Studied by 0 people
Looks like no one added any tags here yet for you.
Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?
Organized Crime,
a type of threat actor that is motivated by financial gain and often operates across
national borders. Organized crime groups may be hired by foreign governments to conduct cyberattacks
on critical systems located in other countries, such as power grids, military networks, or financial
institutions.
Which of the following is used to add extra complexity before using a one-way data transformation algorithm?
Salting,
the process of adding extra random data to a password or other data before applying a one
way data transformation algorithm, such as a hash function.
An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?
Phishing , based on false linkthat misleads users into providing sensitive information.
a type of social engineering attack that involves sending fraudulent emails that appear to be
from legitimate sources, such as payment websites, banks, or other trusted entities. The goal of phishing
is to trick the recipients into clicking on malicious links, opening malicious attachments, or providing
sensitive information, such as log-in credentials, personal data, or financial details.
An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS
requests will only be allowed from one device with the IP address 10.50.10.25.
Which of the following firewall ACLs will accomplish this goal?
A. Access list outbound permit 0.0.0.0 0 0.0.0.0/0 port 53 Access list outbound deny 10.50.10.25 32
0.0.0.0/0 port 53
B. Access list outbound permit 0.0.0.0/0 10.50.10.25 32 port 53 Access list outbound deny 0.0.0.0 0
0.0.0.0/0 port 53
C. Access list outbound permit 0.0.0.0 0 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0
10.50.10.25 32 port 53
D. Access list outbound permit 10.50.10.25 32 0.0.0.0/0 port 53 Access list outbound deny
0.0.0.0.0.0.0.0.0/0 port 53
Access list outbound permit 10.50.10.25 32 0.0.0.0/0 port 53 Access list outbound deny
0.0.0.0.0.0.0.0.0/0 port 53
because it allows only the device with the IP address 10.50.10.25 to send
outbound DNS requests on port 53, and denies all other devices from doing so.
A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?
SSO (single sign on)
a method of authentication that allows users to access multiple applications or services with one set of credentials. SSO reduces the number of credentials employees need to maintain and simplifies the login process.
6.Which of the following scenarios describes a possible business email compromise attack?
A. An employee receives a gift card request in an email that has an executive's name in the display field
of the email.
B. Employees who open an email attachment receive messages demanding payment in order to access
files.
C. A service desk employee receives an email from the HR director asking for log-in credentials to a
cloud administrator account.
D. An employee receives an email with a link to a phishing site that is designed to look like the
company's email portal.
A. because this is a indicator of A business email compromise (BEC) attack is a type of phishing attack that targets employees who have
access to company funds or sensitive information. The attacker impersonates a trusted person, such as
an executive, a vendor, or a client, and requests a fraudulent payment, a wire transfer, or confidential
data.
A company prevented direct access from the database administrators’ workstations to the network segment that contains database servers. Which of the following should a database administrator use to access the database servers?
Jump Server is a device or virtual machine that acts as an intermediary between a user’s workstation
and a remote network segment. A jump server can be used to securely access servers or devices that
are not directly reachable from the user’s workstation, such as database servers. A jump server can also
provide audit logs and access control for the remote connections. A jump server is also known as a jump
box or a jump host
An organization’s internet-facing website was compromised when an attacker exploited a buffer overflow.
Which of the following should the organization deploy to best protect against similar attacks in the
future?
web application firewall (WAF), a type of firewall that
monitors and filters the traffic between a web application and the internet. A WAF can detect and block
common web attacks, such as buffer overflows, SQL injections, cross-site scripting (XSS), and more. A
WAF can also enforce security policies and rules, such as input validation, output encoding, and
encryption.
.An administrator notices that several users are logging in from suspicious IP addresses. After speaking
with the users, the administrator determines that the employees were not logging in from those IP
addresses and resets the affected users’ passwords.
Which of the following should the administrator implement to prevent this type of attack from succeeding
in the future?
MFA, multifactor authentication. (MFA) is a method of verifying a user’s
identity by requiring more than one factor, such as something the user knows (e.g., password),
something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent
unauthorized access even if the user’s password is compromised, as the attacker would need to provide
another factor to log in.
An employee receives a text message that appears to have been sent by the payroll department and
is asking for credential verification.
Which of the following social engineering techniques are being attempted? (Choose two.)
A. Typosquatting
B. Phishing
C. Impersonation
D. Vishing
E. Smishing
F. Misinformation
Smising and impersonation.
Several employees received a fraudulent text message from someone claiming to be the Chief
Executive Officer (CEO).
The message stated:
“I’m in an airport right now with no access to email. I need you to buy gift cards for employee recognition
awards. Please send the gift cards to following email address.”
