CompTIA Security+ (SY0-601) Practice Exam #2

A cybersecurity analyst notices that an attacker is trying to crack the WPS PIN associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 each time until they found the correct PIN of 13252342. Which of the following types of password cracking was being performed by the attacker?

A. Hybrid

B. Rainbow table

C. Brute-force

D. Dictionary
Brute-force

Explanation
OBJ-1.2: A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found. A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. A rainbow table is a precomputed list of possible hashes used when trying to speed up the process of password cracking. A hybrid password cracking attack combines the use of a brute-force attack with a dictionary attack by using words from the dictionary's list as the basis for the brute-force attack. For example, if the dictionary had the word Jason in it, the hybrid attack might try Jason123, Jason!@#, and J@$0n as possible combinations based on the word Jason.
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?

A. Semi-trusted environment testing

B. Partially known environment testing

C. Known environment testing

D. Unknown environment testing
Unknown environment testing

Explanation
OBJ-1.8: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider's perspective. A partially known environment tester has the user's access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network's internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools is necessary for this type of testing. A semi-trusted environment test is a made-up term and is used as a distractor in this question.
Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?

A. Utilize the key escrow process

B. Revoke the digital certificate

C. Deploy a new group policy

D. Create a new security group
Deploy a new group policy

Explanation
OBJ-3.7: A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.
D. Open mail relay

Explanation
OBJ-1.5: Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending an email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).
D. GLBA

Explanation
OBJ-5.2: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team's web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?

A. if (shippingAddress <= 75) {update field} else exit

B. if (shippingAddress != 75) {update field} else exit

C. if (shippingAddress = 75) {update field} else exit

D. if (shippingAddress >= 75) {update field} else exit
A. if (shippingAddress <= 75) {update field} else exit

Explanation
OBJ-3.2: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.
C. Metasploit

Explanation
OBJ-4.1: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations.
You have just finished running an Nmap scan on a server and see the following output:
___________________________________________________________________________________
# nmap diontraining.com

Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining.com (63.13.134.52)
Not shown: 996 filtered ports

PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
___________________________________________________________________________________

Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

A. 22
B. 53
C. 23
D. 443
C. 23

Explanation
OBJ-3.1: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use. The other open ports are SSH (port 22), DNS (port 53), and HTTPS (port 443).
You have run a vulnerability scan and received the following output:

_________________________________________________________________________
CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side
vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 -tls1
-cipher "AES:CAMELLIA:SEED:3DES:DES"
_________________________________________________________________________

Which of the following categories should this be classified as?

A. PKI transfer vulnerability
B. VPN tunnel vulnerability
C. Active Directory encryption vulnerability
D. Web application cryptography vulnerability
D. Web application cryptography vulnerability

