Which of the following tools could be used to detect unexpected output from an application being managed or monitored?
A behavior-based analysis tool
(Correct)
Manual analysis
A log analysis tool
A signature-based detection tool
Explanation
OBJ-3.3: A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a
behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running.
Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified
in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be
useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a
behavior-based or signature-based detection system.
Question 2: Correct
Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the
firewall to ensure your emails are being sent?
25
(Correct)
80
22
143
Explanation
OBJ-3.1: The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25.
Port 25 must be set to OPEN or ALLOW in the firewall for SMTP to function properly. Secure shell (SSH) is the protocol used for remote
administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for
communication. The internet message access
protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a
remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also
supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the
same time.
Question 3: Correct
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into
place next to the correct term.)
Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during
their attack?
Spear phishing
Whaling
(Correct)
Vishing
Phishing
Smishing
Explanation
OBJ-1.1: Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior
executives within the organization.
Question 4: Correct
You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the
criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following
would be the best place to gather the criticality of a system?
Ask the CEO for a list of the critical systems
Conduct an nmap scan of the network to determine the OS of each system
Scope the scan based on IP subnets
Review the asset inventory and BCP
(Correct)
Explanation
OBJ-4.2: To best understand a system's criticality, you should review the asset inventory and the BCP. Most organizations classify each
asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have, the
warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally,
you can review the business continuity plan (BCP) since this will provide the organization's plan for continuing business operations in the
event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business
operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn't easy to get them to
take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn't going to know what systems he
relies on, but instead just the business functions they serve, again making this a bad choice. While conducting an nmap scan may help you
determine what OS is being run on each system, this information doesn't help you determine criticality to operations. The same is true
of using IP subnets since a list of subnets by itself doesn't provide criticality or prioritization of the assets.
Question 5: Correct
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration
settings are correct?
Internal scan
Credentialed scan
(Correct)
Non-credentialed scan
External scan
Explanation
OBJ-1.7: Credentialed scans log into a system and retrieve its configuration information. Therefore, they should provide you with the best
results. A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect. The scanner's
network location does not directly impact the ability to read the configuration information, so it would not make a difference if you
conducted an external or internal scan.
Question 6: Correct
Which protocol relies on mutual authentication of the client and the server for its security?
RADIUS
Two-factor authentication
CHAP
LDAPS
(Correct)
Explanation
OBJ-3.1: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable
access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and
servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.
Question 7: Correct
You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of
the following devices would be the BEST for you to select?
Proxy server
IDS
Syslog server
IPS
(Correct)
Explanation
OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion
prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them.
An IPS can block malicious network traffic, unlike an IDS, which can only log it. A proxy server is a server application that acts as an
intermediary between a client requesting a resource and the server providing that resource. System Logging Protocol (Syslog) uses port
514 and is a way network devices can use a standard message format to communicate with a logging server. It was designed specifically
to make it easy to monitor network devices. Devices can use a Syslog agent to send out notification messages under a wide range of
specific conditions.
Question 8: Correct
MD-5
SHA-1
SHA-2
(Correct)
NTLM
Explanation
OBJ-2.8: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a
128-bit fixed output.
Question 9: Correct
Initiate
Deny
Mitigate
(Correct)
Reject
Explanation
OBJ-5.4: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is
focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.
Order of volatility
Right to audit
Chain of custody
(Correct)
Legal hold
Explanation
OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an
investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's
procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. A
legal hold is a process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or
reasonably anticipated. A right to audit is a clause in a contract or service agreement that allows a company the authority to audit the
systems and information processed. Order of volatility refers to the order in which you should collect evidence.
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about
what information they post on social media. According to the instructor, if you post too much personal information on social media,
such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack
to break your passwords?
Brute force attack
Cognitive password attack
(Correct)
Rainbow table attack
Birthday attack
Explanation
OBJ-1.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably
something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password
type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked
because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that
was publicly available about Sarah Palin (like her birthday, high school, and other such information).