Which of the following are the best responses to this situation? (Choose two).
A. Cancel current employee recognition gift cards.
B. Add a smishing exercise to the annual company training.
C. Issue a general email warning to the company.
D. Have the CEO change phone numbers.
E. Conduct a forensic investigation on the CEO's phone.
F. Implement mobile device management.
Add a smishing exercise to the annual company training.
Issue a general email warning to the company.
This situation is an example of smishing, which is a type of phishing that uses text messages (SMS) to entice individuals into providing personal or sensitive information to cybercriminals. The best responses to this situation are to add a smishing exercise to the annual company training and to issue a general email warning to the company.
A company is required to use certified hardware when building networks.
Which of the following best addresses the risks associated with procuring counterfeit hardware?
A thorough analysis of the supply chain
Counterfeit hardware is hardware that is built or modified without the authorization of the original
equipment manufacturer (OEM). It can pose serious risks to network quality, performance, safety, and
reliability12. Counterfeit hardware can also contain malicious components that can compromise the
security of the network and the data that flows through it
Which of the following provides the details about the terms of a test with a third-party penetration tester?
Rules of engagement
They define the scope, objectives, methods, and boundaries
of the test, as well as the roles and responsibilities of the testers and the clients
A penetration tester begins an engagement by performing port and service scans against the client environment according to the rules of engagement.
Active reconnaissance
Active reconnaissance can reveal information such as open ports,
services, operating systems, and vulnerabilities. However, active reconnaissance is also more likely to
be detected by the target or its security devices, such as firewalls or intrusion detection systems. Port
and service scans are exa
Which of the following is required for an organization to properly manage its restore process in the event of system failure?
DRP
a set of policies and procedures that aim to restore the normal operations of an organization in the event of a system failure, natural disaster, or other emergency.
Consists of a risk assessment, business impact, recovery strategy, testing and maintenance plan (ensures drp is updated)
Which of the following vulnerabilities is associated with installing software outside of a manufacturer’s approved software repository?
Side loading,
the process of installing software outside of a manufacturer’s approved software
repository. This can expose the device to potential vulnerabilities, such as malware, spyware, or
unauthorized access. Side loading can also bypass security controls and policies that are enforced by
the manufacturer or the organization.
17.A security analyst is reviewing the following logs:
Password spraying
a type of brute force, high volume attack that tries common passwords across several accounts
to find a match. It is a mass trial-and-error approach that can bypass account lockout protocols. It can
give hackers access to personal or business accounts and information.
An analyst is evaluating the implementation of Zero Trust principles within the data plane.
Which of the following would be most relevant for the analyst to evaluate?
Reducing threat scope,
the data plane is the part of a network that carries user traffic, so reducing the treat scope would
reduces, divides and minimizes the blast radius and segment access, so that if one segment is compromised, the attack cant laterally move.
An engineer needs to find a solution that creates an added layer of security by preventing
unauthorized access to internal company resources.
Which of the following would be the best solution?
Jump Server,
an intermediary between a user and a target system. A jump
server can provide an added layer of security by preventing unauthorized access to internal company
resources. A user can connect to the jump server using a secure protocol, such as SSH, and then
access the target system from the jump server.
A jump server is
also known as a bastion host or a jump box.
.A company’s web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites?
encryption=off\
http://
www.*.com
443
http://
since the url is insecure (not https, which is port 443 and is just secured http)
During a security incident, the security operations team identified sustained network traffic from a
malicious IP address:
10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the
organization’s network.
access-list inbound deny ig source 0.0.0.0/0 destination 10.1.4.9/32
access-list inbound deny ig source 10.1.4.9/32 destination 0.0.0.0/0
access-list inbound permit ig source 10.1.4.9/32 destination 0.0.0.0/0
access-list inbound permit ig source 0.0.0.0/0 destination 10.1.4.9/32
B,
the security analyst is
creating an inbound firewall rule to block the IP address 10.1.4.9 from accessing the organization’s
network. This means that the action should be deny, the protocol should be any (or ig for IP), the source
address should be 10.1.4.9/32 (which means a single IP address), the destination address should be
0.0.0.0/0 (which means any IP address), and the port number should be any.
A company needs to provide administrative access to internal resources while minimizing the traffic
allowed through the security boundary.
A bastion host is a special-purpose server that is designed to withstand attacks and provide secure
access to internal resources. A bastion host is usually placed on the edge of a network, acting as a
gateway or proxy to the internal network. A bastion host can be configured to allow only certain types of
traffic, such as SSH or HTTP, and block all other traffic.