Explanation
OBJ-4.3: This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A. Scan the files using a local anti-virus/anti-malware engine B. Submit the files to an open-source intelligence provider like VirusTotal C. Disassemble the files and conduct static analysis on them using IDA Pro D. Run the Strings tool against each file to identify common malware identifiersB. Submit the files to an open-source intelligence provider like VirusTotal Explanation OBJ-1.5: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace? A. Capitalism B. Counterfeiting C. Recycling D. EntrepreneurshipB. Counterfeiting Explanation OBJ-5.3: While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization's supply chain management. 
There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect your network's security.Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? A. FISMA B. HIPAA C. COPPA D. SOXA. FISMA Explanation OBJ-5.2: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.A competitor recently bought Dion Training's ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course exactly word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. From Dion Training's perspective, how would you BEST classify this situation? A. Data breach B. Mission essential function C. Identity theft D. 
IP theftD. IP theft Explanation OBJ-5.5: This is an example of intellectual property (IP) theft and it happened in 2019 to our company. The competitor wasn't even smart enough to change the examples we used throughout our course from our website (diontraining.com) to their website and re-recorded our entire 8-hour course word-for-word to sell as an audiobook. This is not identity theft because they didn't pretend to be Jason Dion or Dion Training. This is not a data breach because they did not compromise our systems to steal the course. Instead, they went to our website and purchased it. The risk is not a mission-essential function. A mission essential function is something that your organization must do to maintain its operations. For example, at Dion Training, our mission essential functions are (1) recording and editing training videos and (2) writing and publishing practice exams.Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords? A. Shoulder surfing B. Phishing C. Tailgating D. On-path attackA. Shoulder surfing Explanation OBJ-1.1: While a malicious employee or insider could use all of the methods listed to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users' passwords. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. 
The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people.If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use? A. Traceroute B. Hping C. Ptunnel D. Broadcast pingB. Hping Explanation OBJ-4.1: Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offered far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the NMAP creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets' transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. 
Broadcast ping is simply pinging the subnet's broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.Which of the following is a common attack model of an APT attack? A. Holds an organization's data hostage using encryption B. Relies on worms to spread laterally C. Quietly gathers information from compromised systems D. Involves sophisticated DDoS attacksC. Quietly gathers information from compromised systems Explanation OBJ-1.5: An APT refers to an adversary's ongoing ability to compromise network security by using various tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.What kind of security vulnerability would a newly discovered flaw in a software application be considered? A. Time-to-check to time-to-use flaw B. Input validation flaw C. Zero-day vulnerability D. HTTP header injection vulnerabilityC. Zero-day vulnerability Explanation OBJ-1.6: A zero-day vulnerability refers to a hole in software unknown to the vendor and newly discovered. This security hole can become exploited by hackers before the vendor becomes aware of it and can fix it. 
An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field that is successful due to an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. The time of check to time of use is a class of software bug caused by changes in a system between checking a condition (such as a security credential) and using the check's results and the difference in time passed. This is an example of a race condition.William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains? A. PAM B. TPM C. FDE D. AESTPM Explanation OBJ-3.2: This question is asking if you know what each acronym means. Trusted Platform Module (TPM) is a hardware-based cryptographic processing component that is a part of the motherboard. A Pluggable Authentication Module (PAM) is a device that looks like a USB thumb drive and is used as a software key in cryptography. Full Disk Encryption (FDE) can be hardware or software-based. Therefore, it isn't the right answer. The Advanced Encryption System (AES) is a cryptographic algorithm. Therefore, it isn't a hardware solution.A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. 
The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? A. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 B. Permit 143.27.43.0/24 161.212.71.14 RDP 3389 C. Permit 143.27.43.32 161.212.71.0/24 RDP 3389 D. Permit 143.27.43.32 161.212.71.14 RDP 3389D. Permit 143.27.43.32 161.212.71.14 RDP 3389 Explanation OBJ-3.3: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment? A. Key fob B. Cable locks C. USB lock D. Biometric locksB. Cable locks Explanation OBJ-2.7: The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. It only prevents them from moving the laptop from the area. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. 
Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. A SecureID token is an example of a key fob that is produced by RSA. USB lock prevents unauthorized data transfer through USB ports, reducing the risk of data leakage, data theft, computer viruses, and malware by physically locking and blocking the USB Ports.You have discovered that an employee has been conducting illegal activities using his workplace computer. You have taken possession of the employee's laptop according to your company's procedures and are waiting to give it to law enforcement authorities. What should you do when turning over the laptop to the police? A. Maintain the chain of custody B. Quarantine the system C. Preserve the evidence D. Document the changesA. Maintain the chain of custody Explanation OBJ-4.5: The chain of custody is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. The chain of custody must be maintained from when you arrived at the laptop until you turn it over to law enforcement officials. As first responders, our job is to collect the evidence and maintain the chain of custody.Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Malicious logicA. 
Buffer overflow Explanation OBJ-1.3: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.Which of the following policies should contain the requirements for removing a user's access when an employee is terminated? A. Data retention policy B. Data ownership policy C. Account management policy D. Data classification policyC. Account management policy Explanation OBJ-3.7: Account management policies describe the account life cycle from creation through decommissioning. Data ownership policies describe how ownership information is created and used. Data classification policies describe the classification structure of the data in use by an organization. Retention policies describe what data will be maintained and for how long it will be retained.Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on? A. Red team B. Blue team C. White team D. Yellow teamB. Blue team Explanation OBJ-1.8: Penetration testing can form the basis of functional exercises. 
One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A. MAC filtering B. VPN C. Intrusion Detection System D. Implement an allow listD. Implement an allow list Explanation OBJ-3.2: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). 
A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).

You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender sent a particular email message and avoid this type of situation?

A. Non-repudiation

B. Recovery agents

C. CRL

D. Trust models

A. Non-repudiation

Explanation
OBJ-2.8: Non-repudiation occurs when a sender cannot claim they didn't send an email when they did. A digital signature should be attached to each email sent to achieve non-repudiation. This digital signature is created by computing a digital hash of the email's contents and then encrypting that hash using the sender's private key. The receiver can then decrypt the digital hash using the sender's public key to verify the message's integrity.

Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network?

A. NAC

B. DMZ

C. VPN

D. UTM

A. NAC

Explanation
OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, the user or system authentication, and network security enforcement. NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware detection programs. NAC also regulates and restricts the things individual subscribers or users can do once they are connected. If a user is unknown, the NAC can quarantine the device from the network upon connection. A DMZ (demilitarized zone), a type of screened subnet, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network such as the Internet. A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Unified threat management (UTM) provides multiple security features (anti-virus, anti-spam, content filtering, and web filtering) in a single device or network appliance.

A financial services company wants to donate some old hard drives from their servers to a local charity. The hard drives used in the servers are self-encrypting drives. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?

A. Secure erase

B. Overwrite

C. Cryptographic erase

D. Zero-fill

C. Cryptographic erase

Explanation
OBJ-3.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question's scenario.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

A. Syslog

B. Firewall logs

C. NIDS

D. Network mapping

A. Syslog

Explanation
OBJ-4.3: The Syslog server is a centralized log management solution. By looking through the Syslog server's logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable.
What encryption key would provide the STRONGEST and MOST secure encryption?

A. Randomized one-time use pad

B. AES with a 256-bit key

C. DES with a 56-bit key

D. ECC with a 256-bit key

A. Randomized one-time use pad

Explanation
OBJ-2.8: The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used. DES and AES both rely on a single shared secret key, making them vulnerable to attack. DES has already been broken, while AES remains unbroken (today). With enough time and computing power, though, an AES key could be discovered. RSA is also vulnerable to attack with enough time and computing power.

What regulation protects the privacy of student educational records?

A. GLBA

B. SOX

C. HIPAA

D. FERPA

D. FERPA

Explanation
OBJ-5.2: The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records. The Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the privacy of an individual's financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly-traded company with a market value of at least $75 million. The Health Insurance Portability and Accountability Act (HIPAA) establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect patient medical information privacy through restricted access to medical records and regulations for sharing medical records.

Which of the following describes the overall accuracy of a biometric authentication system?

A. Crossover error rate

B. False acceptance rate

C. False positive rate

D. False rejection rate

A. Crossover error rate

Explanation
OBJ-2.4: The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computers' hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?

A. Shredding

B. Purging

C. Degaussing

D. Wiping

D. Wiping

Explanation
OBJ-2.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device's internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn't allow for device reuse.

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

A. Combination of cloud-based and server-based scanning engines

B. Passive scanning engine located at the core of the network infrastructure

C. Combination of server-based and agent-based scanning engines

D. Active scanning engine installed on the enterprise console

D. Active scanning engine installed on the enterprise console

Explanation
OBJ-1.7: Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals.
Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

A. Keylogger

B. Ransomware

C. Rootkit

D. Trojan

D. Trojan

Explanation
OBJ-1.2: A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim's computer. A hardware keylogger may be placed between the USB port and the wired keyboard.

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide?

A. PII

B. CUI

C. PHI

D. IP

A. PII

Explanation
OBJ-5.5: Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls to secure sensitive government information.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.)

Swap File -> 1. __________

Processor Cache -> 2. __________

Hard Drive or USB drive -> 3. __________

Random Access Memory -> 4. __________

You are working as part of a cyber incident response team. An ongoing attack has been identified on your webserver. Your company wants to take legal action against the criminals who have hacked your server, so they have brought a forensic analyst from the FBI to collect the evidence from the server. In what order should the digital evidence be collected based on the order of volatility?

A. Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive

B. Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive

C. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

D. Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache

C. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

Explanation
OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?

A. Forensic analysis report

B. Lessons learned report

C. Chain of custody report

D. Trends analysis report

B. Lessons learned report

Explanation
OBJ-4.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

A security analyst is conducting a log review of the company's web server and found two suspicious entries:

*reference top image*

The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:

*reference bottom image*

Based on source code analysis, which type of vulnerability is this web server vulnerable to?

A. Directory traversal

B. LDAP injection

C. SQL injection

D. Command injection

C. SQL injection

Explanation
OBJ-1.3: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores.
Directory traversal or path traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.

What tool is used to collect wireless packet data?

A. Netcat

B. Aircrack-ng

C. Nessus

D. John the Ripper

B. Aircrack-ng

Explanation
OBJ-3.4: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand?