Which of the following access control methods provides the most detailed and explicit type of access control over a resource?
ABAC
(Correct)
DAC
MAC
RBAC
Explanation
OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it
is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-
wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be
considered when granting or denying access.
You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device?
MAC validation
Port scanning
War walking
(Correct)
Site surveys
Explanation
OBJ-1.8: War walking is conducted by walking around a building while locating wireless networks and devices. War walking will not help
find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically
surveying for unexpected systems can be used to find rogue devices on a wired network.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:
Weak or default configurations
Insecure direct object reference
(Correct)
Race condition
Improper error handling
Explanation
OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an
identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks.
An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software
vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events.
Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of
incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-
Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal
implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the
system's potential flaws.
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into
place next to the correct term.)
Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending
targeted emails to a specific set of recipients within an organization?
Vishing
Phishing
Spear phishing
(Correct)
Hoax
Pharming
Explanation
OBJ-1.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted
individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of
people, not just an indiscriminate large group of random people.
Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely
cause of the issue?
RADIUS
(Correct)
WPA2 security key
CSMA/CA
SSL certificates
Explanation
OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication. The IEEE 802.1x standard is a network
authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them
for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is
confirmed by the RADIUS server. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless
authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The
client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the
request. Secure Sockets Layer (SSL) is a security protocol developed by Netscape to provide privacy and authentication over the Internet.
SSL is application independent, works at layer 5 [Session], and can be used with a variety of protocols, such as HTTP or FTP. Client and
server set up a secure connection through PKI (X.509) certificates. Carrier-sense multiple access with collision avoidance (CSMA/CA) is a
network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only
after the channel is sensed to be idle. CSMA/CA occurs in the background when communicating with a wireless access point and would
not prevent the user from authenticating to the captive portal. A WPA2 security key is a preshared password used to authenticate and
connect to a wireless access point. If the user connected to the SSID, then the WPA2 security key was valid.
NDA
(Correct)
MSA
SLA
SOW
Explanation
OBJ-5.3: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: One from the organization to the
pentester and another from the pentester to the organization. The Statement of Work (SOW) is a formal document stating what will and
will not be performed during a penetration test. It should also contain the assessment's size and scope and a list of the assessment's
objectives. A master service agreement (MSA) is a contract reached between parties, in which the parties agree to most of the terms
that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year
contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. A service level
agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be
terminated.
Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure
the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by
increasing the designed HVAC capacity?
Higher data integrity due to more efficient SSD cooling
Longer MTBF of hardware due to lower operating temperatures
(Correct)
Increase the availability of network services due to higher throughput
Longer UPS run time due to increased airflow
Explanation
OBJ-5.4: The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is
effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a
cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage
components and cause premature hardware failure. Therefore, increasing the HVAC capacity and airflow can lead to longer lifespans for
servers and networking equipment.
Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline?
MTBF
RTO
(Correct)
MTTR
RPO
Explanation
OBJ-5.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the
amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for
instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus
destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours
before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and
must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full
operation.
Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any
students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of
their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the
following configuration settings should you use to satisfy the instructor's requirements and prevent students from using the
"InstructorDemos" network?
Signal strength
QoS
NAT
MAC filtering
(Correct)
Explanation
OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the
students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same
devices to connect to the network, it would be relatively easy to implement a MAC filtering based on the list of devices that are allowed
to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the
signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation
and Quality of Service will not prevent the students from accessing or using the open network.
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?
Organized Crime
APT
Hacktivist
Insider threat
(Correct)
Explanation
OBJ-1.5: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident.
Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security
vulnerabilities. Hacktivists, organized crime, and advanced persistent threat (APT) entities do not accidentally or unwittingly target
organizations. Instead, their actions are deliberate. A hacktivist is an attacker that is motivated by a social issue or political cause.
Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT)
is a type of threat actor that can obtain, maintain, and diversify access to network systems using exploits and malware.