.A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee’s corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data sour
Endpoint log
a file that contains information about the activities and events that occur on an
end-user device, such as a laptop, desktop, tablet, or smartphone. Endpoint logs can provide valuable
data for security analysts, such as the processes running on the device, the network connections
established, the files accessed or modified, the user actions performed, and the applications installed or
updated. Endpoint logs can also record the details of any executable files running on the device, such as
the name, path, size, hash, signature, and permissions of the executable.
.A cyber operations team informs a security analyst about a new tactic malicious actors are using to
compromise networks.
SIEM alerts have not yet been configured.
Which of the following best describes what the security analyst should do to identify this behavior?
Threat hunting
Threat hunting is the process of proactively searching for signs of malicious activity or compromise in a network, rather than waiting for alerts or indicators of compromise (IOCs) to appear. Threat hunting can help identify new tactics, techniques, and procedures (TTPs) used by malicious actors, as well as uncover hidden or stealthy threats that may have evaded detection by security tools. Threat hunting requires a combination of skills, tools, and methodologies, such as hypothesis generation, data collection and analysis, threat intelligence, and incident response. Threat hunting can also help improve the security posture of an organization by providing feedback and recommendations for security improvements
.A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?
Transfer
By purchasing cyber insurance, the company is transferring the risk to the insurance company, which will cover the financial losses and liabilities in case of a cyberattack.
A security administrator would like to protect data on employees’ laptops. Which of the following encryption techniques should the security administrator use?
FDE,
a technique that encrypts all the data on a hard drive, including the operating system, applications, and files. FDE protects the data from unauthorized access in case the laptop is lost, stolen, or disposed of without proper sanitization. FDE requires the user to enter a password, a PIN, a smart card, or a biometric factor to unlock the drive and boot the system. Using Bitlocker, File Valut or Veracrypt (software) or Self Encrypting drives (SED) or TPMS (trusted platform modules)
Which of the following security control types does an acceptable use policy best represent?
Preventive
An AUP best represents a preventive security control type, because it aims to deter or stop potential security incidents from occurring in the first place. A preventive control is proactive and anticipates possible threats and vulnerabilities, and implements measures to prevent them from exploiting or harming the system or the data
An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have access to the administrator console of the help desk software. Which of the following security techniques is the IT manager setting up?
Least privilege,
a security concept that limits access to resources to the minimum level
needed for a user, a program, or a device to perform a legitimate function. It is a cybersecurity best
practice that protects high-value data and assets from compromise or insider threat. Least privilege can
be applied to different abstraction layers of a computing environment, such as processes, systems, or
connected devices.
Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?
Risk register,
a document that records and tracks the risks associated with a project, system, or
organization. A risk register typically includes information such as the risk description, the risk owner, the
risk probability, the risk impact, the risk level, the risk response strategy, and the risk status. A risk
register can help identify, assess, prioritize, monitor, and control risks, as well as communicate
them to relevant stakeholders.
Which of the following should a security administrator adhere to when setting up a new set of firewall
rules?
Change management procedure,
A change management procedure is a set of steps and guidelines that a security administrator should
adhere to when setting up a new set of firewall rules. a change management procedure is necessary
to ensure that the change is planned, tested, approved, implemented, documented, and reviewed in a
controlled and consistent manner.
A company is expanding its threat surface program and allowing individuals to security test the company’s internet-facing application. The company will compensate researchers based on the vulnerabilities discovered.
Bug bounty,
a program that rewards security researchers for finding and reporting vulnerabilities in an application or system. Bug bounties are often used by companies to improve their security posture and incentivize ethical hacking. A bug bounty program typically defines the scope, rules, and compensation for the researchers
Which of the following threat actors is the most likely to use large financial resources to attack critical systems located in other countries?
Nation-state is a threat actor that is sponsored by a government or a political entity to conduct cyberattacks against other countries or organizations. Nation-states have large financial resources, advanced technical skills, and strategic objectives that may target critical systems such as military, energy, or infrastructure. Nation-states are often motivated by espionage, sabotage, or warfare
Which of the following enables the use of an input field to run commands that can view or manipulate data?
SQL injection
is a type of attack that enables the use of an input field to run commands that can view or manipulate data in a database. SQL stands for Structured Query Language, which is a language used to communicate with databases. By injecting malicious SQL statements into an input field, an attacker can bypass authentication, access sensitive information, modify or delete data, or execute commands on the server. SQL injection is one of the most common and dangerous web application vulnerabilities.
Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities?
Intellectual property
Employees in the research and development business unit are most likely to use intellectual property data in their day-to-day work activities, as they are involved in creating new products or services for the company. Intellectual property data needs to be protected from unauthorized use, disclosure, or theft, as it can give the company a competitive advantage in the market. Therefore, these employees receive extensive training to ensure they understand how to best protect this type of data.
