Term
The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat?
- A. A script kiddie
- B. Shadow IT
- C. Hacktivism
- D. White-hat
|
|
Definition
Answer : B
Shadow IT is the unauthorized use of any digital service or device that is not formally approved of and supported by the IT department.
Examples of shadow IT include: Creating cloud workloads using personal accounts or credentials. |
|
|
Term
A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:
- A. perform attribution to specific APTs and nation-state actors.
- B. anonymize any PII that is observed within the IoC data.
- C. add metadata to track the utilization of threat intelligence reports.
- D. assist companies with impact assessments based on the observed data.
|
|
Definition
Answer : B
Data anonymization is the process of protecting private or sensitive information by erasing or encrypting identifiers that connect an individual to stored data.
Example, you can run Personally Identifiable Information (PII) such as names, social security numbers, and addresses through a data anonymization process that retains the data but keeps the source anonymous. |
|
|
Term
While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?
- A. A RAT was installed and is transferring additional exploit tools.
- B. The workstations are beaconing to a command-and-control server.
- C. A logic bomb was executed and is responsible for the data transfers.
- D. A fireless virus is spreading in the local network environment.
|
|
Definition
Answer : A
A remote access Trojan (RAT) is a malware program that opens a backdoor, enabling administrative control over the victim’s computer. RATs are typically downloaded together with a seemingly legitimate program, like a game, or are sent to the target as an email attachment. Once the attacker compromises the host’s system, they can use it to distribute RATs to additional vulnerable computers, establishing a botnet. |
|
|
Term
An organization is developing a plan in the event of a complete loss of critical systems and data. Which of the following plans is the organization MOST likely developing?
- A. Incident response
- B. Communications
- C. Disaster recovery
- D. Data retention
|
|
Definition
Answer : C
Disaster recovery: Is an organization's method of regaining access and functionality to its IT infrastructure after events like a natural disaster, cyber attack, or even business disruptions related to the COVID-19 pandemic. A variety of disaster recovery (DR) methods can be part of a disaster recovery plan.
Example: fire suppression tools help equipment and data survive through a blaze, and backup power sources support businesses' continuity in case of power failure. Similarly, AWS data centers have innovative systems that protect them from human-made and natural risks. |
|
|
Term
Which of the following is the purpose of a risk register?
- A. To define the level or risk using probability and likelihood
- B. To register the risk with the required regulatory agencies
- C. To identify the risk, the risk owner, and the risk measures
- D. To formally log the type of risk mitigation strategy the organization is using
|
|
Definition
Answer : C
The purpose of a risk register is to identify, log, and track potential project risks. A risk in project management is anything unexpected that could happen that would positively or negatively affect your project. |
|
|
Term
A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected.
Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.)
- A. DoS
- B. SSL stripping
- C. Memory leak
- D. Race condition
- E. Shimming
- F. Refactoring
|
|
Definition
Answer : AD
A disk operating system (abbreviated DOS) is a computer operating system that resides on and can use a disk storage device, such as a floppy disk, hard disk drive, or optical disc. A disk operating system must provide a file system for organizing, reading, and writing files on the storage disk.
A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly. |
|
|
Term
A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform?
- A. PCI DSS
- B. ISO 22301
- C. ISO 27001
- D. NIST CSF
|
|
Definition
Answer : A
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. |
|
|
Term
Which of the following BEST describes a security exploit for which a vendor patch is not readily available?
- A. Integer overflow
- B. Zero-day
- C. End of life
- D. Race condition
|
|
Definition
Answer : B
A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. |
|
|
Term
The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the companyג€™s Chief Executive Officer (CEO), requesting a transfer of
$10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using?
- A. Phishing
- B. Whaling
- C. Typo squatting
- D. Pharming
|
|
Definition
Answer : B
Whaling is a highly targeted phishing attack - aimed at senior executives - masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds. |
|
|
Term
An organization wants to implement a third factor to an existing multifactor authentication. The organization already uses a smart card and password. Which of the following would meet the organizations needs for a third factor?
- A. Date of birth
- B. Fingerprints
- C. PIN
- D. TPM
|
|
Definition
Answer : B
Examples include using a security token, such as a key fob or smart card, in conjunction with a PIN (personal identification number) or swiping a card before scanning your fingerprint. Three-factor authentication requires the use of credentials from each of the three categories. |
|
|
Term
An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used?
- A. Order of volatility
- B. Data recovery
- C. Chain of custody
- D. Non-repudiation
|
|
Definition
Answer : C
The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. |
|
|
Term
A company wants to deploy PKI on its Internet-facing website. The applications that are currently deployed are:
✑ www.company.com (main website)
✑ contactus.company.com (for locating a nearby location)
quotes.company.com (for requesting a price quote)
[image]
The company wants to purchase one SSL certificate that will work for all the existing applications and any future applications that follow the same naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?
- A. SAN
- B. Wildcard
- C. Extended validation
- D. Self-signed
|
|
Definition
Answer : B
A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing web server, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals. |
|
|
Term
A Chief Security Officer (CSO) is concerned about the amount of PII that is stored locally on each salespersonג€™s laptop. The sales department has a higher-than- average rate of lost equipment. Which of the following recommendations would BEST address the CSOג€™s concern?
- A. Deploy an MDM solution.