You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-
depth forensic review, you determine that a rootkit's installation had modified the web server’s BIOS. After removing the rootkit and
reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again?
Install an anti-malware application
Utilize file integrity monitoring
Utilize secure boot
(Correct)
Install a host-based IDS
Explanation
OBJ-3.2: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by
UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital
certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure
that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without
authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader,
and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only
apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.
What information should be recorded on a chain of custody form during a forensic investigation?
The law enforcement agent who was first on the scene
Any individual who worked with evidence during the investigation
(Correct)
The list of former owners/operators of the workstation involved in the investigation
The list of individuals who made contact with files leading to the investigation
Explanation
OBJ-4.5: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an
investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's
procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken.
While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the
scene (if that person didn't collect the evidence). The other options presented by the question are all good pieces of information to
record in your notes, but it is not required to be on the chain of custody form.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting
services?
Kerberos
RADIUS
TACACS+
(Correct)
CHAP
Explanation
OBJ-3.8: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary
protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and
provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but
Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for
client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used
to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide
authorization or accounting services.
Which of the following biometric authentication factors relies on matching patterns on the eye's surface using near-infrared imaging?
Pupil dilation
Iris scan
(Correct)
Facial recognition
Retinal scan
(Incorrect)
Explanation
OBJ-2.4: Iris scans rely on the matching of patterns on the surface of the eye using near-infrared imaging, and are therefore less intrusive than
retinal scanning (the subject can continue to wear glasses, for instance) and much quicker. Iris scanners offer a similar level of accuracy
as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-
volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of
someone's eye.
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and drag and drop them into place next
to the correct term.)
How would you appropriately categorize the authentication method displayed here?
Biometric authentication
(Correct)
One-time password authentication
PAP authentication
Multifactor authentication
Explanation
OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to
each category. A fingerprint scan is a type of biometric authentication. Biometric authentications include any authentication system that
relies on a person’s physical characteristics for authentication.
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a
breach of this data, which type of disclosure would you be required to provide during your incident response efforts?
Notification to federal law enforcement
Notification to Visa and Mastercard
Notification to local law enforcement
Notification to your credit card processor
(Correct)
Explanation
OBJ-4.5: Any organization that processes a credit card will be required to work with their credit card processor instead of working
directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps
in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach
at a commercial organization.
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the
following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in
the cloud?
Use full-disk encryption
(Correct)
Use data masking
Zero-wipe drives before moving systems
Span multiple virtual disks to fragment data
Explanation
OBJ-2.2: To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is
encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible
because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or
part of a field's contents is redacted, by substituting all character strings with "x," for example. Data masking will not prevent your
corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be
fragmented, and would make the data remanence problem worse overall.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?
VM migration
VM sprawl
VM escape
(Correct)
VM data remnant
Explanation
OBJ-2.2: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the
attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual
machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or
erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where
the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one
physical hardware environment to another.
What is the biggest disadvantage of using single sign-on (SSO) for authentication?
Systems must be configured to utilize the federation
It introduces a single point of failure
(Correct)
The identity provider issues the authorization
Users need to authenticate with each server as they log on
Explanation
OBJ-5.4: Single sign-on is convenient for users since they only need to remember one set of credentials. Unfortunately, single sign-on
also introduces a single point of failure. If the identity provider is offline, then the user cannot log in to any of the resources they may
wish to utilize across the web. Additionally, if the single sign-on is compromised, the attacker now has access to every site that the user
would have access to using the single set of credentials.
Conduct notification to all affected customers within 72 hours of the discovery of the breach
(Correct)
Conduct a 'hack-back' of the attacker to retrieve the stolen information
(Incorrect)
Provide a statement to the press that minimizes the scope of the breach
Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim
Explanation
OBJ-1.6: Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical,
constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly
impossible to steal it back as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if
your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy
and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical
and illegal.