.A company has begun labeling all laptops with asset inventory stickers and associating them with employee IDs. Which of the following security benefits do these actions provide? (Choose two.) A. If a security incident occurs on the device, the correct employee can be notified. B. The security team will be able to send user awareness training to the appropriate device. C. Users can be mapped to their devices when configuring software MFA tokens. D. User-based firewall policies can be correctly targeted to the appropriate laptops. E. When conducting penetration testing, the security team will be able to target the desired laptops. F. Company data can be accounted for when the employee leaves the organization.
A, F
associating this identifier with an employee ID, the security team can easily track and locate the owner of the laptop in case of a security incident, such as a malware infection, a data breach, or a theft.
A technician wants to improve the situational and environmental awareness of existing users as they transition from remote to in-office work.
Modify the content of recurring training.
Recurring training can help improve the situational and environmental awareness of existing users as they transition from remote to in-office work, as it can cover the latest threats, best practices, and policies that are relevant to their work environment. Modifying the content of recurring training can ensure that the users are aware of the current security landscape and the expectations of their roles.
.A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use?
dashboard
is a graphical user interface that provides a visual representation of key performance indicators, metrics, and trends related to security events and incidents. A dashboard can help the board of directors to understand the number and impact of incidents that affected the organization in a given period, as well as the status and effectiveness of the security controls and processes.
.A systems administrator receives the following alert from a file integrity monitoring tool: The hash of the cmd.exe file has changed. The systems administrator checks the OS logs and notices that no patches were applied in the last two months.
A rootkit was deployed.
A rootkit is a type of malware that modifies or replaces system files or processes to hide its presence and activity. A rootkit can change the hash of the cmd.exe file, which is a command-line interpreter for Windows systems, to avoid detection by antivirus or file integrity monitoring tools. A rootkit can also grant the attacker remote access and control over the infected system, as well as perform malicious actions such as stealing data, installing backdoors, or launching attacks on other systems. A rootkit is one of the most difficult types of malware to remove, as it can persist even after rebooting or reinstalling the OS.
Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?
Client,
the client is responsible for securing the operating systems, applications, and data that run on the cloud infrastructure. Therefore, the client is responsible for securing the company’s database in an IaaS model for a cloud environment, as the database is an application that stores data.
A client asked a security company to provide a document outlining the project, the cost, and the completion time frame. Which of the following documents should the company provide to the client?
MSA B. SLA C. BPA D. SOW
SOW
Security Operations Work, and it is a type of contract that specifies the scope, deliverables, milestones, and payment terms of a security project. An ISOW is usually used for one-time or short-term projects that have a clear and defined
A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting.
Input validation
a technique that checks the user input for any malicious or unexpected data before
processing it by the web application. Input validation can prevent cross-site scripting (XSS) attacks,
which exploit the vulnerability of a web application to execute malicious scripts in the browser
Which of the following must be considered when designing a high-availability network? (Choose two)
A. Ease of recovery B. Ability to patch C. Physical isolation D. Responsiveness E. Attack surface F. Extensible authentication
A, E
A high-availability network is a network that is designed to minimize downtime and ensure continuous operation even in the event of a failure or disruption
factors for HA:
Ease of recovery, the ability of the network to restore normal functionality quickly and efficiently after a failure or disruption.
Attack surface, refers to the amount of exposure and vulnerability of the network to potential threats and attacks
.A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first?
Create a change control request,
a document that describes the proposed change to a system, the reason for the change, the expected impact, the approval process, the testing plan, the implementation plan, the rollback plan, and the communication plan.
minimizes the risk of unintended consequences, such as system downtime, data loss, or security breaches
.Which of the following describes the reason root cause analysis should be conducted as part of incident response?
To prevent future incidents of the same nature
, security professionals can learn from the incident and implement corrective actions to prevent future incidents of the same nature.
Which of the following is the most likely outcome if a large bank fails an internal PCI DSS compliance assessment?
Fines
PCI DSS aims to protect the confidentiality, integrity, and availability of cardholder data and prevent fraud, identity theft, and data breaches
If a large bank fails an internal PCI DSS compliance assessment, the most likely outcome is that the bank will face fines from the payment card brands.
A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step?
Capacity planning
the process of determining the resources needed to meet the current and future demands of an organization. Capacity planning can help a company develop a business continuity strategy by estimating how many staff members would be required to sustain the business in the case of a disruption, such as a natural disaster, a cyberattack, or a pandemic. Capacity planning can also help a company optimize the use of its resources, reduce costs, and improve performance.