- B. Implement managed FDE.
- C. Replace all hard drives with SEDs.
- D. Install DLP agents on each laptop.
|
|
Definition
Answer : B
With FDE, all data is encrypted by default, taking the security decision out of the hands of the user. The most common use case for implementing FDE is to protect data loss due to lost or stolen laptops, which is often sufficient enough to avoid costly data breach notification requirements. |
|
|
Term
A user contacts the help desk to report the following:
✑ Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested.
✑ The user was able to access the Internet but had trouble accessing the department share until the next day.
The user is now getting notifications from the bank about unauthorized transactions.
[image]
Which of the following attack vectors was MOST likely used in this scenario?
- A. Rogue access point
- B. Evil twin
- C. DNS poisoning
- D. ARP poisoning
|
|
Definition
Answer : A
A rogue access point is a device not sanctioned by an administrator, but is operating on the network anyway. This could be an access point set up by either an employee or by an intruder. The access point could also belong to a nearby company. |
|
|
Term
A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the
Internet all day. Which of the following would MOST likely show where the malware originated?
- A. The DNS logs
- B. The web server logs
- C. The SIP traffic logs
- D. The SNMP logs
|
|
Definition
Answer : A
The Domain Name System (DNS) log has an important role in how end users in your enterprise connect to the internet. Each connection made to a domain by the client devices is recorded in the DNS logs. Inspecting DNS traffic between client devices and your local recursive resolver could reveal a wealth of information for forensic analysis. |
|
|
Term
Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.)
- A. Cross-site scripting
- B. Data exfiltration
- C. Poor system logging
- D. Weak encryption
- E. SQL injection
- F. Server-side request forgery
|
|
Definition
Answer : DF
A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken (i.e. cracked).
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. |
|
|
Term
A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned mobile devices. Which of the following technologies would be BEST to balance the BYOD culture while also protecting the company's data?
- A. Containerization
- B. Geofencing
- C. Full-disk encryption
- D. Remote wipe
|
|
Definition
Answer : C
Full disk encryption (FDE) is a security safeguard that protects all data stored on a hard drive from unauthorized access using disk-level encryption. With FDE, all data is encrypted by default, taking the security decision out of the hands of the user. |
|
|
Term
A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives?
- A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares.
- B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident.
- C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks.
- D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
|
|
Definition
Answer : D
A whitelist (allowlist) is a cybersecurity strategy that approves a list of email addresses, IP addresses, domain names or applications, while denying all others.
Centralized log management is a comprehensive approach to network, data, and security management that uses automated tools to collect logs from across an IT infrastructure. |
|
|
Term
A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.)
- A. Perform a site survey
- B. Deploy an FTK Imager
- C. Create a heat map
- D. Scan for rogue access points
- E. Upgrade the security protocols
- F. Install a captive portal
|
|
Definition
Answer : AC
A wireless site survey, sometimes called an RF (Radio Frequency) site survey or wireless survey, is the process of planning and designing a wireless network, to provide a wireless solution that will deliver the required wireless coverage, data rates, network capacity, roaming capability and Quality of Service (QoS)[1].
A security heat map is essential to determine exactly where your issues and/or vulnerabilities are and what needs to be fixed to keep you fully protected. |
|
|
Term
A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employeeג€™s hard disk. Which of the following should the administrator use?
- A. dd
- B. chmod
- C. dnsenum
- D. logger
|
|
Definition
Answer : A
In the venerable Unix command dd, the disk/data duplicator (or, sometimes, disk destroyer) allows us to copy raw data from one source to another. It's not used to copy individual files like cp. Instead, it lets us read from and write to block devices — for example, physical hard drives. |
|
|
Term
Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?
- A. SSAE SOC 2
- B. PCI DSS
- C. GDPR
- D. ISO 31000
|
|
Definition
Answer : C
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). |
|
|
Term
Phishing and spear-phishing attacks have been occurring more frequently against a companyג€™s staff. Which of the following would MOST likely help mitigate this issue?
- A. DNSSEC and DMARC
- B. DNS query logging
- C. Exact mail exchanger records in the DNS
- D. The addition of DNS conditional forwarders
|
|
Definition
Answer : A
The Domain Name System Security Extensions (DNSSEC) is a set of specifications that extend the DNS protocol by adding cryptographic authentication for responses received from authoritative DNS servers. Its goal is to defend against techniques that hackers use to direct computers to rogue websites and servers.
DMARC is an open email authentication protocol that provides domain-level protection of the email channel. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks. |
|
|
Term
On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.)
- A. Data accessibility
- B. Legal hold
- C. Cryptographic or hash algorithm
- D. Data retention legislation
- E. Value and volatility of data
- F. Right-to-audit clauses
|
|
Definition
Answer : EF
Volatility often refers to the amount of uncertainty or risk related to the size of changes in a security's value. A higher volatility means that a security's value can potentially be spread out over a larger range of values.
A right to audit clause entitles your organization to review your vendor's work product and reporting which may include self-assessments, third-party audits and other, official documents detailing the sufficiency of internal systems and controls. |
|
|
Term
Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?
- A. Investigation
- B. Containment
- C. Recovery
- D. Lessons learned
|
|
Definition
Answer : B
Containment: The actions required to prevent the incident or event from spreading across the network. |
|
|