Something you have
Something you know
Something you want
(Correct)
Something you are
Explanation
OBJ-2.4: The five factors of authentication are knowledge, possession, biometric, action, and location. This is also known as 'something
you know,' 'something you have,' 'something you are,' 'something you do,' and 'somewhere you are.'
(Sample Simulation – On the real exam for this type of question, you would have to rearrange the steps into the proper order by
dragging and dropping them into place.) What is the correct order of the Incident Response process?
Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned
Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
(Correct)
Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery
Explanation
OBJ-4.2: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and
Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For
example, the steps of incident response, the order of volatility, or the strength of encryption schemes could be asked using this question
format.
Measured boot
(Correct)
Startup Control
Advanced anti-malware
Master Boot Record analytics
Explanation
OBJ-3.2: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval
and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the hard disk's required
information to support a forensic investigation. It would not detect malware during the system's boot-up process. Startup control would
be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect
malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the
operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and
other BIOS/UEFI malware variants.
Which role validates the user’s identity when using SAML for authentication?
RP
User agent
IdP
(Correct)
SP
Explanation
OBJ-3.8: The IdP provides the validation of the user's identity. Security Assertion Markup Language (SAML) is an XML-based framework
for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction
with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to
establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user
having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider
(SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP
redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct,
provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and
provides access to the resource.
NTLM
RIPEMD
(Correct)
MD-5
(Incorrect)
SHA-2
Explanation
OBJ-2.8: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates
a 128-bit fixed output.
You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device
should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?
Proxy server
Authentication server
IDS
(Correct)
IPS
Explanation
OBJ-3.3: An intrusion detection system is a device or software application that monitors a network or system for malicious activity or
policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security
information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log
these issues and not stop them. An intrusion prevention system (IPS) conducts the same functions as an IDS but can also block or take
actions against malicious events. An authentication, authorization, and accounting (AAA) server is a server used to identify
(authenticate), approve (authorize), and keep track of (account for) users and their actions. AAA servers can also be classified based on
the protocol they use, such as a RADIUS server or TACACS+ server. A proxy server is a server that acts as an intermediary between a
client requesting a resource and the server that provides that resource. A proxy server can be used to filter content and websites from
reaching a user.
Vulnerability
(Correct)
Exploit
Malicious actor
Mitigation
Explanation
OBJ-1.6: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application,
or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a
vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability.
A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or
other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their
goals lie outside your organization's security goals.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from
home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber,
and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest
protection against this data breach?
Require all new employees to sign an NDA
Require data at rest encryption on all endpoints
(Correct)
Require a VPN to be utilized for all telework employees
Require data masking for any information stored in the database
Explanation
OBJ-2.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including
this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring
a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop's loss caused it. Even if a
VPN had been used, the same data breach would still have occurred if the employee copied the database to the machine. Remember on
exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question
being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
Which of the following is the LEAST secure wireless security and encryption protocol?
WPA
WPA2
WPA3
WEP
(Correct)
Explanation
OBJ-3.4: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered
vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.
Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications that was designed to replace WEP.
WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection
scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security
standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key
method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block
chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the
most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of
preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an
open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels
of encryption.
802.1q
802.1x
(Correct)
802.11ac
802.3af
Explanation
OBJ-3.8: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol. The IEEE 802.1x standard is a
network authentication protocol that opens ports for network access when an organization authenticates a user's identity and
authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or
certificate, which is confirmed by the RADIUS server.
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
You should remove the current controls since they are not completely effective
You should accept the risk if the residual risk is low enough
(Correct)
You should continue to apply additional controls until there is zero risk
You should ignore any remaining risk
Explanation
OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to
accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining
risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you
should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero,
but mitigating to a lower level and then accepting the residual risk is a common industry practice.
Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customer's
names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the
following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?
MDM
DLP
(Correct)
Firewall
Strong passwords
Explanation
OBJ-2.1: Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by
monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM
solution would not solve this problem. Instead, a DLP solution must be implemented.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities
across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded
companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the
hospital and its customers are fully protected?