A. Resource pooling

B. On-demand

C. Metered services

D. Rapid elasticity

D. Rapid elasticity

Explanation
OBJ-2.3: Rapid elasticity is used to describe scalable provisioning or the capability to provide scalable cloud computing services. Rapid elasticity is very critical to meet the fluctuating demands of cloud users. The downside of rapid elasticity implementations is that they can cause significant loading of the system due to the high number of resource allocation and deallocation requests. Resource pooling refers to the concept that allows a virtual environment to allocate memory and processing capacity for a VM's use. On-demand refers to the fact that a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Metered services are pre-paid, a-la-carte, pay-per-use, or committed offerings. A metered service like a database may charge its users based on the actual usage of the service resources on an hourly or monthly basis. For example, Dion Training used the AWS Lambda serverless product in some of our automation. This service charges us $0.20 for every 1 million requests processed.

You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?

A. Protocol analysis

B. Vulnerability scan

C. Passive scan

D. Banner grabbing

D. Banner grabbing

Explanation
OBJ-1.7: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run.

Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following types of cloud deployment models is being used?

A. Multi-cloud

B. Private

C. Public

D. Community

A. Multi-cloud

Explanation
OBJ-2.2: Multi-cloud is a cloud deployment model where the cloud consumer uses multiple public cloud services. In this example, Dave is using the Google Cloud, Amazon's AWS, and Slack's cloud-based SaaS product simultaneously. A private cloud is a cloud that is deployed for use by a single entity. A public cloud is a cloud that is deployed for shared use by multiple independent tenants. A community cloud is a cloud that is deployed for shared use by cooperating tenants.

What type of scan will measure the size or distance of a person's external features with a digital video camera?

A. Retinal scan

B. Iris scan

C. Facial recognition scan

D. Signature kinetics scan

C. Facial recognition scan

Explanation
OBJ-2.4: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person's retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person's iris. A signature kinetics scan measures a user's action when signing their name and compares it against a known-good example or baseline.

After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization's privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?

A. Quantitative risk assessment

B. Qualitative risk assessment

C. Supply chain assessment

D. Privacy assessment

B. Qualitative risk assessment

Explanation
OBJ-5.4: This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low.
If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring?

A. 80

B. 22

C. 143

D. 21

B. 22

Explanation
OBJ-3.1: Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The internet message access protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time.

Which of the following technologies is NOT a shared authentication protocol?

A. LDAP

B. OpenID Connect

C. Facebook Connect

D. OAuth

A. LDAP

Explanation
OBJ-3.8: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?

A. Biometric reader

B. Cable lock

C. Key fob

D. Smart card

D. Smart card

Explanation
OBJ-3.7: A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system in which the smart card and a PIN need to be entered for system authentication to occur. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur. The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. They only prevent them from moving the laptop from the area. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. A SecurID token is an example of a key fob that is produced by RSA.

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next?

A. Contact the service desk or incident response team to determine what to do next

B. Contact his team lead and ask what he should do next

C. Contact the website's owner and request they take down the PDF

D. Reply to the blog post and deny the accuracy of the specifications

A. Contact the service desk or incident response team to determine what to do next

Explanation
OBJ-5.5: This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product's specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team.

Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?

A. SSLv3

B. SSLv2

C. PPTP

D. IPsec

D. IPsec

Explanation
OBJ-3.3: IPsec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources.
Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

A. 192.186.1.100

B. 192.168.1.100

C. 10.15.1.100

D. 172.16.1.100

A. 192.186.1.100

Explanation
OBJ-1.7: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

You have been asked to assist with an investigation into a malicious user's activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation?

A. Email messages

B. Application logs

C. File contents

D. Metadata

D. Metadata

Explanation
OBJ-4.3: Netflow is a flow analysis tool. Netflow does not capture the full packet capture of data as it crosses the network sensor but instead captures metadata and statistics about the network traffic. This metadata can highlight trends and patterns in the traffic generated by the malicious user, such as the volume of data sent and received. This could indicate data exfiltration if a large amount of data was sent in a short period of time. File contents and email messages could be retrieved from a full packet capture, but unfortunately, that was not provided in this scenario. Application logs are stored locally on a host or a centralized server, but those would not be captured in the netflow data.

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

A. The SMTP audit log from your company's email server

B. The full email header from one of the spam messages

C. Firewall logs showing the SMTP connections

D. Network flows for the DMZ containing the email servers

B. The full email header from one of the spam messages

Explanation
OBJ-1.1: You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and flooding destroyed all of the hardware associated with the small business. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never happens again. Which of the following recommendations should you include as part of the disaster recovery plan?