A company’s legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access?
Geolocation policy
a policy that restricts or allows access to data or resources based on the geographic location of the user or device. A geolocation policy can be implemented using various methods, such as IP address filtering, GPS tracking, or geofencing.
Which of the following is a hardware-specific vulnerability?
Firmware version
firmware is a type of software that is embedded in a hardware device, such as a router, a printer, or a BIOS chip
Firmware version is a hardware-specific vulnerability, as it can expose the device to security risks if it is outdated, corrupted, or tampered with. An attacker can exploit firmware vulnerabilities to gain unauthorized access, modify device settings, install malware, or cause damage to the device or the network
.While troubleshooting a firewall configuration, a technician determines that a “deny any” policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable.
Testing the policy in a non-production environment before enabling the policy in the production network
a misconfigured policy can cause network disruptions or security breaches. A common best practice is to test the policy in a non production environment, such as a lab or a simulation, before enabling the policy in the production network. This way, the technician can verify the functionality and performance of the policy, and identify and resolve any issues or conflicts, without affecting the live network.
.An organization is building a new backup data center with cost-benefit as the primary requirement and RTO and RPO values around two days. Which of the following types of sites is the best for this scenario?
Cold
a type of backup data center that has the necessary infrastructure to support IT operations, but does not have any pre-configured hardware or software. A cold site is the cheapest option among the backup data center types, but it also has the longest recovery time objective (RTO) and recovery point objective (RPO) values
.A company requires hard drives to be securely wiped before sending decommissioned systems to recycling. Which of the following best describes this policy?
Sanitization
is the process of removing sensitive data from a storage device or a system before it is disposed of or reused. Sanitization can be done by using software tools or hardware devices that overwrite the data with random patterns or zeros, making it unrecoverable.
Sanitization is different from destruction, which is the physical damage of the storage device to render it unusable.
A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data?
Sensitive,
data that is intended for authorized use only, and has a high impact to the organization if compromised. Examples of sensitive data include personal information, health records, and intellectual property.
A U.S.-based cloud-hosting provider wants to expand its data centers to new international locations. Which of the following should the hosting provider consider first?
Local data protection regulations
the first thing that a cloud-hosting provider should consider before expanding its data centers to new international locations. Data protection regulations are laws or standards that govern how personal or sensitive data is collected, stored, processed, and transferred across borders. Different countries or regions may have different data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, or the California Consumer Privacy Act (CCPA) in the United States
.Which of the following would be the best way to block unknown programs from executing?
Application allow list.
a security technique that specifies which applications are permitted to run on a system or a network. An application allow list can block unknown programs from executing by only allowing the execution of programs that are explicitly authorized and verified. An application allow list can prevent malware, unauthorized software, or unwanted applications from running and compromising the security of the system or the network
A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity?
Red
a group of security professionals who perform offensive security assessments covering penetration testing and social engineering. A red team simulates real-world attacks and exploits the vulnerabilities of a target organization, system, or network. A red team aims to test the effectiveness of the security controls, policies, and procedures of the target, as well as the awareness and response of the staff and the blue team
A software development manager wants to ensure the authenticity of the code created by the company.
Performing code signing on company-developed software
a technique that uses cryptography to verify the authenticity and integrity of the code created by the company. Code signing involves applying a digital signature to the code using a private key that only the company possesses. The digital signature can be verified by anyone who has the corresponding public key, which can be distributed through a trusted certificate authority. Code signing can prevent unauthorized modifications, tampering, or malware injection into the code, and it can also assure the users that the code is from a legitimate source.
Which of the following can be used to identify potential attacker activities without affecting production servers?
honey pot
is a system or a network that is designed to mimic a real production server and attract potential attackers. A honey pot can be used to identify the attacker’s methods, techniques, and objectives without affecting the actual production servers. A honey pot can also divert the attacker’s attention from the real targets and waste their time and resources
.During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process?
Analysis,
Analysis involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor’s motives and capabilities. Analysis helps the incident response team to formulate an appropriate response strategy, as well as to prevent or mitigate future incidents.
A security practitioner completes a vulnerability assessment on a company’s network and finds several vulnerabilities, which the operations team remediates.
Rescan the network,
After completing a vulnerability assessment and remediating the identified vulnerabilities, the next step is to rescan the network to verify that the vulnerabilities have been successfully fixed and no new vulnerabilities have been introduced.
.An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device.
An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device.
insider threat
is a security risk that originates from within the organization, such as an employee, contractor, or business partner, who has authorized access to the organization’s data and systems. An insider threat can be malicious, such as stealing, leaking, or sabotaging sensitive data, or unintentional, such as falling victim to phishing or social engineering.