COSO
GLBA
SOX
HIPAA
(Correct)
Explanation
OBJ-5.2: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare
information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should
be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed
in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to
their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans,
financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and
financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public
from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk
and related common terminology, lists the key components of risk management strategies, and supplies direction and criteria for
enhancing risk management practices.
Lateral movement
Pass the hash
(Correct)
Golden ticket
Pivoting
Explanation
OBJ-1.3: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO)
system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can
grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access
to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can
extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement.
When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise
be inaccessible.
Enforce a policy that requires passwords to be changed every 30 days
Require a username and a password for user logins
Install security cameras in secure areas to monitor logins
Require biometric identification for user logins
(Correct)
Explanation
OBJ-2.4: The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This
would ensure that even if an employee could discover another employee's username and password, they would be prevented from
logging into the workstation without the employee's finger or eye to scan. Enforcing short password retention can limit the possible
damage when a password is disclosed, but it won't prevent a login during the valid period. Security cameras may act as a deterrent or
detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could
be used to determine who logged in after the fact, though.
3DES
(Correct)
ECC
RSA
(Incorrect)
PGP
Explanation
OBJ-2.8: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to
increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.
Dion Training just installed a new webserver within a screened subnet. You have been asked to open up the port for secure web
browsing on the firewall. Which port should you set as open to allow users to access this new server?
80
143
443
(Correct)
21
Explanation
OBJ-3.1: The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS
encryption over port 443. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80.
The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21.
Which of the following devices helps mitigate the risk of data exfiltration via unauthorized USB connections?
Security Cable Lock
Biometric Scanner
USB Data Blocker
(Correct)
Firewall
Explanation
OBJ-2.7: A USB data blocker is a device that allows charging while blocking data transfer when a USB device is connected to a computer
or charging port. It is essential for preventing unauthorized data access or malware transmission through USB connections, making it the
correct choice for mitigating the risk of data exfiltration. A firewall is a network security device that filters incoming and outgoing
network traffic. It is not designed to prevent data exfiltration via unauthorized USB connections, making it an incorrect choice for this
scenario. A biometric scanner is used for authentication and access control based on unique physical characteristics, such as fingerprints
or retinal scans. While it enhances access security, it does not directly address the risk of unauthorized USB data transfer. Security cable
locks are used to physically secure laptops and other devices to prevent theft. While they enhance physical security, they do not prevent
data exfiltration through USB ports.
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization
during your technical assessment of their network?
Network sniffing
Application security testing
Vulnerability scanning
Social engineering
(Correct)
Explanation
OBJ-5.3: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential
information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you
determine if additional end-user security training should be included in the organization. The other three options focus solely on
technical controls. Therefore, adding end-user training would not affect these technology options.
You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
Based on your review, what does this scan indicate?
192.168.3.145 might be infected and beaconing to a C2 server
(Incorrect)
This appears to be normal network traffic
(Correct)
173.12.15.23 might be infected and beaconing to a C2 server
192.168.3.145 might be infected with malware
173.12.15.23 might be infected with malware
Explanation
OBJ-4.1: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website
(test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line
begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to
the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate
human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both
of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic
appears to be suspicious.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?
Encrypt the source drive to ensure an attacker cannot modify its contents
Encrypt the image file to ensure it maintains data integrity
Digitally sign the image file to provide non-repudiation of the collection
Create a hash digest of the source drive and the image file to ensure they match
(Correct)
Explanation
OBJ-4.5: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and
destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been
performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The
standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from
it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image
files is a good security practice to maintain the data's confidentiality, it does not provide data integrity like a hash digest does. Once
imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation,
but it is an uncommon practice and not required to be performed.
Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't
remember sending the email to the colleague. What is Barbara MOST likely the victim of?
