp host 10.0.0.5 eq 8080 any' each match a single host, Sasha and Jamario respectively, so neither lets Reed through. 'deny tcp host 10.0.0.7 eq 8080 any' blocks Reed; if he can still connect, a permit entry earlier in the list must be matching first, because an access list is evaluated top to bottom and processing stops at the first match. Note that the entries are written loosely: in Cisco IOS syntax 'host' takes a single address and is never combined with a wildcard mask, and an 'eq 8080' placed directly after the source address matches the source port rather than the destination port, so the rule Susan intended would be written along the lines of 'permit tcp host 10.0.0.5 any eq 8080'.

For support or reporting issues, include Question ID: 65431c5aede28e8696a1675b in your ticket. Thank you.

Domain
4.0 - Security Operations
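Wildcard-mask matching and first-match evaluation are what decide this question, and both can be modelled in a few lines. The block below is an added example, not the question bank's code and not a Cisco tool: it parses the IOS extended-ACL subset used here (permit|deny tcp SRC [eq PORT] DST [eq PORT], where an address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD') and evaluates packets against it. The entries are rewritten in well-formed IOS syntax with the port qualifier after the destination; the web server address 10.0.0.50, the client source ports and the ordering of the misconfigured list are constructed for the illustration.

```python
"""First-match evaluation of Cisco-style extended ACL entries (added example).

Not the question bank's code and not a vendor tool. Handles the subset
  permit|deny tcp SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. The server
address 10.0.0.50, client source ports and list ordering are constructed.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Return ((address, wildcard), next_index). A set bit in the wildcard
    means 'don't care': 0.0.0.0 matches one host, 0.0.0.255 a whole /24."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad access-list entry: {line!r}")
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, ip_text):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # bits that must be equal
    return (_ip(ip_text) & care) == (addr & care)


def ace_matches(ace, pkt):
    return (ace["proto"] == pkt["proto"]
            and _addr_match(ace["src"], pkt["src"])
            and (ace["sport"] is None or ace["sport"] == pkt["sport"])
            and _addr_match(ace["dst"], pkt["dst"])
            and (ace["dport"] is None or ace["dport"] == pkt["dport"]))


def evaluate(acl, pkt):
    """Return (action, entry). Evaluation stops at the first matching entry;
    a packet that matches nothing hits the implicit deny at the end."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny"


def packet(src, dst="10.0.0.50", sport=51515, dport=8080, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Misconfigured list: the /24 wildcard entry sits first and matches Reed.
ACL_AS_CONFIGURED = [
    "permit tcp 10.0.0.0 0.0.0.255 any eq 8080",
    "deny tcp host 10.0.0.7 any eq 8080",
    "permit tcp host 10.0.0.6 any eq 8080",
    "permit tcp host 10.0.0.5 any eq 8080",
]
# Fixed list: only the two permitted hosts; everyone else hits the implicit deny.
ACL_FIXED = ACL_AS_CONFIGURED[2:]

if __name__ == "__main__":
    for name, acl in (("as configured", ACL_AS_CONFIGURED), ("fixed", ACL_FIXED)):
        for who, ip in (("Jamario", "10.0.0.5"), ("Sasha", "10.0.0.6"), ("Reed", "10.0.0.7")):
            print(f"{name:14} {who:8} -> {evaluate(acl, packet(ip))}")
```

Two things to take from running it: the deny for Reed is never reached while the broad permit precedes it, and the fixed list needs no explicit deny at all, because the implicit deny already covers every host not listed.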
293
Question 23: Dark Sky Technologies has hired a vendor to develop a custom software solution for their accounting department. They need a document that provides detailed instructions and requirements for the software development project that will include features the software should have, when the work must be finished, and other essential details. Which document would best meet Dark Sky's needs?

BPA
MSA
SLA
SOW

Correct answer: SOW

Overall explanation
OBJ: 5.3 - A Statement of Work (SOW), sometimes issued as a Work Order (WO), is the right document for Dark Sky's needs. It spells out the detailed instructions and requirements for a specific task or project to be carried out by a vendor, including deliverables, features, and deadlines, which is exactly what the software development project requires. A Business Partners Agreement (BPA) sets out the terms and conditions of a partnership between two organizations, not the requirements of a particular project. A Master Service Agreement (MSA) establishes the overall framework for a long-term relationship between an organization and a vendor; individual projects under it are then defined in their own SOWs. A Service-level Agreement (SLA) defines performance metrics, service levels, and responsibilities for an ongoing service, not the instructions and requirements for a one-off development project.

For support or reporting issues, include Question ID: 64bb40c1eff2b06d2ceda19f in your ticket. Thank you.

Domain
5.0 - Security Program Management and Oversight
294
Question 24: Which of the following statements BEST describes the Data Plane within the Zero Trust framework?

Focuses on dynamic security decisions.
Decides on access using identity verification.
References policies to decide on access.
Oversees data conveyance post-access approval.

Correct answer: Oversees data conveyance post-access approval.

Overall explanation
OBJ: 1.2 - In the Zero Trust model the Data Plane is the part that actually carries and handles the traffic once access has been approved; it enforces the decision that was made elsewhere. The Control Plane, by contrast, is where access decisions are made: it verifies identity, references policy, and evaluates dynamic security signals before deciding whether a subject may reach a resource. The other three options all describe Control Plane responsibilities, which is why the model keeps the two planes clearly separated.

For support or reporting issues, include Question ID: 652460ffdb866f2dfdab26d4 in your ticket. Thank you.

Domain
1.0 - General Security Concepts
295
Question 25: Samantha, the IT head at PrimeTech Corp., recently conducted a security audit and found out that many employees use the password "Prime2023" for their official accounts. Concerned about the security implications, Samantha wants to improve the strength of passwords against potential attacks. What would be the MOST effective method to enhance the security of such passwords? Implement a captcha on the login page Switch to a different hashing algorithm for storing passwords Advise employees to use longer passwords Ask employees to change passwords monthly
Implement a captcha on the login page
Switch to a different hashing algorithm for storing passwords
Correct answer
Advise employees to use longer passwords
Ask employees to change passwords monthly
Overall explanation
OBJ 4.6: A longer password with a mix of uppercase and lowercase letters, numbers, and symbols significantly improves security by increasing potential combinations. While captchas can deter bots, they don't address the core issue of users choosing weak passwords. While using a strong hashing algorithm is important, it doesn't guarantee the strength of the actual passwords used by employees. While regular changes can help, without guidelines on password strength, users might still choose weak passwords.
Domain
4.0 - Security Operations
Question 26: On completion of orientation, Reed, HR Manager at Kelly Innovations, LLC, assigns and gives Susan a company laptop. Who is primarily responsible for the laptop's security?
Reed
Susan
Kelly Innovations, LLC
The Kelly Innovations, LLC IT department
Reed
Correct answer
Susan
Kelly Innovations, LLC
The Kelly Innovations, LLC IT department
Overall explanation
OBJ 4.2: Although the company owns the laptop, Susan is responsible for its security while in her possession. The IT department ensures overall system security, but individual users are responsible for the assets they're given. Kelly Innovations, LLC formulates policies, but it's up to users to adhere to them. Managers, such as Reed, oversee teams and workflows, but the direct security of an asset falls on the user.
Domain
4.0 - Security Operations
Question 27: Montgomery County is conducting penetration tests of their systems. They have provided names and titles of all employees. They have also provided information about the operating systems and applications used in their offices. No other information has been given. What type of penetration testing is Montgomery County conducting?
Partially known environment
Reconnaissance
Unknown environment
Known environment
Correct answer
Partially known environment
Reconnaissance
Unknown environment
Known environment
Overall explanation
OBJ: 5.5 - Penetration testing in a partially known environment involves evaluating an organization's security measures in an environment where the testers have some knowledge about the systems and networks but lack complete information. Reconnaissance is the initial phase of a penetration test, where information gathering and data collection occur without directly engaging the target. It is not specific to testing in a partially known environment. Penetration testing in an unknown environment involves assessing security measures in an environment where the testers have no prior knowledge or information about the systems and networks. This is more typical for external testing or red team exercises. Penetration testing in a known environment refers to assessing security measures in an environment where the testers have full knowledge and information about the systems and networks. This type of testing is usually conducted within the organization's primary infrastructure.
Domain
5.0 - Security Program Management and Oversight
Question 28: Claudius was shopping after work and realized that he left his corporate access card at the grocery store. He reports it to the company’s security team. Which of the following attacks should the security team be most concerned about?
Dictionary
RFID cloning
Impersonation
Brute force
Dictionary
Correct answer
RFID cloning
Impersonation
Brute force
Overall explanation
OBJ: 2.4 - RFID cloning is a type of physical attack that involves copying the data from an RFID tag, such as an access card or badge, and using it to create a duplicate tag that can be used for unauthorized access. A dictionary attack is a password attack in which an attacker uses common passwords to try to gain access to a computer. Having a lost ID badge doesn't make this type of attack more likely. Brute force is a type of physical attack that involves trying different combinations of keys, codes, or passwords to gain access to a locked area or device. Having a lost ID badge doesn't make this type of attack more likely. Someone finding the card could potentially try to use it to impersonate Claudius physically, but the immediate and most direct risk involves the technical exploitation of the card itself (like RFID cloning), in hopes the access information it contains remains unchanged. Some may even attempt to return the badge after cloning it, to improve the likelihood of this. Thus, while related, impersonation isn't the primary concern from just losing a physical card, unless the finder also attempts to mimic Claudius' identity in more extensive ways, which typically would require additional information beyond just possessing the access card.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 29: Dion Training recently faced an unexpected server failure, resulting in the potential loss of weeks of software development work. In a team meeting, the lead developer proposed a solution to keep a history of code changes, making recovery easier in the future. What would be the BEST solution for Dion Training to implement?
Disaster Recovery Plan
Cloud Backup
Redundant Servers
Version Control
Disaster Recovery Plan
Cloud Backup
Redundant Servers
Correct answer
Version Control
Overall explanation
OBJ: 1.3 - Version control allows for tracking, managing, and restoring different versions of software code, providing a safeguard against data loss. While cloud backups can provide a copy of the data, they don't necessarily track the different versions of the code or manage collaborative changes. A disaster recovery plan is a comprehensive strategy for dealing with various types of unforeseen disasters but doesn't specifically handle code versioning. Redundancy ensures availability and reduces downtime but doesn't inherently track the various iterations of software code.
Domain
1.0 - General Security Concepts
Question 30: Which of the following BEST describes the data controller's role in relation to GDPR and data governance?
Holds ultimate decision-making authority and sets strategic data management policies.
Ensures secure generation and management of encryption keys.
Identifies purposes and conditions of data processing and ensures compliance with legal standards.
Assists with the implementation and monitoring of security incident management procedures.
Holds ultimate decision-making authority and sets strategic data management policies.
Ensures secure generation and management of encryption keys.
Correct answer
Identifies purposes and conditions of data processing and ensures compliance with legal standards.
Assists with the implementation and monitoring of security incident management procedures.
Overall explanation
OBJ: 5.1 - The controller is responsible for defining how personal data is handled and ensuring it meets GDPR and other regulatory requirements. "Holds ultimate decision-making authority and sets strategic data management policies" is more indicative of the role of a governance board or an owner. Key management and secure generation are technical processes often overseen by IT security, not the controller. While the controller may be involved in incident management, it is not their primary role; instead, it typically pertains to security teams and the custodian.
Domain
5.0 - Security Program Management and Oversight
Question 31: Dion Training is implementing a solution to secure communication between their internal servers and external clients. They require an encryption protocol that provides secure communication over the internet. Which of the following would be the BEST choice for this requirement?
L2TP
TLS
FTP
SNMP
L2TP
Correct answer
TLS
FTP
SNMP
Overall explanation
OBJ: 1.4 - TLS (Transport Layer Security) is a cryptographic protocol designed to provide communications security over a computer network, such as the internet. It is widely used for web browsers and other applications that require data to be securely exchanged over a network. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support virtual private networks, but it does not provide encryption on its own and is often used with IPsec. SNMP (Simple Network Management Protocol) is primarily used for managing devices on IP networks, but it is not designed to provide end-to-end encryption for communications. FTP (File Transfer Protocol) is used for transferring files, and while it can work securely with SSL/TLS (FTPS), it's not primarily known for encrypted communications.
Domain
1.0 - General Security Concepts
Question 32: Which type of external evaluation is carried out by a government agency to ensure companies are obeying laws?
Attestation
Assessment
Independent third-party audit
Regulatory examination
Attestation
Assessment
Independent third-party audit
Correct answer
Regulatory examination
Overall explanation
OBJ: 5.5 - A regulatory examination is a specific type of external evaluation conducted by a government agency or regulatory body to assess an organization's compliance with specific regulations and legal requirements. Regulatory examinations are typically performed to ensure that the organization is adhering to the relevant laws and industry standards. An independent third-party audit is an external evaluation conducted by an impartial entity that is not affiliated with the organization being assessed. The third-party auditor evaluates the organization's processes, controls, and compliance with applicable regulations. This type of audit provides an objective assessment and helps ensure transparency and credibility. Attestation is the process of providing a formal statement of verification or confirmation. However, in the context of compliance evaluation, attestation typically involves a written statement from an external entity confirming that an organization has met specific compliance requirements. This statement could be from a third-party assessor, auditor, or the organization's management itself. An assessment, in a general sense, refers to the process of evaluating or appraising something. However, in the context of compliance evaluations, the term "assessment" may not be as specific as "regulatory examination" or "independent third-party audit," which are more commonly used to describe formal evaluations for compliance purposes.
Domain
5.0 - Security Program Management and Oversight
Question 33: Which of the following features is designed specifically to handle increased demand, such as by creating multiple instances of a system or service?
Ease of Deployment
Responsiveness
Scalability
Containerization
Ease of Deployment
Responsiveness
Correct answer
Scalability
Containerization
Overall explanation
OBJ: 3.1 - Scalability is an architectural feature that involves creating multiple instances of a system or service to handle increased demand or workload. Scalability allows for greater performance, availability, and responsiveness of a system or service. Responsiveness is an architectural feature that involves ensuring that a system or service responds quickly and efficiently to user requests or inputs. Responsiveness does not refer to the creation of multiple instances of a system or service, but rather to the optimization of latency and throughput. Ease of deployment refers to the simplicity and speed of launching a system or service into production, which is an important consideration for designing and deploying applications and systems. Some factors that can affect ease of deployment are automation, configuration management, testing, and documentation. Containerization is a method that involves packaging an application and its dependencies into a lightweight and portable unit, which can run on any platform that supports containers. Containerization can improve performance, scalability, and security of applications, but its purpose isn't specifically to deal with increasing or decreasing demand.
Domain
3.0 - Security Architecture
Question 34: Which of the following describes using the username and password that came with the device?
Password manager
Default credentials
Two-factor authentication
Biometric authentication
Password manager
Correct answer
Default credentials
Two-factor authentication
Biometric authentication
Overall explanation
OBJ: 2.2 - Default credentials are a weak authentication method that involves using the factory-set username and password for a system or device. They can be easily guessed, cracked, or found online by attackers. A password manager is a type of software application that helps users create, store, and manage their passwords for various accounts. It is more secure than default credentials, as it allows users to use strong and unique passwords without having to remember them. Biometric authentication is a type of authentication method that involves using a person’s physical or behavioral characteristics, such as fingerprint, face, voice, etc. It is more secure than default credentials, as it is harder to forge, steal, or lose. Two-factor authentication is a type of authentication method that involves using two pieces of evidence to verify a person’s identity, such as a password and a code sent to their phone. It is more secure than default credentials, as it adds an extra layer of protection.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 35: Dion Training is optimizing its wireless network infrastructure. They have deployed multiple Wireless Access Points (WAPs), each identified by a unique MAC address (BSSID), and operating in different radio bands. To secure and ensure optimal performance of the network, which of the following principles should Dion Training prioritize in the placement and configuration of the WAPs?
Minimizing co-channel and adjacent channel interference
Operating exclusively in 5 GHz band
Utilizing unique service set identifiers (SSIDs)
Increasing the number of access points
Correct answer
Minimizing co-channel and adjacent channel interference
Operating exclusively in 5 GHz band
Utilizing unique service set identifiers (SSIDs)
Increasing the number of access points
Overall explanation
OBJ 3.2: Avoiding co-channel interference (CCI) and adjacent channel interference (ACI) is crucial for optimal wireless network performance. By carefully selecting and spacing channels, the company can reduce errors, re-transmissions, and bandwidth loss, securing and enhancing the network's efficiency. While the 5 GHz band is less crowded and offers more channels, exclusively operating in this band does not prevent interference if channel spacing is not correctly managed. While having unique SSIDs helps in identifying different networks, it does not directly address interference issues or optimize the performance of the wireless network. Merely increasing the number of WAPs without proper channel management could exacerbate interference issues, reducing the overall performance and security of the wireless network.
Domain
3.0 - Security Architecture
Question 36: An online retailer experiences an average Single Loss Expectancy (SLE) of $25,000 for each e-commerce system downtime incident. With an expected Annual Rate of Occurrence (ARO) of 0.05, what is the Annual Loss Expectancy (ALE)?
$500,000
$125
$5,000
$1,250
$500,000
$125
$5,000
Correct answer
$1,250
Overall explanation
OBJ: 5.2 - To compute the ALE, multiply the SLE by the ARO. An SLE of $25,000 and an ARO of 0.05 leads to an ALE of $1,250 ($25,000 * 0.05 = $1,250), indicating the expected annual cost of e-commerce system downtimes.
Domain
5.0 - Security Program Management and Oversight
Question 37: Emily is the network administrator assigned to investigate an unexpected surge in network traffic late at night. She suspects that this could be malicious activity. Which of the following controls should Emily rely on MOST to detect and respond to this potential security incident?
Network sensors
Firewall logs
DLP system
IDS/IPS
Network sensors
Firewall logs
DLP system
Correct answer
IDS/IPS
Overall explanation
OBJ 3.2: Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are designed to monitor network traffic for any malicious activity. If suspicious behavior is detected, they can raise alerts for administrators or even take automatic actions to block or mitigate the threat. Network sensors passively analyze network traffic but do not react to potential malicious traffic. The sensors might provide some minor details to help with the investigation if they retain logs, but would not be nearly as robust as IPS/IDS-specific logs and alerts. A firewall mainly blocks or allows traffic based on predefined rules set on IP, port, and protocol. While it can restrict access and provide some details, it does not analyze traffic behavior for potential malicious activity nor keep as detailed logs as an IPS/IDS would. DLP (Data loss prevention) systems primarily focus on preventing unauthorized data transfer or leakage of sensitive information. They are not designed to analyze and respond to unexpected surges in network traffic.
Domain
3.0 - Security Architecture
Question 38: Which of the following cryptographic methods involves two distinct keys - one private and one public - ensuring that a message encrypted with one key can only be decrypted by its counterpart?
HMAC
AES
3DES
RSA
HMAC
AES
3DES
Correct answer
RSA
Overall explanation
OBJ: 2.5 - RSA (Rivest–Shamir–Adleman) is an asymmetric encryption algorithm that uses two keys. A message that's encrypted with the public key can only be decrypted with the private key, and vice versa. HMAC (Hash-Based Message Authentication Code) is a specific construction for creating a message authentication code (MAC) involving a cryptographic hash function, but not a form of asymmetric encryption. AES (Advanced Encryption Standard) is a symmetric encryption method where the same key is used for both encryption and decryption, not involving distinct public and private keys. 3DES (Triple Data Encryption Standard) is an evolved form of the older Data Encryption Standard (DES) which uses symmetric key algorithms for the encryption of electronic data, not involving public and private keys.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 39: Kelly Innovations LLC is developing an application that will store users' credit card details. To ensure maximum security, they want to encrypt each credit card entry individually. Which encryption level aligns with their security needs?
Database encryption
File-level encryption
Record-level encryption
Volume encryption
Database encryption
File-level encryption
Correct answer
Record-level encryption
Volume encryption
Overall explanation
OBJ 1.4: With record-level encryption, each individual record (in this case, each credit card entry) is encrypted separately. This ensures that even if some records are compromised, others remain safe. It provides granular control and heightened security for sensitive data like credit card details. Database encryption encrypts the entire database, which may not provide the granularity and individualized protection that Kelly Innovations is seeking for each credit card record. Volume encryption encrypts an entire volume or virtual drive, which isn't focused on individual records within a database. File-level encryption targets specific files or folders, not individual records within a database.
Domain
1.0 - General Security Concepts
Question 40: The law firm of Pope, Olivia, and Juarez has decided to implement DMARC for its infrastructure to improve security. Which of the following choices BEST explains the significance of implementing DMARC in the given scenario?
DMARC prevents email spoofing and phishing attacks by verifying the authenticity of the sender's domain and email messages
DMARC ensures encryption of email messages, protecting sensitive information from unauthorized access during transit
DMARC analyzes email attachments and either passes the email on to its intended recipient or quarantines the whole email until it can be manually checked
DMARC provides an alerting mechanism and tracks email delivery statuses to make it easier to respond to phishing and spoofing attacks once they happen
Correct answer
DMARC prevents email spoofing and phishing attacks by verifying the authenticity of the sender's domain and email messages
DMARC ensures encryption of email messages, protecting sensitive information from unauthorized access during transit
DMARC analyzes email attachments and either passes the email on to its intended recipient or quarantines the whole email until it can be manually checked
DMARC provides an alerting mechanism and tracks email delivery statuses to make it easier to respond to phishing and spoofing attacks once they happen
Overall explanation
OBJ 4.5: DMARC helps prevent email spoofing and phishing by verifying the sender’s domain authenticity, ensuring emails come from legitimate sources rather than malicious actors. While DMARC enables monitoring and reporting, its primary purpose is email authentication, not tracking delivery status or encrypting messages. It doesn’t handle attachments or quarantine but complements other security measures to reduce malware risks, focusing specifically on combating spoofing and phishing.
Domain
4.0 - Security Operations
Question 41: Kelly Innovations LLC wants to ensure that certain confidential documents are encrypted, while leaving other non-sensitive documents in plain text on the same drive. What encryption method aligns with their needs?
Full-disk encryption
File-level encryption
Private key
Partition encryption
Full-disk encryption
Correct answer
File-level encryption
Private key
Partition encryption
Overall explanation
OBJ: 1.4 - Technologies like EFS (Encrypted File System) on Windows or GPG (Gnu Privacy Guard) for various platforms allow for the encryption of specific files or folders. This means Kelly Innovations can choose which documents to encrypt and which to leave in plain text. Full-disk encryption encrypts the entire drive indiscriminately, making it unsuitable for selective encryption. A private key is a cryptographic key that is used for decryption or signing, not for specifying encryption granularity on a drive. While it secures an entire partition, partition encryption may not provide the granularity needed for individual file encryption within a shared space.
Domain
1.0 - General Security Concepts
Question 42: You are a security analyst at Dion Training and you are investigating a security breach that occurred on one of your web servers. You discover that an attacker was able to exploit a vulnerability in the web application and gain access to the server. You also discover that the hacker used a tool obtained from a website, which automated the exploitation process. What type of threat actor are you most likely dealing with?
Organized crime
Unskilled attacker
Hacktivist
Nation-state actor
Organized crime
Correct answer
Unskilled attacker
Hacktivist
Nation-state actor
Overall explanation
OBJ: 2.1 - An unskilled attacker is one that lacks technical expertise or sophistication. Unskilled attackers often use a tool that automates the exploitation process, requiring minimal user input, such as a script or an exploit kit. A hacktivist is one that uses cyberattacks to express dissent or support for a cause or movement. A hacktivist may use a tool that automates the exploitation process and requires minimal user input, but they may also use more creative or symbolic tools depending on their message. A nation-state threat actor is one that represents the interests of a sovereign country. A nation-state threat actor may use a tool that automates the exploitation process and requires minimal user input, but these types of tools are often easy to detect. Non-state actors are much more likely to use more advanced or customized tools which are much harder to detect. Organized crime is a group of individuals that operates in a coordinated and structured manner to engage in illegal activities for profit or power. Organized crime may use a tool that automates the exploitation process and requires minimal user input, but they have the funding and expertise to use more sophisticated or targeted tools which are less likely to be detected.
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 43: To improve security on consumer passwords, Alpha Omega Funerals purchased software that will use an algorithm to create a new string of a specific length. The process is completed once. This will prevent the passwords from being transferred in plaintext. What is this method known as?
Hashing
Digital Signatures
Key Stretching
Salting
Correct answer
Hashing
Digital Signatures
Key Stretching
Salting
Overall explanation
OBJ: 1.4 - Hashing is the process of converting an input of any length into a fixed-size string of text, using a mathematical function. This matches the method being used in the scenario. Salting is a technique used in cryptography to add random data to the input of a hash function to increase security. This method does not convert an input of any length into a fixed-size string of text. Key stretching is a method that repeatedly hashes the password to make it more random and longer than it originally appeared. This should make the key more time-consuming to break. Since the scenario indicates that the hashing will only take place once, key stretching isn't the technique being used. Digital signatures are a type of electronic signature that uses a specific type of encryption to ensure the authenticity and integrity of a digital message or document. This method does not convert an input of any length into a fixed-size string of text.
Domain
1.0 - General Security Concepts
Question 44: To stay updated with changing threats and vulnerabilities, which of the following assessment methods BEST emphasizes periodic evaluations?
Ad hoc risk assessment
Continuous risk assessment
Recurring risk assessment
One-time risk assessment
Ad hoc risk assessment
Continuous risk assessment
Correct answer
Recurring risk assessment
One-time risk assessment
Overall explanation
OBJ: 5.2 - Recurring risk assessment involves conducting risk assessments at regular intervals to adapt to changing threats and vulnerabilities over time. Ad hoc risk assessment refers to conducting risk assessments on an as-needed basis or when specific events trigger the need for assessment. It is not specifically focused on keeping up with changing threats and vulnerabilities. One-time risk assessment is conducted only once and does not involve periodic evaluations of risks. It may be suitable for specific projects or situations but is not focused on continuous monitoring. Continuous risk assessment involves ongoing and real-time monitoring of risks as part of the organization's daily operations. It aims to quickly identify and address emerging risks. While it is beneficial, it may not specifically involve periodic assessments at regular intervals.
Domain
5.0 - Security Program Management and Oversight
Question 45: Which of the following BEST describes the advantage of integrating automation and orchestration and how it enhances an organization's capacity to counter threats?
Increases the number of security audits
Facilitates more frequent staff training
Improves threat intelligence research
Enhances real-time threat response capabilities
Increases the number of security audits
Facilitates more frequent staff training
Improves threat intelligence research
Correct answer
Enhances real-time threat response capabilities
Overall explanation
OBJ 4.7: By automating detection and orchestrating responses, organizations can address threats almost immediately, reducing the window of vulnerability. Automation aids in efficient audit logging and monitoring, but it doesn't directly increase the frequency of comprehensive security audits. While automation can free up staff time, its direct role isn't to facilitate training frequency. While automation can aggregate and analyze data, its primary benefit in countering threats isn't in researching threat intelligence.
Domain
4.0 - Security Operations
Question 46: In risk analysis, which method involves assigning subjective values to risks based on descriptive terms such as "high," "medium," or "low"?
Risk acceptance
Quantitative risk analysis
Qualitative risk analysis
Risk matrix
Risk acceptance
Quantitative risk analysis
Correct answer
Qualitative risk analysis
Risk matrix
Overall explanation
OBJ: 5.2 - Qualitative risk analysis involves using subjective measures such as descriptive terms (e.g., high, medium, low) to assess risks based on their impact and likelihood. Quantitative risk analysis involves assigning numerical values to risks, such as monetary values, to quantify the potential impact of risks. A risk matrix uses the likelihood of an event and the event’s impact on the project, stakeholders, or workflow to create a visual representation of the current risk posture or environment. Assessments of the severity of an event's impact will be part of it, but it isn't the only part of the matrix. Risk acceptance means that an organization understands the level of risk that is involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not; there aren't levels of risk acceptance.
Domain
5.0 - Security Program Management and Oversight
Question 47:

A company wants to deter potential attackers from accessing its property. Which of the following would be an example of a deterrent control that the company could implement to address this concern?

Installing barbed wire fences around the perimeter of the company’s property

Reviewing log files for signs of unauthorized access

Conducting regular security awareness training for employees

Implementing an incident response plan

Correct answer: Installing barbed wire fences around the perimeter of the company’s property

Overall explanation

OBJ: 1.1 - Installing barbed wire fences around the perimeter of the company’s property is an example of a deterrent control because it helps deter potential attackers by making it more difficult to access the company’s property. Implementing an incident response plan is an example of a recovery control, which is used to restore normal operations after a security incident has occurred. Reviewing log files for signs of unauthorized access is an example of a detective control, which is used to detect security incidents. Conducting regular security awareness training for employees is an example of a preventive control, which is used to prevent security incidents from occurring.

Domain

1.0 - General Security Concepts
Question 48:

The risk management team of Canivys Technologies is conducting a comprehensive analysis of potential risks to their business operations. They want to assess the potential consequences of identified risks to make informed decisions about risk mitigation strategies. What process are they engaged in?

Risk acceptance

Risk threshold

Business impact analysis

Change Management

Correct answer: Business impact analysis

Overall explanation

OBJ: 5.2 - Business impact analysis (BIA) is the process of assessing the potential impact of identified risks on various business operations. It helps in identifying critical processes and setting recovery objectives. Risk acceptance means that an organization understands the level of risk that is involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not; there aren't levels of risk acceptance. The risk threshold is an organization's predetermined level of acceptable risk exposure. It represents the point beyond which risk is considered unacceptable and requires action. The change management procedure outlines the steps and guidelines for managing changes to IT systems within an organization. It includes processes for requesting, evaluating, approving, implementing, and reviewing changes to minimize the risk of disruptions and ensure that changes are carried out in a controlled and coordinated manner.

Domain

5.0 - Security Program Management and Oversight
Question 49:

Which of the following BEST describes the primary purpose of archiving as a method to bolster security monitoring?

To provide historical insights into security incidents for future investigations

To analyze real-time threats and mitigate them instantly

To maintain compliance with regulations without needing long-term data storage

To provide an external backup in case of system crashes

Correct answer: To provide historical insights into security incidents for future investigations

Overall explanation

OBJ: 4.4 - Archiving in the context of security is essential for maintaining a record of all system logs. This not only ensures that historical data is available for audits or investigations but also provides valuable insights into past incidents, aiding in enhancing security measures. Compliance with regulations often requires long-term data storage, so this statement is contradictory. While backups are essential for system recovery, archiving in the security context goes beyond this and is centered around preserving logs and alerts for investigative and compliance purposes. While real-time threat analysis is crucial in security, archiving is more focused on preserving past data for future reference and not immediate threat mitigation.

Domain

4.0 - Security Operations
Question 50:

Every month, Sasha from Kelly Innovations LLC reviews the company's firewall logs, intrusion detection system outputs, and other security tool logs. She compiles a document detailing trends, potential threats, and recommended actions, which she presents to the senior management. Which of the following types of reports BEST describes the one Sasha is producing for the senior management?

Incident report

Policy review

Recurring report

Threat intelligence briefing

Correct answer: Recurring report

Overall explanation

OBJ: 5.6 - A recurring report is a report generated at regular intervals, such as weekly, monthly, or quarterly, to keep stakeholders updated on ongoing security metrics, trends, and concerns. A policy review is a periodic assessment of the organization's security policies to ensure they remain current and effective. An incident report is a detailed account of a specific security breach or event, outlining what occurred, its impact, and the steps taken in response. A threat intelligence briefing is a specialized report highlighting current and emerging threats, often sourced from external threat intelligence providers.

Domain

5.0 - Security Program Management and Oversight
Question 51:

Maria works at a technology company called Dion Training. Her role involves developing and managing the company's information security program. She is responsible for defining and implementing security policies and procedures to protect sensitive data and IT systems from cyber threats. Which of the following roles does Maria perform at Dion Training?

Security officer

Security owner

Data controller

Security custodian

Correct answer: Security officer

Overall explanation

OBJ: 5.1 - The security officer, also known as the Chief Information Security Officer (CISO) or Information Security Manager, is a senior-level role responsible for leading and overseeing the organization's information security program. They are tasked with defining, implementing, and enforcing information security policies and procedures throughout the organization. The security officer collaborates with various stakeholders, including management, IT teams, and compliance personnel, to ensure that security measures align with the organization's objectives and industry best practices. The security custodian is a role responsible for the day-to-day management and implementation of security controls. They work under the guidance of the security officer or security owner to ensure that security measures are correctly applied. However, they do not have the primary responsibility for defining and establishing organization-wide security policies and procedures. The data controller is responsible for determining the purposes and means of processing personal data. While they may have some influence over data security policies related to the data they manage, their role is more focused on data governance and compliance with data protection regulations. The security owner is an individual or entity responsible for the overall security of a specific asset or resource within the organization. They may have authority over the security of a particular system or data repository, but their role is not primarily focused on defining and implementing organization-wide security policies and procedures.

Domain

5.0 - Security Program Management and Oversight
Question 52:

Which category of data is accessible only to specific individuals or groups due to its sensitive nature and requires strict access controls to protect it from unauthorized users?

Restricted

Public

Encrypted

Human-readable

Correct answer: Restricted

Overall explanation

OBJ 3.3: Restricted data refers to data that has limited access due to its sensitive nature or specific entity protocols. Only certain individuals with the correct privileges can access this data. Public data is information that can be openly accessed by anyone, which contradicts the requirement of limited access. Encryption is a method to secure data by converting it into an unreadable form, rather than a type of data classification. Human-readable is a data type that can be understood directly by people. It does not imply any specific access restrictions.

Domain

3.0 - Security Architecture
Question 53:

Which of the following types of penetration tests is conducted without any prior knowledge of the target environment, simulating the perspective of an external attacker with no insider information?

Blue team

Black box

Grey box

White box

Correct answer: Black box

Overall explanation

OBJ: 5.5 - A black box test is executed without any prior knowledge of the target environment. The tester simulates an external attacker's perspective, assessing the system's vulnerabilities as if they have no insider information about the system's architecture or design. In a white box test, the tester has complete knowledge of the system's architecture, design, and source code. It aims to identify vulnerabilities that may not be apparent in a black box test. A blue team is the defensive team trying to detect and respond to penetration attempts by a red team. It's more about the organization's response to attacks rather than the vulnerabilities themselves. A grey box test is a mix of both black and white box testing. The tester has partial knowledge of the system but doesn't have full access to all data and documents, providing a balanced perspective between an insider and an external attacker.

Domain

5.0 - Security Program Management and Oversight
Question 54:

Which of the following refers to an organization's regular process of detailing adherence to security and regulatory standards to its stakeholders, ensuring that procedures and controls are being followed?

Incident Response Logging

Internal Compliance Reporting

Security Awareness Training

Risk Assessment Analysis

Correct answer: Internal Compliance Reporting

Overall explanation

OBJ: 5.4 - Internal Compliance Reporting involves providing detailed assessments and evidence to stakeholders, such as senior management or board members, about how the organization is meeting its required security and regulatory standards, highlighting potential areas of concern. Risk Assessment Analysis involves identifying potential threats and vulnerabilities to determine the risks they pose to an organization. While integral to security, it doesn't specifically detail the organization's ongoing adherence to standards and controls. While Security Awareness Training plays a vital role in enhancing an organization's security posture, it pertains to educating employees about security threats and best practices, rather than providing regular reports on compliance status. Incident Response Logging refers to the documentation and tracking of security incidents and breaches. Although it can be part of compliance requirements, it focuses more on the actual incidents than on the overarching adherence to standards.

Domain

5.0 - Security Program Management and Oversight
Question 55:

Dizzy Crows, a technology company, has experienced a series of sophisticated cyberattacks targeting their endpoints. To improve its endpoint security, the company has decided to implement EDR capabilities across its network. Which of the following choices BEST explains the main advantage Dizzy Crows would gain after installing and configuring EDR in the given scenario?

EDR provides comprehensive authentication and encryption on host devices, limiting unauthorized users from viewing company data

Using EDR provides advanced behavioral analysis and threat intelligence to detect and respond to cyber threats on endpoints

EDR provides real-time monitoring and reporting of network traffic, enabling administrators to track data usage and bandwidth consumption

Implementing EDR allows the organization to enforce security policies and controls on all endpoints, reducing the risk of unauthorized access

Correct answer: Using EDR provides advanced behavioral analysis and threat intelligence to detect and respond to cyber threats on endpoints

Overall explanation

OBJ 4.5: Endpoint Detection and Response (EDR) uses advanced behavioral analysis and threat intelligence to detect and respond to cyber threats on endpoints, enabling proactive defense against sophisticated attacks. While EDR may offer limited network monitoring, its primary role is detecting security events on endpoints, not monitoring network traffic or providing authentication and encryption. Its focus is on threat detection and response rather than enforcing security policies.

Domain

4.0 - Security Operations
Question 56:

Which of the following is a primary consideration for organizations looking to optimize expenses when deploying a serverless architecture?

Risk Transference

Ease of Deployment

Scalability

Responsiveness

Correct answer: Scalability

Overall explanation

OBJ: 3.1 - In a serverless architecture, scalability is essential for cost optimization as it allows the architecture to handle increased load efficiently, only utilizing and charging for the resources used. Risk transference involves shifting risk to another entity and doesn’t directly affect the cost optimization of a serverless architecture. Responsiveness is crucial for user experience but doesn’t directly contribute to cost optimization in serverless architectures. While ease of deployment is an advantage of serverless architecture, it doesn’t directly address cost optimization through resource utilization.

Domain

3.0 - Security Architecture
Question 57:

You are a network engineer for a large hospital that has a complex network infrastructure that supports various devices and applications. You want to use a mitigation technique that can help you apply the minimum level of access or privileges required for users or processes to perform their tasks, such as doctors, nurses, patients, etc. Which of the following mitigation techniques can help you achieve this goal?

Isolation

Patching

Least privilege

Access control

Correct answer: Least privilege

Overall explanation

OBJ: 2.5 - Least privilege is a technique that can help you apply the minimum level of access or privileges required for users or processes to perform their tasks, such as doctors, nurses, patients, etc. Least privilege involves restricting access or privileges based on predefined rules and permissions, such as roles, groups, functions, etc., and enforcing them through mechanisms such as passwords, tokens, biometrics, etc. Least privilege can also help you limit the damage caused by malicious or compromised users or processes by preventing them from accessing or modifying resources that are not relevant or necessary for their tasks. Patching is a technique that can help you prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems, but it does not apply the minimum level of access or privileges required for users or processes to perform their tasks. Access control is a technique that can help you assign different levels of access or privileges to users or processes based on their roles, groups, or functions. Access control involves using policies such as access control lists (ACLs) or permissions to specify what actions users or processes can perform on resources such as files, folders, databases, etc., but it does not by itself apply the minimum level of access or privileges required for users or processes to perform their tasks. Isolation is a technique that can help you separate systems or processes from each other to prevent interference or contamination. Isolation involves creating separate environments for running different systems or processes, such as virtualization, sandboxing, containers, etc., but it does not apply the minimum level of access or privileges required for users or processes to perform their tasks.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 58:

Sarah, a security engineer, is tasked with hardening the company’s web servers. She disables unnecessary services, configures the firewall to block unused ports, and implements a strict allow list for software installations. She also disables directory browsing and prevents remote administrative access. Which of the following represents the primary security benefit of these actions?

Enhancing server performance by reducing overhead

Reducing the attack surface and preventing unauthorized access

Facilitating faster remote access for system administrators

Increasing system availability during peak traffic

Correct answer: Reducing the attack surface and preventing unauthorized access

Overall explanation

OBJ 2.5 - The primary security benefit of Sarah's actions is reducing the attack surface and preventing unauthorized access. By disabling unnecessary services, blocking unused ports, enforcing strict software allow lists, and restricting remote access, Sarah minimizes the potential entry points and vulnerabilities that attackers could exploit. These hardening techniques limit exposure to unauthorized access and help secure the web servers against various threats. Increasing system availability, enhancing performance, and facilitating remote access are not the primary security outcomes of these measures.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 59:

The comic book company Cosmic Comix finds its systems compromised due to a breach in one of its third-party vendors. This type of attack, where an organization is indirectly affected through a vendor's vulnerability, is known as what?

Denial of service (DoS)

On-path attack

Supply chain attack

XSS

Correct answer: Supply chain attack

Overall explanation

OBJ 2.2 - Instead of attacking the primary target directly, threat actors in a supply chain attack attempt to compromise organizations through vulnerabilities in their suppliers or third-party vendors. A notorious instance is the Target data breach that occurred through its HVAC supplier. Denial of service (DoS) aims to make a machine or network resource unavailable by overwhelming it with traffic or exploiting certain vulnerabilities. In an on-path attack, the attacker secretly intercepts and possibly alters the communication between two parties. In a cross-site scripting (XSS) attack, attackers inject malicious scripts into websites, which are then executed by the unsuspecting user's browser.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 60:

Before implementing a change in the organization's critical infrastructure, it's essential to ensure the proposed modification is assessed, reviewed, and authorized. Which process ensures that these steps are followed?

Development Process

Deployment Process

Testing Process

Approval process

Correct answer: Approval process

Overall explanation

OBJ: 1.3 - The approval process ensures that proposed changes in an organization are properly evaluated and authorized, helping to manage risks and align with business goals. The testing process focuses mainly on checking functionality and is typically done after a change is approved. The development process is centered on creating new tools or systems and does not include reviewing or approving changes. The deployment process handles the actual implementation of changes and occurs after the approval process, without involving the initial evaluations or approvals.

Domain

1.0 - General Security Concepts
Question 61:

After infiltrating the secure servers of Dion Innovations, an organized crime group discreetly transfers massive amounts of proprietary data to an external location for later sale on the dark web. What is this action an example of?

War

Data exfiltration

Disruption

Revenge

Correct answer: Data exfiltration

Overall explanation

OBJ: 2.1 - Data exfiltration is the unauthorized act of transferring sensitive data from a target's network to a location controlled by the attacker. Organized crime groups often engage in this activity to obtain valuable data, which they can then monetize by selling it on the black market or using it for other malicious purposes. Revenge stems from a desire to retaliate against perceived wrongs or grievances. Someone motivated by revenge might target an organization that they feel has wronged them in some way. Disruption centers on causing disorder, confusion, or disruption in the target's operations. While it might overlap with other motivations, the primary aim is to create disturbances rather than to extract specific value from the stolen data. War, in a cyber context, refers to state-sponsored attacks that are aimed at achieving political, military, or ideological goals. While they can involve data theft, they are broader in scope and are driven by larger geopolitical strategies.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 62:

The IT leadership team notices a rising trend in the number of unauthorized login attempts on their network. They decide to track this metric closely, as it could indicate a future breach. Which of the following terms BEST describes this metric?

Risk metrics

Key risk indicators

Risk threshold

Risk parameters

Correct answer: Key risk indicators

Overall explanation

OBJ: 5.2 - The number of unauthorized login attempts is a key risk indicator (KRI), as it is a predictive metric indicating the potential for a security breach. A risk threshold would be the point at which the organization decides the risk is too high, not the metric itself. Risk parameters are specific variables within risk assessment processes, not metrics indicating potential risk. Risk metrics are measures of risk, but KRIs specifically are used to predict and monitor potential risk exposures.

Domain

5.0 - Security Program Management and Oversight
Question 63:

Which of the following statements BEST explains the difference between a tabletop exercise and a simulation in the incident response process?

Tabletop exercises are live simulations that involve directly confronting cybersecurity threats, while simulations are theoretical exercises conducted through discussions and planning

Tabletop exercises are theoretical exercises conducted through discussions and planning, while simulations are interactive drills that involve practicing incident response procedures in a controlled environment

Tabletop exercises involve hands-on drills in a controlled environment, while simulations are physical simulations used to physically practice incident response procedures in real-world scenarios

Tabletop exercises are interactive discussions and role-playing exercises, while simulations are formal meetings where incident response team members discuss and plan their responses to potential security incidents

Correct answer: Tabletop exercises are theoretical exercises conducted through discussions and planning, while simulations are interactive drills that involve practicing incident response procedures in a controlled environment

Overall explanation

OBJ 4.8: Tabletop exercises are theoretical exercises conducted through discussions and planning, while simulations are interactive drills that involve practicing incident response procedures in a controlled environment. Tabletop exercises typically include discussions and role-playing to test the incident response plans and team coordination, while simulations involve hands-on practice to enhance the team's response capabilities in a simulated incident scenario. Simulations are not formal meetings for discussion and planning; they are interactive drills that involve practicing incident response procedures. Tabletop exercises are not hands-on drills, and simulations are not physical simulations used to physically practice incident response procedures.

Domain

4.0 - Security Operations
Question 64:

Kelly Innovations LLC has recently faced a series of phishing attacks where attackers are sending emails that appear to be from the company's domain. After an internal investigation, they discover that these emails are not originating from their servers. To cryptographically ensure that an email was actually sent from their domain, which of the following is the BEST mechanism they should implement?

SPF

SMTP

DKIM

DMARC

Correct answer: DKIM

Overall explanation

OBJ 4.5: By implementing DKIM (DomainKeys Identified Mail), Kelly Innovations LLC can sign emails originating from their domain cryptographically. This allows receivers to verify that an email claiming to be from the domain genuinely is. SMTP (Simple Mail Transfer Protocol) is the standard for sending emails, but it doesn't inherently provide a cryptographic signing mechanism for email authenticity. DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses the results of DKIM and SPF checks, but on its own, it doesn't cryptographically sign emails. While SPF (Sender Policy Framework) is valuable in identifying which servers are authorized to send emails on behalf of a domain, it doesn't cryptographically sign the emails for this assurance.

Domain

4.0 - Security Operations
Question 65:

Which of the following types of threat actors are MOST likely to rely on commodity attack tools found on the web or dark web? (Select TWO.)

Insider Threat

Advanced Persistent Threat (APT)

Script kiddie

Unskilled attacker

Sophisticated cybercriminal

Correct answers: Script kiddie; Unskilled attacker

Overall explanation

OBJ: 2.1 - An unskilled attacker, often lacking specialized knowledge or resources, typically leans on readily available commodity attack tools found on the web or dark web. Their dependence on such tools underscores their limited capability. A script kiddie, similar to an unskilled attacker, tends to rely on pre-made scripts and tools available online, highlighting their reliance on basic methods without much customization. Advanced Persistent Threats (APTs) represent highly skilled and well-funded groups, often backed by nation-states. They possess the capability to craft zero-day exploits and deploy sophisticated cyber espionage tools, far surpassing the use of common commodity tools. Insiders, be they disgruntled employees or careless staff, may pose security risks, but they typically leverage their internal access and knowledge, rather than relying heavily on external commodity tools. While sophisticated cybercriminals have more advanced methods compared to unskilled attackers, they often use a mix of customized and readily available tools, depending on their objectives and resources.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 66:

What is the primary difference between an external and an internal threat actor?

Motivation

Level of resources/funding

Level of knowledge

Source of access

Correct answer: Source of access

Overall explanation

OBJ: 2.1 - The primary difference between an external and an internal threat actor is the source of access. An external threat actor is outside of the organization that they are attacking or exploiting. They have to gain unauthorized access to the organization’s systems or data. An internal threat actor is part of the organization that they are attacking or exploiting. They have legitimate access to the organization’s systems or data. Motivation is not the primary difference between an external and an internal threat actor, as they can have the same motivations such as ethical concerns and financial gain. Level of knowledge is not the primary difference between an external and an internal threat actor, as both can have varying levels of knowledge about an organization’s systems or data. Level of resources/funding is not the primary difference between an external and an internal threat actor, as both can have varying amounts of money, equipment, or personnel available to conduct attacks.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
337
Question 67: When considering the RSA algorithm, which description BEST captures its underlying mathematical property used for public key cryptography?

Digital signature

Symmetric encryption

Hash function

Trapdoor function

Correct answer

Trapdoor function

Overall explanation

OBJ: 1.4 - RSA relies on a trapdoor function: raising a message to the public exponent modulo n is easy for anyone holding the public key, but reversing that operation is infeasible unless you hold the private exponent, and computing the private exponent requires the factorization of n into its two large primes. The trapdoor is that knowledge of the primes makes the inverse easy, while factoring n without them is believed to be intractable at realistic key sizes. A hash function maps input of any length to a fixed-size digest and is used for integrity checks; it is not the mathematical basis of RSA. Symmetric encryption uses one key for both encryption and decryption, unlike RSA's public/private pair. A digital signature is a use of RSA (a hash of the message is processed with the private key and verified with the public key), not the mathematical property underlying it.

Domain

1.0 - General Security Concepts
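To make the trapdoor concrete, here is a toy RSA walk-through added for this card. It is not part of the original deck and is not a production implementation: the primes 1009 and 3643 and the message value are constructed so the arithmetic stays readable, there is no padding, and the factoring routine only succeeds because the modulus is tiny. Real RSA uses 2048-bit or larger moduli, where the same trial division would never finish.

```python
"""Toy RSA to show the trapdoor property.

Added illustration, not part of the original card. Uses small, constructed
primes so the numbers are readable; real RSA uses 2048-bit moduli and padding.
"""
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes (assumed prime and distinct)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: the trapdoor secret
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    """Forward direction: cheap for anyone holding the public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """Inverse direction: cheap only with the private exponent d."""
    n, d = priv
    return pow(c, d, n)


def recover_private_by_factoring(pub):
    """Recover d by trial-division factoring of n.

    This is the work an attacker without the trapdoor must do; it is
    feasible here solely because the constructed modulus is tiny.
    """
    n, e = pub
    f = 2
    while f * f <= n:
        if n % f == 0:
            p, q = f, n // f
            return pow(e, -1, (p - 1) * (q - 1))
        f += 1
    raise ValueError("n is prime or 1; not a valid RSA modulus")


def demo():
    """Encrypt with the public key, decrypt with the private key, then show
    that knowing the factors of n reproduces the private exponent."""
    pub, priv = keygen(1009, 3643)   # constructed small primes
    m = 424242                       # constructed plaintext (an integer < n)
    c = encrypt(pub, m)
    assert decrypt(priv, c) == m
    assert recover_private_by_factoring(pub) == priv[1]
    return pub, priv, c
```

The asymmetry the card asks about is the gap between `encrypt`, which anyone can run, and `recover_private_by_factoring`, whose cost grows with the size of n; `keygen` shows the trapdoor itself, since whoever knows p and q computes d in one modular inverse.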
Question 68: Which of the following statements BEST explains the Dark Web in the context of vulnerability management?

The dark web is a secure network used by cybersecurity professionals to conduct vulnerability assessments and penetration testing on hardware and software assets

The dark web is an encrypted network that facilitates anonymous communication and is commonly associated with illegal activities

The dark web is a portion of the internet that is primarily used for finding tools and techniques for penetrating systems

The dark web refers to a section of the internet where people can find ways to attack systems by using search engines like Google and Bing

Correct answer

The dark web is an encrypted network that facilitates anonymous communication and is commonly associated with illegal activities

Overall explanation

OBJ 4.3: The dark web consists of encrypted overlay networks, such as Tor hidden services, that allow anonymous communication and are commonly associated with illegal activity, including the sale of stolen credentials, breached data, exploits and other illicit goods and services. For vulnerability management it matters as a threat intelligence source: monitoring it can reveal leaked credentials, exploit kits targeting software you run, or chatter naming your organization as a target. The dark web does host tools and techniques for penetrating systems, but that is not its defining property and it is used by many people for many reasons. Cybersecurity professionals do not use it as a secure network for vulnerability assessments or penetration testing; it is neither designed nor trustworthy for that purpose. Its sites ride on the public internet but are not indexed by conventional search engines such as Google and Bing; reaching them requires specialized software and configuration, such as the Tor Browser.

Domain

4.0 - Security Operations
Question 69: Which of the following statements BEST explains the importance of the Bug Bounty program in the context of vulnerability management?

The bug bounty program encourages ethical hackers to identify and report security vulnerabilities

The bug bounty program primarily involves discovery and reporting of worms and viruses that can infect systems

The bug bounty program helps organizations track and manage hardware and software assets

The bug bounty program is responsible for conducting regular penetration testing on an organization's network to identify and remediate security weaknesses

Correct answer

The bug bounty program encourages ethical hackers to identify and report security vulnerabilities

Overall explanation

OBJ 4.3: A bug bounty program invites ethical hackers and security researchers to search for and responsibly report security vulnerabilities in an organization's systems and software, in exchange for recognition or payment under a published scope and rules of engagement. This lets the organization fix weaknesses before malicious actors exploit them and feeds a continuous stream of findings into the vulnerability management process. Penetration testing also identifies and remediates weaknesses, but it is a scheduled, contracted engagement rather than an open program, so it is not synonymous with a bug bounty. Tracking hardware and software assets is essential, but it is asset management, not the purpose of a bounty program. Bounties can occasionally surface malware, but their primary use is discovering exploitable vulnerabilities in systems and software.

Domain

4.0 - Security Operations
Question 70: Which of the following BEST emphasizes the critical role of sanitization in ensuring secure hardware, software, and data asset management?

Sanitization erases all data from a storage device, rendering it unrecoverable

Sanitization updates software applications regularly to fix bugs and security vulnerabilities

Sanitization cleans physical hardware components to remove dust and dirt and keep the system functional

Sanitization creates multiple data backups to ensure data redundancy and availability

Correct answer

Sanitization erases all data from a storage device, rendering it unrecoverable

Overall explanation

OBJ 4.2: Sanitization is the step in hardware, software and data asset management that securely removes data when a device is decommissioned, reused or returned, so that sensitive information cannot be recovered and a discarded disk does not become a data breach. Methods range from overwriting to cryptographic erase, degaussing and physical destruction; the right method depends on the media (overwriting is unreliable on flash storage, where cryptographic erase or destruction is preferred), and the result should be verified and documented before disposal. Updating software applications is vital for security but is patch management, not sanitization. Creating data backups supports availability but is the opposite of erasing data. Cleaning physical hardware is routine maintenance; sanitization specifically addresses the security of the data stored on it.

Domain

4.0 - Security Operations
Question 71: While searching for a product online, you come across an advertisement that seems to lead to the official website of the brand you're familiar with. After clicking the link, you arrive at a website that looks almost identical to the legitimate one, featuring the same design and layout. However, upon closer inspection, you notice subtle differences in the logo, the brand name, and a slightly altered URL. Which type of attack BEST describes this scenario?

Brand Impersonation

Watering Hole

On-Path Attack

Phishing Attack

Correct answer

Brand Impersonation

Overall explanation

OBJ 2.2 - Brand impersonation is an attack in which fake websites, emails or social media accounts are created to closely mimic a legitimate brand. The attacker's goal is to make users trust the fake entity so that they enter credentials or payment details or download something harmful; a look-alike domain reached through a purchased advertisement is the classic delivery. This overlaps with phishing, but phishing as a category describes the broader tactic of deceptive messages that directly solicit personal data, whereas this scenario hinges on the counterfeit brand itself. A watering hole attack compromises a legitimate website that a targeted group already frequents in order to deliver malware; here the site is a fake, not a compromised original. An on-path attack (formerly called man-in-the-middle) intercepts and potentially alters communications between two parties rather than tricking the user with a fake website.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 72: In a cybersecurity playbook, what typically initiates the process of detecting and handling an incident?

The identification of the individual responsible for the cyberattack.

A formal meeting with the organization's board of directors to discuss the threat.

A SIEM report and query designed to detect the incident.

A call to senior cybersecurity analysts to confirm the threat.

Correct answer

A SIEM report and query designed to detect the incident.

Overall explanation

OBJ: 5.1 - A playbook is normally triggered by a detection: a SIEM report or saved query built to surface the specific incident type it covers (for example, a correlation rule for repeated failed logins followed by a success). From that alert the playbook walks the analyst through triage, containment and eradication. Communication with stakeholders is essential during significant incidents, but the board is not convened before response begins; the immediate steps deal with the threat directly. Attribution, identifying the individual responsible, comes later in many investigations, if at all, and is never a prerequisite for containment. Playbooks are written so that junior analysts can follow standard operating procedures without escalating every alert to senior analysts for confirmation; when escalation is required, the criteria for it are themselves a step in the playbook.

Domain

5.0 - Security Program Management and Oversight
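As an added illustration of the playbook trigger described above (example code, not from the deck or any SIEM product), the following Python implements the kind of correlation query a SIEM would run to fire the playbook: a threshold of failed SSH logins from one source followed by a successful login within a short window. The log lines are constructed to resemble OpenSSH syslog output; the threshold and window values are assumptions you would tune to your environment.

```python
"""Playbook trigger: a detection query run over authentication logs.

Added example, not from the original card or any SIEM vendor. The log lines
below are constructed to mimic OpenSSH syslog output; the rule (N failures
then a success from one source within a window) is a common brute-force
pattern that would be expressed as a SIEM correlation search.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_LOGS = [  # constructed sample input
    "2024-03-01T10:00:01 bastion sshd[2001]: Failed password for admin from 203.0.113.9 port 51000 ssh2",
    "2024-03-01T10:00:03 bastion sshd[2002]: Failed password for admin from 203.0.113.9 port 51001 ssh2",
    "2024-03-01T10:00:05 bastion sshd[2003]: Failed password for admin from 203.0.113.9 port 51002 ssh2",
    "2024-03-01T10:00:06 bastion sshd[2004]: Failed password for admin from 203.0.113.9 port 51003 ssh2",
    "2024-03-01T10:00:08 bastion sshd[2005]: Failed password for admin from 203.0.113.9 port 51004 ssh2",
    "2024-03-01T10:00:10 bastion sshd[2006]: Accepted password for admin from 203.0.113.9 port 51005 ssh2",
    "2024-03-01T10:02:00 bastion sshd[2010]: Failed password for invalid user test from 198.51.100.4 port 40000 ssh2",
    "2024-03-01T10:05:00 bastion sshd[2011]: Accepted password for alice from 192.0.2.10 port 40001 ssh2",
]


def parse(line):
    """Return a dict of fields for an sshd auth line, or None if unparsed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce_success(lines, threshold=5, window_s=60):
    """Return incidents as (src, user, iso_time) where a successful login
    follows at least `threshold` failures from the same source address
    within `window_s` seconds."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    incidents = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # unparsed lines are skipped, not fatal
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()        # expire failures outside the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            incidents.append((ev["src"], ev["user"], ev["ts"].isoformat()))
            recent.clear()          # one incident per burst
    return incidents
```

Each tuple returned is what the playbook's first step would receive: the source to block, the account to check and the time of the successful login. Note that the lone failure for `test` and the clean login by `alice` produce nothing, which is the point of correlating failures with a subsequent success rather than alerting on every failed attempt.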
Question 73: A competitor hires a group of hackers to infiltrate a company's network and steal proprietary product designs and trade secrets. The stolen information is used to develop similar products, giving the competitor an unfair advantage in the market. Which motivation is driving the threat actors in this scenario?

Ethical Hacking

Financial Gain

Espionage

Revenge

Correct answer

Espionage

Overall explanation

OBJ 2.1 - The motivation here is espionage: the theft of sensitive information such as trade secrets or proprietary designs in order to gain a competitive or strategic advantage. The competitor's objective is to use the stolen designs to build rival products, which is corporate espionage. Financial gain describes attackers who monetize the intrusion directly (ransom, fraud, resale of data); here the payoff is market position rather than cash from the attack itself. Revenge does not apply, because the motive is competitive rather than retaliatory. Ethical hacking is irrelevant, as it means authorized testing under an agreed scope, not the unauthorized theft of information.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 74: Which of the following statements BEST explains the difference between Blue and Red Team in penetration testing associated with vulnerability management?

Blue Team sets the rules of the simulation and monitors the exercise, while Red Team performs offensive attacks to identify vulnerabilities.

Both Blue Team and Red Team perform the same activities and compete to see which team can get further into the systems.

Red Team performs offensive attacks to identify vulnerabilities, while Blue Team defends and assesses security measures against simulated attacks.

Blue Team performs offensive attacks to identify vulnerabilities, while Red Team defends and assesses security measures against simulated attacks.

Correct answer

Red Team performs offensive attacks to identify vulnerabilities, while Blue Team defends and assesses security measures against simulated attacks.

Overall explanation

OBJ 4.3: The Red Team plays the attacker, running offensive techniques to find and exploit vulnerabilities, while the Blue Team plays the defender, detecting, responding to and assessing security controls against those simulated attacks. The Blue Team does not set the rules of the exercise; that is the White Team's role, which defines scope and rules of engagement and adjudicates the exercise. The remaining options swap the roles or treat them as identical; the teams perform distinct activities, and only the Red Team attempts to penetrate the systems.

Domain

4.0 - Security Operations
Question 75: Which of the following backup strategies ensures that copies of data are stored in a location distinct from the primary data storage site?

Incremental backup

Synchronized backup

Offsite backup

Local backup

Correct answer

Offsite backup

Overall explanation

OBJ 3.4: An offsite backup stores copies of data at a physical location different from where the original data resides, which protects against site-level disasters such as fire, flood or a ransomware outbreak that reaches everything on the local network. A synchronized backup continuously updates the copy as changes occur, but says nothing about where the copy lives; if it is on the same site, it shares the site's fate. An incremental backup captures only the changes since the last backup; it describes what is copied, not where, and can be local or offsite. A local backup keeps copies on the same network or premises and therefore offers no offsite protection.

Domain

3.0 - Security Architecture
Question 76: What type of data could include redacted court records or government reports?

Public

Critical

Regulated

Confidential

Correct answer

Public

Overall explanation

OBJ 3.3: Public data is information that can be freely distributed and accessed without restriction. Court records and government reports are released as public data once any confidential portions have been redacted; the redaction is what allows the remainder to be published. Critical data is data essential to an organization's operation, a measure of importance rather than of who may access it. Confidential data is the opposite of public: it must be protected from unauthorized access or disclosure, which is why it is redacted before release. Regulated data is subject to specific legal requirements or restrictions, and that status does not imply it is open to the public.

Domain

3.0 - Security Architecture
Question 77: Which of the following is a primary concern when obtaining new hardware, software, and data assets?

Managing software update cycles

Overseeing software patch processes

Verifying products' security compliance

Implementing network partitions

Correct answer

Verifying products' security compliance

Overall explanation

OBJ 4.2: Before acquiring hardware, software or data assets, verify that they meet the organization's security requirements and standards (vendor assessment, supported versions, secure defaults, required certifications) so that vulnerabilities are not introduced at procurement. Implementing network partitions improves network security and performance but concerns how existing assets are deployed, not how new ones are acquired. Overseeing software patch processes applies to software already in service. Managing software update cycles describes how often deployed software is updated, again after acquisition rather than as part of it.

Domain

4.0 - Security Operations
Question 78: Which of the following statements about enumeration in the asset tracking process is NOT true?

Enumeration process involves the documentation of the physical location of the server in a data center

Enumeration can replace the need for routine security audits making them redundant.

Enumeration helps in creating a comprehensive catalogue of all assets on a network enhancing organizational efficiency

Enumeration assists in the detection of unauthorized devices attempting to connect to the network

Correct answer

Enumeration can replace the need for routine security audits making them redundant.

Overall explanation

OBJ 4.2: Enumeration is an important part of asset tracking, but it does not replace other security activities such as regular security audits, which check system integrity and control effectiveness beyond what an inventory alone can show. The other statements are true. Accurate enumeration produces a complete listing of assets on the network, which improves efficiency. Once all legitimate assets are enumerated, an unknown device attempting to connect stands out and can be detected. And recording details such as a server's physical location in the data center is part of enumeration and is essential to effective asset management and security.

Domain

4.0 - Security Operations
Question 79: An attacker infiltrates a network to gain political secrets, suggesting they may be supported by a foreign government. What type of threat actor is this individual most likely representing?

Insider Threat

State Actor

Competitor

Hacktivist

Correct answer

State Actor

Overall explanation

OBJ: 2.1 - State actors are individuals or groups sponsored by a government to gather intelligence or disrupt a rival nation's activities; the pursuit of political secrets on behalf of a foreign government matches that profile. Hacktivists act to promote a political agenda or social change, typically through defacement, leaks or denial of service, rather than to collect state secrets for a government. An insider threat is someone within the organization who abuses legitimate access, and nothing in the scenario indicates the attacker is an insider. A competitor is another company in the same industry seeking commercial advantage, not political secrets.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
Question 80: Sasha, an IT manager at Dion Training, has taken the recently formulated security policies and is actively conducting training sessions for employees. She has also distributed awareness materials and set up monitoring tools to ensure the effectiveness of the training. Which phase of the security awareness practices is Sasha currently in?

Adaption

Implementation

Feedback

Development

Correct answer

Implementation

Overall explanation

OBJ: 5.6 - Sasha is in the Implementation phase: delivering training sessions and distributing awareness materials are the activities that put the program into effect. Development, the creation of the policies and training content, has already been completed. Adaption means modifying the program to fit the organization's needs, which is not what is described. Feedback is also incorrect; although Sasha has set up monitoring tools, the Feedback phase is about gathering and analysing results after the training has been delivered.

Domain

5.0 - Security Program Management and Oversight
Question 81: Which of the following mitigation techniques can help protect a device from unauthorized network traffic solely by using software that can control network traffic based on predefined rules and policies?

Patching

Host-based Firewall

Host-based Intrusion Prevention

Encryption

Correct answer

Host-based Firewall

Overall explanation

OBJ: 2.5 - A host-based firewall is software installed on the system itself that filters inbound and outbound traffic against predefined rules and policies, matching on criteria such as source and destination IP address, port number and protocol. It is therefore the hardening technique that controls network traffic by rules alone. A Host-based Intrusion Prevention System (HIPS) is also host software, but it detects and blocks unauthorized actions such as file modifications and registry changes using signatures and behavioural analysis; it may include firewall functionality, but that is only one of its features. Patching prevents exploitation of known vulnerabilities by applying the vendor's security fixes to software and systems; it does not filter traffic. Encryption uses mathematical algorithms to render data unreadable to anyone without the key, protecting data from unauthorized access or modification, but it does nothing to stop traffic from reaching a host.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
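The rule-matching logic the explanation describes, as an added example that is not from the deck or any firewall vendor: a first-match, default-deny evaluator in the style of an nftables or Windows Defender Firewall inbound policy. The rule set, addresses and ports are constructed for illustration; the ordering matters, because the specific allow for the admin subnet must precede the catch-all deny for SSH.

```python
"""Host firewall rule evaluation, as an added example.

Not from the original card or any real firewall product; it mirrors the
first-match, default-deny logic that nftables, Windows Defender Firewall
and pf apply to inbound traffic. Stateless: no connection tracking.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    proto: str                   # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"       # CIDR the packet's source must fall in
    dport: Optional[int] = None  # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_port: int


# Constructed policy: SSH only from the admin subnet, HTTPS open to all,
# everything else inbound denied by default; all outbound allowed.
POLICY = [
    Rule("allow", "in", "tcp", "10.0.50.0/24", 22),
    Rule("deny", "in", "tcp", "0.0.0.0/0", 22),
    Rule("allow", "in", "tcp", "0.0.0.0/0", 443),
    Rule("allow", "out", "any"),
]
DEFAULT_ACTION = {"in": "deny", "out": "deny"}


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion in the rule applies to the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dst_port:
        return False
    # ipaddress handles both families; an IPv6 source never matches a v4 CIDR
    return ip_address(pkt.src_ip) in ip_network(rule.src)


def decide(pkt: Packet, policy=POLICY) -> str:
    """First matching rule wins; otherwise the per-direction default applies."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return DEFAULT_ACTION[pkt.direction]
```

The default-deny fallback is the part worth copying: a packet to UDP 53 or to any port the policy never mentions is dropped without a rule having to name it, which is how a host firewall limits exposure to exactly the services you intended to publish.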
Question 82: When combining cloud providers and on-premises servers, which of the following considerations is essential for seamless operation between these environments?

Resource scaling

Data synchronization and consistency

Network connectivity and integration

Multi-factor authentication

Correct answer

Network connectivity and integration

Overall explanation

OBJ: 3.1 - When cloud services are combined with on-premises servers in a hybrid architecture, the two environments must be able to communicate reliably and securely; that requirement is network connectivity and integration, typically delivered through site-to-site VPNs or dedicated links, consistent addressing and routing, and DNS and identity that span both sides. Without it nothing else in the hybrid design works. Resource scaling matters for handling varying workloads but does not join the two environments. Multi-factor authentication secures access to resources and does not address how the environments interconnect. Data synchronization and consistency keeps data uniform across environments, but it depends on the connectivity being in place first.

Domain

3.0 - Security Architecture
Question 83: Enrique, the head of IT at Dion Training, is tasked with ensuring all deployed company systems adhere to a set of standardized configurations. He wants to reduce the attack surface as much as possible. Which of the following techniques would BEST reduce the organization's attack surface?

Deploying antivirus software on all company workstations and other devices

Requiring frequent password resets for all employees

Implementing a VPN for any remote access to company devices

Turning off all unused services and closing unnecessary ports

Correct answer

Turning off all unused services and closing unnecessary ports

Overall explanation

OBJ 4.1: Disabling unused services and closing unnecessary ports removes potential entry points, which is the definition of reducing the attack surface: fewer exposed components means fewer things an attacker can reach and exploit. Requiring frequent password resets addresses credential hygiene but does not change which services or ports are exposed. A VPN encrypts remote connections in transit and controls who can reach internal systems, but the underlying systems still expose the same services to anyone who gets onto the network. Antivirus software is an essential detection and protection layer, but it reacts to threats that reach the system rather than reducing what the system exposes.

Domain

4.0 - Security Operations
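One way to find the unused services and open ports the answer refers to, added here as an example that is not the deck's own material: audit the host's listening sockets against an approved baseline. The `ss` output below is constructed to look like what `ss -Hlntu` prints; on a real host you would feed the function that command's actual output, and the baseline of approved ports is an assumption standing in for the organization's standardized configuration.

```python
"""Listening-service audit, added as an example (not the card's material).

Parses the table `ss -Hlntu` prints (constructed sample below; the real
command would be run on the host) and reports listeners outside an
approved baseline so they can be disabled or their ports closed.
"""
import re

# Constructed to resemble `ss -Hlntu` output: netid, state, recv-q, send-q,
# local address:port, peer address:port.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:8009      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Assumed baseline: the (proto, port) pairs this host is meant to expose.
BASELINE = {("tcp", 22), ("tcp", 443)}

LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def parse_listeners(text):
    """Return (proto, bind_addr, port) for each listening socket line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip headers or unknown rows
        addr, _, port = m.group("local").rpartition(":")  # works for [::]:22
        listeners.append((m.group("proto"), addr, int(port)))
    return listeners


def audit(text, baseline=BASELINE):
    """Separate listeners into loopback-only (not network reachable) and
    unexpected network-facing services that are candidates to disable."""
    unexpected, loopback_only = [], []
    for proto, addr, port in parse_listeners(text):
        if addr in ("127.0.0.1", "[::1]"):
            loopback_only.append((proto, addr, port))
        elif (proto, port) not in baseline:
            unexpected.append((proto, addr, port))
    return {"unexpected": unexpected, "loopback_only": loopback_only}
```

In the constructed sample the audit flags TCP 8009 and UDP 111 as network-facing services the baseline never approved, while the database bound to 127.0.0.1 is reported separately: it is not reachable from the network, so it widens the attack surface only for code already on the host. Running this against a standardized build is a quick check that the configuration Enrique defines is actually what the hosts expose.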
Question 84: Kelly Innovations LLC has observed that their network devices are receiving communication requests that require secure and private interactions, originating from unidentified sources. The IT department hasn't identified similar requests on other parts of the network. Which would be the MOST secure method to ensure private communication among these devices?

NGFW

Sensors

Jump servers

TLS

Correct answer

TLS

Overall explanation

OBJ 3.2: Transport Layer Security (TLS) provides confidentiality and integrity between two communicating applications and is the standard way to protect application traffic such as HTTPS, so it is the fit for devices that need private communication. Note that TLS only delivers that privacy when the peers authenticate each other's certificates; with requests arriving from unidentified sources, certificate validation, and ideally mutual TLS with client certificates, is what ties each session to a known device rather than an arbitrary one. A next-generation firewall (NGFW) combines traditional firewall capabilities with deep packet inspection and other filtering, but it controls which traffic passes rather than encrypting the communication between devices. A jump server is an intermediary used to administer devices in a separate security zone; it mediates access but does not secure device-to-device communication. Sensors monitor and collect data from the environment and provide no confidentiality for traffic.

Domain

3.0 - Security Architecture
Question 85: Which of the following is the MOST effective way to safeguard a company's trade secrets?

Implementing NDAs for employees and contractors

Relying primarily on verbal communication in transferring secrets

Using a four letter password for files containing secrets

Publishing only partial information on company websites

Correct answer

Implementing NDAs for employees and contractors

Overall explanation

OBJ 3.3: Trade secrets are proprietary processes, formulas, designs or strategic plans that give a company its competitive edge, and safeguarding them requires both technical and legal measures. Technically, strict access controls ensure that only authorized personnel can view them. Legally, nondisclosure agreements (NDAs) signed by employees and contractors bind them to confidentiality and make them accountable if they disclose the secrets, which is also what preserves the information's legal status as a trade secret. A four-letter password is trivially brute-forced and offers no meaningful protection for valuable data. Keeping secrets out of written or digital form and passing them on verbally does not guarantee confidentiality; the information can still be leaked, and without documentation it cannot be controlled or proven. Publishing even part of a trade secret on a public website risks competitors piecing together the rest or gaining an undue advantage.

Domain

3.0 - Security Architecture
Question 86: Kelly Innovations LLC is migrating to IPv6 and looking into improving their network's security. They learned that while IPSec was originally mandatory for IPv6, it has now become only recommended. What significant aspect of IPSec would make it especially suitable for securing their entire network traffic, not just specific applications?

IPSec is exclusive to IPv4

IPSec operates at the network layer (Layer 3) of the OSI model

IPSec provides only confidentiality

IPSec primarily functions at the application layer (Layer 7) of the OSI model

Correct answer

IPSec operates at the network layer (Layer 3) of the OSI model

Overall explanation

OBJ 3.2: Because Internet Protocol Security (IPsec) operates at the network layer, it protects every IP packet between two endpoints or gateways regardless of the application that generated it, with no application-specific configuration; that is what lets it secure all network traffic rather than individual sessions. It provides encryption for confidentiality through ESP, plus integrity, origin authentication and anti-replay protection (AH offers the integrity services without encryption), so "only confidentiality" is wrong. IPsec is not exclusive to IPv4: it was built into the IPv6 specification, and although its implementation was later downgraded from mandatory to recommended, it remains fully supported on IPv6. It does not operate at the application layer; that description fits TLS, which sits above the transport layer and protects one application session at a time.

Domain

3.0 - Security Architecture
Q

Question 87:

Which of the following mitigation techniques can help prevent malware from spreading from one system or process to another by limiting their interaction and communication?

Permissions

Isolation

Hardening

Segmentation

A

Permissions

Correct answer

Isolation

Hardening

Your answer is incorrect

Segmentation

Overall explanation

OBJ: 2.5 - Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network. Hardening is a technique that can help reduce the exposure of systems and devices to potential attacks by disabling unused features and services. Hardening involves removing unnecessary features and services, changing default settings, and applying security configurations to systems and devices. Hardening is preventative and takes place before malware is on the system. Isolation is most important when malware is on the system. Access control through permissions is a mitigation technique that can help prevent unauthorized execution of programs or scripts on a system or device. This is achieved by defining permissions through policies and applying those policies to resources such as programs, scripts, files, folders, and databases. Users without the correct permissions can't access the resources. While this prevents unauthorized use of resources, it doesn't prevent malware from spreading from one system or process to another. Segmentation is a mitigation technique that involves dividing a network into smaller segments. Each has its own security policies and controls. Segmentation can limit the scope of an attack by preventing the attacker from gaining access to an entire network because it will help isolate the compromised segment. Segmentation is preventative and takes place before malware is on the system. Isolation is most important when malware is on the system.

For support or reporting issues, include Question ID: 64bedda19848e1aa948b720b in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
358
Q

Question 88:

Scherazade suspects an attacker has gained access to a network which includes both wireless and wired devices. As she is checking the server configurations, she discovers that a server is using an older encryption protocol. The servers' configurations are standardized, so this seems strange. Which of the following network attacks has MOST likely given the attacker access to the network?

On-path

Downgrade

Brute force

Wireless

A

On-path

Correct answer

Downgrade

Your answer is incorrect

Brute force

Wireless

Overall explanation

OBJ: 2.4 - A downgrade attack is a type of cryptographic attack that involves forcing a communication channel to use a weaker encryption algorithm or protocol, making it easier to decrypt or intercept data. A brute force attack is a type of password attack that involves trying all possible combinations of characters until the correct password is found. A wireless attack is a type of network attack that involves exploiting vulnerabilities or weaknesses in wireless networks or devices, such as encryption, authentication, or configuration. Although there are wireless devices on the network, the scenario doesn't provide evidence that the attacker made use of any wireless vulnerabilities. An on-path attack is a type of network attack that involves intercepting or modifying data in transit between two parties, such as by using a packet sniffer or a proxy server. While an on-path attack could easily be the result of this attack, the question asks how the attacker gained access to the data, not which type of attack could have resulted.

For support or reporting issues, include Question ID: 64bccc57d05f45402ccc6a3a in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
359
Q

Question 89:

Which of the following statements BEST explains the importance of a SIEM?

A SIEM is a security solution that uses a combination of tools to provide a more complete view of an organization's security posture

A SIEM is a firewall technology that analyzes network traffic and blocks suspicious connections to protect against cyber threats

A SIEM is an intrusion detection system that monitors and analyzes network traffic for potential security breaches

A SIEM is a network protocol used for secure data transmission between remote devices, ensuring data confidentiality

A

Correct answer

A SIEM is a security solution that uses a combination of tools to provide a more complete view of an organization's security posture

A SIEM is a firewall technology that analyzes network traffic and blocks suspicious connections to protect against cyber threats

Your answer is incorrect

A SIEM is an intrusion detection system that monitors and analyzes network traffic for potential security breaches

A SIEM is a network protocol used for secure data transmission between remote devices, ensuring data confidentiality

Overall explanation

OBJ: 4.4 - A SIEM is a security solution that combines log management, event correlation, and real-time monitoring to provide a comprehensive view of an organization's security posture. It enables security teams to detect and respond to security incidents effectively. While intrusion detection systems are valuable for monitoring network traffic for security breaches, a SIEM is not an intrusion detection system itself but rather a security solution focused on log management and event correlation. A SIEM is not a network protocol for data transmission; rather, it serves a different purpose related to security information and event management. While firewalls are essential for network security, a SIEM is not a firewall technology but a different security solution.

For support or reporting issues, include Question ID: 64bfff3ac1d8f2a7e623619a in your ticket. Thank you.

Domain

4.0 - Security Operations
360
Q

Question 90:

Kelly Innovations LLC wants to ensure that its proprietary research data can only be accessed from its labs in Europe and North America. Which technology would be BEST suited to enforce this geographic restriction?

SSL/TLS encryption

Geofencing

VPNs

MAC address filtering

A

SSL/TLS encryption

Correct answer

Geofencing

VPNs

Your answer is incorrect

MAC address filtering

Overall explanation

OBJ 3.3: Geofencing sets up virtual boundaries, or "fences," around specific geographic locations. Access to the data can be restricted based on whether a user's device is inside or outside these virtual boundaries. Virtual private networks (VPNs) can securely connect remote users to a corporate network; however, they don't inherently restrict access based on physical location. MAC address filtering restricts access based on device MAC addresses and doesn't consider geographic location. SSL/TLS encryption provides secure data transmission over networks but doesn't restrict access based on location.

For support or reporting issues, include Question ID: 652de79d7586daa9b0968d9b in your ticket. Thank you.

Domain

3.0 - Security Architecture
361
Q

Question 1:

Which of the following BEST describes an example of a hardware supply chain vulnerability?

Data transmitted over an unsecured network between the vendor's sales department and companies.

Use of outdated third-party software libraries that are not effectively secured.

Compromised firmware in a device that allows unauthorized remote access.

Incorrect configurations in server security settings that are difficult to change.

A

Data transmitted over an unsecured network between the vendor's sales department and companies.

Use of outdated third-party software libraries that are not effectively secured.

Correct answer

Compromised firmware in a device that allows unauthorized remote access.

Your answer is incorrect

Incorrect configurations in server security settings that are difficult to change.

Overall explanation

OBJ: 2.3 - Attackers can inject malicious code into a device's firmware during its manufacture or update, granting them unauthorized remote access. Data transmitted over an unsecured network between the vendor's sales department and companies is more of a network vulnerability than a direct hardware one. While a concern, incorrect configurations in server security settings that are difficult to change are not specific to hardware supply chain vulnerabilities. Use of outdated third-party software libraries that are not effectively secured relates to a software, not hardware, vulnerability wherein outdated components can be exploited.

For support or reporting issues, include Question ID: 6527d6060fab27c56fc03f15 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
362
Q

Question 2:

When considering data storage, which of the following BEST describes a method to capture the state of a system at a specific point in time, offering a quick recovery solution without the need to back up the entire system?

Snapshots

Full backups

Differential backups

Incremental backups

A

Correct answer

Snapshots

Full backups

Differential backups

Your answer is incorrect

Incremental backups

Overall explanation

OBJ 3.4: Snapshots capture the state of a system at a particular instant without copying the entire data, enabling quick recovery points. Incremental backups record only the changes since the last backup, whether it was a full backup or an incremental backup. Full backups involve backing up the entire system data, regardless of changes made. Differential backups store all changes made since the last full backup.

For support or reporting issues, include Question ID: 652eb4284a0fcbbed2d5dcc4 in your ticket. Thank you.

Domain

3.0 - Security Architecture
363
Q

Question 3:

A large organization has multiple cloud-based applications and wants to enable its employees to authenticate to all of these applications using a single set of credentials. They want a standardized protocol that allows identity providers (IdP) to pass authentication information to service providers (SP) and vice versa. Which of the following protocols is MOST suitable for this requirement?

SAML

Kerberos

LDAP

OAuth

A

Correct answer

SAML

Kerberos

Your answer is incorrect

LDAP

OAuth

Overall explanation

OBJ 4.6: Security Assertion Markup Language (SAML) allows identity providers and service providers to exchange authentication and authorization data, facilitating single sign-on (SSO) for users across multiple applications. While it provides token-based authentication, OAuth is primarily for authorizing access to APIs and is not typically used solely for user authentication across various services. Lightweight Directory Access Protocol (LDAP) is mainly used for accessing and maintaining directory information services over an IP network. Kerberos is a network authentication protocol that uses tickets to allow nodes to securely identify each other on an unsecured network.

For support or reporting issues, include Question ID: 64c12d846d5d20b6d8a8cbc2 in your ticket. Thank you.

Domain

4.0 - Security Operations
364
Q

Question 4:

Which of the following describes the key difference between a brute force attack and a password-spraying attack?

Password spraying uses complex algorithms to decrypt hashed passwords, while brute force attacks rely on guessing passwords in a list

Password spraying targets a specific user with all possible combinations, while brute force attacks only use weak, common passwords

Brute force attacks attempt every possible password for a single account, while password spraying tries common passwords on many accounts

Brute force attacks attempt multiple common passwords across accounts, while password spraying focuses on cracking a single account

A

Password spraying uses complex algorithms to decrypt hashed passwords, while brute force attacks rely on guessing passwords in a list

Password spraying targets a specific user with all possible combinations, while brute force attacks only use weak, common passwords

Your answer is correct

Brute force attacks attempt every possible password for a single account, while password spraying tries common passwords on many accounts

Brute force attacks attempt multiple common passwords across accounts, while password spraying focuses on cracking a single account

Overall explanation

OBJ 2.4 - The key difference between a brute force attack and a password spraying attack is that brute force attacks focus on a single account, trying every possible password combination until the correct one is found. This approach is exhaustive and can trigger account lockouts due to the high number of attempts on one account. In contrast, password spraying targets multiple accounts by using a few common passwords across them, minimizing the chances of triggering lockouts. Unlike brute force attacks, which aim to cover all possible combinations for one account, password spraying is designed to test popular passwords across many accounts, making it less likely to be detected through account lockout mechanisms.

For support or reporting issues, include Question ID: 67212d5784b5580af615ecb5 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
365
Q

Question 5:

Which characteristic of blockchain technology ensures that the risk associated with having a single point of failure or compromise is mitigated?

Time-stamping

Digital certificate rotation

Decentralization

Homomorphic encryption

A

Time-stamping

Digital certificate rotation

Correct answer

Decentralization

Your answer is incorrect

Homomorphic encryption

Overall explanation

OBJ: 1.4 - One of the most important characteristics of blockchain is its decentralized nature, distributing the ledger across a peer-to-peer network, thus eliminating a single point of failure. Digital certificate rotation is the practice of changing digital certificates at regular intervals. While blockchain blocks often include time stamps, this feature doesn't protect against a singular point of compromise. Homomorphic encryption allows for computations on ciphertext, without the need for decryption first.

For support or reporting issues, include Question ID: 65244d5248e159caf38c9edd in your ticket. Thank you.

Domain

1.0 - General Security Concepts
366
Q

Question 6:

Which term BEST describes a network setup wherein the system is physically isolated, ensuring no external connectivity, especially to the public internet, as a security measure?

IaC

Air-gapped network

Hybrid cloud

Serverless architecture

A

IaC

Correct answer

Air-gapped network

Hybrid cloud

Your answer is incorrect

Serverless architecture

Overall explanation

OBJ: 3.1 - An air-gapped network is completely isolated from unsecured networks, particularly the public internet, offering a significant layer of protection. Serverless architecture is about abstracting infrastructure considerations for developers, not isolating networks. While hybrid cloud involves combining private and public cloud resources, it doesn't entail complete physical isolation like an air-gapped network. Infrastructure as Code (IaC) focuses on infrastructure management through code; it doesn't specifically deal with network isolation.

For support or reporting issues, include Question ID: 652c2c818a65c3f3ceb96e1d in your ticket. Thank you.

Domain

3.0 - Security Architecture
367
Q

Question 7:

Which of the following terms describes organizations responsible for the enforcement of regulations that safeguard data and uphold privacy rights?

Defense and military organizations

National cybersecurity agencies

Data protection authorities

Regulatory agencies

A

Defense and military organizations

National cybersecurity agencies

Correct answer

Data protection authorities

Your answer is incorrect

Regulatory agencies

Overall explanation

OBJ: 5.1 - Data protection authorities are dedicated to ensuring the protection of personal data and the enforcement of data protection laws. National cybersecurity agencies are focused on the broader scope of national infrastructure and cybersecurity, rather than just personal data protection. Although regulatory agencies may oversee compliance in certain sectors, they are not exclusively focused on personal data protection. Defense and military organizations focus on national security and defense rather than the specific protection of personal data rights.

For support or reporting issues, include Question ID: 65486d4077938b42a5227098 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
368
Q

Question 8:

Which of the following threats is MOST likely to accidentally cause harm to the system?

Nation-state actors

Shadow IT

Hacktivist

Unskilled attackers

A

Nation-state actors

Correct answer

Shadow IT

Hacktivist

Your answer is incorrect

Unskilled attackers

Overall explanation

OBJ: 2.1 - Shadow IT is a type of threat actor that is the result of unauthorized or unapproved IT systems or devices within an organization. Shadow IT can introduce security risks and compliance issues for an organization, but the damage is usually unintentional. It results from employees or insiders who bring in equipment or alter systems for their own convenience and without getting permission. An unskilled attacker is a type of threat actor that has little or no technical skill, low resources/funding, and a low level of sophistication/capability. Unskilled attackers often launch simple and opportunistic attacks using tools or scripts developed by others. The damage they do might be minor, but they do intend to do damage. Nation-state actors are a type of threat actor that is sponsored by a government or a country's military. They normally have high resources/funding and a high level of sophistication/capability. Nation-state actors can launch advanced and persistent attacks against other countries, organizations, or individuals. They create harm on purpose. A hacktivist is a threat actor that is motivated by philosophical or political beliefs and often targets organizations or governments that they disagree with. Hacktivists may use unauthorized or unapproved IT systems or devices, but the harm they cause is done on purpose.

For support or reporting issues, include Question ID: 64b862d6030c7ba35a5609e2 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
369
Q

Question 9:

Red Notes, a financial institution, has experienced a sophisticated, multi-vector cyberattack. Only quick action by their security team prevented a data breach. The security team has recommended using XDR across the company environment. Which of the following problems best explains why they recommend XDR in this scenario?

They need a more comprehensive system of ensuring all software was updated and patched against sophisticated attacks coming from a variety of locations simultaneously

Company security data was spread across a number of applications and tools, preventing the security team from seeing such a sophisticated attack

Their EDR, like most EDRs, doesn't provide real-time monitoring and reporting of attacks

Their current EDR didn't have the ability to isolate an attacked endpoint and prevent the spread of malware

A

They need a more comprehensive system of ensuring all software was updated and patched against sophisticated attacks coming from a variety of locations simultaneously

Correct answer

Company security data was spread across a number of applications and tools, preventing the security team from seeing such a sophisticated attack

Your answer is incorrect

Their EDR, like most EDRs, doesn't provide real-time monitoring and reporting of attacks

Their current EDR didn't have the ability to isolate an attacked endpoint and prevent the spread of malware

Overall explanation

OBJ: 4.5 - The primary significance of Extended Detection and Response (XDR) is its ability to integrate and correlate security data from endpoints, networks, and cloud environments to detect and respond to sophisticated multi-vector threats, aligning with XYZ Corp's goal to combat advanced cyberattacks. While some XDR solutions may offer software update features, their focus is not on patch management but on enhancing threat detection and response. Though it can aid in enforcing security policies, XDR's main purpose is to address multi-vector threats across the IT environment.

For support or reporting issues, include Question ID: 64c0a2252f60ec9fbc7f5b76 in your ticket. Thank you.

Domain

4.0 - Security Operations
370
Q

Question 10:

In reviewing the audit logs, the IT security team at Dion Training noticed several unauthorized attempts to read and copy a file that contains sensitive company data. Which of the following is MOST likely indicated by this finding?

User error

Malicious activity

Scheduled maintenance

Phishing attempt

A

User error

Correct answer

Malicious activity

Scheduled maintenance

Your answer is incorrect

Phishing attempt

Overall explanation

OBJ: 2.4 - Unauthorized attempts to access or duplicate sensitive information typically suggest a deliberate attempt to breach data, which is indicative of malicious activity. Scheduled maintenance activities are planned and authorized events and would not involve unauthorized attempts to access data. A phishing attempt usually involves tricking individuals into providing sensitive data through deceptive emails or websites, rather than direct unauthorized attempts to access files in the system. While user error can result in accidental access violations, repeated unauthorized attempts to read or copy a file suggest intentional actions rather than mistakes.

For support or reporting issues, include Question ID: 6529e03247b8d2d3e065582f in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
371
Q

Question 11:

The Needy Asparagus, an organic food company, has created a network of fake servers that appear to be vulnerable to attack in order to attract attackers. Which of the following has the company created?

Honeynet

Honeytoken

Honeyfile

Honeypot

A

Correct answer

Honeynet

Honeytoken

Honeyfile

Your answer is incorrect

Honeypot

Overall explanation

OBJ: 1.2 - A honeynet is a network of honeypots designed to simulate a real network and attract attackers. A honeyfile is a fake file or set of files designed to appear valuable or sensitive in order to attract attackers. A honeypot is a cybersecurity mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets and gather intelligence about their identity, methods, and motivations. A honeytoken is a fake piece of data, such as a username or password, designed to appear valuable or sensitive in order to attract attackers.

For support or reporting issues, include Question ID: 64c043a9b9b8dfce880c3865 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
372
Q

Question 12:

Which of the following mobile device vulnerabilities involves bypassing the restrictions imposed by the manufacturer or provider of a device to gain root access and install unauthorized applications?

SIM swapping

Keylogging

Jailbreaking

Side loading

A

SIM swapping

Keylogging

Correct answer

Jailbreaking

Your answer is incorrect

Side loading

Overall explanation

OBJ: 2.3 - Jailbreaking is a mobile device vulnerability that involves bypassing the restrictions imposed by the manufacturer or provider of a device, such as an iPhone or iPad, to gain root access and install unauthorized applications or customizations. It can expose the device to malware, spyware, or unauthorized access. Keylogging involves the recording of keys as a victim presses them through the use of malicious software. SIM swapping is a mobile device attack that involves transferring the phone number and associated services of a victim to a new SIM card controlled by the attacker. It can allow the attacker to intercept calls, messages, or verification codes from the victim. Side loading is a mobile device vulnerability that involves installing applications from sources other than the official app store, such as third-party websites, USB drives, or email attachments. It can expose the device to malware, spyware, or unauthorized access.

For support or reporting issues, include Question ID: 64bc23f8fbce11332c04cd55 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
373
Q

Question 13:

David, a project manager at Dion Training, ensures that details of his upcoming product release are shared only on a need-to-know basis, even within the company. He's wary of information leaks that could benefit competitors. Which of the following terms BEST describes David's approach?

Operational security

Access control

Data loss prevention

Data masking

A

Correct answer

Operational security

Access control

Data loss prevention

Your answer is incorrect

Data masking

Overall explanation

OBJ: 5.6 - Operational security is a risk management process that encourages managers to view information protection from an adversary's perspective. Data masking is a method for creating a sanitized version of data with fictitious yet realistic information. Access control determines who is allowed to access a resource and what actions they can perform with it. Data loss prevention is a set of tools and processes designed to detect a potential data breach and prevent it by monitoring and controlling data transfers.

For support or reporting issues, include Question ID: 65231fdbb571cc93082ae5f6 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
374
Q

Question 14:

A company intends to systematize its document access in a way that the email marketing team would only be able to access and edit marketing-related documents, whereas the finance team could access only financial documents. What should the company implement to achieve this?

Data Sovereignty

Permission restrictions

Segmentation

Obfuscation

A

Data Sovereignty

Correct answer

Permission restrictions

Segmentation

Your answer is incorrect

Obfuscation

Overall explanation

OBJ 3.3: Implementing permission restrictions would allow a company to dictate who has access to specific documents, ensuring that members of a team only have access to the documents they need. Segmentation is the dividing of a network into subnetworks to improve security. It doesn't divide employees into sets of roles for the purpose of access. Obfuscation is the hiding or camouflaging of information to prevent access to it. In this case, the data is available to be viewed by the people who have access to it. Data sovereignty is the concept that the laws of the country in which the data is collected will control the ways in which the data can be used, processed, and stored. Countries may set regulations about information that is collected within the country. They can also set regulations about how businesses store and use personal identifying information (PII) about citizens of their country even when the businesses are located in other countries. For example, if a business will be collecting information about citizens of the European Union (EU), the business must obey the EU's laws regarding the storage, use, and processing of that data.

For support or reporting issues, include Question ID: 64c198941dbd2f0d7852a78d in your ticket. Thank you.

Domain

3.0 - Security Architecture
375
Q

Question 15:

Dion Training recently concluded a month-long vulnerability assessment on their network infrastructure. To ensure that the management team understands the potential risks and required actions, which document is crucial to prepare and present?

Real-time network traffic log

Patch installation history for the past month

Comprehensive vulnerability assessment report

List of users with administrative privileges

A

Real-time network traffic log

Patch installation history for the past month

Correct answer

Comprehensive vulnerability assessment report

Your answer is incorrect

List of users with administrative privileges

Overall explanation

OBJ 4.3: A comprehensive vulnerability assessment report provides an in-depth overview of identified vulnerabilities, their potential impact, and recommended remediation steps. While useful for monitoring, network traffic logs primarily capture routine activity and anomalies, not detailed vulnerability findings. Patch installation history for the past month provides a history of updates but doesn't directly address the vulnerabilities or their implications found during the assessment. While a list of users with administrative privileges is important for security considerations, it doesn't directly relate to the results of the vulnerability assessment.

For support or reporting issues, include Question ID: 6542d39d2613f53458af4006 in your ticket. Thank you.

Domain

4.0 - Security Operations
376
Q

Question 16:

You are a database administrator for a large corporation that stores and processes huge amounts of data in on-site servers. You are shifting to cloud-based data storage. Which of the following mitigation techniques is most important in dealing with the on-site servers?

Decommissioning

Segmentation

Monitoring

Configuration Enforcement

A

Correct answer

Decommissioning

Segmentation

Monitoring

Your answer is incorrect

Configuration Enforcement

Overall explanation

OBJ: 2.5 - Decommissioning is a mitigation technique that can help reduce the risk of data breaches or theft by properly disposing of systems and devices that are no longer needed or used. Decommissioning involves following a set of procedures to erase or destroy any sensitive data stored on the systems and devices, and to physically dispose of them in a safe and environmentally friendly manner. The servers will have to be disposed of in a way that protects the data on them. Segmentation is a mitigation technique that involves dividing a network into smaller segments. Each has its own security policies and controls. Segmentation can limit the scope of an attack by preventing the attacker from gaining access to an entire network because it will help isolate the compromised segment. This technique is most helpful for networks that are active. The servers should be decommissioned, not segmented. Configuration enforcement is a mitigation technique that can help prevent unauthorized or improper changes that increase a system or device's vulnerability to attack. By creating predefined security standards and policies, and enforcing them, configuration enforcement helps prevent the inadvertent or purposeful creation of vulnerabilities and security risks. This will not help you protect the data on the old servers. Monitoring is a mitigation technique that can help detect and respond to potential threats or incidents on a network. By collecting and analyzing data about the activities and events on the network, security analysts can develop theories about the vulnerabilities and incidents that occur on the system. Monitoring involves using tools and techniques such as logs, alerts, and audits. Monitoring would need to be done if you don't decommission the servers, but decommissioning is the far better choice.

For support or reporting issues, include Question ID: 64beefbe0f6a8ad3be5d3c8e in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
377
Q

Question 17:

Kelly Innovations LLC is using a certificate within their internal testing environment. Due to the lack of inherent trust from external systems, they avoid using this certificate publicly. Which type of certificate is Kelly Innovations LLC likely using?

CSR

Third-party certificate

Wildcard certificate

Self-signed certificate

A

CSR

Third-party certificate

Wildcard certificate

Your answer is correct

Self-signed certificate

Overall explanation

OBJ: 1.4 - The company is using a self-signed certificate, which is generated and signed by the same entity. It's not backed by a trusted certificate authority, making it more suited for internal uses and not recommended for external environments due to the potential lack of trust. A third-party certificate is signed and verified by an external certificate authority and is generally used in public and external environments due to the inherent trust it carries. A CSR (Certificate Signing Request) is a formal message sent to a certificate authority to request a digital identity certificate. It is not a type of certificate in itself. A wildcard certificate is used to secure multiple subdomains under a single domain. It doesn't necessarily indicate internal use or a lack of trust.

For support or reporting issues, include Question ID: 6524ef55b5ce7a64909dc785 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
378
Question 18: Reginald is a Chief Security Officer who is considering ways to make his company's network more secure. He decides that the network should be divided into a number of parts. This will make the data stored on the network harder for attackers to find. Which of the following techniques is he most likely considering?
Masking
Tokenization
Segmentation
Obfuscation
Correct answer: Segmentation
Overall explanation
OBJ 3.3: Network segmentation divides a network into smaller parts or sections to reduce congestion, enhance security, and improve performance. It restricts access to certain parts of the network, so an attacker who lands in one segment cannot freely reach data held in another. Tokenization substitutes a sensitive data element with a non-sensitive equivalent, the token, and stores the mapping between token and original value in a secure token vault. If the original data is needed, it is retrieved by presenting the token to the vault; the token has no mathematical relationship to the original value, so it cannot be reversed without the vault. Data masking de-identifies some or all characters in a value without changing the number of characters the field contains. The masked version is structurally the same, but the data is hidden; replacing the characters typed into a password field with dots is an example. Obfuscation hides or camouflages information to make it hard to interpret. It is a way of maintaining the privacy and confidentiality of data, not a network design strategy.
Question ID: 64c18b108a3754c97798b019
Domain
3.0 - Security Architecture
379
Question 19: Which individual, among the following options, poses a potential risk from within the organization due to their legitimate access rights, which they might misuse accidentally or maliciously?
Remote hacker
Business visitor
Phishing attacker
Employee
Correct answer: Employee
Overall explanation
OBJ: 2.1 - An employee inherently has authorized access within the organization's systems, and any misuse of that access, intentional or unintentional, is an internal threat. A business visitor might access an organization's premises, but they don't typically hold digital permissions or access rights within the company's IT systems. An individual using phishing techniques tries to trick others into providing sensitive data, but this attacker typically does not have authorized access within the organization. A remote hacker tries to breach security from an external position, seeking unauthorized access to a system.
Question ID: 6525abf68bd120f8e8a566c8
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
380
Question 20: Which of the following vulnerabilities involves accessing or modifying data or communications from other virtual machines by exploiting the fact that they share one CPU?
Resource reuse
CPU starvation
Time-of-check (TOC)
Race condition
Correct answer: Resource reuse
Overall explanation
OBJ: 2.3 - Resource reuse is a virtualization vulnerability: hardware that the hypervisor shares among tenants (the CPU and its caches, memory, storage) is reassigned from one virtual machine to another without being cleared or properly isolated, so an attacker in one VM can read or alter data and communications belonging to a neighbour. On a shared CPU this includes cache side channels, and it can allow an attacker to execute malicious code or commands that affect other virtual machines. CPU starvation is a performance issue in which a process or thread does not receive enough CPU time to perform its tasks, affecting its responsiveness and functionality rather than confidentiality. A race condition is a situation in which the outcome of a process depends on the timing or order of execution of other processes; it can cause errors, inconsistencies, or security breaches, depending on the nature and importance of the resource. Time-of-check (TOC), usually written in full as time-of-check to time-of-use (TOCTOU), is a race condition in which a process checks the state or value of a resource before using it, but another process changes it in between, leading to incorrect or unauthorized actions based on outdated information.
Question ID: 64bc3286bb23266b36c2494c
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
381
Question 21: Which sensor type is designed to measure the force or load applied on it, often used to detect presence or absence of objects?
Motion
Ultrasonic
Microwave
Pressure
Correct answer: Pressure
Overall explanation
OBJ: 1.2 - Pressure sensors measure the force or load applied to them and can be used in security systems to detect the presence or absence of objects, such as a person standing on a pressure mat. Ultrasonic sensors send out sound waves and measure the reflections, which lets them detect movement. Microwave sensors send out microwave pulses that are reflected back when they reach obstacles. Motion detectors are triggered by movement; they usually rely on microwave reflection or passive infrared light.
Question ID: 65245bfc51dc39e50c47fbe1
Domain
1.0 - General Security Concepts
382
Question 22: In an IoT architecture, which of the following is the MOST critical consideration to secure connected devices from vulnerabilities?
Encryption Protocols
Network Segmentation
Patch Availability
Device Configuration Standards
Correct answer: Patch Availability
Overall explanation
OBJ: 3.1 - Ensuring that patches are available and can be applied to IoT devices is crucial for closing the software vulnerabilities that attackers exploit. This requires a process for regularly updating firmware and software so that newly discovered vulnerabilities are addressed swiftly; where a vendor no longer supplies patches, the device should be isolated or replaced, and the other controls become compensating measures rather than fixes. Standardizing device configurations improves security by keeping settings consistent across devices, but it does not address vulnerabilities in the software itself, which only patches can. Segmenting networks limits the spread of an attack by restricting devices to communicating within defined network segments; it does not prevent exploitation of vulnerabilities inside those segments or fix the devices' underlying flaws. Strong encryption protocols protect data in transit and at rest from interception or unauthorized access, but encryption does not mitigate software vulnerabilities that could be exploited to gain unauthorized access to or control of the device.
Question ID: 651709461796470bb3cfdf67
Domain
3.0 - Security Architecture
383
Question 23: At Dion Training, an international training company that operates in multiple countries, the management is concerned about privacy compliance and the legal implications because of the scope of their business. Which of the following BEST describes the scope of legal implications in this scenario?
Global
Local/regional
Data Localization
National
Correct answer: Global
Overall explanation
OBJ: 5.4 - Global implications are the legal consequences of privacy compliance that apply internationally, taking into account data protection and privacy regulations across multiple countries. National implications are legal consequences limited to the borders of a specific country. Data localization refers to laws or regulations that require data to be stored and processed within the territorial boundaries of a specific country; it concerns local data handling requirements rather than the overall scope of legal exposure. Local/regional implications are legal consequences specific to a particular country or region.
Question ID: 64c076281e270317e6ff2310
Domain
5.0 - Security Program Management and Oversight
384
Question 24: Reed, a network engineer at Kelly Innovations LLC, configured an access list to restrict SSH access to the company's internal server. Only Susan, who has an IP address of 192.168.1.100, should be able to SSH into the server. After the configuration, Sasha, with an IP address of 192.168.1.101, reports she can still access the server via SSH. Which of the following access list entries might Reed have mistakenly added?
permit tcp any host 192.168.1.0 0.0.0.255 eq 22
permit tcp any eq 22 host 192.168.1.100
deny tcp any any eq 22
permit tcp host 192.168.1.100 eq 22 any
Correct answer: permit tcp any host 192.168.1.0 0.0.0.255 eq 22
Overall explanation
OBJ 4.5: In a Cisco-style extended ACL, an 'eq <port>' placed after the source address matches the source port and one placed after the destination address matches the destination port, and the first matching entry wins. 'permit tcp any host 192.168.1.0 0.0.0.255 eq 22' is the problematic entry: read as intended (the line mixes the host keyword with a wildcard mask, which IOS would actually reject), it allows any source to reach port 22 on any address in 192.168.1.0/24, which includes Sasha's workstation. 'deny tcp any any eq 22' denies all SSH traffic, so it cannot be the reason Sasha can still SSH in. 'permit tcp host 192.168.1.100 eq 22 any' matches traffic whose source is Susan's address and whose source port is 22, that is, Susan acting as an SSH server; an SSH client uses an ephemeral source port, so this entry would not even let Susan in, let alone Sasha. 'permit tcp any eq 22 host 192.168.1.100' matches traffic from source port 22 on any host to Susan's address, which is the server's reply traffic, not a new connection from Sasha. The entry Reed wanted is 'permit tcp host 192.168.1.100 any eq 22' (or with the server's address in place of any), relying on the implicit deny for everyone else.
Question ID: 65431aedb496ed4c62e3f141
Domain
4.0 - Security Operations
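To see why the position of 'eq' matters, here is an added example (not part of the original question and not vendor code) that models Cisco-style extended ACL matching in Python: wildcard masks, first-match order, the implicit deny, and the rule that 'eq' binds to whichever address precedes it. The server address 192.168.1.10 and the client source port 51000 are assumptions, since the question gives neither. The parser deliberately accepts the malformed 'host X wildcard' form of the first option, reading it as the /24 match it was clearly meant to be, although real IOS would reject that line.

```python
"""Toy model of Cisco-style extended ACL matching (added example, not IOS code).

Rule grammar handled:  permit|deny tcp <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrMatch:
    net: int             # network address as an integer
    wildcard: int        # wildcard mask: 1 bits are "don't care"
    port: Optional[int]  # None means any port

    def hits(self, addr: str, port: int) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        same_net = (a & ~self.wildcard) == (self.net & ~self.wildcard)
        return same_net and (self.port is None or self.port == port)


def _is_dotted_quad(token: str) -> bool:
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse an address spec at tokens[i]; return (net, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        net = int(ipaddress.IPv4Address(tokens[i + 1]))
        j = i + 2
        # The question's first option writes 'host 192.168.1.0 0.0.0.255'. IOS
        # rejects that mix, but we honour the obvious intent (a /24 match).
        if j < len(tokens) and _is_dotted_quad(tokens[j]):
            return net, int(ipaddress.IPv4Address(tokens[j])), j + 1
        return net, 0, j
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wildcard, i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_rule(line: str) -> Tuple[str, AddrMatch, AddrMatch]:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported rule: {line}")
    snet, swild, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)   # 'eq' right after the source = source port
    dnet, dwild, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)   # 'eq' after the destination = destination port
    return action, AddrMatch(snet, swild, sport), AddrMatch(dnet, dwild, dport)


def evaluate(acl: List[str], src: str, sport: int, dst: str, dport: int) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        action, s, d = parse_rule(line)
        if s.hits(src, sport) and d.hits(dst, dport):
            return action
    return "deny"


SERVER = "192.168.1.10"   # assumed server address (not given in the question)
SUSAN, SASHA = "192.168.1.100", "192.168.1.101"
EPHEMERAL = 51000         # assumed client source port; an SSH client never uses 22 as source


def can_ssh(rule: str, client: str) -> bool:
    """Would this single entry (plus the implicit deny) let `client` open SSH to the server?"""
    return evaluate([rule], client, EPHEMERAL, SERVER, 22) == "permit"


OPTIONS = [
    "permit tcp any host 192.168.1.0 0.0.0.255 eq 22",
    "permit tcp any eq 22 host 192.168.1.100",
    "deny tcp any any eq 22",
    "permit tcp host 192.168.1.100 eq 22 any",
]
INTENDED = "permit tcp host 192.168.1.100 any eq 22"


def mistaken_entries() -> List[str]:
    """Entries among the options that let Sasha in: the answer to the question."""
    return [r for r in OPTIONS if can_ssh(r, SASHA)]


if __name__ == "__main__":
    for rule in OPTIONS + [INTENDED]:
        print(f"{rule:50s} Susan={can_ssh(rule, SUSAN)} Sasha={can_ssh(rule, SASHA)}")
```

Running it shows only the first option admits Sasha, the two entries with 'eq 22' next to the source admit nobody's client (they match source port 22, i.e. reply traffic or Susan acting as a server), and the intended entry admits Susan alone.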
385
Question 25: Which of the following statements BEST explains 'Acquisition' as part of the incident response activities?
Acquisition involves obtaining a clean copy of the data from a device so it can be used as evidence
Acquisition involves acquiring individual testimony of all people who could be impacted by an incident
Acquisition means new security controls are purchased or otherwise obtained to prevent future incidents
Acquisition involves evaluating details about the incident to determine financial and legal consequences
Correct answer: Acquisition involves obtaining a clean copy of the data from a device so it can be used as evidence
Overall explanation
OBJ 4.8: Acquisition is the step of identifying and gathering evidence related to the security incident: collecting logs from affected systems, taking forensic images of disks and memory, and cataloguing everything that may later be used as evidence in a court proceeding. To keep that evidence admissible, acquisition follows the order of volatility (memory and network state before disk), produces copies whose hashes match the original, and records a chain of custody. Documenting the incident's components to assess financial or legal consequences is vital, but it is not what acquisition means. New security controls may be needed after an incident, but obtaining them is not acquisition in the incident response sense. Acquiring testimony may be important in an investigation, but it is not what acquisition means either.
Question ID: 64c16b5c6ab51895b912b821
Domain
4.0 - Security Operations
386
Question 26: Which of the following legislation focuses on ensuring the privacy and security of patient health information in the US?
SOX
GDPR
Computer Security Act (1987)
HIPAA
Correct answer: HIPAA
Overall explanation
OBJ: 5.1 - HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient data in the US and mandates specific practices and measures for health institutions and their business associates. The Computer Security Act (1987) was aimed at securing federal computer systems that process sensitive information, not specifically at health data. SOX (Sarbanes-Oxley Act) deals primarily with the financial transparency and accountability of public companies, with no focus on patient health data. GDPR (General Data Protection Regulation), an EU regulation, covers personal data protection broadly and is not specific to the health sector or patient information.
Question ID: 654563dc7dcb30bec4e75c53
Domain
5.0 - Security Program Management and Oversight
387
Question 27: In a highly secure government facility, the access control mechanism is strictly based on predefined rules and regulations. Each individual is granted access based on their job function and security clearance level. The system enforces access control policies that cannot be altered or overridden by users or administrators. Which type of access control mechanism is being used in this scenario?
Role-Based
Mandatory
Rule-based
Discretionary
Correct answer: Mandatory
Overall explanation
OBJ 4.6: The mechanism described is Mandatory Access Control (MAC). Under MAC, subjects and objects carry security labels (clearance and classification) assigned by the system's policy, and the system enforces the resulting rules; neither users nor administrators can override them, which is why MAC suits high-security government environments. Role-Based Access Control (RBAC) grants permissions according to assigned roles, and an administrator can change those role definitions, so it does not match the non-overridable policy described; the job-function element here feeds into the clearance assignment rather than being the enforcement model. Discretionary Access Control (DAC) lets the resource owner decide who may access it, the opposite of the strict, centrally imposed policy in this scenario. Rule-based access control applies administrator-defined rules (such as time of day or source address) that administrators can change or add exceptions to, whereas MAC labels cannot be altered, making MAC the most precise description of the scenario's security approach.
Question ID: 64c139ef22b3af538ad05a2a
Domain
4.0 - Security Operations
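Added example (not from the flashcard or any real product): a small reference monitor in Python implementing mandatory access control in the Bell-LaPadula style, with labels made of a classification level plus need-to-know compartments. The level names, compartment names, subjects and objects are constructed for illustration. It shows the two things that make the scenario MAC rather than DAC or RBAC: labels come only from the policy, and the dominance check decides every read and write, with no code path through which an owner or administrator can relax a label.

```python
"""Toy mandatory access control (Bell-LaPadula style). Added example, not production code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Total order on classification levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class ReferenceMonitor:
    """Labels come only from the security policy; subjects and owners cannot change them."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self._subjects = dict(subjects)
        self._objects = dict(objects)

    def can_read(self, subject: str, obj: str) -> bool:
        # Simple security property: no read up.
        return self._subjects[subject].dominates(self._objects[obj])

    def can_write(self, subject: str, obj: str) -> bool:
        # *-property: no write down; the object must dominate the writer's label.
        return self._objects[obj].dominates(self._subjects[subject])

    def grant(self, granter: str, subject: str, obj: str) -> None:
        # In DAC this is where an owner would hand out access. Under MAC it does not exist:
        # there is no call path that lets any user or administrator relax a label.
        raise PermissionError(f"{granter} cannot override mandatory policy for {obj}")


# Constructed policy for the example.
POLICY = ReferenceMonitor(
    subjects={
        "analyst": Label("SECRET", frozenset({"NUCLEAR"})),
        "sysadmin": Label("CONFIDENTIAL"),          # powerful on the OS, low clearance
        "director": Label("TOP SECRET", frozenset({"NUCLEAR", "CRYPTO"})),
    },
    objects={
        "weather_report": Label("UNCLASSIFIED"),
        "reactor_plan": Label("SECRET", frozenset({"NUCLEAR"})),
        "key_schedule": Label("SECRET", frozenset({"CRYPTO"})),
        "war_plan": Label("TOP SECRET", frozenset({"NUCLEAR", "CRYPTO"})),
    },
)


def access_matrix(monitor: ReferenceMonitor) -> Dict[str, Dict[str, str]]:
    """Summarise the policy as subject -> object -> 'r', 'w', 'rw' or '-'."""
    out: Dict[str, Dict[str, str]] = {}
    for s in monitor._subjects:
        out[s] = {}
        for o in monitor._objects:
            r = "r" if monitor.can_read(s, o) else ""
            w = "w" if monitor.can_write(s, o) else ""
            out[s][o] = (r + w) or "-"
    return out


if __name__ == "__main__":
    for subject, row in access_matrix(POLICY).items():
        print(subject, row)
```

Note what the matrix shows: the analyst cannot read key_schedule even though it is at her own level, because she lacks the CRYPTO compartment; the sysadmin, for all his OS privilege, can only write upward into classified objects and read nothing above CONFIDENTIAL; and nobody, not even the director, can write a TOP SECRET subject's output into an UNCLASSIFIED object.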
388
Question 28: Which of the following BEST describes the purpose of attestation and acknowledgement when it comes to effective security compliance?
Confirming understanding and adherence to compliance requirements.
Automating the compliance and assessment reporting process.
Assessing the potential fines for non-compliance.
Determining the data retention period for compliance documents for an organization.
Correct answer: Confirming understanding and adherence to compliance requirements.
Overall explanation
OBJ: 5.4 - Attestation and acknowledgement are processes that ensure individuals or entities recognize and agree to comply with specified rules or standards. They do not evaluate the potential consequences of non-compliance, such as fines. While automation can assist with many compliance tasks, attestation and acknowledgement are a declaration or confirmation, not an automated process. Data retention is an element of compliance, but attestation and acknowledgement are about affirming one's understanding of and commitment to compliance mandates.
Question ID: 64bf5df1402d8b511311a743
Domain
5.0 - Security Program Management and Oversight
389
Question 29: Sasha is an accountant who is responsible for maintaining the financial records of several clients. Given the sensitivity and importance of this data, as well as compliance regulations, which backup strategy should she prioritize to ensure minimal data loss?
Differential backups
Monthly full backups
Continuous backups
Daily incremental backups
Correct answer: Continuous backups
Overall explanation
OBJ 3.4: Financial data is both sensitive and frequently updated. Continuous backups (continuous data protection) capture every change as it happens, so almost nothing is lost between the last backup and a failure; the recovery point objective approaches zero, which is what minimal data loss and compliance demand here. Differential backups capture everything changed since the last full backup; if that schedule is weekly, several days' worth of financial records could be lost. Given how sensitive and frequently updated financial data is, waiting a month between full backups would be inadequate and might breach compliance regulations. Daily incremental backups capture each day's changes, but after a failure a full day's worth of financial transactions could still be lost, potentially harming compliance standing.
Question ID: 652df6f47586daa9b0968db7
Domain
3.0 - Security Architecture
390
Question 30: During a routine security audit, an administrator discovers that several unused service ports are left open on the organization's servers. Which of the following best explains why this could be a security risk?
It enables faster data processing and response times.
It increases the load on the network, causing slowdowns.
It allows unauthorized access points into the network.
It automatically strengthens the firewall configuration.
Correct answer: It allows unauthorized access points into the network.
Overall explanation
OBJ 2.2 - An open port means a service is listening behind it, and a service nobody uses is a service nobody is maintaining or watching. Attackers scan for open ports to discover such services and then exploit their vulnerabilities or weak configurations to gain unauthorized access or launch further attacks. Closing unused ports, by disabling or uninstalling the unneeded service and filtering the port at the host or network firewall, then re-scanning to confirm, reduces the attack surface and helps protect the network from external threats. Open ports do not speed up processing, do not by themselves add network load, and certainly do not strengthen the firewall configuration.
Question ID: 67211fe31be698cab88b7851
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
391
Question 31: Which of the following cryptographic techniques uses the same key for both encryption and decryption processes, making it essential that the key remains secret and is shared securely among the involved parties?
RSA
ECC
Diffie-Hellman
AES
Correct answer: AES
Overall explanation
OBJ: 2.5 - AES (Advanced Encryption Standard) is a symmetric encryption algorithm: the same secret key is used for both encryption and decryption, so the key must be kept secret and shared securely between the parties. RSA (Rivest-Shamir-Adleman) is an asymmetric technique with two distinct keys, one public and one private, so it does not use the same key for encryption and decryption. Diffie-Hellman is an asymmetric key exchange method used to agree on a shared secret over a public channel (the agreed secret typically then becomes a symmetric key); it is not itself a symmetric cipher. ECC (Elliptic Curve Cryptography) is an asymmetric family, used for key agreement (ECDH) and digital signatures (ECDSA), whose public and private key pairs are derived from elliptic curve mathematics; it does not rely on a single shared key.
Question ID: 652b328a818ffad49a170578
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
392
Question 32: Which of the following BEST describes entities that facilitate the distribution and exchange of threat and vulnerability information among different organizations, often to improve collective security?
Bug bounty programs
Dynamic analysis
SOCs
Information-sharing organizations
Correct answer: Information-sharing organizations
Overall explanation
OBJ 4.3: Information-sharing organizations, such as the sector-specific ISACs (Information Sharing and Analysis Centers), enable different groups to exchange data about threats and vulnerabilities, enhancing collective defense against cyber risks. Bug bounty programs are initiatives in which organizations reward individuals for discovering and reporting software bugs. Security Operations Centers (SOCs) continuously monitor and analyze an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents; their primary function is the security of their own organization, not the distribution of threat information among different organizations. Dynamic analysis evaluates software while it runs, aiming to uncover vulnerabilities that are not visible in a static state.
Question ID: 653d3b0c7983ad99ad8aa9f3
Domain
4.0 - Security Operations
393
Question 33: Lucas, a database administrator, applies several hardening techniques to secure a production database. He disables weak encryption algorithms, ensures that only encrypted connections are allowed, and enforces a policy that limits user accounts to only the minimum required privileges. Despite these measures, an attacker successfully gains access to a high-privilege account through a vulnerability in a third-party plugin. What additional hardening step could Lucas have taken to prevent this breach?
Isolate the database in a demilitarized zone (DMZ)
Apply regular security patches and updates to third-party software
Monitor for unusual activity using a host-based firewall
Implement multifactor authentication (MFA) for all database users
Correct answer: Apply regular security patches and updates to third-party software
Overall explanation
OBJ 2.5 - Applying regular security patches, especially to third-party software such as plugins, is essential for preventing known vulnerabilities from being exploited. Implementing multifactor authentication (MFA) adds an extra layer of login security, but it would not prevent the exploitation of a software vulnerability that bypasses the login. Monitoring with a host-based firewall can detect suspicious activity but cannot patch vulnerabilities in software. Isolating the database in a DMZ improves network security but does not address vulnerabilities within third-party plugins. Regular patching is the most effective hardening step Lucas could have taken to prevent this breach.
Question ID: 672236cdab565f74e2bc9152
Domain
2.0 - Threats, Vulnerabilities, and Mitigations
394
Question 34: Mushy Pea Media wants to implement a system where each user is assigned a unique identifier, and access to sensitive information is determined by the user's role or department. Who is responsible for deciding who can access specific data?
Data Processor
Data Owner
Data Controller
Data Custodian
Correct answer: Data Owner
Overall explanation
OBJ 5.1 - The Data Owner is responsible for setting data access policies, including determining who can access specific information based on their role or department. This role decides on access privileges and data classification and ensures appropriate usage within the organization. The Data Processor handles data processing tasks as directed, the Data Controller determines the purposes and means of processing, and the Data Custodian implements and enforces the access policies but does not define them.
Question ID: 67223f63d2c288f9d7221588
Domain
5.0 - Security Program Management and Oversight
395
Question 35: Within the IT department, Sarah has been designated to oversee the security measures for the new data management platform. She is accountable for the regular review of security protocols and responding to any breaches or vulnerabilities that may arise. Sarah's role would be BEST described by which of the following terms?
Risk register
Risk assessor
Risk owner
Risk indicator
Correct answer: Risk owner
Overall explanation
OBJ: 5.2 - Sarah exemplifies a risk owner: she is accountable for the ongoing management and mitigation of the risks pertaining to the data management platform. A risk assessor is a role Sarah might take on when evaluating risks, but it does not capture her broader management responsibility. A risk indicator is a metric Sarah might monitor to gauge risk levels, not her position. A risk register is the tool Sarah would use to track and assess risks, not her role.
Question ID: 654907a5758b8cedfaaa63aa
Domain
5.0 - Security Program Management and Oversight
396
Question 36: Claude, a software engineer, is urging his boss to begin using hashing and public key cryptography to guarantee that messages they receive are authenticated and have not been tampered with. Which of the following techniques is Claude advocating?
Salting
Digital Signatures
Key Stretching
Private Keys
Correct answer: Digital Signatures
Overall explanation
OBJ: 1.4 - Digital signatures combine hashing with public key cryptography to provide authenticity and integrity for a digital message or document. The sender hashes the message and signs the digest with their private key; the recipient recomputes the digest, verifies the signature with the sender's public key, and compares the two. A match proves that the message came from the holder of the private key and was not altered in transit. A private key is one half of an asymmetric key pair and is used to produce a signature, but on its own it is not the technique Claude describes, and hashing plays no part in generating one. Key stretching increases the time it takes to hash a password, making brute-force attacks less effective. Salting adds random data to the input of a hash function so that identical inputs produce different hashes.
Question ID: 64c3dcef46cada5acd7b5a93
Domain
1.0 - General Security Concepts
397
Question 37: To improve security at their law firm, Norah, a security analyst, wants to implement a system that will selectively block or allow traffic based on the nature of the communication. Which firewall type would be MOST effective for this purpose?
Layer 4 firewall
802.1x
Layer 7 firewall
VPN
Correct answer: Layer 7 firewall
Overall explanation
OBJ 3.2: A layer 7 firewall operates at the application layer and can make granular decisions based on the application payload (which protocol is really in use, which request is being made), which makes it the most effective choice here. A layer 4 firewall operates at the transport layer and sees only addresses and ports, which gives far less granularity for blocking or allowing traffic by the nature of the communication. 802.1x is an IEEE standard for port-based network access control; used with a RADIUS authentication server, it checks user credentials before granting a device access to the network, but it does not inspect traffic. A VPN creates an encrypted tunnel over the internet so that data can be transferred securely across untrusted networks; it does not filter traffic.
Question ID: 64c17a7c2e60209dbaac2220
Domain
3.0 - Security Architecture
398
Question 38: Which of the following tools is MOST known for agentless security monitoring/alerting?
SIEM
Antivirus software
WAF
IDS
Correct answer: SIEM
Overall explanation
OBJ: 4.4 - Security Information and Event Management (SIEM) tools consolidate and analyze logs and alerts from many sources across an environment. They are known for agentless collection: sources forward syslog, Windows event forwarding, SNMP traps or API data to the SIEM without a dedicated agent on the source system, which gives flexibility in diverse infrastructures (agents remain an option where richer host data is wanted). A web application firewall (WAF) filters and monitors HTTP traffic to and from a web application to block web-based attacks; it is not a general monitoring and alerting platform. An intrusion detection system (IDS) detects malicious activity, but a host-based IDS needs an agent on each host and a network IDS needs a sensor placed in the traffic path. Antivirus software detects and removes malware and runs as an agent on the endpoint.
Question ID: 6542fd657a7f9376f6eca411
Domain
4.0 - Security Operations
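Added example (not the page's or any vendor's code): a minimal correlation rule of the kind a SIEM runs over centrally collected syslog, written in Python over constructed sshd log lines from two hosts. Collection is assumed to be agentless syslog forwarding, so the collector sees both hosts' events in one stream. The point it shows: neither host on its own crosses the brute-force threshold, only the combined view does, and a success following the burst is the event worth paging on. Hostnames, addresses, users and timestamps are made up.

```python
"""Toy SIEM correlation: SSH brute force followed by a success, correlated across hosts. Added example."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Classic syslog line: "Mar 14 10:00:01 web01 sshd[2201]: <message>" (single-digit days with a
# padding space are not handled by this toy regex).
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)")

# Constructed sample: one attacker sprays two hosts; neither host alone sees 5 failures.
SAMPLE_LOGS = [
    "Mar 14 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40101 ssh2",
    "Mar 14 10:00:04 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 40102 ssh2",
    "Mar 14 10:00:06 db01 sshd[911]: Failed password for invalid user oracle from 203.0.113.5 port 40103 ssh2",
    "Mar 14 10:00:09 db01 sshd[913]: Failed password for root from 203.0.113.5 port 40104 ssh2",
    "Mar 14 10:00:12 web01 sshd[2205]: Failed password for alice from 203.0.113.5 port 40105 ssh2",
    "Mar 14 10:00:15 db01 sshd[915]: Failed password for alice from 203.0.113.5 port 40106 ssh2",
    "Mar 14 10:00:20 web01 sshd[2207]: Accepted password for alice from 203.0.113.5 port 40107 ssh2",
    "Mar 14 10:05:00 web01 sshd[2301]: Failed password for bob from 198.51.100.7 port 50000 ssh2",
    "Mar 14 10:05:30 web01 sshd[2303]: Accepted publickey for bob from 198.51.100.7 port 50001 ssh2",
]


def parse(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str]]:
    """Syslog omits the year, so one is assumed to make timestamps comparable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def only_host(lines: List[str], host: str) -> List[str]:
    """What a single host's local log would contain (the view without a central collector)."""
    return [ln for ln in lines if (p := parse(ln)) is not None and p[1] == host]


def detect(lines: List[str], threshold: int = 5, window_seconds: int = 120) -> List[Dict]:
    """Sliding-window count of failures per source IP, keyed across all hosts."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict] = []

    def prune(q: Deque[datetime], now: datetime) -> None:
        while q and (now - q[0]).total_seconds() > window_seconds:
            q.popleft()

    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        fail = FAIL_RE.search(msg)
        if fail:
            q = failures[fail["ip"]]
            q.append(ts)
            prune(q, ts)
            if len(q) == threshold:   # fire once, when the threshold is first crossed
                alerts.append({"rule": "ssh_bruteforce", "ip": fail["ip"], "host": host,
                               "count": len(q), "at": ts})
            continue
        ok = OK_RE.search(msg)
        if ok:
            q = failures[ok["ip"]]
            prune(q, ts)
            if len(q) >= threshold:   # a success right after a burst of failures: top priority
                alerts.append({"rule": "ssh_bruteforce_success", "ip": ok["ip"], "host": host,
                               "user": ok["user"], "count": len(q), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
    print("web01 alone:", detect(only_host(SAMPLE_LOGS, "web01")))
```

The per-host views return nothing because each host saw only three failures; the merged stream raises the brute-force alert on the fifth failure and then a higher-severity alert when alice's login succeeds from the same source. Real rules add the same logic for other sources (VPN, web logins) and enrich the source IP with asset and threat-intel context before paging anyone.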
399
Question 39: Jamario is asked to perform a thorough check of all networked devices and software assets after a security incident to verify the total number and ensure no unauthorized assets are present. Which activity is he performing?
Enumeration
Disposal
Monitoring
Classification
Correct answer: Enumeration
Overall explanation
OBJ 4.2: Enumeration is the systematic counting or listing of assets to ensure they are all accounted for and that no unauthorized assets are present. Classification determines the categories and sensitivity of assets rather than counting or verifying them. Disposal is the retirement and removal of assets, not their counting or verification. Monitoring oversees assets on an ongoing basis, but it does not necessarily mean systematically counting or verifying them.
Question ID: 651dd21a44a3366ebbac7f24
Domain
4.0 - Security Operations
400
Question 40: Which of the following statements about sanitization in the disposal process is NOT true?
Sanitization only applies to hardware that contains data and it's not a necessity when disposing of software instruments
Data sanitization involves completely and irreversibly removing data from various types of media storage devices
Data sanitization techniques include deletion, overwriting, degaussing, encryption, and physical destruction
Sanitization processes must be verifiable and provide an assurance that the data is unrecoverable
Correct answer: Sanitization only applies to hardware that contains data and it's not a necessity when disposing of software instruments
Overall explanation
OBJ 4.2: Although sanitization is critical for hardware that contains data, it applies equally to software and data assets: copies held in applications, databases, cloud storage and backups must be removed or de-identified too, so that no sensitive data survives disposal where an unauthorized party could reach it. The goal of data sanitization is the complete and permanent removal of data from storage media. A sound sanitization process is verifiable, for example by reading the media back or obtaining a certificate of destruction, and gives assurance that the data is unrecoverable. Sanitization techniques include deletion, overwriting, degaussing (for magnetic media only), encryption in the form of cryptographic erase (destroying the key of data that was encrypted at rest), and physical destruction; the right method depends on the type of media and on how sensitive the data is.
Question ID: 64c1915becb41e3664cf3e49
Domain
4.0 - Security Operations
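Added example (not from the flashcard): a Python routine that overwrites a file's contents in several passes, forces the writes to disk, and then verifies by reading the file back that a known sensitive marker is gone, which is the verifiable property the last statement in the question describes. The marker text, the pass patterns and the file layout are constructed for the example. The caveat a practitioner needs: this is a logical overwrite through the filesystem, so on SSDs with wear levelling, on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, old copies of the blocks may survive. For those media the appropriate techniques are cryptographic erase (destroying the key of an encrypted volume), the drive's built-in sanitize command, or physical destruction, none of which this code performs.

```python
"""Overwrite a file and verify the overwrite. Added example; see the caveats in the lead-in."""
import os
import secrets
import tempfile
from typing import Dict, Optional, Sequence

# Pass patterns: zeros, ones, then random. None means random bytes.
DEFAULT_PASSES: Sequence[Optional[bytes]] = (b"\x00", b"\xff", None)


def overwrite_in_place(path: str, passes: Sequence[Optional[bytes]] = DEFAULT_PASSES,
                       chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` once per pass, syncing to disk after each pass.
    Returns the number of bytes covered per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:   # unbuffered so each write goes to the OS
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())                  # push the OS cache out to the device
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Read the file back through the filesystem and look for the known sensitive content."""
    with open(path, "rb") as f:
        return marker in f.read()


def sanitize_file(path: str, marker: bytes) -> Dict[str, object]:
    """Overwrite, verify, then unlink. The report is what you would attach to a disposal record."""
    present_before = contains_marker(path, marker)
    size = overwrite_in_place(path)
    present_after = contains_marker(path, marker)
    os.remove(path)
    return {
        "bytes": size,
        "marker_present_before": present_before,
        "marker_present_after": present_after,
        "verified": present_before and not present_after,
    }


def demo() -> Dict[str, object]:
    """Create a temp file with a constructed sensitive record, sanitize it, return the report."""
    marker = b"ACCT-4417 SSN 000-12-3456"        # constructed record, 25 bytes
    fd, path = tempfile.mkstemp(prefix="ledger-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"client ledger\n" + (marker + b"\n") * 200 + b"end\n")
    return sanitize_file(path, marker)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part that turns a wipe into sanitization: the report records that the marker was present before and absent after, and that the overwrite covered the whole file. For whole devices the same idea applies at a different layer, reading raw sectors back after an ATA Secure Erase or checking that the encryption key of a crypto-erased volume is gone.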
401
Question 41: Which of the following BEST explains the differences between static analysis and dynamic analysis in the context of vulnerability management? Static analysis and dynamic analysis are two terms that are used interchangeably to refer to the same process of vulnerability scanning Static analysis relies on automated tools to detect vulnerabilities, whereas dynamic analysis involves manual examination by security analysts Static analysis focuses on identifying vulnerabilities in hardware components, while dynamic analysis is used to evaluate software vulnerabilities Static analysis involves assessing software and code without executing the application, while dynamic analysis assesses the software's behavior during runtime
Correct answer: Static analysis involves assessing software and code without executing the application, while dynamic analysis assesses the software's behavior during runtime
Overall explanation: OBJ 4.3: Static analysis examines software and code without executing it: the source (or binary) is reviewed for potential vulnerabilities and security flaws before the software is deployed. Dynamic analysis evaluates the software's behavior at runtime by executing it with real or simulated inputs and observing the results, which surfaces flaws that only appear when the code actually runs (for example, an unhandled error on unexpected input). The two are distinct methods with different purposes in vulnerability management, not interchangeable terms for the same scanning process. Both can use automated tools or manual examination by security analysts; the distinction is whether the code is executed, not who or what performs the review. Both techniques target software and code; hardware vulnerabilities matter for security but are assessed by other means.
For support or reporting issues, include Question ID: 64be9fa8d1d5835ed1bc7401 in your ticket. Thank you. Domain 4.0 - Security Operations
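The distinction above in working code, as an added example that is not part of the original card: a tiny static analyzer walks the syntax tree of a constructed sample program and flags a shell=True subprocess call without running anything, while a dynamic check executes one of the sample functions on unexpected input and records the crash that static inspection alone would not report. The sample source, the rule set and the inputs are all assumptions made for the example.

```python
import ast

# Constructed sample application code to analyze (not from the page). Line 5
# builds a shell command from user input; parse_id trusts its input blindly.
SAMPLE_SOURCE = '''
import subprocess

def run_report(name):
    return subprocess.run("report --name " + name, shell=True)

def parse_id(value):
    return int(value)
'''


def static_findings(source):
    """Static analysis: walk the syntax tree without executing anything."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # subprocess.<call>(..., shell=True) is a command-injection risk
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "subprocess call with shell=True"))
        # eval()/exec() execute whatever string they are handed
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            findings.append((node.lineno, f"use of {func.id}()"))
    return findings


def load_function(source, name):
    """Load one function from the sample source so it can be executed."""
    namespace = {}
    exec(source, namespace)
    return namespace[name]


def dynamic_findings(func, inputs):
    """Dynamic analysis: run the function on each input and record crashes.

    Returns (repr(input), exception class name) for every unhandled exception.
    """
    findings = []
    for value in inputs:
        try:
            func(value)
        except Exception as exc:
            findings.append((repr(value), type(exc).__name__))
    return findings


if __name__ == "__main__":
    print("static:", static_findings(SAMPLE_SOURCE))
    parse_id = load_function(SAMPLE_SOURCE, "parse_id")
    print("dynamic:", dynamic_findings(parse_id, ["42", "", "abc", "-7"]))
```

The static pass reports the shell=True call at line 5 of the sample but says nothing about parse_id, because `int(value)` is perfectly valid code; the dynamic pass never notices the command injection (run_report is never executed) but catches the unhandled ValueError on empty and non-numeric input. That complementary coverage is why vulnerability management uses both.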
402
Question 42: Which of the following technologies would be primarily utilized to detect unauthorized changes or potential breaches in computer hardware components, operating systems, and core services supporting applications? HIDS WAF SIEM NIDS
Correct answer: HIDS
Overall explanation: OBJ: 4.4 - A host-based intrusion detection system (HIDS) runs on the host itself and monitors its internals (integrity of system binaries and configuration files, running processes, local logs) for unauthorized changes or policy violations, which makes it the right fit for watching hardware components, the operating system, and the core services that support applications. A web application firewall (WAF) inspects HTTP traffic to and from web applications, so it protects at the application layer rather than monitoring the host. A security information and event management (SIEM) system aggregates log data from many sources and alerts on it, but it depends on sensors such as a HIDS for host-level visibility rather than inspecting a system's internals itself. A network intrusion detection system (NIDS) monitors and analyzes network traffic, so it sees the infrastructure, not the internals of a specific host. For support or reporting issues, include Question ID: 6542f2a0c8db08c2a0e441e6 in your ticket. Thank you. Domain 4.0 - Security Operations
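The core of what a HIDS does for "unauthorized changes" is file integrity monitoring: hash a baseline of the files that matter, re-hash later, and report anything added, removed or modified. The following is an added example, not code from the original card: it builds a throwaway directory standing in for a host, snapshots it, simulates three unauthorized changes, and returns the diff a HIDS would alert on. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map every file under root (relative path, '/'-separated) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots the way a HIDS file-integrity check reports them."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a throwaway 'host', snapshot it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed monitored files (stand-ins for real system paths).
        files = {"etc/hosts": b"127.0.0.1 localhost\n",
                 "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "bin/ls": b"\x7fELF original-binary"}
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(content)
        baseline = take_baseline(root)

        # Simulated unauthorized changes: a hosts-file edit, a dropped tool,
        # and a deleted system binary.
        with open(os.path.join(root, "etc", "hosts"), "ab") as handle:
            handle.write(b"203.0.113.9 updates.vendor.example\n")
        with open(os.path.join(root, "bin", "nc"), "wb") as handle:
            handle.write(b"\x7fELF dropped-tool")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline must live somewhere the monitored host cannot silently rewrite (a signed store or the central server), otherwise an attacker who gains root simply re-baselines after tampering. Notice also that none of this is visible to a NIDS: nothing crossed the network.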
403
Question 43: Which of the following statements is NOT true about the Exposure Factor? Exposure factor is typically expressed as a percentage or a ratio of exposure Exposure factor refers to the proportion of an asset's value likely to be destroyed or degraded if a particular security incident or threat event occurs An exposure factor of 100% implies that an asset becomes completely useless after a particular security incident or threat event Exposure factor is calculated by multiplying the asset's total value by the yearly rate of occurrence
Correct answer: Exposure factor is calculated by multiplying the asset's total value by the yearly rate of occurrence
Overall explanation: OBJ 4.3: The exposure factor (EF) is not calculated by multiplying the asset's total value by the yearly rate of occurrence. EF is an estimate of the proportion of an asset's value that would be lost if a given threat exploited a vulnerability; it is a ratio, usually expressed as a percentage, not a monetary amount, and it does not depend on how often the event happens. It is an input to the other quantitative risk figures rather than a product of them: single loss expectancy (SLE) = asset value (AV) x EF, and annualized loss expectancy (ALE) = SLE x annualized rate of occurrence (ARO). An exposure factor of 100% means a security incident or threat event would render the asset entirely unusable or worthless, so the SLE equals the full asset value. For support or reporting issues, include Question ID: 64c199ac1bfa7d3af0f5be54 in your ticket. Thank you. Domain 4.0 - Security Operations
404
Question 44: Which option BEST explains the importance of having Antivirus software? Antivirus is crucial for detecting unknown vulnerabilities through continuous scanning of a system Antivirus is essential for monitoring network traffic and identifying potential security breaches Antivirus is responsible for preventing worms and viruses from infecting the computer, but rarely prevents other malware attacks Antivirus plays a significant role in identifying and removing malicious software to prevent malware infections
Correct answer: Antivirus plays a significant role in identifying and removing malicious software to prevent malware infections
Overall explanation: OBJ: 4.4 - Antivirus software identifies and removes malicious software such as viruses, worms, and Trojans, preventing malware infections and the breaches that follow them. It covers many forms of malware, not just viruses and worms. It cannot detect unknown vulnerabilities: a vulnerability that is not yet known has no signature or pattern to scan for, and antivirus scans for known malware (and, in modern products, suspicious behavior), not for flaws in code. Monitoring network traffic is important but is the job of network-level tools; antivirus serves the narrower purpose of malware detection and removal on the endpoint. For support or reporting issues, include Question ID: 64c0029137e6f9b745e2dcb9 in your ticket. Thank you. Domain 4.0 - Security Operations
405
Question 45: Susan, a security analyst at Kelly Innovations LLC, is reviewing alerts from the IPS. She recognizes a pattern of false positives from signature-based detections. Which of the following is the MOST likely cause for false positives in signature-based detection systems? The IPS is scanning encrypted traffic only The system is only updated with old signatures Signature databases are stored in volatile memory The signatures require tuning
Correct answer: The signatures require tuning
Overall explanation: OBJ 4.5: When signatures are overly broad or imprecisely defined, they match legitimate traffic as well as the attack they were written for, producing false positives; tuning (tightening the pattern, adding protocol context, setting thresholds, or suppressing the rule for known-good sources) is the fix. Outdated signatures miss newer threats, which produces false negatives rather than false positives. Signature-based detection inspects traffic patterns; encrypted payloads limit what a signature can see, but that again leads to missed detections, not false alarms. Where the signature database is stored has no effect on detection accuracy; the quality and precision of the signatures themselves is what matters. For support or reporting issues, include Question ID: 6543247f6809155389722584 in your ticket. Thank you. Domain 4.0 - Security Operations
406
Question 46: The Bright Elf, a Christmas pop-up store, has experienced many issues with their web services. Recent vulnerability scans have shown that their system is vulnerable to malware, DoS, network intrusions, and on-path attacks. Since it is nearing the Christmas season, they want to have one solution to their problems. Which of the following will provide the BEST solution? UTM IPS 802.1x Proxy server
Correct answer: UTM
Overall explanation: OBJ 3.2: A unified threat management (UTM) appliance combines multiple security functions (firewall, intrusion prevention, anti-malware, content and web filtering, and often VPN) in a single device, so it addresses malware, DoS, network intrusions, and on-path attacks with one solution, which is what a small seasonal business with several open findings needs. The trade-off is that a single appliance is also a single point of failure and a potential performance bottleneck. A proxy server acts as an intermediary between users and the internet but does not consolidate multiple security functions. 802.1X is an IEEE standard for port-based network access control; used with a RADIUS authentication server it verifies that a connecting user or device is legitimate and grants access only to what that identity is allowed, but it does nothing about malware or DoS. An IPS detects and blocks threats in traffic but, on its own, does not consolidate the other functions into one solution. For support or reporting issues, include Question ID: 64c16e3efbaff7327d208b4f in your ticket. Thank you. Domain 3.0 - Security Architecture
407
Question 47: Dion Training Solutions is starting an initiative to formulate a disaster recovery plan. Which of the following solutions provides the BEST long-term power source in the event of unforeseen power disruptions, particularly in situations prone to natural disasters? Batteries Generators Renewable energy sources Microgrids
Correct answer: Generators
Overall explanation: OBJ 3.4: Generators, typically fueled by diesel, propane, or natural gas, provide power for as long as fuel can be supplied, keeping security systems and critical operations running through the extended outages that natural disasters cause. Battery systems (Tesla's Powerpack and similar products) deliver near-instant power and are ideal for bridging the seconds until a generator starts, but their runtime is bounded by stored capacity, so they are not a long-term source on their own. A microgrid is a local energy grid that can disconnect from the utility grid and operate autonomously; it may incorporate batteries and generators, but the microgrid itself is an architecture rather than a power source. Solar, wind, and other renewable sources are sustainable contributors to the grid but are intermittent and do not by themselves provide dependable backup during a disruption the way a generator does. For support or reporting issues, include Question ID: 64c1a1ae45e9d8860c404615 in your ticket. Thank you. Domain 3.0 - Security Architecture
408
Question 48: Who is chiefly responsible for determining the purposes and means of processing personal data within an organization? Data User Data Controller Data Owner Data Broker
Correct answer: Data Controller
Overall explanation: OBJ: 5.1 - The data controller is the entity that determines the purposes, conditions, and means of processing personal data; it decides how and why data is processed. A data broker collects and sells data to other organizations but does not decide the purposes and means of processing for another organization. A data owner is accountable for a data asset's classification and for ensuring it is handled according to organizational policy, but the owner role does not by itself define the purposes and means of processing personal data. Data users access and use the data but do not decide how it is processed. For support or reporting issues, include Question ID: 65456b1fafae31330ea11da0 in your ticket. Thank you. Domain 5.0 - Security Program Management and Oversight
409
Question 49: A company's firewall is configured to specifically permit traffic only from a set of approved IP addresses while blocking all others. This type of configuration is BEST described by which of the following terms? Allow list Restricted activities Version control Deny list
Correct answer: Allow list
Overall explanation: OBJ: 1.3 - An allow list enumerates the entities, here IP addresses, that are explicitly granted access; everything not on the list is implicitly denied, which is exactly the firewall behavior described. A deny list enumerates entities that are explicitly blocked and implicitly permits everything else, the opposite default. Version control is a system that records changes to files over time so that specific versions can be recalled later. Restricted activities are specific actions that policy or security requirements prohibit. For support or reporting issues, include Question ID: 64c1475db89ab9e8c9e514ba in your ticket. Thank you. Domain 1.0 - General Security Concepts
410
Question 50: Enrique, the cybersecurity analyst at Kelly Innovations LLC, noticed an interesting trend in the company's access logs. Over the past week, a considerable number of different user accounts had experienced failed login attempts. What was peculiar was that the same set of simple passwords, such as "password" and "123456", were tried across these accounts. There wasn't a high volume of failed attempts per user, but the sheer number of accounts targeted raised Enrique's concerns. Which of the following types of attacks BEST describes Enrique's observations? Credential stuffing Dictionary attack Horizontal password attack Vertical password attack
Correct answer: Horizontal password attack
Overall explanation: OBJ: 2.4 - In a horizontal password attack (commonly called password spraying), the attacker tries a few common passwords across many accounts. Enrique's observation of the same small set of simple passwords being tried against a wide range of user accounts, with only a few failures per account, fits this profile exactly; the low per-account volume is deliberate, because it stays under the account-lockout thresholds that would trigger if many attempts hit a single account. In credential stuffing, an adversary replays previously stolen username and password pairs, so each account would be tried with its own leaked password rather than a shared list of weak ones. A dictionary attack uses a predefined wordlist to guess one password or key; although simple passwords were used here, the defining pattern is the spread across many accounts, not the wordlist. A vertical password attack (brute force) targets a single account with a large number of password guesses, the opposite of what was observed. For support or reporting issues, include Question ID: 6527fed69bdbe2fa8ec18b5a in your ticket. Thank you. Domain 2.0 - Threats, Vulnerabilities, and Mitigations
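The two shapes Enrique has to tell apart show up directly in failed-login counts grouped by source and account. The following is an added example, not code from the original card: it parses a constructed authentication log and labels each source as horizontal (many accounts, few failures each), vertical (one account, many failures), or below threshold. The log format, the thresholds and the addresses are assumptions made for the example; real logs rarely record the password that was tried, so the detection leans on the account spread instead.

```python
from collections import defaultdict

# Constructed authentication log (not from the page). One source fails once or
# twice against many accounts; another hammers a single account; a third is noise.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z FAIL user=alice src=203.0.113.7
2024-03-04T09:00:03Z FAIL user=bob src=203.0.113.7
2024-03-04T09:00:05Z FAIL user=carol src=203.0.113.7
2024-03-04T09:00:07Z FAIL user=dave src=203.0.113.7
2024-03-04T09:00:09Z FAIL user=erin src=203.0.113.7
2024-03-04T09:00:11Z FAIL user=frank src=203.0.113.7
2024-03-04T09:00:13Z FAIL user=alice src=203.0.113.7
2024-03-04T09:01:00Z OK   user=alice src=198.51.100.20
2024-03-04T09:02:00Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:01Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:02Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:03Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:04Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:05Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:06Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:02:07Z FAIL user=svc-backup src=192.0.2.44
2024-03-04T09:05:00Z FAIL user=gina src=198.51.100.77
2024-03-04T09:05:30Z FAIL user=gina src=198.51.100.77
"""


def parse_failures(log_text):
    """Return {source: {account: failed_attempts}} for FAIL lines only."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        status = fields[1]
        attrs = dict(field.split("=", 1) for field in fields[2:])
        if status == "FAIL":
            failures[attrs["src"]][attrs["user"]] += 1
    return failures


def classify(log_text, spray_min_accounts=5, spray_max_per_account=2,
             brute_min_attempts=8):
    """Label each source by the shape of its failures.

    Horizontal: many distinct accounts, each under the lockout-sized limit.
    Vertical: one account pushed past a brute-force attempt count.
    """
    verdicts = {}
    for src, per_account in parse_failures(log_text).items():
        busiest = max(per_account.values())
        if len(per_account) >= spray_min_accounts and busiest <= spray_max_per_account:
            verdicts[src] = "horizontal (password spraying)"
        elif busiest >= brute_min_attempts:
            verdicts[src] = "vertical (brute force)"
        else:
            verdicts[src] = "below threshold"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

A per-account lockout rule would never fire on 203.0.113.7, since no account there fails more than twice, which is the whole point of the horizontal technique; the detection has to pivot on the source (or on the burst of distinct accounts in a short window) rather than on any single account. Attackers spread sprays across many source addresses for the same reason, so the window-based variant matters as much as the per-source one.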
411
Question 51: What is the primary purpose of an NDA in the vendor relationship? To allow the organization to perform penetration testing on the vendor's systems To protect sensitive information and maintain confidentiality To establish rules of engagement for the vendor's security assessments To ensure the vendor meets specific service-level requirements
Correct answer: To protect sensitive information and maintain confidentiality
Overall explanation: OBJ: 5.3 - The primary purpose of a non-disclosure agreement (NDA) is to protect sensitive information and maintain confidentiality: it is a legally binding contract requiring the vendor to keep the organization's sensitive information confidential and not disclose it to unauthorized parties. Rules of engagement define the scope, limitations, and rules for security assessments such as penetration testing, and are a separate document. Service-level requirements belong in a service-level agreement (SLA), which defines the expected level of service, including performance metrics. The right to audit a vendor comes from a right-to-audit clause in the contract, not from the NDA, and permission to penetration test a vendor's systems requires separate written authorization with its own rules of engagement. For support or reporting issues, include Question ID: 64bb3d6599b63f15eee0ccfc in your ticket. Thank you. Domain 5.0 - Security Program Management and Oversight
412
Question 52: Jamario, a security analyst at Dion Training, has just completed a vulnerability assessment on a company's internal web application. One of the vulnerabilities detected has a high likelihood of being exploited and, if successful, could expose sensitive customer data. Based on severity and potential impact, how should this vulnerability be classified? Critical Medium Informational Low
Correct answer: Critical
Overall explanation: OBJ 4.3: A critical rating is assigned to vulnerabilities that have a high likelihood of exploitation and whose exploitation would cause significant damage, such as exposing sensitive data; this finding meets both conditions and should be remediated immediately. Informational findings pose no immediate risk and are documented only to give a complete view of the assessment. Low vulnerabilities carry minimal potential damage and are unlikely to be exploited, so they are a lower priority. Medium vulnerabilities pose moderate risk, usually with mitigating factors that reduce their impact or likelihood of exploitation. For support or reporting issues, include Question ID: 6541cc89daf67f8b06f1108b in your ticket. Thank you. Domain 4.0 - Security Operations
413
Question 53: Georgina, a lawyer, needs to send a contract to her client for signature. She wants to ensure that the client cannot later deny having signed the contract. Which of the following methods can she use to prevent the client from denying that they signed the contract? A cryptographic primitive Encryption Firewalls Digital signatures
Correct answer: Digital signatures
Overall explanation: OBJ: 1.2 - Digital signatures provide non-repudiation: the signer hashes the document and signs the hash with a private key that only they hold, and anyone with the matching public key can verify that the signature was produced by that key and that the document has not changed since. Because the signer alone controls the private key, they cannot credibly deny having signed. Firewalls control incoming and outgoing network traffic and have nothing to do with non-repudiation. A cryptographic primitive is a basic building block such as a hash function, a block cipher, or a key-exchange operation; a signature scheme is assembled from several primitives (a hash plus a public-key operation), so "a cryptographic primitive" by itself does not name a mechanism that provides non-repudiation. Encryption protects confidentiality by making data unreadable to unauthorized parties; it does not prove who produced the data, and with symmetric encryption both parties hold the same key, so either one could have produced the ciphertext. For support or reporting issues, include Question ID: 64c02ce4bd666fdab8550a75 in your ticket. Thank you. Domain 1.0 - General Security Concepts
414
Question 54: Dion Training has recently partnered with a service provider named NexTech Solutions to deploy a new online training platform. After a few months, a security audit reveals that there's a significant vulnerability in the platform. Upon investigation, it's found that the vulnerability stems from a misconfigured server setup, based on specifications provided exclusively by NexTech Solutions, which Dion Training had no control over or access to. In this scenario, who is specifically responsible for introducing the vulnerability? Dion Training's IT team NexTech Solutions' development team Dion Training's management team NexTech Solutions' sales team
Correct answer: NexTech Solutions' development team
Overall explanation: OBJ: 2.3 - The vulnerability came from a misconfigured server setup built to specifications that NexTech Solutions provided exclusively, so NexTech Solutions' development team introduced it. NexTech's sales team is responsible for selling the service; sales staff rarely have input into development and do not write code or set configuration standards, though they may relay information to customers. Dion Training's management team oversees the partnership and overall operations but does not handle the technical specifications of server setups. Dion Training's IT team is responsible for internal systems, but the misconfiguration followed specifications the team neither controlled nor had access to. For support or reporting issues, include Question ID: 64bc557a201c5bcd5511b48d in your ticket. Thank you. Domain 2.0 - Threats, Vulnerabilities, and Mitigations
415
Question 55: At Kelly Innovations LLC, Susan has been entrusted with determining the purposes and means of processing personal data for the organization's new marketing campaign. She decides what data to collect, how long it will be retained, and with whom it will be shared. Which of the following BEST describes the role Susan is playing? Data Processor Data Subject Data Controller Data Custodian
Correct answer: Data Controller
Overall explanation: OBJ: 5.4 - A data controller is the individual or entity that determines the purposes and means of processing personal data, which is exactly what Susan is doing when she decides what is collected, how long it is retained, and with whom it is shared; the controller carries primary responsibility for protecting the data and complying with privacy regulations. A data subject is the identifiable person whose personal data is being processed. A data custodian is responsible for the safe storage and maintenance of data assets through their lifecycle but does not decide how they are processed. A data processor processes personal data on behalf of, and under the instructions of, the controller, without deciding the purposes or means of processing. For support or reporting issues, include Question ID: 64c073784a3e7f77a149c91e in your ticket. Thank you. Domain 5.0 - Security Program Management and Oversight
416
Question 56: Which of the following BEST describes the initial step to ensure a secure procurement process at Dion Training? Determine the software's compatibility with existing systems Check for discounts or bulk pricing Verify the legitimacy of the software vendor Collaborate with the IT department for installation
Correct answer: Verify the legitimacy of the software vendor
Overall explanation: OBJ 4.2: Before any purchase, confirm that the vendor is reputable, so that the organization does not acquire counterfeit, tampered, or malicious software; everything else in procurement builds on that. Pricing and discounts are valid considerations but come after the security of the source is established. Collaborating with IT on installation matters, but it follows vendor verification. Compatibility with existing systems is important, but it is only worth evaluating once you know you are buying from a legitimate source. For support or reporting issues, include Question ID: 64bea22db5d5c5c37720922b in your ticket. Thank you. Domain 4.0 - Security Operations
417
Question 57: A security analyst is performing a security assessment of an application that processes sensitive data. He uses a tool that injects random data into the application’s input fields and monitors its behavior. He notices that when he injects a long string of characters into one of the input fields, he gets an error message that indicates a memory address and some hexadecimal values. What type of application-based attack is he potentially able to perform? Malicious update Race condition Memory injection Buffer overflow
Correct answer: Buffer overflow
Overall explanation: OBJ: 2.3 - A buffer overflow exploits a program that fails to check the size of input before copying it into a fixed-size buffer; the excess data overwrites adjacent memory, and an attacker who controls that data can corrupt control data and execute arbitrary code. The analyst is fuzzing the application (feeding it random and oversized input), and a crash message exposing a memory address and hexadecimal values after a long string is the classic sign that the input overran a buffer, so a buffer overflow is the attack he is positioned to develop. A race condition arises when two or more processes access or modify a shared resource concurrently in an unexpected order, producing inconsistent or unpredictable results; injecting data into one input field gives the analyst no control over process ordering. A malicious update replaces a legitimate software update with a malicious one to compromise the application or steal data; that requires access to the update channel, which input fuzzing does not provide. Memory injection covers attacks that insert and run attacker-supplied code in the memory of a running process (DLL injection, for example); the fuzzer is not placing controlled code into the process, only crashing it, so that is not what has been demonstrated. For support or reporting issues, include Question ID: 64bc63132c983e5716c68d57 in your ticket. Thank you. Domain 2.0 - Threats, Vulnerabilities, and Mitigations
418
Question 58: As a security analyst, you are currently investigating a potential security breach within your organization's network, specifically focusing on unusual traffic that was detected coming from an external IP address. To dig deeper into this situation, you have decided to analyze the packet capture logs that were recorded during the time of the suspected incident. Given that the unauthorized access was attempting to communicate via TCP to a sensitive internal server on port 443, and there were also abnormal DNS requests observed, which of the following pieces of information from the packet captures would be MOST valuable to investigate the incident further? TLS handshake details and DNS query responses ICMP echo request and reply messages ARP cache content HTTP GET and POST requests
Correct answer: TLS handshake details and DNS query responses
Overall explanation: OBJ 4.9: The TLS handshake is exchanged before encryption begins, so the capture reveals the Server Name Indication the client asked for, the negotiated protocol version and cipher suite, and (in TLS 1.2 and earlier; TLS 1.3 encrypts it) the server certificate with its issuer, subject and validity; anomalies there, such as an unexpected or self-signed certificate or a weak cipher, point to an unauthorized or impersonated service. The DNS responses show which names were resolved and to which addresses, which ties the abnormal DNS requests to the external IP and exposes any malicious or unauthorized domains, including those used for command-and-control or tunneling. Together these are the most valuable evidence for an incident involving TCP/443 to a sensitive server plus unusual DNS activity. The Address Resolution Protocol (ARP) cache maps IP addresses to MAC addresses for devices on the local segment; ARP spoofing is a real concern, but the cache says nothing about an external host's TCP session or DNS behavior. ICMP echo requests and replies (ping) show reachability and are useful for basic diagnostics, but carry little information about an unauthorized access attempt. HTTP GET and POST requests are the application payload, and on port 443 that payload is inside TLS; without the session keys or a decrypting proxy the capture shows only ciphertext, so the HTTP methods cannot be analyzed at all, let alone prioritized.
For support or reporting issues, include Question ID: 64c1740dfbaff7327d208b81 in your ticket. Thank you. Domain 4.0 - Security Operations
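Pulling "which names resolved to what" out of a capture means decoding the DNS wire format, including the name compression that trips up naive parsers. The following is an added example, not code from the original card: it constructs a small DNS response (a query for an assumed name with two A-record answers, both using compression pointers) and parses the header, question and answer sections back out. The transaction ID, name, addresses and TTL are all made up for the example; the TLS side of the investigation is not covered here.

```python
import struct


def build_sample_response():
    """Constructed DNS response (not a real capture): two A records, TTL 60."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # id, flags, QD, AN, NS, AR
    qname = b"\x0acdn-update\x07example\x00"                   # cdn-update.example
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN

    def a_record(ip, ttl):
        # 0xC00C is a compression pointer back to the name at offset 12
        rdata = bytes(int(octet) for octet in ip.split("."))
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

    return header + question + a_record("203.0.113.5", 60) + a_record("198.51.100.9", 60)


def read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # parsing resumes after the pointer
            hops += 1
            if hops > 16:                               # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(data):
    """Parse the header, question section and answer RRs of a DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:               # A record: dotted-quad IPv4
            value = ".".join(str(b) for b in rdata)
        else:                                           # anything else: keep raw bytes
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    print(parse_response(build_sample_response()))
```

Feeding each UDP/53 payload from the capture through `parse_response` gives the investigator a table of name, type, TTL and address to match against the external IP and the server's expected dependencies. The loop guard in `read_name` is not decoration: a crafted packet whose pointer refers to itself would otherwise spin a parser forever, and investigators do sometimes run tooling against attacker-supplied traffic.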
419
Question 59: Local regulations for financial corporations have led Milieu Solutions, an investment company, to consider many security options. A new regulation requires more exacting controls over system responses to errors. To provide maximum protection of client assets, Milieu Solutions has decided to implement a solution that will shut down transactions if network errors occur. Which of the following BEST describes the solution they have implemented? Proxy server Fail-open Fail-closed SASE
Correct answer: Fail-closed
Overall explanation: OBJ 3.2: Fail-closed (also called fail-secure) describes how a system responds to errors and exceptions: when an error occurs, the system denies further access and stops traffic until the error or exception has been dealt with, which is exactly what shutting down transactions on network errors does. It gives client assets stronger protection at the cost of availability, since the service becomes unreachable even when the error is minor and poses no security threat. Fail-open is the opposite policy: on an error the system keeps allowing access, keeping the service up while the error is addressed on the assumption that the fault is minor; that favors availability over security. Secure Access Service Edge (SASE) is a cloud architecture that bundles networking and security services (SD-WAN, firewall as a service, secure web gateway, zero-trust network access) into one managed service, reducing cost and simplifying management; it could be configured to fail closed, but that is not what it is. A proxy server acts as a filter or gateway between clients and servers, caching content to speed up communications and inspecting traffic for patterns and signatures of known attacks or malware; it does not respond to an error by halting all traffic. For support or reporting issues, include Question ID: 64c16e0f6ab51895b912b835 in your ticket. Thank you. Domain 3.0 - Security Architecture
Question 60: A business has determined that a potential data breach could lead to a loss of $300,000. If the organization experiences such breaches twice every ten years, what is the Annual Loss Expectancy (ALE) for this risk?

$3,000
$60,000
$30,000
$600,000

Correct answer: $60,000

Overall explanation
OBJ: 5.2 - The correct answer is found by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). Since the loss is $300,000 and it occurs twice every ten years, the ARO is 0.2 (twice every ten years is the same as once every five years, or 0.2 times per year). Therefore, $300,000 (SLE) times 0.2 (ARO) equals $60,000, which is the Annual Loss Expectancy (ALE).
Question ID: 654977154823b276876bb39a

Domain
5.0 - Security Program Management and Oversight
Question 61: In Dion Training's data management framework, Scherazade determines why and how data will be collected. She then directs Sahra on what should be done with the data that is collected. Which of the following BEST describes the roles that Scherazade and Sahra have?

The data controller and the data processor.
The data owner and data custodian.
The data custodian and the data controller.
The data owner and the data processor.

Correct answer: The data controller and the data processor.

Overall explanation
OBJ: 5.4 - Scherazade is the data controller because the data controller determines how and why the data is collected and used. Sahra is the data processor because the data processor follows the data controller's directions for using the data that is collected. The data owner is the person who is ultimately responsible for the confidentiality, integrity, and availability of the data. The data custodian handles the management of the system used to store and collect the data.
Question ID: 64c07d604a3e7f77a149c923

Domain
5.0 - Security Program Management and Oversight
Question 62: A financial institution wants to reduce the risk of unauthorized access during non-operative hours. The IT department suggests a control that only allows users to access the company's mainframe between 9:00 AM and 5:00 PM on weekdays. Which security measure can achieve this goal?

Session timeouts
Network segmentation
Time-of-day restrictions
DLP

Correct answer: Time-of-day restrictions

Overall explanation
OBJ 4.6: Setting specific time frames for access ensures that systems are only available during designated times, reducing unauthorized access risks outside of those times. While session timeouts limit the duration of a user's active session, they do not confine access to specific times of day. Data loss prevention (DLP) focuses on monitoring and controlling data transfer, not time-based access controls. Network segmentation divides the network into smaller segments, but it doesn't restrict access based on time.
Question ID: 65445976c47e0cf3c470dd6c

Domain
4.0 - Security Operations
Question 63: Jamario from Kelly Innovations LLC receives a call from someone claiming to be Enrique from the IT support team. The caller mentions that they need to adjust some settings on Jamario's system remotely and asks for his password. Which of the following social engineering techniques MOST accurately describes this scenario?

Impersonation
Phishing
Vishing
Tailgating

Correct answer: Impersonation

Overall explanation
OBJ: 2.2 - Impersonation involves an attacker pretending to be a trusted individual, in this case, Enrique from IT, to gain unauthorized access or information. This aligns with the described scenario, where the caller uses a false identity to obtain a password. Phishing is a broad method of tricking individuals into providing sensitive information, typically through deceptive emails or websites. However, this scenario is more about a phone call than an email or website deception. Tailgating involves unauthorized individuals gaining physical access to restricted areas by closely following authorized personnel. This scenario doesn't involve any physical security breach. Vishing, or voice phishing, involves attackers using the telephone to deceive their victims into providing sensitive information. While the scenario involves a phone call, the main element is the impersonation of a known entity, rather than a cold-call phishing attempt.
Question ID: 652631083d13a24d30b0cf20

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 64: You are the security administrator for a company, and you are tasked with implementing password best practices to enhance the organization's identity and access management. Which of the following password policies BEST meets the recommended password practices?

Passphrases with a minimum of 15 characters, changed annually
Minimum 8 characters, must include a number and uppercase letter
Require 16 characters, upper/lowercase, numbers, change only after a breach
Require 12 characters, upper/lowercase, numbers, symbols, and change every 90 days

Correct answer: Passphrases with a minimum of 15 characters, changed annually

Overall explanation
OBJ 4.6: Long passphrases with a minimum of 15 characters offer adequate security and are more user-friendly. Adding annual password changes helps to balance security and proper user compliance. This method also best aligns with NIST best practices regarding passwords. "Requiring 12 characters, upper/lowercase, numbers, symbols, and changing every 90 days" may seem strong due to its complexity and frequent updates. However, frequent mandatory password changes have led to poor user behavior, such as reusing similar passwords or writing them down, which undermines security. A "minimum 8 characters, must include a number and uppercase letter" policy meets basic complexity standards but is insufficient due to the shorter length, making passwords easier to compromise via modern attack methods. "Requiring 16 characters, upper/lowercase, numbers, and change only after a breach" ensures robust password strength but unnecessarily prioritizes complexity over usability. It also relies heavily on timely breach detection; a breach may go unnoticed for a very long time, if it is ever caught, whereas an annual change requirement would address this issue.
Question ID: 64c138c93837c7dbc550d89f

Domain
4.0 - Security Operations
Question 65: Which standard defines the safe handling and storage requirements for financial information, particularly concerning credit card transactions?

HIPAA
FISMA
CCPA
PCI DSS

Correct answer: PCI DSS

Overall explanation
OBJ: 5.1 - PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. FISMA (Federal Information Security Management Act) is focused on the security of federal data but doesn't specifically address the handling of credit card information. HIPAA (Health Insurance Portability and Accountability Act) is specific to the health industry and focuses on the protection of sensitive patient health information, not credit card transactions. While the CCPA (California Consumer Privacy Act) is focused on consumer privacy rights and data protection, it doesn't specifically cater to credit card transactions or define standards for financial information storage.
Question ID: 654561fc7dcb30bec4e75c44

Domain
5.0 - Security Program Management and Oversight
Question 66: A water treatment facility relies on an in-house SCADA system for automation of their machinery and devices used for sensory feedback. In this type of environment, which of the following would be the most concerning security vulnerability?

Speed and productivity issues
Legacy protocols without encryption
Over-reliance on sandboxing
Frequent patching

Correct answer: Legacy protocols without encryption

Overall explanation
OBJ: 3.1 - Many SCADA systems utilize legacy communication protocols that lack modern security features, making them vulnerable to unauthorized interception or tampering. SCADA systems tend to have infrequent updates as a vulnerability, not frequent patching. Frequent patching would be a good thing and is not a security concern. Sandboxing is a method to run untrusted code. This concern isn't directly associated with the innate vulnerabilities in SCADA systems. While speed and productivity issues could be a concern for operations, they are not a security vulnerability with regard to SCADA systems.
Question ID: 652c42d36000c2244d013a08

Domain
3.0 - Security Architecture
Question 67: Enrique identifies that the operating system used in some of the company's critical infrastructure equipment is no longer receiving patches. Instead of patching, which of the following is the BEST recommended security control to protect these systems from potential attackers?

Isolate the network it uses.
Implement multi-factor authentication (MFA).
Upgrade the system hardware.
Regularly back up the systems.

Correct answer: Isolate the network it uses.

Overall explanation
OBJ: 2.3 - Legacy platforms that can't be patched should be isolated to prevent potential intrusions, ensuring they remain inaccessible to attackers. While MFA is a strong security measure for user access, it doesn't safeguard an unpatched operating system from all types of vulnerabilities. While backups are crucial for data recovery, they don't provide real-time protection against threats targeting an unpatched operating system. While upgrading hardware might improve performance or compatibility, it doesn't address the core issue of an unsupported operating system.
Question ID: 6527cf1b7b75b14e42cb5006

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 68: Dion Training Solutions received an alert from their IDS. The alert showed multiple requests from a workstation trying to access and download large amounts of data from various servers using the SMB protocol. Upon further inspection, this activity was found to be accompanied by unusual encrypted traffic patterns. Which of the following terms BEST describes the malicious activity detected in this scenario?

DDoS attack
Malicious code propagation
Network sniffing
Zero-day exploit

Correct answer: Malicious code propagation

Overall explanation
OBJ: 2.4 - Malicious code propagation involves spreading malware or unwanted software within a network. The unusual encrypted traffic alongside the SMB protocol requests suggests that the workstation might be infected and trying to spread the malware or extract data. A Distributed Denial of Service (DDoS) attack floods a network or service with unnecessary requests to cause a disruption. The activity described is more about data extraction and propagation than causing a denial of service. A zero-day exploit takes advantage of a software vulnerability that is unknown to the software's vendor. While the activity could be caused by a zero-day, the description fits more with malicious code propagation.
Question ID: 65298e7f44a8b65c25db755f

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 69: What type of protective measures limit access to data based on the physical location or region where the data is stored?

Data masking
Data encryption
Access Control Lists (ACLs)
Geographic restrictions

Correct answer: Geographic restrictions

Overall explanation
OBJ 3.3: Geographic restrictions pertain to policies that limit where data can be stored or accessed based on geography. Data encryption secures data through encryption algorithms, but it is not related to physical location. Access control lists (ACLs) manage permissions for users but do not enforce restrictions based on geographical location. Data masking replaces sensitive data with fictitious data, but it's unrelated to where the data is stored.
Question ID: 64c1962a6bd44bdb096b83ae

Domain
3.0 - Security Architecture
Question 70: When Kelly Innovations LLC is assessing hybrid cloud options, which of the following factors is essential to understand how uncertainty and threats can be shifted to other entities such as a third party?

Logical Segmentation
Responsibility Matrix
Resilience
Risk Transference

Correct answer: Risk Transference

Overall explanation
OBJ: 3.1 - Understanding risk transference is essential when considering hybrid cloud architectures, as it helps determine how certain responsibilities and risks can be shifted to cloud providers, mitigating potential liabilities. While the Responsibility Matrix outlines the roles of a company and the cloud provider, it is not a measure of how risk is specifically transferred between entities. Resilience refers to the ability of a system to recover quickly from disruptions and maintain continuous operation; it does not specifically address the shifting of risks or uncertainties to other entities. Logical segmentation is crucial for network security in hybrid cloud considerations, but it does not directly assess how risk is transferred between entities.
Question ID: 65170c487ae092b7640ec66e

Domain
3.0 - Security Architecture
Question 71: Which of the following provides step-by-step instructions designed to assist in routine activities and ensure consistency and compliance within an organization?

Service level agreement
Maintenance window
Impact analysis
Standard operating procedure

Correct answer: Standard operating procedure

Overall explanation
OBJ: 1.3 - A standard operating procedure (SOP) provides clear, concise instructions on how to perform specific tasks or activities in a consistent manner. It ensures that operations run smoothly and meet compliance standards. Impact analysis is an assessment to determine the potential consequences of a change. It does not offer step-by-step guidance for routine processes. An SLA (service level agreement) is a contract between a service provider and its customers that specifies the performance and quality metrics of their relationship. It doesn't provide step-by-step instructions for routine activities. A maintenance window refers to a designated period of time during which system maintenance can occur with the least impact to users. It doesn't provide instructions for routine operations.
Question ID: 6524d2f55aa43bae85dcdf83

Domain
1.0 - General Security Concepts
Question 72: John is reviewing an assessment where it has been determined that a successful cyber attack could result in significant operational downtime and data recovery costs, totaling approximately $500,000. Which term BEST quantifies the severity of this potential event?

Likelihood
Exposure factor
Probability
Impact

Correct answer: Impact

Overall explanation
OBJ: 5.2 - Impact specifically refers to the magnitude of the consequences if a risk event occurs, typically assessed in terms of financial loss, operational disruption, or other forms of damage. Similar to probability, likelihood assesses the chance of a risk event happening but does not directly quantify the severity of the event's consequences. The exposure factor (EF) is a component used to calculate the single loss expectancy (SLE) by representing the percentage of loss an asset would suffer from a risk event. It does not, by itself, quantify the overall severity of potential consequences. While probability quantifies the likelihood of a risk event occurring, it does not measure the severity of the consequences of the event.
Question ID: 6548fd5c7c24a94af8cddbfa

Domain
5.0 - Security Program Management and Oversight
Question 73: Which of the following control types is designed to actively block unauthorized access before it happens?

Deterrent
Detective
Preventive
Corrective

Correct answer: Preventive

Overall explanation
OBJ 1.1 - Preventive controls are intended to stop an incident or unauthorized access before it occurs by blocking or restricting certain actions. Examples include firewalls, access control systems, and security policies.
Question ID: 6720f9a283057c2f9c0122a8

Domain
1.0 - General Security Concepts
Question 74: Before disposing of old computers at Kelly Innovations LLC, Sasha receives a document that confirms all data has been securely removed. What is this document known as?

Data retention policy
Purchase order
SLA
Certificate of sanitization

Correct answer: Certificate of sanitization

Overall explanation
OBJ 4.2: A certificate of sanitization serves as a formal assurance that a device has undergone a thorough data cleansing process, ensuring all information has been securely and permanently erased. It is essential for maintaining data privacy, especially when disposing of or repurposing equipment. A service level agreement (SLA) is a formal contract that sets out terms and conditions between a service provider and a client. While it might specify various services, including data-related ones, it isn't a confirmation of data removal from a device. A purchase order is typically used to authorize the purchase of goods or services. While it's an essential record in procurement processes, it doesn't have any relevance to the secure erasure of data from devices. A data retention policy defines the duration for which data should be stored and when it should be disposed of. While it addresses data management, it doesn't certify the secure erasure of data from a device.
Question ID: 651ef006c2263a829f0fa688

Domain
4.0 - Security Operations
Question 75: Which of the following types of threat actors is likely to be the least sophisticated?

Organized crime organizations
Insider threat
Nation-state actors
Unskilled attacker

Correct answer: Unskilled attacker

Overall explanation
OBJ: 2.1 - An unskilled attacker is a type of threat actor that has little or no technical skill, low resources/funding, and a low level of sophistication/capability. Unskilled attackers often launch simple and opportunistic attacks using tools or scripts developed by others. Organized crime is a type of threat actor that is composed of groups or networks of criminals. They usually have moderate to high levels of resources and funding and moderate levels of sophistication and capability. Organized crime organizations can launch coordinated and profitable attacks against businesses, governments, or individuals. Nation-state actors are a type of threat actor that is sponsored by a government or a country's military. They normally have high resources/funding and a high level of sophistication/capability. Nation-state actors can launch advanced and persistent attacks against other countries, organizations, or individuals. An insider threat is a type of threat actor that has authorized access to an organization’s network, systems, or data and has variable resources/funding and level of sophistication/capability depending on their role and position. Insider threats can abuse their authorized access, leak information, sabotage operations, or collaborate with external actors.
Question ID: 64b862084bcef25bbedbaa3e

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 76: The management team at Albus Global is working to prepare for potential disruptions like natural disasters and cyber attacks. They want to ensure that they maintain critical business functions regardless of the type of disruption they encounter. What document should they create?

Incident response policy
Disaster recovery policy
Acceptable use policy (AUP)
Business continuity policy

Correct answer: Business continuity policy

Overall explanation
OBJ: 5.1 - The business continuity policy outlines the procedures and strategies that an organization should follow to ensure the continuous operation of critical business functions during disruptions or disasters. It includes plans for maintaining essential services, data, and systems to minimize downtime and resume operations as quickly as possible. The incident response policy provides guidelines and procedures for detecting, responding to, and mitigating security incidents and breaches. It focuses on the actions to be taken when a security event occurs to contain the incident and prevent further damage. Cyber attacks would be part of this, but the team is planning for a broader picture, so the correct answer is the business continuity policy. The acceptable use policy (AUP) sets the rules and guidelines for the proper use of an organization's IT resources and facilities by its employees and users. It defines what is considered acceptable behavior when using company assets and systems to ensure their appropriate and secure use. However, the AUP does not directly address strategies for ensuring business continuity during disruptions. The disaster recovery policy specifies the steps and protocols to recover IT infrastructure and systems after a major disaster or disruptive event. It involves restoring critical data and services to resume business operations following a catastrophic incident. This will help them with a disaster, but they are planning for broader threats.
Question ID: 64b893356ccfbae323bb6aba

Domain
5.0 - Security Program Management and Oversight
Question 77: You are an IT administrator for an enterprise that needs to implement and maintain a robust Identity and Access Management (IAM) solution. The organization has multiple applications and services that require centralized user authentication and authorization. As part of the IAM strategy, you decide to implement SSO using LDAP (Lightweight Directory Access Protocol). Which of the following approaches would be the MOST effective way to implement and maintain LDAP for centralizing user identity information and access control in the given scenario?

Implementing LDAPS to secure communication with the LDAP directory
Storing sensitive user information, such as passwords and personal details, in plaintext within the LDAP directory
Configuring LDAP for allowing users to manage their own accounts and access permissions
Deploying LDAP over an unencrypted connection (LDAP://) to ensure seamless integration with legacy applications

Correct answer: Implementing LDAPS to secure communication with the LDAP directory

Overall explanation
OBJ 4.6: Using strong encryption like LDAPS (LDAP over SSL/TLS) secures communication with the LDAP directory, protecting sensitive data, such as user credentials, during transmission. LDAPS enhances security and data integrity, making it ideal for safeguarding data in transit. Allowing users to manage their own accounts can reduce administrative overhead but, without proper monitoring and controls, may introduce security risks. A self-service portal with access controls can be beneficial, but granting full control risks unauthorized access or privilege escalation. Storing sensitive information, especially passwords, in plaintext is insecure; passwords should be protected using one-way hashing with a salt. Unencrypted LDAP connections risk exposure to eavesdropping; therefore, LDAP communication should always be encrypted to protect data in transit.
Question ID: 64c12bbf6d5d20b6d8a8cbb8

Domain
4.0 - Security Operations
Question 78: Nina is tasked with hardening an internal file server that stores sensitive company data. She implements file integrity monitoring, disables weak cipher suites, and restricts network access using IP allow lists. However, during a security review, it is discovered that several critical patches for the operating system are missing, leaving the server vulnerable to known exploits. What does this scenario highlight about the hardening process?

Weak cipher suites should be replaced with host-based firewalls
File integrity monitoring is insufficient without encryption
IP allow lists should be combined with remote access controls
Hardening is ineffective without ongoing maintenance and patch management

Correct answer: Hardening is ineffective without ongoing maintenance and patch management

Overall explanation
OBJ 2.5 - This scenario emphasizes that hardening is ineffective without ongoing maintenance and patch management. While Nina implemented key hardening measures, such as file integrity monitoring, disabling weak cipher suites, and using IP allow lists, failing to apply critical OS patches left the server vulnerable to known exploits. Patch management is a crucial part of hardening, as it addresses security weaknesses in software and the operating system. Without regular patch updates, systems remain susceptible to new threats, undermining the overall security achieved through initial hardening efforts.
Question ID: 67223756ab565f74e2bc9181

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
Question 79: Which of the following BEST describes the purpose of alert tuning?

Reducing false positives and improving accuracy
Transforming all alerts into high-priority ones
Increasing the volume of alerts to cover all potential threats
Monitoring only the external network perimeter

Correct answer: Reducing false positives and improving accuracy

Overall explanation
OBJ: 4.4 - Alert tuning involves refining the criteria and thresholds for alerts to make them more accurate and actionable, which helps in reducing irrelevant or false positive alerts. Alert tuning is about refining the criteria of alerts, not limiting the scope of monitoring. Merely increasing the volume of alerts without ensuring their accuracy can overwhelm analysts and might not improve security posture. Not all alerts are of equal importance. Alert tuning helps in prioritizing and categorizing them based on their severity and potential impact.
Question ID: 6542dad7044af8880896de24

Domain
4.0 - Security Operations
Question 80: At Dion Training, Susan recently joined the IT department. On her first day, Reed handed her a document outlining the company's best practices, security procedures, and the expected behavior regarding company data and assets. Which of the following resources did Reed provide to Susan to ensure she understands the organization's security stance?

Situational awareness
Operational security
Policy handbook
Insider threat training

Correct answer: Policy handbook

Overall explanation
OBJ: 5.6 - A policy handbook is a document provided to employees to familiarize them with the company's security standards, practices, and expected behaviors. Operational security refers to the process of identifying and protecting critical information from adversaries. It's a concept, not a tangible resource. While it's crucial for employees to understand potential insider threats, insider threat training is a specific training, not a comprehensive document outlining various company practices. While important, situational awareness is more about being aware of one's surroundings and understanding potential threats, rather than a printed or digital resource.
Question ID: 64c34e27006636d14b206122

Domain
5.0 - Security Program Management and Oversight
Question 81: A homeowner uses voice commands to control the thermostat, lights, and security cameras in their home, all through a centralized application. Which of the following technologies is BEST represented in this scenario?

IoT
Virtualization
Containerization
Air-gapped networks

Correct answer: IoT

Overall explanation
OBJ: 3.1 - Internet of Things (IoT) refers to interconnected devices, such as smart thermostats and lights, that can be managed remotely, often in real time. Air-gapped networks are isolated from external networks and are unrelated to the interconnected smart devices in this scenario. Virtualization allows multiple operating systems to run on a single server but doesn't involve centralized control of smart home devices. Containerization bundles applications with their environment but doesn't deal with interconnected devices like IoT in homes.
Question ID: 652c330db223687b417d0807

Domain
3.0 - Security Architecture
Question 82: A tech company's devices are pre-installed with malicious software due to a compromised component from a supplier. What type of security threat does this represent?

SQL injection
On-path browser attack
XSS
Supply chain compromise

Correct answer: Supply chain compromise

Overall explanation
OBJ: 2.2 - A supply chain compromise occurs when a component or product within the supply chain is tampered with or altered to include malicious elements. When these compromised products are integrated or used, they can introduce vulnerabilities or backdoors. A cross-site scripting (XSS) attack exploits a type of security vulnerability in web applications that enables attackers to inject malicious scripts into websites viewed by other users. SQL injection is an attack technique in which an attacker inserts malicious SQL code into a query. This can be used to dump database contents, bypass logins, or corrupt data. In an on-path browser attack, an attacker effectively "hijacks" a user's web browser session by infecting it with malware to steal data or perform fraudulent transactions.
Question ID: 6526221c7b95ff91e3f56bc8

Domain
2.0 - Threats, Vulnerabilities, and Mitigations
443
Question 83:

Which of the following will provide finer-level detail in access control through classifying user roles and responsibilities?

Permission restrictions

Data classifications

Masking

Obfuscation

Correct answer

Permission restrictions

Data classifications

Masking

Your answer is incorrect

Obfuscation

Overall explanation

OBJ 3.3: Permission restrictions pertain to how access to data can be controlled based on user roles and responsibilities, allowing organizations to define who can view or manipulate data. Obfuscation is a technique that involves making data difficult to understand; it generally does not involve assigning permissions based on roles or responsibilities. Data classifications deal with the sensitivity levels of data, such as confidential, secret, and restricted; they aren't concerned with countries' laws. Data masking is a method to de-identify some or all characters in a sequence without changing the total number of characters that a field should contain. The masked version will be structurally the same, but the data will be hidden. Replacing the letters or numbers entered into a password field with dots is an example of data masking.

For support or reporting issues, include Question ID: 64c18cbdeb612b1be3807504 in your ticket. Thank you.

Domain

3.0 - Security Architecture
444
Question 84:

An investment firm allows a fluctuation of up to 10% in the value of its high-risk investment portfolio compared to the expected return on investment, but immediate action is required if this threshold is exceeded. This 10% fluctuation represents an example of:

Risk matrix

Risk appetite

Risk tolerance

Risk management

Risk matrix

Risk appetite

Correct answer

Risk tolerance

Your answer is incorrect

Risk management

Overall explanation

OBJ 5.2 - The 10% fluctuation is an example of the firm's risk tolerance, which is the acceptable variance in the high-risk portfolio's performance before action is triggered. Risk management is the overarching process of identifying, assessing, and responding to risks, which includes setting risk tolerance but is not represented by the 10% fluctuation itself. While the firm's decision to have a high-risk investment portfolio at all does reflect its risk appetite, the question specifically refers to the acceptable variance, which is the risk tolerance. A risk matrix is a visual tool used to determine the severity and likelihood of risks, not the acceptable variance in investment performance.

For support or reporting issues, include Question ID: 65490ac7051528e2d9a12d46 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
445
Question 85:

As a security analyst, you are analyzing network logs to assist in your investigation of a suspected cyberattack. Which of the following pieces of information is NOT typically documented in the network log data?

Content of encrypted data packets

Source IP and port

Destination IP and port

Timestamp of the network traffic

Correct answer

Content of encrypted data packets

Source IP and port

Destination IP and port

Your answer is incorrect

Timestamp of the network traffic

Overall explanation

OBJ 4.9: Network logs do not, as a standard, reveal the content of encrypted data packets. Encryption secures the content of the data traffic, rendering it unreadable without the correct decryption keys. It's important to note that decryption for inspection purposes may have legal implications and should adhere to organizational policies and compliance rules. Network logs typically contain timestamps for all network traffic. This allows a timeline to be constructed when investigating incidents, helping to identify patterns and link related events. Source IP and port comprise crucial parts of network log data. They help determine the origin of the traffic, which can be particularly helpful when investigating security incidents. Destination IP and port are critical pieces of network log data. Among other things, they can reveal the target of specific network traffic, which is useful for identifying potential threats or intrusions.

For support or reporting issues, include Question ID: 64c1a8873c0620e9baa77d50 in your ticket. Thank you.

Domain

4.0 - Security Operations
446
Question 86:

Dion Training's IT department realized that during a hardware failure incident, they struggled to find necessary information about the affected assets, such as warranty status, location, and responsible personnel. Which of the following processes would have streamlined the identification and management of these details?

Proper ownership identification

Sanitization of assets

Inventory management

Proper classification of assets

Proper ownership identification

Sanitization of assets

Your answer is correct

Inventory management

Proper classification of assets

Overall explanation

OBJ 4.2: Inventory management involves maintaining a thorough record of all assets, ensuring details like location, status, and associated personnel are readily available. While proper ownership identification relates to determining responsibility for an asset, it doesn't inherently involve maintaining detailed records of every asset's status and location. Proper classification of assets involves categorizing assets, not maintaining detailed records of them. Sanitization of assets pertains to making data on an asset irretrievable or safe for transfer, not maintaining records of assets.

For support or reporting issues, include Question ID: 651dd1a744a3366ebbac7f1f in your ticket. Thank you.

Domain

4.0 - Security Operations
447
Question 87:

For Dion Training's regulatory compliance regarding data privacy and security, which of the following methods of external evaluation is utilized when an external cybersecurity firm evaluates a company's adherence to relevant standards?

Third-party audit

Regulatory examination

Attestation

Assessment

Correct answer

Third-party audit

Regulatory examination

Attestation

Your answer is incorrect

Assessment

Overall explanation

OBJ: 5.5 - An independent third-party audit involves an external evaluation by an independent entity to assess an organization's compliance with regulatory requirements. In this case, the cybersecurity firm is conducting an independent audit to assess Dion Training's compliance. A regulatory examination involves an evaluation carried out by a government agency to ensure that an organization is meeting specific regulatory requirements. In this scenario, the evaluation is being conducted by an external third-party firm, not a government agency. While assessments can be part of the evaluation process, the term assessment is too general to specify the type of external evaluation being conducted by the cybersecurity firm in this scenario. Attestation refers to the process of affirming the accuracy and completeness of compliance reports. While important in the context of compliance, this is not the type of external evaluation conducted by an external third-party cybersecurity firm.

For support or reporting issues, include Question ID: 64c1a7d345e9d8860c404638 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
448
Question 88:

What type of encryption only affects a section of a storage device?

File-level encryption

Full-disk encryption

Database encryption

Partition encryption

File-level encryption

Full-disk encryption

Database encryption

Your answer is correct

Partition encryption

Overall explanation

OBJ: 1.4 - Partition encryption is the type of encryption that affects only a section of a storage device. File-level encryption encrypts individual files or folders on a storage device, not a specific partition. Database encryption encrypts data at the database level, not a specific partition. Full-disk encryption encrypts all data on a physical or logical disk, not just a specific section of a storage device.

For support or reporting issues, include Question ID: 64c27e143d11f0f1612db0fb in your ticket. Thank you.

Domain

1.0 - General Security Concepts
449
Question 89:

What element of backup strategy involves making data copies regularly, at set intervals?

Replication

Frequency

Load balancing

Journaling

Replication

Correct answer

Frequency

Load balancing

Your answer is incorrect

Journaling

Overall explanation

OBJ 3.4: Frequency refers to how often data backups are carried out. Regular backups at set intervals are crucial to minimize the potential loss of data. Replication is the copying of data from one system to another; the regularity with which this is done isn't an important part of replication. While load balancing is a technique for distributing workloads across multiple computers or networks, it doesn't relate to how frequently backups are created. Journaling entails verifying and logging data, not the regularity of backups.

For support or reporting issues, include Question ID: 64c1aa7645e9d8860c404651 in your ticket. Thank you.

Domain

3.0 - Security Architecture
450
Question 90:

YoYoDyne Toys recently implemented a firewall to protect its internal network from external threats. The organization wants to modify the firewall rules to enhance security and reduce potential attack surfaces. Which firewall rule modification would be the MOST appropriate for the organization to enhance security?

Restricting incoming traffic to specific necessary ports and sources

Allowing incoming traffic from any source that doesn't use port 443

Creating firewall rules that prioritize network performance

Enabling port forwarding for internal servers to the public IP addresses

Correct answer

Restricting incoming traffic to specific necessary ports and sources

Allowing incoming traffic from any source that doesn't use port 443

Your answer is incorrect

Creating firewall rules that prioritize network performance

Enabling port forwarding for internal servers to the public IP addresses

Overall explanation

OBJ 4.5: Restricting incoming traffic to specific, necessary ports and sources is a best practice to enhance security. By defining firewall rules that allow only essential services and traffic from trusted sources, the organization can minimize the attack surface and reduce the risk of unauthorized access and potential threats. This approach follows the principle of least privilege, where only the minimum required access is granted, thereby enhancing the overall security of the enterprise network. Firewall rules that prioritize network performance usually increase, rather than decrease, attack surfaces, so this isn't an appropriate way to enhance security. Enabling port forwarding for internal servers to public IP addresses may be necessary for specific services, but it should be done with caution. Port forwarding must be done selectively and only for specific services that require external access; in many cases, it can introduce security risks if not properly configured and controlled. Therefore, while port forwarding may be a valid configuration, it is not the most appropriate firewall rule modification for enhancing security in this scenario. Allowing incoming traffic from any source that doesn't use port 443 will prevent a lot of traffic from coming into YoYoDyne and dramatically reduce its attack surface. However, it will prevent a lot of legitimate traffic as well, which isn't an appropriate way to reduce attack surfaces for a business.

For support or reporting issues, include Question ID: 64ba8d27c35e00fd62b883a0 in your ticket. Thank you.

Domain

4.0 - Security Operations
451
Question 1:

A user visits a compromised website where malicious scripts are executed in their browser without their knowledge. The script collects sensitive information, such as cookies and session tokens, and sends it to the attacker. Which type of vulnerability does this scenario describe?

SQL injection

Cross-site scripting (XSS)

Buffer overflow

Cross-site request forgery (CSRF)

SQL injection

Correct answer

Cross-site scripting (XSS)

Buffer overflow

Your answer is incorrect

Cross-site request forgery (CSRF)

Overall explanation

OBJ 2.3 - This scenario describes a Cross-site scripting (XSS) vulnerability. In an XSS attack, malicious scripts are injected into a website, and when a user visits the compromised site, the script is executed within their browser without their knowledge. This allows the attacker to collect sensitive information, such as cookies and session tokens, which can be used to impersonate the user or gain unauthorized access. Unlike SQL injection, which targets a database, or buffer overflow, which exploits memory, XSS specifically targets users by running unauthorized scripts in their browsers. Cross-site request forgery (CSRF) also differs, as it involves tricking users into unknowingly submitting requests, rather than executing scripts within the browser.

For support or reporting issues, include Question ID: 67212708826fd0821496db02 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
452
Question 2:

Carla's job at Dion Training involves properly collecting, storing, and analyzing the data according to her supervisor's directions. What role does Carla have?

Data processor

Data custodian

Data controller

Data subject

Correct answer

Data processor

Data custodian

Data controller

Your answer is incorrect

Data subject

Overall explanation

OBJ: 5.4 - A data processor is an entity that processes personal data on behalf of the data controller. In this scenario, Carla is processing the data at the direction of her supervisor, who is the data controller. This means she would be considered the data processor. The data controller is the entity that determines the purposes and means of processing personal data. In this scenario, Carla's supervisor is the data controller since the supervisor determines what is done with the data; Carla only follows the supervisor's directions. A data custodian is typically an individual or entity responsible for managing the system where the data is stored. The data custodian would be unlikely to be analyzing data. A data subject is an individual to whom the personal data belongs, and they have certain rights regarding the processing of their data. The subject doesn't play a role in collecting, storing, or analyzing the data.

For support or reporting issues, include Question ID: 64c076e89e4f2185413d159b in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
453
Question 3:

Which of the following is MOST indicative of a voice call threat?

A caller posing as tech support to obtain passwords.

Being redirected to a fake login page from an email.

Downloading a trojan from a compromised software update.

Clicking on a disguised link in a text message.

Correct answer

A caller posing as tech support to obtain passwords.

Being redirected to a fake login page from an email.

Downloading a trojan from a compromised software update.

Your answer is incorrect

Clicking on a disguised link in a text message.

Overall explanation

OBJ: 2.2 - A caller posing as tech support to obtain passwords, known as Vishing (voice phishing), involves attackers impersonating legitimate organizations or authorities over a phone call. The aim is to deceive individuals into sharing sensitive information, like passwords or financial data, by exploiting their trust. Being redirected to a fake login page from an email is a classic example of a Phishing email, where a seemingly legitimate message contains links that redirect users to counterfeit login pages. Designed to closely mimic genuine web pages, these fraudulent sites capture the entered credentials for malicious use. Clicking on a disguised link in a text message is a tactic common to Smishing, a subset of phishing attacks. Attackers send deceptive text messages with malicious links or content, tricking the recipient into taking an action that could lead to data theft or malware infection. Trojans are malicious software that pretends to be legitimate. When a user unwittingly downloads and installs it, often from what seems to be a genuine software update prompt, the Trojan can execute its malicious function, providing attackers with unauthorized access or delivering other types of malware.

For support or reporting issues, include Question ID: 652627424c6f47b9a3d6fef3 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
454
Question 4:

When considering user interactions with a web service, which of the following is the set of security measures that involves the secure creation and transfer of identifiers as well as enforcing inactivity limits to prevent unauthorized access?

Session management

Session cookies

Token handling

Timeout policies

Correct answer

Session management

Session cookies

Token handling

Your answer is incorrect

Timeout policies

Overall explanation

OBJ: 5.1 - Session management refers to the protocols that maintain the security of user interactions on the web, including the secure creation and transfer of unique identifiers or "cookies," and setting inactivity limits to automatically terminate the session if the user is inactive for a certain period. Token handling involves managing security tokens within a system, but on its own, it doesn't cover all aspects of what is required to maintain the security of user interactions, including setting inactivity limits. While session cookies are a part of what is managed, this term alone does not encompass the full scope of practices like setting inactivity limits. Timeout policies contribute to these practices by defining when an inactive session should end, but they do not include the secure generation and transmission of identifiers.

For support or reporting issues, include Question ID: 654852afa7608715859d469e in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
455
Question 5:

Dion Training Solutions found that many of their systems were outdated and lacked the latest security patches. This raised concerns as unpatched systems are vulnerable to known security threats. The IT team wanted to establish a mechanism to stay updated on the latest vulnerabilities and their corresponding patches. Which of the following solutions would BEST assist Dion Training Solutions in addressing this concern?

Deploying state-of-the-art network intrusion detection systems.

Migrating all organizational data to a secure cloud platform.

Regularly reviewing security advisories and applying patches.

Adopting a comprehensive organizational password policy.

Deploying state-of-the-art network intrusion detection systems.

Migrating all organizational data to a secure cloud platform.

Your answer is correct

Regularly reviewing security advisories and applying patches.

Adopting a comprehensive organizational password policy.

Overall explanation

OBJ: 2.4 - Consistently monitoring advisories and applying necessary security patches ensures systems remain safeguarded against known vulnerabilities. While cloud platforms have their benefits, solely migrating doesn't address the need for ongoing system updates and security patching. A rigorous password policy can deter unauthorized access, but it doesn't keep systems updated against known vulnerabilities. Detecting potential malicious activities is crucial, but it doesn't substitute for the need to stay informed and updated on system vulnerabilities.

For support or reporting issues, include Question ID: 6529ee903f0ae342ad3c78cc in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
456
Question 6:

Which risk management strategy involves passing the risk to a third party, such as an insurance company, to handle potential losses?

Avoidance

Mitigation

Transference

Acceptance

Avoidance

Mitigation

Correct answer

Transference

Your answer is incorrect

Acceptance

Overall explanation

OBJ: 5.2 - Risk transference involves passing the risk to a third party, such as an insurance company, to handle potential losses. Risk mitigation involves taking actions to reduce the impact or likelihood of a risk to an acceptable level. Risk avoidance means taking actions to eliminate or remove the risk altogether, thus preventing its occurrence. Risk acceptance involves acknowledging the risk and accepting the potential consequences without taking further action to mitigate it. Exemption and exception are subcategories of risk acceptance.

For support or reporting issues, include Question ID: 64b9ef333f4084e37d4f8fd6 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
457
Question 7:

You are a network administrator for a company that has mobile field teams working in remote areas without reliable wired internet access. To ensure secure, reliable, and encrypted communication, which of the following connection methods would be best to recommend for them?

WEP

Satellite

Cellular

Bluetooth

WEP

Satellite

Correct answer

Cellular

Your answer is incorrect

Bluetooth

Overall explanation

OBJ 4.1: Cellular networks, such as GSM, provide secure, encrypted communication and are accessible in many remote areas, making them ideal for mobile field teams who need reliable connectivity. It is true that satellite can offer coverage in remote areas, but it's often slower, more expensive, and can be impacted by weather, making it less reliable than cellular connections for regular, encrypted data transmission. Bluetooth is a short-range technology designed for local connections within a limited area, which is insufficient for the needs of mobile teams working across larger, remote areas. Wired Equivalent Privacy (WEP) is an outdated and insecure encryption standard for Wi-Fi networks. It lacks the reliability and security required for remote communication.

For support or reporting issues, include Question ID: 64b88f1075f3764616371b77 in your ticket. Thank you.

Domain

4.0 - Security Operations
458
Question 8:

Dion Training chooses to maintain all its data and systems on-site rather than outsourcing to a cloud provider. Which of the following security concerns is a primary consideration for this type of IT infrastructure?

Potential for over-provisioning resources

Having to implement a shared responsibility model

Need for in-house disaster recovery planning

Creating vendor lock-in issues

Potential for over-provisioning resources

Having to implement a shared responsibility model

Correct answer

Need for in-house disaster recovery planning

Your answer is incorrect

Creating vendor lock-in issues

Overall explanation

OBJ: 3.1 - With on-premises infrastructure, the organization must create and maintain its own disaster recovery procedures, rather than relying on a cloud provider's solutions. Having to implement a shared responsibility model is more associated with cloud providers, where security responsibilities are split between the provider and the customer. Vendor lock-in concerns arise more commonly with cloud services, where migration between providers can be challenging. Over-provisioning is a financial concern rather than a security one, and it can occur in both on-premises and cloud environments; it is not a primary security consideration for on-premises setups.

For support or reporting issues, include Question ID: 652c3647a1185bf74818021e in your ticket. Thank you.

Domain

3.0 - Security Architecture
459
Question 9:

Cynthia is researching architecture models and wants to implement one that involves isolating a system from any external network connections or communications. She intends to place it in a more secure location of the building, requiring access from a dedicated workstation or access point. Which model is she most likely implementing?

Logical segmentation

Physical isolation

Serverless

Air-gapped

Logical segmentation

Physical isolation

Your answer is incorrect

Serverless

Correct answer

Air-gapped

Overall explanation

OBJ: 3.1 - Air-gapped is an architecture model that involves isolating a system from any external network connections or communications. Air-gapped systems are often used for highly sensitive or classified data, as they provide a high level of security and protection from network-based attacks. Logical segmentation is a technique of dividing a network into smaller subnetworks or segments based on criteria such as function, location, or security level. This provides better performance, security, and manageability of the network; devices that are logically segmented are still on the network. Serverless is an architecture model that involves running applications without provisioning or managing servers. Serverless does not imply that the system is isolated from any network, but rather that the cloud provider handles the server management and allocation. Physical isolation is an architecture model that involves separating a system from other systems or devices by physical means, such as locks, barriers, or guards. Physical isolation does not necessarily imply that the system is disconnected from any network, but rather that it is inaccessible by unauthorized physical access.

For support or reporting issues, include Question ID: 64c04e157376f98d869ac6fb in your ticket. Thank you.

Domain

3.0 - Security Architecture
460
Question 10:

Which of the following threat actors is most likely to have legitimate access to the system they attack?

Shadow IT

Organized crime organizations

Insider threat

Nation-state

Shadow IT

Organized crime organizations

Correct answer

Insider threat

Your answer is incorrect

Nation-state

Overall explanation

OBJ: 2.1 - An insider threat is a threat actor that has authorized access to an organization's systems or data and uses it for malicious purposes. They usually are employees or contractors of the organization, so they have some degree of permission or privilege that gives them access to the organization's systems or data. Shadow IT is a threat actor that involves the use of unauthorized devices, applications, or services within an organization's network. They are more likely to have a legitimate access level than an unauthorized one, as they usually are employees or contractors of the organization, but their actions do not intend harm to the organization. They may increase their organization's attack surface, but they are not attacking the system. Organized crime organizations are a threat actor composed of groups or networks that engage in illegal activities for profit. They are less likely to have authorized access to the organizations they attack than insider threats. A nation-state is a threat actor that is sponsored by a government or a political entity, and usually targets other governments, entities, or groups that pose a threat or challenge to its interests or objectives. They are more likely to have an unauthorized access level than a legitimate one, as they usually act on behalf of a foreign country or region and try to bypass the security measures of their targets.

For support or reporting issues, include Question ID: 64b8931875f3764616371b8b in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
461
Question 11:

Sarah works for the government of Xandria and has authorized access to classified information related to national security. She is frustrated with her job, believing she is underpaid. Recently, an agent from the rival country of Veridian approached her, offering a large sum of money in exchange for secretly providing them with sensitive government documents. The agent explained that Veridian plans to use the information to gain leverage in upcoming political negotiations with Xandria, particularly to acquire resources that both countries have long disputed. While Sarah is motivated by financial gain, what is Veridian's primary motivation for obtaining the data?

Service Disruption

Philosophical/Political Beliefs

Financial Gain

Espionage

Service Disruption

Your answer is incorrect

Philosophical/Political Beliefs

Financial Gain

Correct answer

Espionage

Overall explanation

OBJ 2.1 - Veridian's primary motivation is espionage because they are seeking to covertly obtain sensitive government information to gain an advantage in political negotiations, specifically regarding resources. Espionage involves gathering classified data for strategic purposes, which is exactly what Veridian intends. While Sarah may be motivated by financial gain, Veridian's interest in the data is not driven by financial gain, philosophical beliefs, or a desire to disrupt services.

For support or reporting issues, include Question ID: 672114ce503b8b40b95ad0e5 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
462
Question 12:

You are the security administrator for a cloud-based infrastructure that hosts critical applications and sensitive data. To enhance security and reduce the risk of unauthorized access, you decide to implement Just-in-time (JIT) permissions. Which of the following statements best describes the purpose and benefit of Just-in-time permissions in this scenario?

Just-in-time permissions allow users to escalate their privileges instantly through a set of templates and disk images, preventing mistakes or improper group assignments

Just-in-time permissions grant users permanent access to resources and data right when they are hired, avoiding delays from orientation and other onboarding

Just-in-time permissions provide users with access to resources and data only when needed and for a limited time, reducing the exposure to potential threats

Just-in-time permissions automatically revoke access for users after a set period, ensuring they must reapply for access regularly

Just-in-time permissions allow users to escalate their privileges instantly through a set of templates and disk images, preventing mistakes or improper group assignments

Just-in-time permissions grant users permanent access to resources and data right when they are hired, avoiding delays from orientation and other onboarding

Your answer is correct

Just-in-time permissions provide users with access to resources and data only when needed and for a limited time, reducing the exposure to potential threats

Just-in-time permissions automatically revoke access for users after a set period, ensuring they must reapply for access regularly

Overall explanation

OBJ 4.6: Just-in-time permissions grant users access only when needed and for a limited time, reducing exposure to potential threats by minimizing the window for privilege exploitation. These permissions are temporary, not permanent, which lowers the risk of unauthorized access if credentials are compromised. They do not allow instant privilege escalation but typically involve approval processes to ensure proper authorization. While access is temporary, it's granted on demand for specific purposes rather than being automatically revoked after a set period.

For support or reporting issues, include Question ID: 64c15919e86d2721bec33fa1 in your ticket. Thank you.

Domain

4.0 - Security Operations
463
Question 13:

You were recently hired by a large software company that specializes in developing mobile applications. Before getting assigned any tasks, the company gives you a username and password to log into the system. Which type of multi-factor authentication (MFA) factor is being used?

Something you have

Somewhere you are

Something you know

Something you are

Something you have

Somewhere you are

Correct answer

Something you know

Your answer is incorrect

Something you are

Overall explanation

OBJ 4.6: When an employee logs in with a username and password, they are using the "Something you know" factor of MFA, relying on knowledge of specific information. This is the most common first factor in MFA. "Something you are" involves biometrics like fingerprints or facial recognition, which are not used here. "Somewhere you are" is location-based authentication that considers geographic location but is not relevant in this password-only scenario. "Something you have" involves physical tokens, such as a smart card or mobile device, also not applicable here.

For support or reporting issues, include Question ID: 64c13087a1d5881c3036f517 in your ticket. Thank you.

Domain

4.0 - Security Operations
464
Q

Question 14:

For a company implementing a microservices architecture, which of the following considerations is essential to ensure a smooth and efficient set-up of the individual services?

Supply chain vulnerabilities

RTOS

Ease of deployment

Hybrid considerations

A

Supply chain vulnerabilities

RTOS

Correct answer

Ease of deployment

Your answer is incorrect

Hybrid considerations

Overall explanation

OBJ: 3.1 - Ease of deployment is essential in a microservices architecture to ensure that individual services can be smoothly and efficiently set up, promoting operational success. While hybrid considerations are vital for mixed computing environments, they don't directly measure the smoothness and efficiency of setting up microservices. Supply chain vulnerabilities assess risks from providers but do not directly influence the smooth and efficient set-up of microservices. An RTOS manages real-time application operations but does not directly assess the ease of setting up individual services in a microservices architecture.

For support or reporting issues, include Question ID: 651713391796470bb3cfdf7b in your ticket. Thank you.

Domain

3.0 - Security Architecture
465
Q

Question 15:

Kelly Innovations LLC has implemented a firewall to secure its mission-critical financial system, where any downtime could lead to severe losses. Since the company prioritizes uptime in order to avoid these potential financial losses in the event of device failure or malfunction, which mode should the firewall be set to?

Fail-open

Passive mode

Rate-based filtering

Fail-closed

A

Correct answer

Fail-open

Passive mode

Your answer is incorrect

Rate-based filtering

Fail-closed

Overall explanation

OBJ 3.2: In the event of a malfunction, a fail-open mode would allow traffic to pass through without being checked, ensuring that the financial system remains accessible. While this may introduce some security risks, it prevents downtime, which is deemed a greater threat in this context. In passive mode, the firewall monitors traffic without actively blocking or allowing it. This can be useful for observing traffic patterns but wouldn't be ideal for a mission-critical system where active protection is essential. Rate-based filtering involves limiting traffic based on a predefined rate. While it can help in preventing denial-of-service attacks, it doesn't directly address how a firewall should behave during a malfunction. In fail-closed mode, a malfunctioning firewall would block all traffic. This can protect against potential threats but would render the financial system inaccessible, leading to significant financial implications.

For support or reporting issues, include Question ID: 652c7361a67f751703997c98 in your ticket. Thank you.

Domain

3.0 - Security Architecture
466
Q

Question 16:

During e-discovery, which of the following activities is a key focus?

Maintaining a detailed record of every individual who accesses the digital evidence

Ensuring that evidence storage mediums are in tamper-evident bags

Using forensic software tools to recover deleted files from a storage device

Reviewing electronic files to extract relevant documents for a legal case

A

Maintaining a detailed record of every individual who accesses the digital evidence

Ensuring that evidence storage mediums are in tamper-evident bags

Using forensic software tools to recover deleted files from a storage device

Your answer is correct

Reviewing electronic files to extract relevant documents for a legal case

Overall explanation

OBJ 4.8: E-discovery revolves around the systematic search and retrieval of pertinent electronic data for legal purposes. Ensuring that evidence storage mediums are in tamper-evident bags is a preservation measure designed to protect and authenticate the original evidence. While data recovery is a common task in digital forensics, it isn't the primary activity in the e-discovery process. Maintaining a detailed record of every individual who accesses the digital evidence relates to the chain of custody, ensuring that evidence has been handled properly and remains credible.

For support or reporting issues, include Question ID: 6543ee747082bd446863b553 in your ticket. Thank you.

Domain

4.0 - Security Operations
467
Q

Question 17:

New Beesness, a sustainable sugar producer, wants to create a fake server that appears to be vulnerable to attack in order to attract attackers. Which of the following does the company want to create?

Honeynet

Honeypot

Honeyfile

Honeytoken

A

Honeynet

Correct answer

Honeypot

Honeyfile

Your answer is incorrect

Honeytoken

Overall explanation

OBJ: 1.2 - A honeypot is a cybersecurity mechanism that uses a manufactured attack target to lure cybercriminals away from legitimate targets and gather intelligence about their identity, methods, and motivations. For example, the system might create a fake server that appears to be vulnerable to attack in order to attract attackers. A honeynet is a network of honeypots designed to simulate a real network and attract attackers. A honeytoken is a fake piece of data, such as a username or password, designed to appear valuable or sensitive in order to attract attackers. A honeyfile is a fake file or set of files designed to appear valuable or sensitive in order to attract attackers.

For support or reporting issues, include Question ID: 64c0435b9526987424cbd0d3 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
468
Q

Question 18:

Which of the following terms refers to a scenario where a potentially harmful or malicious event goes undetected by a system or tool, resulting in no alert or action being taken?

False negative

False positive

Open-source intelligence (OSINT)

Threat feed

A

Correct answer

False negative

False positive

Open-source intelligence (OSINT)

Your answer is incorrect

Threat feed

Overall explanation

OBJ 4.3: A false negative arises when a security system fails to detect a genuine threat or malicious action, allowing potentially harmful activities to continue without intervention. A false positive occurs when a security measure mistakenly identifies a legitimate action as malicious or a threat, potentially leading to unnecessary corrective actions or alerts. Open-source intelligence (OSINT) leverages publicly available data sources to gather information about targets, providing insights without violating any laws. A threat feed provides a continuous stream of data regarding potential threats, used to enhance and inform cybersecurity measures.

For support or reporting issues, include Question ID: 6541c6ffb64247be6d8223ca in your ticket. Thank you.

Domain

4.0 - Security Operations
469
Q

Question 19:

At WebDev Inc., Ryan, a software developer, is working on a project with a team spread across different geographical locations. When discussing the project's progress in a team meeting, they realized that two team members have been working on different versions of the same module. Which of the following procedures will resolve the conflict of working on two different instances of the module?

Assigning a different module to each team member.

Updating diagrams

Implementing a version control system.

Upgrading the software development tools.

A

Assigning a different module to each team member.

Updating diagrams

Your answer is correct

Implementing a version control system.

Upgrading the software development tools.

Overall explanation

OBJ: 1.3 - Using a VCS ensures that all team members work on the most recent version of a module, and it allows tracking and merging changes efficiently. Updating diagrams refers to the process of revising visual representations of IT systems or processes in order to reflect changes or updates. Simply upgrading tools doesn't address the core problem of managing different versions of a module. Assigning a different module to each team member avoids the overlap but doesn't resolve the conflict; it only diverts the problem. Proper version control is needed to handle such situations.

For support or reporting issues, include Question ID: 64c153fc93c27dd3aaef1f79 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
470
Q

Question 20:

Which mitigation technique focuses on deleting software components that are not essential so the attack surface or potential vulnerabilities of a system are reduced?

Disabling protocols.

Removal of unnecessary software.

Patching

Using an application allow list.

A

Disabling protocols.

Correct answer

Removal of unnecessary software.

Patching

Your answer is incorrect

Using an application allow list.

Overall explanation

OBJ: 2.5 - Removal of unnecessary software is the act of deleting non-essential software components to limit the potential entry points for threats and enhance system performance. Using an application allow list permits only specified applications to run on a system; this is about control but not directly about the act of removing software. Disabling protocols is a mitigation that involves discovering which protocols are in use and disabling those that are not needed, but it doesn't delete software from the system. Patching improves the security of software that remains installed. It is not related to the act of software removal.

For support or reporting issues, include Question ID: 652b3034818ffad49a17056e in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
471
Q

Question 21:

A company is concerned about the security risks associated with departing employees. How can scripting aid in mitigating these risks?

Ensuring exiting employees receive proper farewell gifts

Generation of a detailed exit interview questionnaire

Automatically deactivating accounts of exiting employees

Directly handling the physical exit procedures of an employee

A

Ensuring exiting employees receive proper farewell gifts

Generation of a detailed exit interview questionnaire

Correct answer

Automatically deactivating accounts of exiting employees

Your answer is incorrect

Directly handling the physical exit procedures of an employee

Overall explanation

OBJ 4.7: A script can be set to instantly disable user accounts, revoke access to company resources, and even forward emails to a designated recipient upon an employee's departure. Scripting is digital and cannot manage physical processes such as escorting a departing employee or collecting company property. While scripts can be powerful, they aren't typically used for creating interview content, which often requires a human touch. Scripting focuses on automating technical tasks and doesn't concern itself with gestures like farewell gifts.

For support or reporting issues, include Question ID: 6543e0f4ce1a7f5ce187d0d7 in your ticket. Thank you.

Domain

4.0 - Security Operations
472
Q

Question 22:

Which of the following concepts BEST refers to the ability of a component to maintain its function under adverse or negative conditions?

Resilience

Availability

Responsiveness

Scalability

A

Correct answer

Resilience

Availability

Responsiveness

Your answer is incorrect

Scalability

Overall explanation

OBJ: 3.1 - Resilience is the ability of a system or component to maintain its function or performance under changing or adverse conditions, such as failures, errors, attacks, or disruptions. Resilience can improve the reliability, availability, and security of a system. Scalability is the ability of a system or component to handle increasing or decreasing workloads or demands without compromising its performance or quality. Scalability can improve the efficiency, flexibility, and cost-effectiveness of a system. Responsiveness is the speed at which a system or component responds to requests or events. Responsiveness can affect the performance, usability, and user satisfaction of a system. Availability is the degree to which a system or component is operational and accessible when required. Availability can be affected by factors such as downtime, maintenance, failures, or attacks. Availability is a measure of how often a system is functional, not how well it handles changes or challenges.

For support or reporting issues, include Question ID: 64bf6e648d118a676363a45e in your ticket. Thank you.

Domain

3.0 - Security Architecture
473
Q

Question 23:

Which of the following refers to standardized guidelines that provide best practices for securing various technologies and platforms?

Tombstone policy for quarantined files

CIS-RAM evaluation tool

Benchmarks by the Center for Internet Security

PCI DSS payment processing procedures

A

Tombstone policy for quarantined files

CIS-RAM evaluation tool

Correct answer

Benchmarks by the Center for Internet Security

Your answer is incorrect

PCI DSS payment processing procedures

Overall explanation

OBJ: 4.4 - CIS offers benchmarks for a plethora of aspects in cybersecurity, ranging from compliance with IT frameworks to specific product-focused benchmarks, guiding entities in securing their environments. While PCI DSS is a standard for payment card industry data security, it's not a broad guideline for multiple technologies and platforms like the benchmarks from CIS. The CIS-RAM is a tool for assessing security posture and does not offer detailed guidelines for securing technologies, unlike the benchmarks. A tombstone policy replaces quarantined files with a placeholder but is not a standardized guideline for broader cybersecurity practices.

For support or reporting issues, include Question ID: 6542db372db926e34949512f in your ticket. Thank you.

Domain

4.0 - Security Operations
474
Q

Question 24:

During a cyber incident, Alex, a security analyst, needs to quickly follow a set of pre-defined steps to contain a phishing attack spreading within the organization. He refers to a structured document that outlines each step to take, including notifying specific teams, isolating affected systems, and conducting an initial analysis. What is Alex using in this situation?

Disaster Recovery Plan

Playbook

Threat Intelligence Report

Incident Response Plan

A

Disaster Recovery Plan

Correct answer

Playbook

Your answer is incorrect

Threat Intelligence Report

Incident Response Plan

Overall explanation

OBJ 5.1 - A playbook provides detailed, step-by-step procedures for handling specific incidents like phishing attacks. It helps ensure a consistent, efficient response, detailing actions to contain and analyze the threat. An Incident Response Plan is broader, outlining the overall strategy, while a Threat Intelligence Report provides information on threats without detailing specific response actions, and a Disaster Recovery Plan focuses on system recovery post-incident.

For support or reporting issues, include Question ID: 67224039d2c288f9d722158d in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
475
Q

Question 25:

Which of the following statements BEST explains the importance of APIs for the security of an organization?

APIs enable the automation and integration of diverse security tools and systems

APIs provide real-time monitoring and analysis of network traffic to allow immediate response times

APIs automate the process of user authentication which prevents unauthorized software from being introduced

APIs automatically generate and enforce complex password policies

A

Correct answer

APIs enable the automation and integration of diverse security tools and systems

APIs provide real-time monitoring and analysis of network traffic to allow immediate response times

Your answer is incorrect

APIs automate the process of user authentication which prevents unauthorized software from being introduced

APIs automatically generate and enforce complex password policies

Overall explanation

OBJ 4.7: APIs (Application Programming Interfaces) play a crucial role in the automation and integration of diverse security tools and systems. They allow different applications and services to communicate and share information, enabling a unified defense strategy against cyber threats. By leveraging APIs, security solutions can work together, exchanging data and triggering actions to respond to security incidents effectively. While APIs can be used for various purposes, such as real-time monitoring, their main significance lies in their ability to facilitate communication and integration between different systems and applications. APIs are not specifically an authentication mechanism; they are more broadly used to facilitate communication and data exchange between different systems and applications. APIs are not specifically focused on password policy generation and enforcement.

For support or reporting issues, include Question ID: 64c0138047f49ddd337f44e5 in your ticket. Thank you.

Domain

4.0 - Security Operations
476
Q

Question 26:

John works for a financial institution and is tasked with ensuring that only authorized personnel can access classified client information based on its sensitivity level. He configures access permissions according to policies set by another department. What is John's role in this scenario?

Data Processor

Data Owner

Data Controller

Data Custodian

A

Data Processor

Data Owner

Data Controller

Your answer is correct

Data Custodian

Overall explanation

OBJ 5.1 - John is the Data Custodian, responsible for enforcing access permissions as per the policies defined by the Data Owner. The Data Owner sets these policies but does not directly handle access control. The Data Processor processes data on behalf of the Data Controller, and the Data Controller determines how and why data is processed, rather than configuring permissions.

For support or reporting issues, include Question ID: 67223e6b4ba26b3d1637fc78 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
477
Q

Question 27:

Dion Training Solutions is looking to implement a security measure where individual entries within their customer database are encrypted separately. By doing so, they aim to ensure that even if the overall database is compromised, specific customer information remains safe. Which of the following BEST describes this security approach?

Record-level encryption

Volume encryption

Tokenization

Database segmentation

A

Correct answer

Record-level encryption

Volume encryption

Your answer is incorrect

Tokenization

Database segmentation

Overall explanation

OBJ: 1.4 - Record-level encryption protects data by encrypting individual entries or records within a database. By using unique encryption keys for each record, it ensures that sensitive information within each entry remains safeguarded, even if the broader database is compromised. Database segmentation involves dividing a database into separate segments based on criteria such as user roles or data sensitivity. While it enhances security, it doesn't encrypt individual records. Volume encryption refers to encrypting an entire storage volume or disk. It doesn't specifically target individual records within a database. Tokenization replaces sensitive data with non-sensitive substitutes or tokens. While it protects data, it's not focused on encrypting individual records in a database.

For support or reporting issues, include Question ID: 6524e02cb1ae4efac1349025 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
478
Q

Question 28:

Dion Training is conducting a security awareness training program for its employees to enhance their cybersecurity knowledge. As part of this program, they have planned and executed phishing campaigns. Which of the following BEST describes the primary objective of phishing campaigns conducted during security awareness training?

To prevent any form of malware from spreading within the organization's network.

To test employees' ability to recognize and report phishing attempts.

To trick employees into revealing sensitive information.

To promote a competitive environment among employees.

A

To prevent any form of malware from spreading within the organization's network.

Correct answer

To test employees' ability to recognize and report phishing attempts.

Your answer is incorrect

To trick employees into revealing sensitive information.

To promote a competitive environment among employees.

Overall explanation

OBJ: 5.6 - The main objective of phishing campaigns conducted during security awareness training is to test employees' ability to identify and report phishing attempts. These campaigns are designed to simulate real-world phishing attacks to gauge how well employees can recognize suspicious emails and report them to the appropriate authorities. While phishing may involve malware, it doesn't always. In addition, preventing phishing won't prevent any form of malware from spreading on a network. The primary objective of phishing campaigns is not to trick employees into revealing sensitive information. The primary objective of phishing campaigns is not to promote a competitive environment among employees.

For support or reporting issues, include Question ID: 64c352eb006636d14b20613b in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
479
Q

Question 29:

What type of encryption affects a defined, formatted block of storage, which could span across multiple partitions?

Database encryption

Partition encryption

Full-disk encryption

Volume encryption

A

Database encryption

Partition encryption

Full-disk encryption

Your answer is correct

Volume encryption

Overall explanation

OBJ: 1.4 - Volume encryption affects a defined, formatted block of storage, which could span across multiple partitions. Database encryption encrypts data at the database level, not a defined block of storage that could span across multiple partitions. Partition encryption encrypts a specific partition on a storage device, not a defined block of storage that could span across multiple partitions. Full-disk encryption encrypts the entire disk, not just a defined block of storage.

For support or reporting issues, include Question ID: 64c27e52216b86411ab101c4 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
480
Q

Question 30:

You are a security analyst tasked with investigating a suspected security breach. As part of your investigation, you decide to examine the data from recent vulnerability scans. Which of the following pieces of information from this data would be MOST valuable to investigating the incident?

The number of false positive results from the scan

The list of all firewall rules from the latest vulnerability scan

The identified vulnerabilities and the affected systems

The comparison of the old vulnerability scan and the most recent one

A

The number of false positive results from the scan

The list of all firewall rules from the latest vulnerability scan

Correct answer

The identified vulnerabilities and the affected systems

Your answer is incorrect

The comparison of the old vulnerability scan and the most recent one

Overall explanation

OBJ 4.9: Understanding the vulnerabilities that exist within a network can provide a direction for the investigation by highlighting potential entry points a hacker might have used. It can provide associations between the breach and the vulnerabilities, assisting in mitigating those risks. The comparison of the old vulnerability scan and the most recent one will not provide you with much information that just looking at the most recent vulnerability scan would not. The total number of false positive results in the vulnerability scan data wouldn't provide valuable information to assist with a specific security investigation. While firewall rules are important for network security, having a list of all firewall rules in a vulnerability scan report would not be of immediate use in the investigation of a specific security breach.

For support or reporting issues, include Question ID: 64c172e96ab51895b912b844 in your ticket. Thank you.

Domain

4.0 - Security Operations
481
Q

Question 31:

Which of the following terms refers to the practice of minimizing the potential attack surface within an organization's network?

Physical security

Gap analysis

Threat scope reduction

Zero Trust

A

Physical security

Gap analysis

Correct answer

Threat scope reduction

Your answer is incorrect

Zero Trust

Overall explanation

OBJ: 1.2 - Threat scope reduction refers to the proactive steps and strategies taken to reduce the potential areas of attack within a system or network. By limiting the avenues that attackers can exploit, organizations can more effectively secure their assets. Zero Trust is a security concept that advocates for not trusting any entity inside or outside the organization's perimeter by default. It emphasizes the need for continuous verification and validation. A gap analysis identifies the differences between the current state of a system or process and its desired future state, providing a roadmap for achieving those desired outcomes. Physical security focuses on measures designed to protect the physical assets of an organization, such as buildings, devices, and personnel, from harm and unauthorized access.

For support or reporting issues, include Question ID: 64c03c3170f3f547abb5751b in your ticket. Thank you.

Domain

1.0 - General Security Concepts
482
Q

Question 32:

Ethel, an IT technician, has implemented an encryption method that uses one key for the entire encryption and decryption process. What type of encryption has been implemented?

Key exchange

Asymmetric encryption

Symmetric encryption

Communication encryption

A

Key exchange

Asymmetric encryption

Correct answer

Symmetric encryption

Your answer is incorrect

Communication encryption

Overall explanation

OBJ: 1.4 - Symmetric encryption uses a single key for both encryption and decryption. The same secret key is shared between the sender and the receiver, and both parties must keep it confidential. Since the same key is used for both processes, it's essential that it remains secret to ensure data security. Key exchange involves the exchange of cryptographic keys between two parties; it is a way of sharing keys, not an encryption method that uses one key for both encryption and decryption. Communication encryption encrypts data while it is being transferred from one location to another; the term describes where encryption is applied, not whether a single key is used for both processes. Asymmetric encryption uses a different key for encryption than for decryption, so it does not match the single-key method described here.

For support or reporting issues, include Question ID: 64c281ee216b86411ab101e2 in your ticket. Thank you.

Domain

1.0 - General Security Concepts
483
Q

Question 33:

In an underground data center, the cooling systems have been behaving unpredictably. Despite regular maintenance checks and no apparent technical issues, the cooling systems would suddenly shut down, causing a spike in temperatures and leading to several servers overheating and crashing. The pattern was irregular but seemed to happen most often during peak traffic hours. Which of the following types of malicious activities is BEST described in this scenario?

RFID cloning

Environmental attack

Brute force

DDoS attack

A

RFID cloning

Correct answer

Environmental attack

Your answer is incorrect

Brute force

DDoS attack

Overall explanation

OBJ: 2.4 - An environmental attack targets the physical environment where systems operate. The intentional disruption of the cooling systems to cause server failures during peak times aligns with this method. RFID cloning involves copying RFID data for unauthorized access and isn't relevant to disrupting environmental systems. Brute force is about trying many combinations to gain unauthorized entry, not about causing system failures. While this does aim to overload servers, a DDoS attack is a method used on online systems and doesn't interfere with the physical environment directly.

For support or reporting issues, include Question ID: 65296b8ed3431852994c8f7a in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
484
Q

Question 34:

What describes the capability of a system to continue its operations even in the event of a failure or disaster?

Parallel processing

Continuity of operations

Warm site

Platform diversity

A

Parallel processing

Correct answer

Continuity of operations

Warm site

Your answer is incorrect

Platform diversity

Overall explanation

OBJ 3.4: Continuity of operations relates to the ability of a system to continue functioning during and after a disruption, like a disaster or system failure. Parallel processing involves using multiple CPUs to process different parts of a bigger task. The benefits of parallel processing include greater speed and greater fault tolerance; it isn't a plan to keep the organization going. Platform diversity refers to using a range of different technologies and vendors to avoid a single point of failure but doesn't necessarily guarantee continuous operations. Warm sites have much of the equipment and resources already at the site. Devices may be kept updated, but the data will need to be loaded. This may be part of a larger continuity of operations plan, but it requires time and expense to make a warm site into a live state.

For support or reporting issues, include Question ID: 64c19e6c1dbd2f0d7852a7b0 in your ticket. Thank you.

Domain

3.0 - Security Architecture
485
Q

Question 35:

Paul has made plans for the day's penetration testing. First he will attempt to tailgate and gain entrance into the lobby of the main building. Then he will attempt to pick the locks of the server room. Finally, he will attempt to gain access to the CEO's office. What type of penetration testing does Paul have planned for the day?

Physical

Network

Known environment

Blue team

A

Correct answer

Physical

Network

Your answer is incorrect

Known environment

Blue team

Overall explanation

OBJ: 5.5 - A physical penetration test simulates attempts by attackers to gain unauthorized physical access to facilities, evaluating vulnerabilities in door entry systems, security camera placements, alarm responses, and employee behaviors. Network penetration testing involves attempting to gain access through networks and exploit network-based vulnerabilities. Paul is not planning on attempting to access networks in this scenario. In known environment penetration tests, the tester is given full credentials and open access to the system being tested. If Paul were conducting the penetration tests in a known environment, he would not need to gain access through techniques like tailgating and lock picking. Blue teams play defense in a team-based penetration test or incident response exercise. Paul's actions are offensive, not defensive.

For support or reporting issues, include Question ID: 6522ff2d5c8036d6edbf22c5 in your ticket. Thank you.

Domain

5.0 - Security Program Management and Oversight
486
Q

Question 36:

Which of the following describes the act where malware on a guest operating system successfully spreads to another guest or the host in a virtualized environment?

VM escaping

Hypervisor patching

Virtualization detection

Guest OS isolation

A

Correct answer

VM escaping

Hypervisor patching

Virtualization detection

Your answer is incorrect

Guest OS isolation

Overall explanation

OBJ: 2.3 - VM escaping refers to the ability of malware on a guest OS to breach the virtualization layer, allowing it to affect another guest OS or the host system itself. Hypervisor patching refers to the act of updating or patching the hypervisor software to address known vulnerabilities and ensure the security of the virtualized environment. Guest OS isolation is the process of ensuring that each guest OS operates independently and securely, without interacting or affecting other guest OSs or the host. Virtualization detection refers to methods used by malware or attackers to detect if they are operating within a virtual environment, often to alter their behavior accordingly.

For support or reporting issues, include Question ID: 6515dcabfc06e416f3a94664 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
487
Q

Question 37:

Which of the following best describes a governance model where decision-making authority is restricted to a few individuals at the top of the organizational hierarchy?

Distributed management

Decentralized governance

Autocratic leadership

Centralized governance

A

Correct answer

Centralized governance

Overall explanation

OBJ: 5.1 - The centralized governance model concentrates decision-making power within the upper echelons of management, potentially leading to a unified strategy and policy enforcement. Decentralized governance distributes decision-making authority across various departments or units, allowing for localized control and flexibility. Distributed management refers to the allocation of management tasks across various geographical locations or divisions but does not specifically address decision-making authority. While autocratic leadership refers to control by an individual leader, it does not inherently address organizational governance structure.

Domain

5.0 - Security Program Management and Oversight
488
Q

Question 38:

During a network investigation, Aiden, a cybersecurity analyst, identifies two key irregularities: the CEO, who tends to work late, logged in from both Paris and Tokyo within five minutes, and there is an unexpected surge in emails from the HR department outside of recruitment season. Which of the following should the analyst be MOST concerned about based on these observations?

The absence of the CEO's usual late-night login.

Simultaneous CEO logins from distant locations.

A recent software update on the CEO's computer.

The sudden increase in emails from the HR department.

A

Correct answer

Simultaneous CEO logins from distant locations.

Overall explanation

OBJ: 2.4 - Simultaneous CEO logins from distant locations suggest that the CEO's credentials may have been compromised. It is unlikely for one person to log in from two vastly different geographical locations in such a short time frame. This could mean that an unauthorized entity has gained access to a potentially high-privilege account. It is common for employees to have specific patterns of logging in, but missing a usual login does not necessarily indicate a compromise; it could be due to various benign reasons, such as a change in the CEO's schedule or activities. While software updates are essential for fixing vulnerabilities, merely updating software is not typically an immediate indicator of a security compromise. Unless there is evidence that the update itself was malicious or introduced vulnerabilities, it should not be Aiden's primary concern in this context. While unusual email patterns can be an indicator of a compromised email account or a potential phishing campaign originating from a trusted source, they are not as direct an indicator as the simultaneous logins, especially without knowing the content and recipients of those emails.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
489
Q

Question 39:

Which of the following is a primary consideration when addressing local/regional legal implications when evaluating an organization's security compliance?

Understanding specific jurisdictional regulations and requirements.

Automating the compliance monitoring process across all regions.

Assessing global data breach notification timelines.

Attestation of compliance for all global branches of an organization.

A

Correct answer

Understanding specific jurisdictional regulations and requirements.

Overall explanation

OBJ: 5.4 - Different local and regional jurisdictions often have unique laws and mandates related to data protection and security, making it crucial for organizations to be knowledgeable about them to maintain compliance. Attestation is about confirming compliance understanding, but local/regional implications primarily involve adhering to specific geographical rules or laws. While understanding global implications can be vital, the focus of local/regional considerations is on specific area-based regulations. Automation can help with compliance tasks, but when considering local/regional legal implications, the primary concern is understanding and following specific area-based regulations.

Domain

5.0 - Security Program Management and Oversight
490
Q

Question 40:

You are a security analyst tasked with investigating a suspected security breach. As part of your investigation, you decide to examine the automated security reports generated by your security tools. Which of the following pieces of information from these reports would be the MOST valuable to investigating the incident?

List of employees who received the highest number of phishing emails in the last quarter

The total number of security alerts generated

Average time between security alerts over the past month

Specific details of security alerts triggered around the time of the suspected incident

A

Correct answer

Specific details of security alerts triggered around the time of the suspected incident

Overall explanation

OBJ 4.9: Detailed information on security alerts triggered around the timeframe of the incident could be vital in identifying the cause, origin, and scope of the breach. The total number of security alerts generated is too broad and generic; it fails to provide useful insights into the specific security incident in question. While useful for identifying potential future threats, the list of employees who received the highest number of phishing emails in the last quarter would not be particularly relevant for investigating a specific, current security incident unless that incident was due to a successful phishing attack. While the average time between security alerts over the past month may help to identify trends or patterns in security alerts, it would not directly provide valuable insights into a specific security incident.

Domain

4.0 - Security Operations
491
Q

Question 41:

Which of the following vulnerabilities BEST describes a situation where a threat actor can manipulate data after it has been verified by an application, but before the application uses it for a specific operation?

Memory leaks

Time-of-check (TOC)

Race conditions

Resource exhaustion

A

Correct answer

Time-of-check (TOC)

Overall explanation

OBJ: 2.3 - A TOC vulnerability occurs when an attacker exploits the time gap between the verification of data and its use, potentially leading to unauthorized or malicious activities. Race conditions relate to the unexpected order and timing of events in software execution but are not specifically about the gap between data verification and use. Memory leaks occur when a program does not release memory that it no longer needs, leading to potential system slowdowns or crashes; this does not involve data manipulation after verification. Resource exhaustion refers to the overuse of system resources, be it CPU time, memory, or others, which can lead to denial of service. It is not specific to data manipulation after its verification.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
492
Q

Question 42:

A company's systems were compromised and sensitive data was stolen. Upon investigation, it is discovered that attackers gained access through a Trojan that was installed on one employee's mobile device. The Trojan was installed on the device when the employee installed a piece of software from a website instead of the official app store. Which of the following describes the source of the problem?

Zero-day vulnerability

Jailbreaking

Side loading

Mobile device management (MDM) failure

A

Correct answer

Side loading

Overall explanation

OBJ: 2.3 - Side loading is the process of installing applications on a mobile device from sources other than the official app store, which can allow unauthorized applications to be installed. Mobile device management (MDM) failure can leave mobile devices vulnerable to unauthorized access or manipulation, but it does not directly relate to installing unauthorized applications from sources other than the official app store. Jailbreaking is the process of bypassing the security restrictions on a mobile device, which can allow unauthorized applications to be installed, but it is not the only way to install unauthorized applications. A zero-day vulnerability is a vulnerability that is unknown to the vendor and can be exploited by attackers, but it does not directly relate to installing unauthorized applications from sources other than the official app store.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
493
Q

Question 43:

In which symmetric encryption method is plaintext divided into equal-sized parts, potentially requiring padding to fit the designated size, and then subjected to complex operations based on a specific key value?

AES

Stream cipher

Transposition

Block cipher

A

Correct answer

Block cipher

Overall explanation

OBJ: 1.4 - Block ciphers process plaintext in equal-sized chunks, such as 128-bit blocks. If a plaintext does not align with this block size, it must be padded. The plaintext undergoes detailed transposition and substitution operations depending on the key value, ensuring secure encryption. Transposition is a type of operation used within encryption processes, especially within block ciphers, but is not a type of symmetric encryption on its own. Stream ciphers work by encrypting data one byte or bit at a time, making them ideal for scenarios where the total length of the message is not known in advance. The Advanced Encryption Standard is a widely adopted encryption cipher and is a type of block cipher. While it provides an encryption mechanism, it is not a general category of symmetric encryption.

Domain

1.0 - General Security Concepts
494
Q

Question 44:

In a small startup company, the access control mechanism allows individual users to have control over the access permissions of their files, folders, and resources. Each user can set access rights and determine who has access to their resources based on their own judgment. Which type of access control mechanism is being used in this scenario?

Discretionary

Role-based

Mandatory

Rule-based

A

Correct answer

Discretionary

Overall explanation

OBJ 4.6: The access control mechanism in the startup is Discretionary Access Control (DAC), where resource owners control access permissions for their files and resources, granting flexibility suited to smaller organizations. DAC allows users to set access rights based on their judgment. In contrast, Mandatory Access Control (MAC) enforces access strictly through predefined rules with no user discretion, which does not apply here. Rule-Based Access Control is broader and may allow various mechanisms, while Role-Based Access Control (RBAC) assigns permissions based on roles, not individual user control, as described in this scenario.

Domain

4.0 - Security Operations
495
Q

Question 45:

Which of the following statements about destruction in the hardware disposal process is NOT true?

Degaussing is a method of destruction for magnetic storage devices

Destruction methods include physical destruction such as pulverizing, incinerating, and shredding

Data destruction is unnecessary when the hardware is not physically damaged and can be reused

Destruction ensures that there is no possibility for data to be recovered from discarded assets

A

Correct answer

Data destruction is unnecessary when the hardware is not physically damaged and can be reused

Overall explanation

OBJ 4.2: Even if the hardware is intended for reuse, proper data destruction is still essential to prevent any sensitive data from falling into the wrong hands. Physical destruction methods, such as pulverizing, incinerating, and shredding, are often used in the disposal process. Degaussing, which uses a magnetic field to erase data from magnetic storage devices, is a common method of data destruction. The goal of destruction in the disposal process is to eliminate any chance of data recovery from the discarded asset.

Domain

4.0 - Security Operations
496
Q

Question 46:

Which of the following terms refers to the expected monetary loss for an asset due to a risk over a one-year period, calculated by multiplying the single loss expectancy by the annualized rate of occurrence?

ALE

SLE

EF

ARO

A

Correct answer

ALE

Overall explanation

OBJ: 5.2 - Annualized Loss Expectancy (ALE) represents the yearly financial loss a company can expect from a specific risk, factoring in both the severity and frequency of the event. ARO (Annualized Rate of Occurrence) is the frequency with which a specific risk is expected to occur within a one-year period, but without being multiplied by the SLE, it does not represent the total expected annual loss. Exposure Factor (EF) determines the proportion of asset value lost per risk event, a component of the SLE calculation, but is not directly related to the annualized expected loss. While SLE (Single Loss Expectancy) calculates the cost of a single occurrence of a risk event, it does not account for the frequency of that event over time, which is necessary to calculate ALE.

Domain

5.0 - Security Program Management and Oversight
497
Q

Question 47:

Emily from Kelly Innovations LLC recently implemented a WPA3-Enterprise authentication method for the company's wireless network. One morning, Jake, an IT specialist at the company, is reviewing the logs and notices that a single unidentified device attempted to connect to the network multiple times within a span of 5 minutes. Each time, the access point forwarded the device's credentials to the RADIUS server for validation. The logs showed that the device was never successfully authenticated, but its persistent connection attempts raised Jake's concerns. Which of the following should Jake MOST consider this behavior as?

A routine connection attempt from an employee's new device.

Regular network noise that can be ignored.

A potential brute-force attack on the WPA3-Enterprise system.

An automated software update trying to access the internet.

A

Correct answer

A potential brute-force attack on the WPA3-Enterprise system.

Overall explanation

OBJ: 2.4 - Repeated attempts to authenticate in a short time span, especially without success, are a classic sign of a brute-force attempt, where an attacker tries multiple combinations in hopes of finding the correct one. While it is possible that an employee is trying to connect a new device, the repeated failed attempts in such a short span suggest it might be more than just a routine connection. Persistent and rapid connection attempts are not just regular "network noise" and should not be ignored, especially in a secure environment. Software updates would not need to authenticate repeatedly with the wireless system in such a manner, making this an unlikely reason.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
498
Q

Question 48:

Which of the following BEST describes the proactive approach to ensure that an organization's IT infrastructure can meet future workload demands by analyzing current capabilities?

Performance tuning

Infrastructure hardening

Capacity planning

Redundancy implementation

A

Correct answer

Capacity planning

Overall explanation

OBJ 3.4: Analyzing the current capabilities of IT infrastructure and forecasting future needs is the essence of capacity planning. It determines when and where additional resources will be required to address future growth. While redundancy implementation ensures that there is a backup in place in case of system failures, redundancy does not focus on analyzing current capabilities against future workload demands. Infrastructure hardening refers to security measures and practices applied to protect IT infrastructure from threats but does not involve forecasting future resource needs. Performance tuning optimizes the performance of a system, which can increase the efficiency of current resources; it does not inherently focus on forecasting or analyzing future infrastructure needs.

Domain

3.0 - Security Architecture
499
Q

Question 49:

Susan, a cybersecurity specialist at Kelly Innovations LLC, has been tasked with hardening the company's mobile devices. Which technique would provide the MOST effective protection against these potential threats?

Enforce 2FA for all device logins

Enable open Wi-Fi connections

Recommend the use of voice recognition software

Regularly change device wallpaper settings

A

Correct answer

Enforce 2FA for all device logins

Overall explanation

OBJ 4.1: By requiring a second form of authentication, unauthorized access becomes much harder even if an attacker obtains the password. While keeping the user interface fresh, changing wallpapers has no impact on the device's security posture. Voice recognition, although useful, is not as secure as 2FA due to the potential for voice spoofing or background noise interference. Open Wi-Fi connections might provide ease of access, but they expose devices to potential threats, making them less secure compared to 2FA.

Domain

4.0 - Security Operations
500
Q

Question 50:

Which monitoring technology would be the MOST suitable to gain a comprehensive overview of the health and security status of foundational IT components, including network traffic and interactions between servers?

NIDS

Vulnerability scanners

SNMP traps

Log aggregation tools

A

Correct answer

NIDS

Overall explanation

OBJ: 4.4 - A NIDS (Network Intrusion Detection System) specializes in monitoring network traffic, analyzing it for signs of security breaches or policy violations, making it the ideal choice for infrastructure monitoring. Log aggregation tools collect and manage logs, but they do not provide real-time monitoring of network traffic like a NIDS. While SNMP (Simple Network Management Protocol) traps can alert administrators to specific events or problems, they do not provide a holistic view of network health like a NIDS. Vulnerability scanners search for known vulnerabilities within systems or applications, but they do not provide continuous monitoring of network interactions.

Domain

4.0 - Security Operations
501
Q

Question 51:

You are the security administrator for a large organization that manages numerous online accounts and systems. To enhance security and reduce the risk of password-related incidents, you decide to implement password vaulting. Which of the following statements best describes the purpose and benefit of password vaulting in this scenario?

Password vaulting requires users to use the same password for all accounts to simplify management and ensure consistency

Password vaulting stores passwords in an encrypted database, providing a central, secure location for managing passwords, reducing the risk of password reuse and exposure

Password vaulting eliminates the need for users to remember their passwords by automatically generating and assigning strong passwords to each account

Password vaulting uses biometric authentication to grant access to stored passwords, ensuring only authorized individuals can retrieve them

A

Correct answer

Password vaulting stores passwords in an encrypted database, providing a central, secure location for managing passwords, reducing the risk of password reuse and exposure

Overall explanation

OBJ 4.6: Password vaulting stores passwords in an encrypted database, centralizing and securing password management. This reduces the risk of reuse and exposure, allowing users to maintain strong, unique passwords for each account while remembering only a master password. Although password vaulting manages passwords, it does not automatically generate them; users must still create strong passwords. While biometric authentication can enhance security, it is not the primary purpose of password vaulting, which focuses on secure password storage. Using the same password across accounts is insecure and counters the purpose of vaulting, which supports unique passwords for each account.

Domain

4.0 - Security Operations
502
Q

Question 52:

For an organization that requires daily backups with minimal impact on network resources and seeks to ensure quick data recovery, which backup approach would most likely be recommended?

Differential backups

Daily full backups

Incremental backups

Snapshots

A

Correct answer

Incremental backups

Overall explanation

OBJ 3.4: Incremental backups back up only the changes since the last backup, thereby using minimal network resources daily and ensuring quick recovery when combined with the latest full backup. Differential backups back up all changes since the last full backup, potentially using more resources as the week progresses. While useful for instant recovery points, snapshots might not serve as the best daily backup strategy for all types of data or systems, as they may be incomplete. Daily full backups would be comprehensive but would have a higher impact on network resources.

Domain

3.0 - Security Architecture
503
Q

Question 53:

Dion Training Solutions implemented a new authentication system for their internal applications. The system ensures that authentication data can only be used for a single session and requires both the client and server to prove their identity by using a unique ticketing system. Which of the following authentication mechanisms is Dion Training Solutions MOST likely using to prevent credential replay attacks?

OAuth

LDAP

Kerberos

SAML

A

Correct answer

Kerberos

Overall explanation

OBJ: 2.4 - Kerberos is an authentication protocol that uses tickets to prevent eavesdropping and replay attacks. It relies on a trusted third party, the Key Distribution Center (KDC), to facilitate mutual authentication between clients and services. SAML is an XML-based standard for exchanging authentication and authorization data between parties. It is focused more on Single Sign-On (SSO) and does not use the Kerberos ticketing mechanism. LDAP is a protocol used to access and manage directory information over a network. While it can be used for authentication, it does not inherently prevent credential replay. OAuth is an open standard for access delegation. It allows third-party services to use account information without exposing user passwords. However, it does not use a ticketing mechanism.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
504
Q

Question 54:

Which of the following terms refers to the individual responsible for managing a particular risk, ensuring appropriate mitigation measures are implemented and monitored?

Risk indicator

Risk assessor

Risk owner

Risk register

A

Correct answer

Risk owner

Overall explanation

OBJ: 5.2 - A risk owner is responsible for identifying, assessing, managing, and mitigating a particular risk, as well as for monitoring the effectiveness of these measures and taking corrective action when necessary. A risk assessor evaluates and analyzes the risks but is not necessarily responsible for managing them. A risk indicator is a metric used to measure aspects of risk but does not refer to the individual overseeing the risk management process. A risk register is a document listing all identified risks, their severity, and mitigation strategies, not the individual managing the risks.

Domain

5.0 - Security Program Management and Oversight
505
Q

Question 55:

Which of the following procedures outline the steps for controlling alterations to IT systems within an organization?

Onboarding/offboarding

Using playbooks

Change management

Incident response

A

Correct answer

Change management

Overall explanation

OBJ: 5.1 - Change management outlines the steps and guidelines for managing changes to IT systems within an organization. It includes processes for requesting, evaluating, approving, implementing, and reviewing changes to minimize the risk of disruptions and ensure that changes are carried out in a controlled and coordinated manner. Playbooks are comprehensive sets of instructions that outline predefined responses to specific situations or events. They are often used in incident response and cybersecurity for guiding actions during security incidents. While valuable for incident management, playbooks are not specifically related to managing changes in IT systems. Onboarding and offboarding cover the processes and tasks related to welcoming new employees (onboarding) and handling the departure of employees (offboarding) within an organization. While important for managing personnel transitions, they are not directly related to changes in IT systems. Incident response defines the steps for detecting, analyzing, responding to, and recovering from cybersecurity incidents and data breaches. While essential for handling security incidents, it is not directly related to managing changes to IT systems.

Domain

5.0 - Security Program Management and Oversight
506
Q

Question 56:

Jamario, the lead network technician at Dion Training, wants to enhance the security of their routers. Which action should he prioritize to BEST safeguard the routers from external threats?

Implement an ACL

Enable UPnP

Rename the SSID to a unique name

Enable remote management from any IP address

A

Correct answer

Implement an ACL

Overall explanation

OBJ 4.1: Access control lists (ACLs) provide a mechanism to selectively allow or deny traffic, offering precise control over what can communicate with the router. While renaming the SSID can deter some unsophisticated threats, it does not offer robust protection against targeted attacks. Universal Plug and Play (UPnP) can simplify device connectivity but can be exploited if an untrusted device joins the network. Allowing remote management from any IP can make administrative tasks easier but also exposes the router to potential attacks.

Domain

4.0 - Security Operations
507
Q

Question 57:

Which of the following terms refers to an initiative where organizations incentivize external individuals or researchers to discover and report potential vulnerabilities in their software or systems, often with monetary rewards or recognition for valid findings?

Information-sharing organization

Dynamic analysis

Vulnerability scanning

Bug bounty program

A

Correct answer

Bug bounty program

Overall explanation

OBJ 4.3: A bug bounty program is an initiative where organizations offer rewards, often financial, to individuals who identify and responsibly disclose security vulnerabilities in their software or systems. Vulnerability scanning uses automated tools to probe systems and networks for known vulnerabilities, providing an assessment of potential security risks. Information-sharing organizations are entities that enable groups to share data about threats and vulnerabilities, enhancing collective defense against cyber risks. Dynamic analysis involves evaluating software during its runtime to uncover vulnerabilities that might not be apparent when the software is not running.

Domain

4.0 - Security Operations
508
Q

Question 58:

To ensure that critical encryption keys are available for recovery in case of emergencies, Kelly Innovations LLC has stored a copy of these keys with a trusted third party. Which cryptographic solution is Kelly Innovations LLC using?

Public key

Key escrow

Private key

Wildcard certificate

A

Correct answer

Key escrow

Overall explanation

OBJ: 1.4 - Kelly Innovations LLC is using key escrow. It is a service where encryption keys are securely stored with a trusted third party, ensuring their availability for recovery during emergencies, which underlines the importance of having a backup for critical cryptographic assets. A private key is kept secret by its holder and is used for decryption; storing it with another party without additional security measures can pose risks. Freely distributed, a public key is used to encrypt messages meant for the key holder, but it is not stored for emergency recovery purposes. A wildcard certificate secures multiple subdomains under a main domain but does not pertain to the storage or recovery of encryption keys.

Domain

1.0 - General Security Concepts
509
Q

Question 59:

Which of the following is a type of race condition that occurs when a process performs an action on a resource without verifying that it is still in the same state or value as when it was last checked?

Buffer overflow

Time-of-use (TOU)

Memory Injection

Time-of-check (TOC)

A

Buffer overflow

Correct answer

Time-of-use (TOU)

Memory Injection

Your answer is incorrect

Time-of-check (TOC)

Overall explanation

OBJ: 2.3 - Time-of-use (TOU) is a type of race condition that occurs when a process performs an action on a resource without verifying that it is still in the same state or value as when it was last checked. It can lead to incorrect or unauthorized actions based on invalid assumptions. Memory injection is the insertion of malicious code into a system’s memory, not the exploitation of a time gap between a check and use of a condition. Buffer overflow is a type of memory corruption that occurs when a program writes more data than the allocated buffer can hold, causing it to overwrite adjacent memory locations. It can lead to crashes, code execution, or privilege escalation. Time-of-check (TOC) is a type of race condition that occurs when a process checks the state or value of a resource before using it, but another process changes it in between. It can lead to incorrect or unauthorized actions based on outdated information.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
510
Q

Question 60:

Which of the following BEST describes the primary purpose of establishing rules of engagement when conducting a security assessment for a third-party vendor?

Setting the timeline for the next vendor agreement renewal.

Listing the personnel who will be involved in the security assessment.

Determining the financial costs of the security assessment.

Defining the boundaries and limitations during the assessment.

A

Setting the timeline for the next vendor agreement renewal.

Listing the personnel who will be involved in the security assessment.

Determining the financial costs of the security assessment.

Your answer is correct

Defining the boundaries and limitations during the assessment.

Overall explanation

OBJ: 5.3 - Rules of engagement are essential to ensure that the security assessment is conducted within specified parameters and doesn't inadvertently harm the vendor's operations or reputation. While listing the personnel who will be involved in the security assessment might be part of the overall planning, it's not the primary purpose of the rules of engagement. While the cost might be a consideration in the overall agreement, the rules of engagement are more about the technical and operational constraints of the assessment. Rules of engagement are focused on the assessment's conduct, not on contractual timelines or renewal processes.

Domain

5.0 - Security Program Management and Oversight
511
Q

Question 61:

Dion Training wants to consolidate its network security services into a cloud-centric model to simplify its security operations. Which of the following is the BEST solution?

CASB

Proxy server

SASE

VPN

A

CASB

Proxy server

Correct answer

SASE

Your answer is incorrect

VPN

Overall explanation

OBJ 3.2: Secure Access Service Edge (SASE) is a security model that converges multiple security services into a single cloud-based service, making it the prime option for the given scenario. A Virtual Private Network (VPN) is primarily used to encrypt internet connections and protect digital privacy but doesn't specifically consolidate multiple network security services into a single cloud-based model. A proxy server can serve as an intermediary for requests but does not consolidate multiple network security services into a cloud-based model. Cloud Access Security Broker (CASB) provides visibility and control over cloud applications; however, it does not consolidate network security services into a single cloud-based model like SASE does.

Domain

3.0 - Security Architecture
512
Q

Question 62:

Dion Training Solutions recently experienced a cyberattack that resulted in significant data loss and financial implications. In an effort to protect against future financial consequences, the company decides to explore measures that could help mitigate these risks. Which action is Dion Training Solutions likely to take?

Purchase cyber liability insurance

Migrate to a more secure cloud platform

Encrypt data-at-rest and data-in-transit

Implement intrusion detection systems (IDS)

A

Correct answer

Purchase cyber liability insurance

Migrate to a more secure cloud platform

Your answer is incorrect

Encrypt data-at-rest and data-in-transit

Implement intrusion detection systems (IDS)

Overall explanation

OBJ 4.3: Cyber liability insurance is designed to offset costs involved with recovering from a cyber breach or similar events. This will financially safeguard Dion Training Solutions against potential repercussions of future cyber incidents. Migration might enhance security, but it doesn't shield the company from the financial implications of a cyberattack. While IDS can alert and help prevent unauthorized access, it does not provide financial protection against the consequences of cyberattacks. While encryption can secure data and prevent unauthorized access, it doesn't offer financial coverage against cyber breaches.

Domain

4.0 - Security Operations
513
Q

Question 63:

You are working on a project that requires you to use a software application that is not installed on your system. You find a website that offers a free download of the application and you click on the download button. However, instead of downloading the application, you download a PNG file which may contain malicious code. If it is malicious, what type of attack vector was used to deliver the code?

Pretexting

Image-based

Removable device

File-based

A

Pretexting

Correct answer

Image-based

Your answer is incorrect

Removable device

File-based

Overall explanation

OBJ: 2.2 - Image-based attacks use malicious images, such as JPEGs, PNGs, or GIFs, to exploit vulnerabilities in image processing software or embed malicious code in the image metadata. File-based attacks use malicious files, such as executables, documents, or archives, to infect systems with malware or perform other malicious actions. Pretexting uses a story to create a sense of trust with the victim. It makes it more likely that the victim will do what the attacker wants them to do. In the scenario, there is no fake story used. Removable device attacks use devices such as USB drives, CDs, or DVDs to infect systems with malware or perform other malicious actions.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
514
Q

Question 64:

Which of the following BEST emphasizes why maintaining a chain of custody is pivotal in digital forensics investigations?

It ensures the integrity and authenticity of evidence

It provides legal teams with a roadmap for case strategy

It determines the relevance of the evidence to the case

It allocates budgetary resources for the forensic investigation

A

Correct answer

It ensures the integrity and authenticity of evidence

It provides legal teams with a roadmap for case strategy

It determines the relevance of the evidence to the case

Your answer is incorrect

It allocates budgetary resources for the forensic investigation

Overall explanation

OBJ 4.8: The chain of custody chronicles the handling and storage of evidence, verifying its authenticity and that it hasn't been tampered with. While the evidence's relevance is crucial, the chain of custody doesn't ascertain this. Budgetary concerns are separate and not directly linked to the chain of custody, which pertains to evidence handling. Though the evidence affects case strategies, the chain of custody specifically deals with documenting evidence handling, not strategic planning.

Domain

4.0 - Security Operations
515
Q

Question 65:

Which of the following terms refers to a method that involves packaging an application and its dependencies into a lightweight and portable unit?

Containerization

Microservices

Virtualization

Serverless

A

Correct answer

Containerization

Microservices

Virtualization

Your answer is incorrect

Serverless

Overall explanation

OBJ: 3.1 - Containerization is a method that involves packaging an application and its dependencies into a lightweight and portable unit, which can run on any platform that supports containers. Containerization can improve performance, scalability, and security of applications. Serverless is an architecture model that involves running code without provisioning or managing servers. It does not involve packaging an application and its dependencies into a unit. Microservices is an architecture model that involves deploying applications as independent services that communicate with each other. It does not involve packaging an application and its dependencies into a unit. Virtualization is a technique that involves creating virtual versions of physical resources, such as servers, storage, or networks. It does not involve packaging an application and its dependencies into a unit.

Domain

3.0 - Security Architecture
516
Q

Question 66:

Within the context of a business process analysis (BPA) for mission essential functions, which of the following elements is responsible for detailing the sources of information that the function depends on, including the ramifications if this information is delayed or received out of sequence?

Staff and other resources

Outputs

Inputs

Hardware

A

Staff and other resources

Outputs

Correct answer

Inputs

Your answer is incorrect

Hardware

Overall explanation

OBJ: 5.3 - In a BPA, Inputs are identified as the sources of information vital for the execution of a function, and the analysis includes the impact of any delays or disorder in their provision. This factor accounts for the human resources and other supports necessary for the function, but does not deal with information sources. Outputs refer to the end products or results generated by the function, which come after the information inputs in the process flow. Hardware relates to the physical technological components used in the process, such as servers or data centers, not the informational inputs.

Domain

5.0 - Security Program Management and Oversight
517
Q

Question 67:

Which term refers to maintaining access restrictions to prevent unauthorized disclosure?

Confidentiality

Availability

Integrity

Non-repudiation

A

Correct answer

Confidentiality

Availability

Integrity

Your answer is incorrect

Non-repudiation

Overall explanation

OBJ: 1.2 - Confidentiality ensures that information is accessible only to those with the appropriate permissions, preventing unauthorized access. Integrity ensures that data remains unchanged and free from tampering unless it has been authorized. Availability ensures that information is accessible and functional to authorized users when needed. Non-repudiation ensures that both the sender and the recipient of a message cannot deny having sent or received it.

Domain

1.0 - General Security Concepts
518
Q

Question 68:

Sanders & Associates has experienced a significant increase in email-based threats, including phishing attacks and malware-laden attachments. To improve their email security, the organization decides to implement email gateways in their email infrastructure. Which of the following choices BEST explains the significance of implementing email gateways in the given scenario?

Implementing email gateways helps filter and block malicious emails, reducing the risk of phishing attacks and malware infections

Email gateways provide end-to-end encryption for email messages, protecting sensitive information from unauthorized access during transmission

Email gateways offer real-time monitoring and reporting capabilities, enabling administrators to track email delivery status and performance

Email gateways allow users to digitally sign their emails, ensuring the authenticity and integrity of the messages

A

Correct answer

Implementing email gateways helps filter and block malicious emails, reducing the risk of phishing attacks and malware infections

Email gateways provide end-to-end encryption for email messages, protecting sensitive information from unauthorized access during transmission

Your answer is incorrect

Email gateways offer real-time monitoring and reporting capabilities, enabling administrators to track email delivery status and performance

Email gateways allow users to digitally sign their emails, ensuring the authenticity and integrity of the messages

Overall explanation

OBJ 4.5: One of the primary functions of email gateways is to filter and block malicious emails, including phishing attempts and emails containing malware. By implementing email gateways, Sanders & Associates can significantly reduce the risk of successful email-based attacks, enhancing their email security. While email gateways may support email authentication methods like SPF, DKIM, and DMARC, their main role is not to allow users to digitally sign their emails. While encryption is important for protecting sensitive information, email gateways are not primarily responsible for providing end-to-end encryption for email messages. While email gateways may provide some monitoring and reporting features, their primary function in this scenario is to filter and block malicious emails to improve email security.

Domain

4.0 - Security Operations
519
Q

Question 69:

Which of the following terms refers to examinations conducted by an outside organization to assess an entity's compliance with specific legal standards?

External regulatory audits

Operational audits

In-House compliance reviews

Forensic audits

A

Correct answer

External regulatory audits

Operational audits

In-House compliance reviews

Your answer is incorrect

Forensic audits

Overall explanation

OBJ: 5.5 - External regulatory audits are audits carried out by third-party entities to determine if an organization is adhering to specific external regulatory standards, often pertaining to areas like finance, health, or cybersecurity. Forensic audits are a deep dive analysis usually conducted in response to suspected fraudulent activities, aiming to uncover evidence of malfeasance. Operational audits focus on evaluating the efficiency and effectiveness of an organization's operating procedures, not necessarily regulatory compliance. While In-House compliance reviews assess adherence to rules and regulations, they are typically initiated by the organization itself, not by an outside entity.

Domain

5.0 - Security Program Management and Oversight
520
Q

Question 70:

A company undergoes an internal review to verify that its security controls are functioning as expected and in compliance with industry standards. The results are documented and signed by a senior official to confirm that all controls have been properly implemented and tested. What is this process called?

Vulnerability Scanning

Attestation

Penetration Testing

Auditing

A

Vulnerability Scanning

Correct answer

Attestation

Your answer is incorrect

Penetration Testing

Auditing

Overall explanation

OBJ 5.5 - Attestation involves a formal statement verifying that security controls are in place and meet required standards, usually signed by an authorized official. This differs from auditing and penetration testing, which involve active reviews but do not necessarily include a formal declaration or signature.

Domain

5.0 - Security Program Management and Oversight
521
Q

Question 71:

Which of the following accurately describes side loading?

Installing an application through an official app store after approval

Installing an application from an unofficial or third-party source

Updating applications automatically through the app store

Downloading an application from a trusted corporate network

A

Installing an application through an official app store after approval

Correct answer

Installing an application from an unofficial or third-party source

Updating applications automatically through the app store

Your answer is incorrect

Downloading an application from a trusted corporate network

Overall explanation

OBJ 2.3 - Side loading refers to the process of installing an application from an unofficial or third-party source rather than from an official app store. When an application is side-loaded, it bypasses the security and vetting processes typically enforced by official app stores, which helps ensure app safety and integrity. As a result, side-loaded apps may introduce security risks, as they could contain malware or malicious code that hasn’t been screened. This differs from downloading from a trusted corporate network or official app store, which have controls in place to verify the security of apps. Automatic updates through the app store also do not apply, as side loading specifically involves sourcing applications from external or unofficial locations.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
522
Q

Question 72:

After resolving reported SQL injection vulnerabilities in their database, Dion Training wishes to confirm that these specific weaknesses have indeed been patched. Which action is MOST appropriate for this purpose?

Reviewing the latest patch notes for the database software

Setting up additional firewall rules around the database

Monitoring real-time database access logs for suspicious activities

Re-executing vulnerability scans on affected database endpoints

A

Reviewing the latest patch notes for the database software

Setting up additional firewall rules around the database

Monitoring real-time database access logs for suspicious activities

Your answer is correct

Re-executing vulnerability scans on affected database endpoints

Overall explanation

OBJ 4.3: Re-scanning previously vulnerable endpoints is the direct approach to confirm if SQL injection flaws have been addressed. While enhancing protection, setting up additional firewall rules around the database doesn't provide direct confirmation that SQL injection vulnerabilities are fixed. Real-time monitoring is about detecting ongoing threats, not confirming the resolution of a specific vulnerability. While patch notes give an overview of updates, they do not directly validate the resolution of specific vulnerabilities.

Domain

4.0 - Security Operations
523
Q

Question 73:

Acme Anvils, a hardware supplier, is developing a continuity of operations plan. Among the many things they will change about their operations, they plan to create multiple data backups that will be stored in different locations throughout the country. What is the term used to describe the backup aspect of their plan?

Geographic dispersion

Warm sites

Fault tolerance

High availability

A

Correct answer

Geographic dispersion

Warm sites

Your answer is incorrect

Fault tolerance

High availability

Overall explanation

OBJ 3.4: Geographic dispersion specifically refers to the practice of spreading critical resources and assets across multiple geographic locations to protect against localized disasters or failures. In the context of data backups, geographical dispersion helps ensure that if one location is compromised, data can still be retrieved from another location. High availability refers to systems designed to be available a significant amount of the time, reducing downtime to a minimum, which typically involves redundant systems and components to maintain service continuity, but it doesn't specifically address or require the geographic distribution of backups. Fault tolerance refers to a system's ability to continue operating in the event of a failure of some of its components; it generally focuses on system design and redundancy rather than ensuring geographical dispersal of backups. A warm site is a type of disaster recovery site that is equipped and ready to be activated within a reasonable time after a disaster. It involves having facilities partially equipped with network connections and servers, which doesn't always ensure or require that these sites are geographically dispersed.

Domain

3.0 - Security Architecture
524
Q

Question 74:

Dion Training has recently upgraded its wireless network infrastructure to enhance security and protect sensitive data from unauthorized access. As the security specialist, you are responsible for configuring the wireless security settings. Which of the following options would be the most appropriate and effective security technique to apply to the company's wireless network?

RADIUS

AAA

WPA3

Cryptographic protocols

A

RADIUS

AAA

Your answer is correct

WPA3

Cryptographic protocols

Overall explanation

OBJ 4.1: WPA3 (Wi-Fi Protected Access 3) is the latest and most secure version of Wi-Fi security protocols. It provides robust encryption and authentication mechanisms, making it highly resistant to various attacks, including brute force and dictionary attacks. WPA3 significantly enhances the security of wireless networks, ensuring the confidentiality and integrity of data transmitted over the network. RADIUS (Remote Authentication Dial-In User Service) is not a wireless security technique. RADIUS is a networking protocol used for centralized authentication, authorization, and accounting (AAA) for users who access network resources via remote access servers, such as Virtual Private Network (VPN) servers or dial-up servers. AAA, which stands for Authentication, Authorization, and Accounting, is a framework for controlling access to network resources and services. While it is an essential aspect of network security, it does not directly relate to wireless security settings. While cryptographic protocols are used in various aspects of security, such as data encryption and secure communication, the question specifically asks for a wireless security technique. WPA3, on the other hand, is a specific wireless security protocol that aligns with the scenario provided.

Domain

4.0 - Security Operations
525
Q

Question 75:

Dion Training Solutions is expanding its campus and setting up a new server room. Considering security principles for proper device placement, which of the following actions is MOST appropriate?

Installing servers in multiple rooms for redundancy

Centrally locating server rooms with limited access points

Placing servers away from windows so people won't be able to find them

Locating servers near the main entrance for easier access

A

Installing servers in multiple rooms for redundancy

Correct answer

Centrally locating server rooms with limited access points

Placing servers away from windows so people won't be able to find them

Your answer is incorrect

Locating servers near the main entrance for easier access

Overall explanation

OBJ 3.2: Centralizing servers in a room with controlled access ensures better security by reducing the number of potential physical entry points. Placing servers in multiple locations can create more access points and complicate physical security controls, making the environment harder to secure. Placing servers away from windows might reduce visibility, but it does not address the more critical issue of securing access points, making it less comprehensive. Having servers near the main entrance exposes them to more traffic, increasing the risk of unauthorized physical access.

Domain

3.0 - Security Architecture
526
Q

Question 76:

Which of the following architecture models involves deploying applications as independent services that communicate with each other through well-defined APIs?

Cloud

Microservices

IaC

Serverless

A

Cloud

Correct answer

Microservices

IaC

Your answer is incorrect

Serverless

Overall explanation

OBJ: 3.1 - Microservices is an architecture model that involves deploying applications as independent services that communicate with each other through well-defined APIs. Microservices can improve performance, scalability, and security of applications, but they also introduce complexity, dependency, and communication challenges. Infrastructure as code (IaC) is a method that involves using code or configuration files to automate the provisioning and management of infrastructure. It does not involve deploying applications as independent services that communicate with each other. Cloud is an architecture model that involves delivering computing services over the internet. It does not involve deploying applications as independent services that communicate with each other. Serverless is an architecture model that involves running code without provisioning or managing servers. It does not involve deploying applications as independent services that communicate with each other.

Domain

3.0 - Security Architecture
527
Q

Question 77:

Which of the following BEST represents a key practice in change management?

System downtime during significant changes is insignificant and shouldn't be scheduled.

Changes should be implemented spontaneously to test system robustness.

Every implemented change should have a rollback plan in case of harmful consequences.

Once a change is implemented, there's no need to assess its impact.

A

System downtime during significant changes is insignificant and shouldn't be scheduled.

Changes should be implemented spontaneously to test system robustness.

Correct answer

Every implemented change should have a rollback plan in case of harmful consequences.

Your answer is incorrect

Once a change is implemented, there's no need to assess its impact.

Overall explanation

OBJ: 5.1 - A rollback or remediation plan ensures that if a change results in unexpected issues, it can be reversed quickly to mitigate negative impacts. Change management emphasizes careful planning and consideration, not spontaneity. Assessing the impact of a change is a critical step in the change management process to ensure desired outcomes and to learn from the process. Changes that might cause downtime should be scheduled carefully, preferably during maintenance windows.

Domain

5.0 - Security Program Management and Oversight
528
Q

Question 78:

Kelly, a disgruntled employee of Dion Innovations, threatens to release sensitive customer data unless the company agrees to pay her a hefty sum. What is Kelly's primary motivation for this act?

Exposing Unethical Behavior

Service disruption

Political beliefs

Blackmail

A

Exposing Unethical Behavior

Service disruption

Political beliefs

Your answer is correct

Blackmail

Overall explanation

OBJ: 2.1 - Blackmail involves threatening to reveal embarrassing, disgraceful, or damaging information about a person or entity unless certain demands, typically for money, are met. Service disruption is an act to interrupt or prevent the regular operation or function of services, typically IT services. Acting in a way that aligns with a set of moral principles or values, exposing unethical behavior does not pertain to threats or demands for money. Actions that are driven by deep-seated beliefs or ideologies, political beliefs don't relate to monetary demands.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
529
Q

Question 79:

You are a security administrator for a medium-sized enterprise that runs a variety of critical applications on Linux servers. The organization has recently experienced several security incidents related to unauthorized access and privilege escalation. As a security administrator, you recommend implementing SELinux (Security-Enhanced Linux) to enhance security. Which of the following approaches would be the most effective way to implement SELinux for the given scenario?

Setting SELinux to "Permissive" mode to avoid potential compatibility issues with critical applications

Running SELinux in "Disabled" mode, but configuring other security mechanisms, such as a firewall, to compensate

Configuring SELinux to "Enforcing" mode and regularly reviewing audit logs

Setting SELinux to "Permissive" mode to allow all actions and generate logs for review

A

Setting SELinux to "Permissive" mode to avoid potential compatibility issues with critical applications

Your answer is incorrect

Running SELinux in "Disabled" mode, but configuring other security mechanisms, such as a firewall, to compensate

Correct answer

Configuring SELinux to "Enforcing" mode and regularly reviewing audit logs

Setting SELinux to "Permissive" mode to allow all actions and generate logs for review

Overall explanation

OBJ 4.5: Setting SELinux to "Enforcing" mode actively restricts access based on security policies, adding robust protection against unauthorized access. Regularly reviewing SELinux logs helps administrators proactively identify threats. "Permissive" mode allows monitoring without enforcement, reducing compatibility issues but removing SELinux's security layer. Relying solely on other security tools, like firewalls, is insufficient, as SELinux provides unique mandatory access controls. "Disabled" mode eliminates this layer entirely, and while "Permissive" generates logs, it does not prevent unauthorized access, making it less effective for security.

Domain

4.0 - Security Operations
530
Q

Question 80:

Which type of sensor is primarily used to detect radiation emitted by objects, particularly beneficial for motion detection in security systems?

Access badge

Honeyfile

Infrared

Bollards

A

Access badge

Honeyfile

Correct answer

Infrared

Your answer is incorrect

Bollards

Overall explanation

OBJ: 1.2 - Infrared sensors detect radiation emitted by objects and are commonly used in security systems for motion detection. Bollards are short, vertical posts designed to prevent vehicular access to certain areas. A honeyfile is a decoy data or file set up to detect unauthorized access or data breaches. An access badge provides identification and allows the holder to enter a restricted area.

Domain

1.0 - General Security Concepts
531
Q

Question 81:

At Dion Training, promoting security awareness is paramount. To fortify organizational data protection, what should Dion Training do to uphold and enhance password management best practices?

Require users to change their passwords every 30 days.

Instruct users to create strong, unique passwords for each account.

Letting users reuse long strong passwords if they haven't used them in the past two years.

Create and enforce complexity rules.

A

Require users to change their passwords every 30 days.

Correct answer

Instruct users to create strong, unique passwords for each account.

Letting users reuse long strong passwords if they haven't used them in the past two years.

Your answer is incorrect

Create and enforce complexity rules.

Overall explanation

OBJ: 5.6 - Encouraging employees to keep their passwords confidential and use strong, unique passwords for each account is a crucial aspect of password management best practices. This practice enhances security awareness by promoting secure password habits. Reusing passwords is a bad practice, so it should be avoided. Letting users create unique long, strong passwords that they can remember is a better practice. In the past, complexity rules were seen as a useful way to improve password management. However, in current NIST guidelines, complexity rules are seen as counter-productive. Users are more likely to write down complex passwords because they are difficult to remember. Letting users create long, strong passwords that they can remember is a better practice. In the past, aging rules were seen as a useful way to improve password management. However, in current NIST guidelines, aging rules are seen as counter-productive. Users are more likely to write down and reuse passwords when they are forced to change passwords frequently. Letting users create long, strong passwords that they can remember is a better practice.

Domain

5.0 - Security Program Management and Oversight
532
Q

Question 82:

In your organization, you oversee the cybersecurity of workstations heavily used by the data analytics team. After a round of system updates, you've stepped into the "Maintain" phase of secure baselines. The operating system is loaded, and a template with essential configurations, patches, and security updates has been applied. Which of the following statements is the MOST appropriate next course of action to ensure ongoing system security?

Redeem the remaining workstation resources to maximize computational performance

Leave the workstations as they are until the next planned system update

Instruct users to manage their own security updates, patches, and configurations moving forward

Implement a routine schedule to keep the configurations, patches, and security up-to-date

A

Redeem the remaining workstation resources to maximize computational performance

Leave the workstations as they are until the next planned system update

Your answer is incorrect

Instruct users to manage their own security updates, patches, and configurations moving forward

Correct answer

Implement a routine schedule to keep the configurations, patches, and security up-to-date

Overall explanation

OBJ 4.1: Regularly reviewing, updating, and verifying the existing configurations, patches, and security updates is part of the "Maintain" phase in secure baselines. This helps ensure that any newly identified vulnerabilities are patched in a timely manner, and that security configurations are kept updated as the threat landscape evolves. While maximizing computational performance is important, redeeming the remaining workstation resources for that purpose shouldn't be done at the expense of cybersecurity. Not reviewing and updating system security until the next planned system update can leave the workstation exposed to newly arisen threats. Leaving users to manage their own security updates can lead to irregular or neglected updates, potentially exposing the system to vulnerabilities.

For support or reporting issues, include Question ID: 64c17c14b193c28a2864d593 in your ticket. Thank you.

Domain

4.0 - Security Operations
533
Q

Question 83:

Which of the following is a type of attack that involves modifying the system's boot sequence to execute malicious code?

Operating system (OS) based

Hardware based

Web based

Application based

A

Correct answer

Operating system (OS) based

Hardware based

Web based

Your answer is incorrect

Application based

Overall explanation

OBJ: 2.3 - Operating system (OS) based attacks involve modifying the boot sequence or configuration of a system to execute malicious code or bypass security controls. They can allow an attacker to gain persistent and stealthy access to the system, or compromise its integrity or availability. Application based attacks involve exploiting vulnerabilities or weaknesses in software applications, such as memory injection, buffer overflow, race conditions, or malicious updates. They can allow an attacker to alter the behavior, performance, or security of the application, or install malware, backdoors, or spyware on it. Web-based attacks involve exploiting vulnerabilities or weaknesses in web servers, applications, or browsers, such as SQL injection, XSS, CSRF, or directory traversal. They can allow an attacker to access, modify, delete, or execute data or commands on the web server or the user's browser. Hardware based attacks involve exploiting vulnerabilities or weaknesses in hardware devices, such as firmware, end-of-life, legacy, or hardware tampering. They can allow an attacker to alter the functionality, performance, or security of the hardware device, or install malware, backdoors, or spyware on it.

For support or reporting issues, include Question ID: 64bc299b14129444ae1912c6 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
534
Q

Question 84:

Fred, a Chief Security Officer for Trinut Media, is particularly concerned about attack vectors that are introduced through the use of third-party software which handles much of the regular maintenance on email and database servers. Which of the following is the threat vector that Fred is worried about?

Phishing

Default credentials

Managed service providers

Business email compromise

A

Phishing

Default credentials

Your answer is correct

Managed service providers

Business email compromise

Overall explanation

OBJ: 2.2 - Managed service providers (MSPs) are companies that provide a wide array of services including infrastructure management and regular maintenance. MSPs are third parties hired by companies to reduce cost or improve service offerings. Software provided by an MSP can be a significant threat vector, allowing unauthorized access. While posing a risk, default credentials concern the use of preset login information, which can be exploited if unchanged, but aren't directly related to third-party service providers. Phishing is a threat vector that involves tricking individuals into providing sensitive data, typically through deceptive emails, and is not primarily related to third-party service management vulnerabilities. Business email compromise typically involves manipulating business email systems for unauthorized financial transactions and does not specifically relate to vulnerabilities in third-party service providers' software.

For support or reporting issues, include Question ID: 64b9ece0025989b5e01b7bf3 in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
535
Q

Question 85:

Which of the following methods converts original data into a coded format to prevent unauthorized access and requires a key to decode it?

Tokenization

Encryption

Hashing

Compression

A

Tokenization

Correct answer

Encryption

Hashing

Your answer is incorrect

Compression

Overall explanation

OBJ 3.3: Encryption transforms data into a coded format using specific algorithms and a key. Only those possessing the correct key can decrypt and access the original data, making it a primary means to secure information against unauthorized access. Tokenization replaces sensitive data with non-sensitive placeholders, or "tokens." While it hides original data, it doesn't convert the entire data set into a coded format. Tokenized data often remains on-premise, with the original data stored securely offsite. Compression reduces the size of data to save space or accelerate transmission. Though it changes the data format, its primary purpose isn't security. Compressed data can typically be decompressed without a specific key. Hashing converts data into a fixed-length string of characters, typically called a hash value. Hashing is one-way; once data is hashed, it can't be reversed to its original form. Hashing is more about data integrity and verification than preventing unauthorized access.

For support or reporting issues, include Question ID: 64c19108dd32557d54e4c0dc in your ticket. Thank you.

Domain

3.0 - Security Architecture
536
Q

Question 86:

Which of the following motivations refers to the act of threatening to expose someone's secrets unless they comply with certain demands?

Data exfiltration

Service disruption

Blackmail

Revenge

A

Data exfiltration

Service disruption

Correct answer

Blackmail

Your answer is incorrect

Revenge

Overall explanation

OBJ: 2.1 - Blackmail refers to the act of threatening to expose or harm someone unless they comply with certain demands. Blackmail is a form of extortion that can be done for financial, personal, or ideological reasons. Revenge refers to the act of harming a person or the person's reputation as a result of a perceived wrong or injury. Revenge can be done for personal, emotional, or ideological reasons. Data exfiltration refers to the act of stealing sensitive or confidential data from a system or network. The data that is stolen can later be used for financial gain, espionage, blackmail, or other purposes. Service disruption refers to the act of impairing or interrupting the availability or functionality of a system or network. Service disruption can be done as a form of protest, sabotage, or extortion, or to create a diversion.

For support or reporting issues, include Question ID: 64b861b074a248bfc6c933bd in your ticket. Thank you.

Domain

2.0 - Threats, Vulnerabilities, and Mitigations
537
Q

Question 87:

At Zenith Enterprises, the default password policy allows users to set passwords like "Zenith#21". Alex, a security consultant, believes this policy doesn't ensure robust password security. What is the BEST recommendation for Alex to ensure passwords are harder to decipher?

Implement account lockouts after three failed login attempts

Advise users to change their password if they receive a suspicious email

Switch to token-based authentication

Enforce 16 character minimum password length

A

Implement account lockouts after three failed login attempts

Advise users to change their password if they receive a suspicious email

Switch to token-based authentication

Your answer is correct

Enforce 16 character minimum password length

Overall explanation

OBJ 4.6: The Center for Internet Security (CIS) emphasizes the importance of password length in its recommendations, acknowledging that the number of characters in a password is a critical factor in its security. As password length increases, the number of possible combinations grows exponentially with each character added, making brute-force attacks significantly more challenging and time-consuming. Consequently, a longer password is generally considered more secure than a shorter one, even if the shorter password contains a complex mixture of letters, numbers, and special characters. Advising users to change their password if they receive a suspicious email targets phishing but doesn't address the fundamental issue of password strength. Implementing account lockouts after three failed login attempts can deter brute-force attacks but doesn't ensure users set strong passwords. While tokens add an additional security layer, they don't directly address the issue of password strength.

For support or reporting issues, include Question ID: 654445eed7728cf5f6ef5294 in your ticket. Thank you.

Domain

4.0 - Security Operations
538
Q

Question 88:

Kelly Innovations LLC is looking to secure their web applications against various threats like cross-site scripting and SQL injection attacks. They also want to monitor and log HTTP/HTTPS traffic for malicious patterns. Given the requirements and the specific protocols mentioned, which of the following would be the most suitable solution?

WAF

UTM

EAP

Proxy server on port 8080

A

Correct answer

WAF

UTM

Your answer is incorrect

EAP

Proxy server on port 8080

Overall explanation

OBJ 3.2: A WAF (Web application firewall) protects web applications by monitoring, filtering, and blocking HTTP/HTTPS traffic that could exploit vulnerabilities in the application. Typically, it operates at Layer 7 (Application Layer) of the OSI model and can specifically defend against common web-based threats. A UTM (Unified threat management) appliance is an all-in-one security solution that can include a WAF, but it also comprises other functionalities like anti-virus, anti-spam, VPN, and more. While a UTM can indeed monitor HTTP/HTTPS traffic, choosing a dedicated WAF is more tailored to the described requirement. EAP (Extensible authentication protocol) is an authentication framework, not a specific protocol. While EAP offers several methods and supports authentication for wireless networks and point-to-point connections, it doesn't filter or block malicious HTTP/HTTPS traffic targeting web application vulnerabilities. A proxy server can act as an intermediary for network requests and offers some level of security by obscuring the true network addresses; however, it is not inherently designed to defend against specific web application threats like a WAF. The mention of port 8080, a common alternate port for HTTP, might make it seem relevant but doesn't specifically cater to the requirement described.

For support or reporting issues, include Question ID: 652c791dc7a7b1e22ed067bc in your ticket. Thank you.

Domain

3.0 - Security Architecture
539
Q

Question 89:

If an asset worth $10,000 has an exposure factor of 25%, how much would the potential loss be in case of a successful security incident?

$2,500

$250

$25,000

$7,500

A

Correct answer

$2,500

$250

$25,000

Your answer is incorrect

$7,500

Overall explanation

OBJ 4.3: The exposure factor represents the percentage of loss an asset would suffer if a security incident occurs. Therefore, 25% of $10,000 results in a potential loss of $2,500. $25,000 is more than double the asset's value and doesn't correspond to the exposure factor provided. $250 is 2.5% of the asset's value, not 25%. $7,500 would be the remaining value of the asset after a 25% loss, not the loss itself.

For support or reporting issues, include Question ID: 6541cddcf6cd0ea2a54d2eb8 in your ticket. Thank you.

Domain

4.0 - Security Operations
540
Q

Question 90:

Kelly Innovations LLC is redesigning its network infrastructure to support its expanding R&D team. As part of the redesign, the company wants to implement measures that will reduce potential vulnerabilities and minimize security risks in their network. Which of the following strategies will MOST effectively lessen the attack surface for their new infrastructure?

Implementing strict access control only for external users

Using a centralized logging system to monitor all network traffic

Disabling unnecessary services and protocols

Deploying IDS to identify suspicious activity

A

Implementing strict access control only for external users

Using a centralized logging system to monitor all network traffic

Your answer is correct

Disabling unnecessary services and protocols

Deploying IDS to identify suspicious activity

Overall explanation

OBJ 3.2: Reducing active services and protocols minimizes potential entry points for attackers, thereby reducing the attack surface. An IDS helps detect attacks, but it does not reduce the attack surface by itself, as it does not prevent unnecessary services from being exposed. External access control is important, but not addressing all users (including internal users) still leaves this specific attack surface exposed and is not the most effective solution available. Monitoring traffic is useful, but it does not directly reduce the attack surface, as it is more reactive than proactive in minimizing exposed services or vulnerabilities.

For support or reporting issues, include Question ID: 652c718bc7a7b1e22ed067ad in your ticket. Thank you.

Domain

3.0 - Security Architecture