Which of the following allows for the attribution of messages to individuals?
Non-repudiation
is the ability to prove that a message or document was sent or signed by a particular person, and that the person cannot deny sending or signing it. Non-repudiation can be achieved by using cryptographic techniques, such as hashing and digital signatures, that can verify the authenticity and integrity of the message or document.
Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified?
Automation
s the process of using software, hardware, or other tools to perform tasks that would otherwise require human intervention or manual effort. Automation can be used to monitor, audit, and enforce security settings on servers, such as firewall rules, encryption keys, access controls, patch levels, and configuration files
.Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer’s PII?
DLP
a tool that can assist with detecting and preventing the unauthorized transmission or leakage of sensitive data, such as a customer’s PII (Personally Identifiable Information). DLP can monitor, filter, and block data in motion (such as emails), data at rest (such as files), and data in use (such as applications). DLP can also alert the sender, the recipient, or the administrator of the data breach, and apply remediation actions, such as encryption, quarantine, or deletion. DLP can help an organization comply with data protection regulations, such as GDPR, HIPAA, or PCI DSS, and protect its reputation and assets.
.An organization recently updated its security policy to include the following statement: Regular expressions are included in source code to remove special characters such as $, |, ;. &, `, and ?
Which of the following best explains the security technique the organization adopted by making this addition to the policy?
Input validation
a security technique that checks the user input for any malicious or unexpected data before processing it by the application. Input validation can prevent various types of attacks, such as injection, cross-site scripting, buffer overflow, and command execution, that exploit the vulnerabilities in the application code. Input validation can be performed on both the client-side and the server-side, using methods such as whitelisting, blacklisting, filtering, sanitizing, escaping, and encoding.
A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following should the analyst do?
Update the EDR policies to block automatic execution of downloaded programs.
Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?
Compensating control, a security measure that is implemented to mitigate the risk of a vulnerability or a weakness that cannot be resolved by the primary control.
The management team notices that new accounts that are set up manually do not always havecorrect access or permissions. Which of the following automation techniques should a systems administrator use to streamline account creation?
User provisioning script
an automation technique that uses a predefined set of instructions or commands to create, modify, or delete user accounts and assign appropriate access or permissions. A user provisioning script can help to streamline account creation by reducing manual errors, ensuring consistency and compliance, and saving time and resources
A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis.
Detective
a type of control that monitors and analyzes the events and activities in a system or a network, and alerts or reports when an incident or a violation occurs. A SIEM (Security Information and Event Management) system is a tool that collects, correlates, and analyzes the logs from various sources, such as firewalls, routers, servers, or applications, and provides a centralized view of the security status and incidents.
.A systems administrator is looking for a low-cost application-hosting solution that is cloud-based. Which of the following meets these requirements?
A serverless framework
is a cloud-based application-hosting solution that meets the requirements of low cost and cloud-based. A serverless framework is a type of cloud computing service that allows developers to run applications without managing or provisioning any servers. The cloud provider handles the server-side infrastructure, such as scaling, load balancing, security, and maintenance, and charges the developer only for the resources consumed by the application.
A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future
Tuning
is the activity of adjusting the configuration or parameters of a security tool or system to optimize its performance and reduce false positives or false negatives. Tuning can help to filter out the normal or benign activity that is detected by the security tool or system, and focus on the malicious or anomalous activity that requires further investigation or response
71.A security analyst reviews domain activity logs and notices the following:
C. An attacker is attempting to brute force ismith's account.
The domain activity logs show that the user ismith has failed to log in 10 times in a row within a short period of time, which is a strong indicator of a brute force attack. The logs also show that the source IP address of the failed logins is different from the usual IP address of ismith
.A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider?
Geographic dispersion
a strategy that involves distributing the servers or data centers across different geographic locations. Geographic dispersion can help the company to mitigate the risk of weather events causing damage to the server room and downtime, as well as improve the availability, performance, and resilience of the network.
A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks. Which of the following analysis elements did the company most likely use in making this decision?
ARO
most likely used ARO in making the decision to remove the coverage for ransomware attacks from its cyber insurance policy
an analysis element that measures the frequency or likelihood of an event happening in a given year. ARO is often used in risk assessment and management, as it helps to estimate the potential loss or impact of an event. A company can use ARO to calculate the annualized loss expectancy (ALE) of an event, which is the product of ARO and the single loss expectancy (SLE). ALE represents the expected cost of an event per year, and can be used to compare with the cost of implementing a security control or purchasing an insurance policy.
Which of the following is a primary security concern for a company setting up a BYOD program?