Hijacked email
(Correct)
Ransomware
Spear phishing
Phishing
Explanation
OBJ-1.1: Barbara is MOST likely the victim of hijacked email. Hijacked email occurs when someone takes over your email account and
sends out messages on your behalf. Hijacked email can occur after a system is taken over by an attacker. The victim usually finds out
about it when someone asks about an email the victim sent them, or the victim sees an automated out-of-office reply from one of the
recipients of the victim's emails. Phishing is an email-based social engineering attack in which the attacker sends an email from a
supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate
large group of random people. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to
induce targeted individuals to reveal confidential information. Ransomware is a type of malware designed to deny access to a computer
system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected
website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is
received.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a
compromised server. Which of the following would you NOT search for on the server?
Failed logins
Malicious processes
(Correct)
Unauthorized sessions
Off-hours usage
Explanation
OBJ-4.3: A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise
(IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all
account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business
hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is
accessed without authorization, for example, if a limited-privilege user is signed into a domain controller. A failed login might be normal
if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack
attempting to crack a user's password.
Purchase multiple inexpensive workstations and install one operating system that will be used to test the applications being
developed on each workstation
Purchase multiple workstations, install a VM on each one, then install one operating system that will be used to test the applications
being developed in each VM
Purchase one computer, install an operating system on it, create an image of the system, then reformat it, install the next operating
system, create another image, and reimage the machine each time you need to test a different application
Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each
operating system that will be used to test the applications being developed
(Correct)
Explanation
OBJ-2.2: Since the company's main goal was to minimize the amount of hardware required, the BEST solution is to purchase a high-end
computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will
be used to test the applications being developed. This allows a single machine to run multiple operating systems for testing with the
least amount of hardware.
Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting
your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access
opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social
engineering principle is being exploited here?
Trust
Familiarity
Intimidation
Scarcity
(Correct)
Explanation
OBJ-1.1: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the
time, such as "supplies are limited," "only available for the next 4 hours," and other such artificial limitations. Familiarity is a
social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly
25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank
of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes the bank name
familiar to them, so they are more likely to click on the email link.
Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the
original value stored in another vault or database?
Data masking
Tokenization
(Correct)
Anonymization
Data minimization
Explanation
OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the
original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the
original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field's
contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only
what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that
must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people
whom the data describe remain anonymous.
You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in
the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does
not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you
should take to assist them in developing a disaster recovery plan?
Identify the organization's assets
(Correct)
Develop a data retention policy
Conduct a vulnerability scan
Conduct a risk assessment
Explanation
OBJ-4.2: The first step to developing an effective disaster recovery plan is to identify the assets. The organization must understand
exactly what assets they own and operate. Once identified, you can then determine what assets and services are essential to business
operations, what risks are facing them, and how best to recover in the event of a disaster. To best understand the organization's risks,
they will undertake an organization-wide risk assessment and conduct a vulnerability scan of its assets.
Trade secret information
Credit card information
Protected health information
(Correct)
Personally identifiable information
Explanation
OBJ-4.5: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and
insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance
Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and
Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable
information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected
under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Hardening the DEV_SERVER7 server
Conduct a data criticality and prioritization analysis
(Correct)
Conduct a Nessus scan of the FIREFLY server
Logically isolate the PAYROLL_DB server from the production network
Explanation
OBJ-5.4: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only
be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data
criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for
protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since
the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never
performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and
DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their
credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions of hardening,
logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know
which data they should focus on protecting or where the attacker is currently.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one
bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?
Behavior
(Correct)
Trend
Heuristic
Anomaly
Explanation
OBJ-1.7: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that
the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that
deviates from this baseline (outside a defined level of tolerance) generates an alert. The heuristic analysis determines whether several
observed data points constitute an indicator and whether related indicators make up an incident depending on a good understanding of
the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in
computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is
the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This
is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand
capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based
detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection
prescribes the baseline for expected patterns based on its observation of what normal looks like.
Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone
conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the
following physical security measures should she implement to protect against this threat?