A. Local backups should be verified weekly to ensure no data loss occurs

B. Purchase waterproof devices to prevent data loss

C. Local backups should be conducted

D. Backups should be conducted to a cloud-based storage solution

D. Backups should be conducted to a cloud-based storage solution

Explanation
OBJ-4.2: While losing the hardware is a problem for the business, their insurance will replace the hardware if flooding destroyed it. The data involved is more of a concern. Therefore, backups should be the primary concern. Local backups are risky since a flood might also destroy them; therefore, using a cloud-based storage solution would be ideal and prevent future data loss.

You are troubleshooting an issue with a Windows desktop and need to display the machine's active TCP connections. Which of the following commands should you use?

A. netstat

B. ipconfig

C. net use

D. ping

A. netstat

Explanation
OBJ-4.1: The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when determining if any malware has been installed on the system and may be maintaining a remote connection with a command and control server. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The ping command is used to test a host's reachability on an Internet Protocol network. The net use command is used to connect to, remove, and configure connections to shared resources such as mapped drives and network printers.

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?

A. Purchase additional workstations

B. Bypass testing and deploy patches directly into the production environment

C. Sandboxing

D. Virtualization

D. Virtualization

Explanation
OBJ-3.2: When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab. Virtualization will allow the organization to create a lab environment without significant costs. Purchasing additional workstations would be costly and more time-consuming to configure.

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called?

A. Penetration testing

B. Threat hunting

C. Incident response

D. Information assurance

B. Threat hunting

Explanation
OBJ-1.7: Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system. Penetration testing uses active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation to limit damage and reduce recovery time and costs.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?

A. Insufficient logging and monitoring

B. Improper error handling

C. Insecure object reference

D. Use of insecure functions

B. Improper error handling

Explanation
OBJ-1.3: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allow the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