Jailbreaking,
is the process of removing the manufacturer’s or the carrier’s restrictions on a device, such as a smartphone or a tablet, to gain root access and install unauthorized or custom software. Jailbreaking can compromise the security of the device and the data stored on it, as well as expose it to malware, viruses, or hacking. Jailbreaking can also violate the warranty and the terms of service of the device, and make it incompatible with the company’s security policies and standards.
Which of the following is the most likely to be included as an element of communication in a security awareness program?
Reporting phishing attempts or other suspicious activities
A security awareness program is a set of activities and initiatives that aim to educate and inform the users and employees of an organization about the security policies, procedures, and best practices.
Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address?
Buffer overflow
A buffer overflow is a vulnerability that occurs when an application writes more data to a memory buffer than it can hold, causing the excess data to overwrite adjacent memory locations. A register is a small storage area in the CPU that holds temporary data or instructions. An attacker can exploit a buffer overflow to overwrite a register with a malicious address that points to a shellcode, which is a piece of code that gives the attacker control over the system.
9.Which of the following would be the best way to handle a critical business application that is running on a legacy server?
Isolation
A legacy server is a server that is running outdated or unsupported software or hardware, which may pose security risks and compatibility issues. A critical business application is an application that is essential for the operation and continuity of the business, such as accounting, payroll, or inventory management. A legacy server running a critical business application may be difficult to replace or upgrade, but it should not be left unsecured or exposed to potential threats.
Which of the following describes the process of concealing code or text inside a graphical image?
Steganography
s the process of hiding information within another medium, such as an image, audio, video, or text file. The hidden information is not visible or noticeable to the casual observer, and can only be extracted by using a specific technique or key. Steganography can be used for various purposes, such as concealing secret messages, watermarking, or evading detection by antivirus software
After a company was compromised, customers initiated a lawsuit. The company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take?
Retain any communications related to the security breach until further notice.
A legal hold (also known as a litigation hold) is a notification sent from an organization’s legal team to employees instructing them not to delete electronically stored information (ESI) or discard paper documents that may be relevant to a new or imminent legal case. A legal hold is intended to preserve evidence and prevent spoliation, which is the intentional or negligent destruction of evidence that could harm a party’s case. A legal hold can be triggered by various events, such as a lawsuit, a regulatory investigation, or a subpoena
A network manager wants to protect the company's VPN by implementing multifactor authentication that uses:
Something you know . Something you have . Something you are Which of the following would accomplish the manager's goal?
Password, (you know)
authentication token (you have)
, thumbprint (you are)
A security manager created new documentation to use in response to various types of security incidents. Which of the following is the next step the manager should take?
Conduct a tabletop exercise with the team.
A tabletop exercise is a simulated scenario that tests the effectiveness of a security incident response
Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked. Which of the following changes would allow users to access the site?
Updating the categorization in the content filter
A content filter is a device or software that blocks or allows access to web content based on predefined rules or categories. In this case, the new retail website is mistakenly categorized as gambling by the content filter, which prevents users from accessing it.
.An administrator discovers that some files on a database server were recently encrypted. The administrator sees from the security logs that the data was last accessed by a domain user.
Insider threat
a type of attack that originates from someone who has legitimate access to an organization’s network, systems, or data. In this case, the domain user who encrypted the files on the database server is an example of an insider threat, as they abused their access privileges to cause harm to the organization.
.Which of the following automation use cases would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company?
Disabling access
an automation use case that would best enhance the security posture of an organization by rapidly updating permissions when employees leave a company. Disabling access is the process of revoking or suspending the access rights of a user account, such as login credentials, email, VPN, cloud services, etc
Which of the following must be considered when designing a high-availability network? (Select two). A. Ease of recovery B. Ability to patch C. Physical isolation D. Responsiveness E. Attack surface F. Extensible authentication
East of recovery and Attack Surface
A high-availability network is a network that is designed to minimize downtime and ensure continuous operation even in the event of a failure or disruption.
Which of the following methods to secure credit card data is best to use when a requirement is to see only the last four numbers on a credit card?
Masking
it can prevent unauthorized access to the full card number, does not alter the original data, unlike encryption, hashing, or tokenization, which use algorithms to transform the data into different formats.
.An administrator finds that all user workstations and servers are displaying a message that is associated with files containing an extension of .ryk.
Ransomware
Ransomware is a type of malware that encrypts the victim’s files and demands a ransom for the decryption key. The ransomware usually displays a message on the infected system with instructions on how to pay the ransom and recover the files. The .ryk extension is associated with a ransomware variant called Ryuk, which targets large organizations and demands high ransoms
A healthcare organization wants to provide a web application that allows individuals to digitally report health emergencies. Which of the following is the most important consideration during development?