Biometric lock
Hardware token
Badge reader
Privacy screen
(Correct)
Explanation
OBJ-1.1: A privacy screen is a filter placed on a monitor to decrease the monitor's viewing angle. This prevents the monitor from being
viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the
reflection from a glass or plastic surface. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint,
voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's
account. A smart card is a form of hardware token. A smart card, chip card, or integrated circuit card is a physical, electronic
authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated
circuit chip. In high-security environments, employee badges may contain an embedded smart card chip that must be inserted into a
smart card reader to log in or access information on the system. A badge reader is used to read an employee's identification badge using
a magnetic stripe, barcode, or embedded RFID chip.
Which term is used in software development to refer to the method in which app and platform updates are committed to a
production environment rapidly?
Continuous monitoring
Continuous delivery
Continuous integration
Continuous deployment
(Correct)
Explanation
OBJ-2.3: Continuous deployment is a software development method in which app and platform updates are committed to production
rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and
validated for immediate availability. Continuous integration is a software development method in which code updates are tested and
committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an
environment for changes so that new risks may be more quickly detected and business operations improved upon. While continuous
deployment and continuous delivery sound very similar, there is one key difference. In continuous delivery, a human is still required to
approve the release into the production environment. In continuous deployment, the test and release process into the production
environment is automated, making the changes available for immediate release once the code is committed.
User authentication
(Correct)
Secure generation of cryptographic keys
Random number generation
Remote attestation
Binding
Sealing
Explanation
OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is
designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out
cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software
cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of
cryptographic keys, remote attestation, binding, and sealing functions securely.
Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients.
The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user
logs into it. Based on this scenario, which of the following technologies has the organization adopted?
VPC
UEBA
VPN
VDI
(Correct)
Explanation
OBJ-3.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from
a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a
public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network,
typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious
activity by user accounts and computer hosts.
Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times,
requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based
on this information, what is the Annual Loss Expectancy (ALE) for this server?
$2,500
$15,000
$7,500
(Correct)
$1,500
Explanation
OBJ-5.4: To calculate the ALE, you need to multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is
calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this
scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To
calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to
access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the
internet. How can this type of attack be prevented from occurring in the future?
Enable NAC on the open wireless network
(Incorrect)
Install an IDS to protect the HVAC system
Implement a VLAN to separate the HVAC control system from the open wireless network
(Correct)
Enable WPA2 security on the open wireless network
Explanation
OBJ-1.5: A VLAN is useful to segment network traffic into various parts of the network and stop someone on the open wireless
network from logging in to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked
for compliance to determine whether it is a 'known' machine, but it would still be given access to the entire network. Also, since this is a
publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to
detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote
server. Which of the following tools would best help you identify the path between the two systems?
tracert
(Correct)
ipconfig
nbtstat
netstat
Explanation
OBJ-4.1: The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol
(ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. When the TTL on a packet
reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded"
messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values
on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control
Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a
diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they
type to request the appropriate records for only the name servers?
transfer type=ns
request type=ns
set type=ns
(Correct)
locate type=ns
Explanation
OBJ-4.1: The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP
address or to view other DNS records. The "set type=ns" command tells nslookup to report only information on name servers. If you used "set
type=mx" instead, you would receive information only about mail exchange servers.
Using the image provided, place the port numbers in the correct order with their associated protocols.
80, 53, 69, 25
53, 69, 25, 80
69, 25, 80, 53
(Correct)
25, 80, 53, 69
Explanation
OBJ-3.1: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail
Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol
uses port 53.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices
to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an
administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the
following technologies should you implement to achieve this goal?
VPN
MAC filtering
VLAN
(Correct)
WPA2
Explanation
OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents
communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical
network and keeps the two virtual networks' data separate. A virtual private network (VPN) is a remote access capability to connect a trusted
device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless
encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or
deny a device from connecting to a network, but it will not create two network segments, as desired.