A new corporate policy dictates that all access to network resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories.
Which of the following security concepts is BEST described by this new policy? A. Least privilege B. Permission creep C. Directory permissions D. BlocklistsA. Least privilege Explanation OBJ-5.3: Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Privilege itself refers to the authorization to bypass certain security restraints. Permissions Creep, also known as privilege creep, is what happens when an employee moves between roles in an organization and keeps the access or permissions of the previous role. Directory permissions are used to determine which users can access, read, write, and delete files or directories within a given directory. A blocklist is a list of IP addresses, ports, or applications that are not allowed to be run or used on a given system.Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? A. Machine learning B. Generative adversarial network C. Artificial intelligence D. Deep learningA. Machine learning Explanation OBJ-1.2: A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it. Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. AI goes beyond ML and can make a more complicated decision than just the classifications made by ML. 
A deep learning system can determine what is malicious traffic without having the prior benefit of being told what is benign/malicious. A generative adversarial network is an underlying strategy used to accomplish deep learning but is not specific to the scenario described.A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price? A. Changing hidden form values B. Cross-site scripting C. SQL injection D. Buffer overflow attackA. Changing hidden form values Explanation OBJ-3.2: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.Which of the following cryptographic algorithms is classified as symmetric? A. AES B. Diffie-Hellman C. RSA D. ECCA. AES Explanation OBJ-2.8: The Advanced Encryption Standard (AES) is a symmetric-key algorithm for encrypting digital data. 
It was established as an electronic data encryption standard by NIST in 2001. AES can use a 128-bit, 192-bit, or 256-bit key, and uses a 128-bit block size.Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. OpenID Connect B. ADFS C. SAML D. KerberosC. SAML Explanation OBJ-2.4: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? A. Raw financial information about the company was accessed B. PII of company employees and customers was exfiltrated C. 
Forensic review of the server required fallback to a less efficient service D. IP addresses and other network-related configurations were exfiltratedB. PII of company employees and customers was exfiltrated Explanation OBJ-5.5: If the PII (Personally Identifiable Information) of the company's employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using? A. Community B. Public C. Hybrid D. PrivateB. Public Explanation OBJ-2.2: The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. Amazon Web Services, Microsoft Azure, and Google Cloud are three popular public cloud platforms. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. 
A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.Which of the following cryptographic algorithms is classified as asymmetric? A. DES B. ECC C. RC4 D. TwofishB. ECC Explanation OBJ-2.8: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.Which of the following is not normally part of an endpoint security suite? A. Anti-virus B. VPN C. Software firewall D. IPSB. VPN Explanation OBJ-3.2: Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? A. Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully B. Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities C. 
Attempt to identify all the false positives and exceptions, then resolve any remaining items D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities firstD. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first Explanation OBJ-5.5: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won't be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either because you have removed them from the production environment and can no longer serve their critical business functions.Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices? A. HIPS B. GPO C. Anti-malware D. Patch managementB. GPO Explanation OBJ-4.4: Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. 
A Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an active directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Anti-malware software is a program that scans a device or network for known viruses, Trojans, worms, and other malicious software. Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware. Proper patch management is a technical control that would prevent future outbreaks.The Pass Certs Fast corporation has recently been embarrassed by several high-profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? A. This approach assumes that the on-site administrators will provide better security than the cloud provider B. This approach only changes the location of the network and not the network's attack surface C. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration D. This is a reasonable approach that will increase the security of the servers and infrastructureB. 
This approach only changes the location of the network and not the network's attack surface Explanation OBJ-3.6: A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the network's security. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument's fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company's physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor is 30%. What is the ALE for a data breach within Jamie's organization? A. $9,000 B. $90,000 C. $360,000 D. $36,000A. 
$9,000 Explanation OBJ-5.4: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the exposure factor (EF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). SLE = AV x RF = $120,000 x 30% = $36,000 ALE = SLE x ARO = $36,000 x 0.25 = $9,000Your company has an office in Boston and is worried that its employees may not reach the office during periods of heavy snowfall. You have been asked to select a technology that would allow employees to work remotely from their homes during poor weather conditions. Which of the following should you select? A. VLAN B. NAT C. IDS D. VPND. VPN Explanation OBJ-3.3: A remote-access VPN connection allows an individual user to connect to a private network from a remote location using a laptop or desktop computer connected to the internet. A remote-access VPN allows individual users to establish secure connections with a remote computer network. Once established, the remote user can access the corporate network and its capabilities as if they were accessing the network from their own office spaces. Network address translation (NAT) is a network service provided by a router or proxy server to map private local addresses to one or more publicly accessible IP addresses. NAT can use static mappings but is commonly implemented as network port address translation (PAT) or NAT overloading, where a few public IP addresses are mapped to multiple LAN hosts using port allocations. A Virtual LAN (VLAN) is a logically separate network that is created using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate. An intrusion detection system (IDS) is a device or software application that monitors a network or system for malicious activity or policy violations. 
Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them.Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called? A. Collision resistance B. Rainbow table C. Salting D. Key stretchingD. Key stretching Explanation OBJ-2.8: In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert? A. True negative B. True positive C. False negative D. False positiveD. False positive Explanation OBJ-1.7: A false positive occurs when an alert is triggered (the system believes malicious activity occurred) when there is no malicious activity involved. A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.The paparazzi have found copies of pictures of a celebrity's new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider's automated photo backup. Which of the following threats was the celebrity MOST likely a victim of? A. Unauthorized root access B. Leaked personal files C. Unauthorized camera activation D. Unintended Bluetooth pairingB. 
Leaked personal files Explanation OBJ-2.5: When authorized users access devices through unintended connections or unauthorized users get their hands on absconded devices, they can access data on the device(s) that they were never intended to see. Every firm should have a policy for protecting data (encryption) and dealing with leaks when they occur.You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved? A. A robust method of incident detection B. An offline incident response jump bag or kit C. A call list/escalation list D. An established incident response form for all employees to use to collect dataC. A call list/escalation list Explanation OBJ-4.2: To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. 
When companies go "right to the top" of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be performed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick "stand up" report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring? A. Install a host-based intrusion detection system on all of the corporate workstations B. Install an anti-virus or anti-malware solution that uses heuristic analysis C. Install a Unified Threat Management system on the network to monitor for suspicious traffic D. Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG serverB. Install an anti-virus or anti-malware solution that uses heuristic analysis Explanation OBJ-3.3: The only solution that could stop this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. 
Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. The UTM is also acting as an IDS in this scenario based on the option presented.You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A. Impersonation B. Password spraying C. Integer overflow attack D. SQL injectionC. Integer overflow attack Explanation OBJ-1.3: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a large number to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the application's client-side. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for fraud.Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. 
The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A. The drives must be destroyed to ensure no data loss B. Purge, validate, and document the sanitization of the drives C. Clear, validate, and document the sanitization of the drives D. Clear the drivesB. Purge, validate, and document the sanitization of the drives Explanation OBJ-2.7: Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.