Availability
is the ability of a system or service to be accessible and usable when needed. For a web application that allows individuals to digitally report health emergencies, availability is the most important consideration during development, because any downtime or delay could have serious consequences for the health and safety of the users. The web application should be designed to handle high traffic, prevent denial-of-service attacks, and have backup and recovery plans in case of failures
An organization wants a third-party vendor to do a penetration test that targets a specific device. The organization has provided basic information about the device.
Partially known environment
a type of penetration test where the tester has some information about the target, such as the IP address, the operating system, or the device type. This can help the tester focus on specific vulnerabilities and reduce the scope of the test. A partially known environment is also called a gray box test
.An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards.
Impersonating
The attacker impersonates someone with authority or influence and tries to trick the victim into performing an action, such as transferring money, revealing sensitive information, or clicking on a malicious link. Whaling is also called CEO fraud or business email compromise
An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to evaluate?
Secured zones
a key component of the Zero Trust data plane, which is the layer where data is stored, processed, and transmitted. Secured zones are logical or physical segments of the network that isolate data and resources based on their sensitivity and risk.
An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting?
Data in transit
Data in transit is data that is moving from one location to another, such as over a network or through the air. Data in transit is vulnerable to interception, modification, or theft by malicious actors. A VPN (virtual private network) is a technology that protects data in transit by creating a secure tunnel between two endpoints and encrypting the data that passes through it
.The marketing department set up its own project management software without telling the appropriate departments. Which of the following describes this scenario?
Shadow IT
Shadow IT is the term used to describe the use of unauthorized or unapproved IT resources within an organization. The marketing department set up its own project management software without telling the appropriate departments, such as IT, security, or compliance. This could pose a risk to the organization’s security posture, data integrity, and regulatory compliance
An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?
Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
A firewall ACL (access control list) is a set of rules that determines which traffic is allowed or denied by the firewall. The rules are processed in order, from top to bottom, until a match is found. The syntax of a firewall ACL rule is: Access list:
<direction><action><source address><destination address> <protocol><port?
To limit outbound DNS traffic originating from the internal network
After a security incident, a systems administrator asks the company to buy a NAC platform. Which of the following attack surfaces is the systems administrator trying to protect?
Wired
NAC (network access control) platform is a technology that enforces security policies on devices that attempt to access a network. A NAC platform can verify the identity, role, and compliance of the devices, and grant or deny access based on predefined rules. A NAC platform can protect both wired and wireless networks, but in this scenario, the systems administrator is trying to protect the wired attack surface, which is the set of vulnerabilities that can be exploited through a physical connection to the network
Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Select two).
A. Channels by which the organization communicates with customers
B. The reporting mechanisms for ethics violations
C. Threat vectors based on the industry in which the organization operates
D. Secure software development training for all personnel
E. Cadence and duration of training events F. Retraining requirements for individuals who fail phishing simulations
Threat vectors based on the industry in which the organization operates
Cadence and duration of training events
A training curriculum plan for a security awareness program should address the following factors: The threat vectors based on the industry in which the organization operates. This will help the employees to understand the specific risks and challenges that their organization faces, and how to protect themselves and the organization from cyberattacks.
.An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system.
Compensating controls
are alternative security measures that are implemented when the primary controls are not feasible, cost-effective, or sufficient to mitigate the risk. In this case, the organization used compensating controls to protect the legacy system from potential attacks by disabling unneeded services and placing a firewall in front of it. This reduced the attack surface and the likelihood of exploitation.
Which of the following is the best reason to complete an audit in a banking environment?
Regulatory requirement
a mandate imposed by a government or an authority that must be followed by an organization or an individual. In a banking environment, audits are often required by regulators to ensure compliance with laws, standards, and policies related to security, privacy, and financial reporting. Audits help to identify and correct any gaps or weaknesses in the security posture and the internal controls of the organization
.A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data.
Apply classifications to the data.
Data classification is the process of assigning labels or tags to data based on its sensitivity, value, and risk. Data classification is the first step in a data loss prevention (DLP) solution, as it helps to identify what data needs to be protected and how. By applying classifications to the data, the security administrator can define appropriate policies and rules for the DLP solution to prevent the exfiltration of sensitive customer data.
Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system?
SIEM
SIEM stands for Security Information and Event Management. It is a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system. SIEM can analyze the collected data, correlate events, generate alerts, and provide reports and dashboards. SIEM can also integrate with other security tools and support compliance requirements. SIEM helps organizations to detect and respond to cyber threats, improve security posture, and reduce operational costs.
Note 
Flashcard (25)