What popular open-source port scanning tool is commonly used for host discovery and service identification?
services.msc
nmap
(Correct)
Nessus
dd
Explanation
OBJ-4.1: The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to
disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk
images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port
scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.
What role does the red team perform during a tabletop exercise (TTX)?
Adversary
(Correct)
Network defender
System administrator
Cybersecurity analyst
Explanation
OBJ-1.8: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team
might consist of members of the in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team
operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system
administrators, cybersecurity analysts, and network defenders.
RP
(Correct)
SAML
SSO
IdP
Explanation
OBJ-2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes
assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML)
is an open standard for exchanging authentication and authorization data between parties, such as between an identity provider and a service
provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and
password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they
cannot possibly be the right answer to this question.
Stealthing
Windowing
Hardening
(Correct)
Harvesting
Explanation
OBJ-3.2: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system
performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing the available ways of
attack typically includes changing default passwords, removing unnecessary software, removing unnecessary usernames or logins, and disabling or
removing unnecessary services. Windowing is the use of windows for the simultaneous display of more than one item on a screen.
Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.
Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their
password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to
log in again. What type of attack is this mitigation strategy trying to prevent?
Privilege escalation
On-path attack
Brute force attack
(Correct)
Spoofing
Explanation
OBJ-1.2: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute
force attack. By extending the waiting period, the attacker's brute force attempts are less effective. A brute force attack is a type of
password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted
passwords. An on-path attack is an attack where the threat actor makes an independent connection between two victims and can read,
and possibly modify traffic. A privilege escalation is a practice of exploiting flaws in an operating system or other application to gain a
greater level of access than was intended for the user or application. Spoofing is a type of attack that disguises a communication from an
unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing,
call spoofing, and others.
Question 77: Correct
Dion Training is concerned with students entering the server room without permission. To prevent this from occurring, the organization
wants to purchase and install an access control system that will allow each instructor to have access using an RFID device. Which of the
following authentication mechanisms should Dion Training use to meet this requirement?
Biometric reader
Access control vestibule
Proximity badge
(Correct)
CCTV
Explanation
OBJ-2.7: The best option is to use a proximity badge. This type of badge embeds an RFID chip into the card or badge. When an
authorized user swipes their card or badge over the reader, it sends an RF signal that uniquely identifies the card or badge holder.
While some of the other options presented could be used for authentication (such as biometrics), these options do not use RFID as
stated in the requirements. Closed-circuit television is a type of video surveillance where video cameras transmit a signal to a specific
place using a limited set of monitors. An access control vestibule is a physical security access control system comprising a small space
with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Biometrics are identifying
features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or
fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of
biometric information for authentication to occur.
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number
of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so
they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to
claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following
types of vulnerabilities did the hacker exploit?
Sensitive data exposure
Race condition
(Correct)
Broken authentication
Dereferencing
Explanation
OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain
events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to
modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows
privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken
authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references
an object at a particular memory location.
An employee contacts the service desk because they cannot open an attachment they received in their email. The service desk agent
conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named
Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment is double-clicked. Which of
the following is most likely causing this issue?
The email is a form of spam and should be deleted
The user doesn't have a PDF reader installed on their computer
The attachment is using a double file extension to mask its identity
(Correct)
The file contains an embedded link to a malicious website
(Incorrect)
Explanation
OBJ-1.1: The message contains a file attachment in the hope that the user will execute or open it. The attachment's nature might be
disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first
extension since .exe is a known file type in Windows. This would explain the black pop-up window that appears and then disappears,
especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader.
Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not
contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the
email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.
Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:
Based on the output, what type of password cracking method does Jason’s new tool utilize?
Brute force attack
Hybrid attack
(Correct)
Dictionary attack
Rainbow attack
Explanation
OBJ-1.2: Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the
passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is
made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and then
attempted variations on it using brute force (such as adding 000, 001, 002, …122, 123) to the end of the password until it was found.
Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.