
Question 1: Correct

An electronics store was recently the victim of a robbery where an employee
was injured, and some property was stolen. The store's IT department hired
an external supplier to expand its network to include a physical access control
system. The system has video surveillance, intruder alarms, and remotely
monitored locks using an appliance-based system. Which of the following
long-term cybersecurity risks might occur based on these actions?

These devices are insecure and should be isolated from the internet

These devices should be scanned for viruses before installation

These devices should be isolated from the rest of the enterprise network

(Correct)

There are no new risks due to the install and the company has a stronger
physical security posture

Explanation
OBJ-2.6: While the company's physical security posture has been improved by
adding the cameras, alarms, and locks, this appliance-based system may pose
additional risks to the store's network. Specialized technology and appliance-based
systems rarely receive security updates at the same rate as regular servers or
endpoints, and they often ship with default credentials and management services
that are never hardened. These devices need network connectivity for their
functions to work, but they do not need to be on the enterprise production
network. A good option is to set up a parallel network that is physically or
logically isolated from the enterprise network (for example a separate VLAN with
firewall rules that permit only the monitoring traffic) and install the video
cameras, alarms, and locks on it. These devices cannot be isolated from the
internet without compromising their functions, such as remote monitoring of the
system and locks. The devices should be scanned for malware before installation,
but that is a short-term consideration and does not protect them over the long
term.
Question 2: Correct
Which of the following methods should a cybersecurity analyst use to locate
any instances on the network where passwords are being sent in cleartext?

SIEM event log monitoring

NetFlow capture

Full packet capture

(Correct)

Software design documentation review

Explanation
OBJ-4.3: Full packet capture records the complete payload of every packet crossing
the network, so an analyst can search the captured application data for protocols
that carry credentials unencrypted (FTP, Telnet, POP3, HTTP Basic authentication,
and HTTP form logins over port 80). The other methods do not provide enough
information to detect a cleartext password. NetFlow analysis will show where
communications occurred, by what protocol, between which devices, and how much
data was sent, but it reveals nothing about the content itself since it only
records metadata for each flow. SIEM event log monitoring might detect that an
authentication event occurred, but it will not necessarily reveal whether the
password was sent in cleartext, as a hash value, or as ciphertext. Software design
documentation may reveal the designer's intentions for authentication when the
application was created, but this only describes the 'as designed' approach and
does not show whether the 'as built' configuration was implemented securely.
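As an added example (not part of the original exam page), the following Python script shows what the full packet capture answer means in practice: it searches reassembled application data for the protocols that carry credentials unencrypted and, for contrast, shows the metadata a NetFlow record would retain for the same connection. The flows, addresses and credentials are constructed sample data, and the Flow class and helper names are this example's own.

```python
"""Search captured application-layer data for credentials sent in cleartext.

Added example; it is not part of the original exam page. The flows below are
constructed sample payloads, not data from a real capture. It assumes a full
packet capture has already been reassembled into per-connection payloads.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # application data exactly as it crossed the wire


# FTP and POP3 log in with plain USER/PASS commands.
USER_PASS_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.MULTILINE | re.IGNORECASE)
# HTTP Basic auth is base64 of "user:password": encoding, not encryption.
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)",
                      re.MULTILINE | re.IGNORECASE)
# Form field names that commonly carry a login and its password.
USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "passwd", "pass", "pwd")


def find_cleartext_credentials(flow):
    """Return (protocol, username, password) tuples found in one flow."""
    found = []
    data = flow.payload
    if flow.dport in (21, 110):
        creds = {}
        for cmd, value in USER_PASS_RE.findall(data):
            creds[cmd.upper()] = value.decode(errors="replace")
        if b"USER" in creds and b"PASS" in creds:
            proto = "ftp" if flow.dport == 21 else "pop3"
            found.append((proto, creds[b"USER"], creds[b"PASS"]))
    if flow.dport == 80:
        for token in BASIC_RE.findall(data):
            try:
                decoded = base64.b64decode(token, validate=True).decode(errors="replace")
            except ValueError:
                continue
            user, _, password = decoded.partition(":")
            found.append(("http-basic", user, password))
        head, sep, body = data.partition(b"\r\n\r\n")
        if sep and b"application/x-www-form-urlencoded" in head.lower():
            fields = parse_qs(body.decode(errors="replace"))
            user = next((fields[k][0] for k in USER_FIELDS if k in fields), "")
            password = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
            if password is not None:
                found.append(("http-form", user, password))
    return found


def scan(flows):
    """Run the detector over every flow in a capture."""
    return [(f.src, f.dst) + c for f in flows for c in find_cleartext_credentials(f)]


def netflow_record(flow):
    """What a flow exporter keeps for the same connection: metadata only."""
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "bytes": len(flow.payload)}


# Constructed sample flows (not from a real network).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\nPASS S3cret!\r\nSYST\r\n"),
    Flow("10.0.0.6", "10.0.0.21", 80,
         b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
         b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    Flow("10.0.0.7", "10.0.0.22", 80,
         b"POST /login HTTP/1.1\r\nHost: app\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=bob&password=Winter2024"),
    # Start of a TLS ClientHello on 443: any password inside is not visible.
    Flow("10.0.0.8", "10.0.0.23", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print("cleartext credential:", hit)
    print("flow record sees only:", netflow_record(SAMPLE_FLOWS[0]))
```

The TLS flow produces no finding even though it certainly carried a login, which is the point of the question in reverse: a capture only reveals what the protocol sent in the clear. In a real tool, redact the recovered passwords before writing them to a report.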
Question 3: Correct
(Sample Simulation – On the real exam for this type of question, you would receive
3-5 pictures and be asked to drag and drop them into place next to the correct
term.)

Which of the following types of attacks occurs when an attacker sends unsolicited
messages over Facebook messenger?

Spear phishing

Spamming

Spimming

(Correct)

Phishing

Pharming

Explanation
OBJ-1.1: Spim (spam over instant messaging) is a type of spam targeting users of
instant messaging (IM) services, SMS, or private messages within websites and
social media, such as Facebook Messenger. If the unsolicited messages had been
sent by email, they would instead have been classified as spam.
Question 4: Correct
Which type of media sanitization would you classify degaussing as?

Clearing

Erasing

Purging

(Correct)

Destruction

Explanation
OBJ-2.7: Degaussing is classified as a form of purging. Purging renders the
information infeasible to recover even with laboratory techniques. Purging includes
degaussing, cryptographic erase (encrypting the data and then destroying its
encryption key), and other non-destructive techniques. Some magnetic storage media
can be reused after degaussing, such as VHS tapes and some older backup tapes. For
this reason, degaussing is classified as purging and not destruction, even though
hard drives are rendered unusable after being degaussed because the degausser also
wipes the factory-written servo tracks the drive needs to operate. Note that
degaussing only works on magnetic media; it has no effect on flash-based devices
such as SSDs. Clearing prevents data from being retrieved without state-of-the-art
laboratory techniques. Clearing often involves overwriting data one or more times
with repetitive or randomized data. Destroying data is designed not merely to
render the information unrecoverable but also to prevent any reuse of the media
itself. Destruction is a physical process that may involve shredding media into
pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it
to ash. Erasing or deleting is considered a normal operation of a computer, which
only removes the file's pointer on the storage device. Erasing and deleting are
easily reversed, and the data can be recovered with commercially available or
open-source tools.
Question 5: Correct
(Sample Simulation – On the real exam for this type of question, you may
receive a list of different RAID types and be asked to visually display which
hard drives in the RAID are used for redundant data storage as either a stripe
or a mirror. You will then have to identify which RAID type is most
appropriate for each type of server shown.) You are configuring a RAID drive
for a Media Streaming Server. Your primary concern is the speed of delivery
of the data. This server has two hard disks installed. What type of RAID
should you install, and what type of data will be stored on Disk 1 and Disk 2?

RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror)

RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe)

RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe)

(Correct)

RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror)

Explanation
OBJ-2.5: Since this is a media streaming server whose primary concern is speed, you
should implement RAID 0, which stripes the data across both drives so that reads
and writes are spread over two spindles. This increases the speed of data delivery
but provides no redundancy: if either disk fails, the whole volume is lost. If you
were concerned with redundancy, you would choose RAID 1, which keeps a mirror of
the data on both hard disks at the cost of half the raw capacity. You cannot use
RAID 5 since it requires a minimum of 3 disks and stripes the data with distributed
parity across them. You also cannot use RAID 6 since it requires at least 4 disks
with dual parity and striping. RAID 10 also requires 4 disks and is a stripe across
mirrored pairs (combining the benefits of RAID 1 and RAID 0).
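An added example (not from the original page) that models the two layouts in Python: raid0_write alternates chunks between the disks, raid1_write copies every chunk to both, and fail_disk shows why the striped volume cannot survive losing a disk while the mirror can. The stripe size and sample data are constructed for illustration.

```python
"""How RAID 0 striping and RAID 1 mirroring place data on two disks.

Added example, not from the original exam page. Each "disk" is a Python list
of fixed-size chunks and a failed disk is represented by None; the stripe size
and the sample data are constructed for illustration.
"""
from itertools import zip_longest


def raid0_write(data, stripe_size=4):
    """RAID 0: alternate consecutive chunks between disk 1 and disk 2, so a
    sequential read is served by both spindles at once."""
    disks = [[], []]
    for chunk_no, offset in enumerate(range(0, len(data), stripe_size)):
        disks[chunk_no % 2].append(data[offset:offset + stripe_size])
    return disks


def raid0_read(disks):
    """Reassemble the stripe set; impossible if either disk is missing."""
    if any(d is None for d in disks):
        raise IOError("RAID 0 has no redundancy: a failed disk loses the whole volume")
    return b"".join(a + b for a, b in zip_longest(*disks, fillvalue=b""))


def raid1_write(data, stripe_size=4):
    """RAID 1: every chunk is written to both disks."""
    chunks = [data[i:i + stripe_size] for i in range(0, len(data), stripe_size)]
    return [list(chunks), list(chunks)]


def raid1_read(disks):
    """Read from whichever mirror is still present."""
    for disk in disks:
        if disk is not None:
            return b"".join(disk)
    raise IOError("both mirrors failed")


def fail_disk(disks, index):
    """Simulate the loss of one disk without touching the other."""
    survivors = list(disks)
    survivors[index] = None
    return survivors


def usable_capacity(level, disk_sizes):
    """Capacity available to the file system for a two-disk set."""
    if level == 0:
        return sum(disk_sizes)      # striping uses every block
    if level == 1:
        return min(disk_sizes)      # mirroring keeps one copy per disk
    raise ValueError("only RAID 0 and RAID 1 fit on two disks")


if __name__ == "__main__":
    stream = b"MEDIA FRAME 0001 MEDIA FRAME 0002"  # constructed sample data
    print("RAID 0 layout:", raid0_write(stream))
    print("RAID 1 layout:", raid1_write(stream))
    print("RAID 1 after losing disk 1:", raid1_read(fail_disk(raid1_write(stream), 0)))
```

The usable_capacity helper makes the trade-off in the explanation explicit: two 500 GB disks give 1000 GB under RAID 0 and 500 GB under RAID 1.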
Question 6: Correct
As a cybersecurity analyst conducting vulnerability scans, you have just
completed your first scan of an enterprise network comprising over 10,000
workstations. As you examine your findings, you note that you have less than
1 critical finding per 100 workstations. Which of the following statements
BEST explains these results?

The network has an exceptionally strong security posture

The scanner failed to connect with the majority of workstations

The scanner was not compatible with the devices on your network

An uncredentialed scan of the network was performed

(Correct)

Explanation
OBJ-1.7: Uncredentialed scans are generally unable to detect many vulnerabilities
on a device, because the scanner can only see what is exposed on the network
rather than the installed software, patch levels, and configuration that a
logged-in account can inspect. When conducting an internal assessment, you should
perform an authenticated (credentialed) scan of the environment to most accurately
determine the network's vulnerability posture. In most enterprise networks, if a
vulnerability exists on one machine, it also exists on most other workstations
since they are built from a common baseline or image, so fewer than 1 critical
finding per 100 hosts is not a plausible result for a first full scan. If the
scanner had failed to connect to the workstations, an error would have been
generated in the report.
Question 7: Correct
Which of the following categories would contain information about a French
citizen's race or ethnic origin?

SPI

(Correct)

PHI

DLP

PII

Explanation
OBJ-5.5: Under the GDPR, information about an individual's race or ethnic origin is
a special category of personal data, referred to here as sensitive personal
information (SPI). Sensitive personal information is information about a subject's
opinions, beliefs, and nature that is afforded specially protected status by
privacy legislation. Since on its own it cannot uniquely identify somebody and
makes no assertion about health, it is classified as neither PII nor PHI. Data loss
prevention (DLP) is not a data category at all; it is a software solution that
detects and prevents sensitive information from being stored on unauthorized
systems or transmitted over unauthorized networks.
Question 8: Correct
What problem can you solve by using Wireshark?

Tracking source code version changes

Performing packet capture and analysis on a network

(Correct)

Resetting the administrator password on three different servers

Validating the creation dates of web pages on a server

Explanation
OBJ-4.1: Wireshark is a free and open-source packet analyzer. It is used for network
troubleshooting, analysis, software and communications protocol development,
and education. It cannot perform any of the other three options.
Question 9: Correct
You have just completed identifying, analyzing, and containing an incident.
You have verified that the company uses older unencrypted SSDs as part of
their default configuration, and the manufacturer does not provide a SE utility
for the devices. The storage devices contained top-secret data that would
bankrupt the company if it fell into a competitor’s hands. After safely
extracting the device's data and saving it to a new self-encrypting drive, you
have been asked to dispose of the SSDs securely. Which of the following
methods should you use?

Physically destroy the storage devices

(Correct)

Use a secure erase (SE) utility on the storage devices

Conduct zero-fill on the storage devices

Perform a cryptographic erase (CE) on the storage devices

Explanation
OBJ-2.7: Physical destruction is the only option that meets the requirements of
this scenario. A drive can be sanitized using cryptographic erase (CE), secure
erase (SE), zero-fill, or physical destruction. In this scenario, the SSDs were not
self-encrypting drives (SEDs) and no SE utility was available, so the CE and SE
methods cannot be used. Cryptographic erase (CE) sanitizes a self-encrypting drive
by destroying the media encryption key, which leaves every block as unreadable
ciphertext; the drive can then be reimaged and reused. Secure erase (SE) is a
vendor-provided command that sanitizes flash-based devices (such as SSDs or USB
drives) when cryptographic erase is not available. The zero-fill method overwrites
a storage device by setting all bits to zero (0), but this is not effective on SSDs
or hybrid drives because wear leveling and over-provisioned spare blocks mean the
host cannot address, and therefore cannot overwrite, every physical cell. The best
option is physical destruction, since the scenario states that the storage device
has already been replaced with a new self-encrypting drive (SED) and the old SSD
contained top-secret data crucial to maintaining a corporate advantage over the
company's competitors. Physical destruction is done by mechanical shredding or
incineration; degaussing is also a destruction method for magnetic hard drives, but
it does nothing to the flash memory in an SSD.
Question 10: Correct
A new smartphone supports users' ability to transfer a photograph by simply
placing their phones near each other and "tapping" the two phones together.
What type of technology does this most likely rely on?

NFC

(Correct)

IR

BT

RF

Explanation
OBJ-1.4: Near-field communication (NFC) is a set of communication protocols that
enable two electronic devices, one of which is usually a portable device such as a
smartphone, to establish communication by bringing them within about 4 cm of each
other. This is commonly used for contactless payment systems, transferring
contacts, or transferring a file from one device to another. Bluetooth (BT) is a
wireless technology standard used for exchanging data between fixed and mobile
devices over short distances using UHF radio waves in the industrial, scientific, and
medical radio bands from 2.402 GHz to 2.480 GHz and building a personal area
network (PAN). Bluetooth is commonly used when connecting wireless devices like
mice, trackpads, headphones, and other devices. Infrared (IR), standardized as
IrDA, was a wireless networking standard supporting speeds up to about 4 Mbps with
a direct line of sight for communications. Infrared sensors are used in mobile
devices and with IR blasters to control appliances. While infrared (IR) was commonly
used to connect wireless mice and keyboards to a laptop in the 1990s, it has fallen
out of favor in the last 10-15 years since Bluetooth is more reliable and does not
require a direct line of sight between the device and the laptop. Radio frequency
(RF) is the propagation of radio waves at different frequencies and wavelengths; it
is the general category that NFC and Bluetooth both belong to, which is why the
more specific answer is preferred here. For example, Wi-Fi network products use a
frequency of either 2.4 GHz or 5 GHz.
Question 11: Correct
Which of the following protocols could be used inside a virtual system to
manage and monitor the network?

SMTP

BGP

EIGRP

SNMP

(Correct)

Explanation
OBJ-3.1: SNMP is used to monitor and manage networks, both physical and virtual.
SMTP is used for email. BGP and EIGRP are used for routing network data. When
deploying SNMP, use SNMPv3 with authentication and privacy enabled; SNMPv1 and
SNMPv2c send their community strings in cleartext.
Question 12: Correct
Susan, a help desk technician at Dion Training, has received several trouble tickets
today related to employees receiving the same email as part of a phishing
campaign. She has determined that the email's malicious link is not being blocked
by the company's security suite when a user clicks the link. Susan asked you what
action can be performed to prevent a user from reaching the website associated
with the phishing email's malicious link. What action do you recommend she
utilize?

Enable TLS on your organization's mail server

Forward this phishing email to all employees with a warning not to click
on the embedded links

Add the malicious domain name to your content filter and web proxy's
block list

(Correct)

Block the IP address of the malicious domain in your firewall's ACL

Explanation
OBJ-3.3: To prevent a user from accessing the malicious website when the link is
clicked, the malicious domain name should be added to the blocklist of the
company's content filter and web proxy. This will ensure that no devices on the
network can reach the malicious domain name. While blocking the IP address
associated with the domain name might help for a short period of time, the
malicious domain's owner could quickly change its DNS record to point to a
different IP, after which users would again be able to reach the malicious domain
and its contents. Enabling TLS on the mail server only encrypts the connection
between the email server and its clients; it will not prevent users from clicking
the malicious link and accessing the malicious content. While informing users that
an active phishing attempt is being conducted against the organization is a good
idea, forwarding the phishing email with the live malicious link will generally
cause more users to accidentally click on it, which further exacerbates the issue.
Question 13: Correct
An internet marketing company decided that they didn't want to follow the
rules for GDPR because it would create too much work for them. They wanted
to buy insurance, but no insurance company would write them a policy to
cover any fines received. They considered how much the fines might be and
decided to ignore the regulation and its requirements. Which of the following
risk strategies did the company choose?

Acceptance

(Correct)

Transference

Mitigation

Avoidance

Explanation
OBJ-5.4: The internet marketing company initially tried to transfer the risk (buy
insurance) but, when no insurer would write the policy, decided to accept the risk
and carry on. Mitigation would have meant reducing the risk by actually
implementing the GDPR requirements. To avoid the risk, the company would have
changed how it did business, for example by preventing European customers from
signing up for its mailing list using geolocation blocks.
Question 14: Correct
A cybersecurity analyst conducts an incident response at a government
agency when she discovers that attackers had exfiltrated PII. Which of the
following types of breaches has occurred?

Proprietary breach

Privacy breach

(Correct)

Integrity breach

Financial breach

Explanation
OBJ-4.5: A data breach is an incident where information is stolen or taken from a
system without the knowledge or authorization of the system's owner. If sensitive
personally identifiable information (PII) was accessed or exfiltrated, then a
privacy breach has occurred. If information such as trade secrets was accessed or
exfiltrated, then a proprietary breach has occurred. If any data is modified or
altered, then an integrity breach has occurred. If any information related to
payroll, tax returns, banking, or investments is accessed or exfiltrated, then a
financial breach has occurred.
Question 15: Incorrect
(Sample Simulation – On the real exam for this type of question, you would receive
3-5 pictures and be asked to drag and drop them into place next to the correct
term.)
How would you appropriately categorize the authentication method being
displayed here?

One-time password authentication

Biometric authentication

(Incorrect)

PAP authentication

(Correct)

Multifactor authentication

Explanation
OBJ-2.4: For the exam, you need to know the different authentication categories
and what type of authentication methods belong to each category. A username and
password are used as part of the Password Authentication Protocol (PAP). A
username and password are also considered a knowledge factor (something you know)
in an authentication system; on their own they are a single factor, so this is not
multifactor authentication. Note that PAP sends the password in cleartext, so it
should only be used inside an encrypted tunnel.
Question 16: Correct
Windows file servers commonly hold sensitive files, databases, passwords,
and more. What common vulnerability is usually used against a Windows file
server to expose sensitive files, databases, and passwords?


Missing patches

(Correct)

SQL injection

Cross-site scripting

CRLF injection

Explanation
OBJ-3.2: Missing patches are the most common vulnerability found on both Windows
and Linux systems. When a security patch is released, attackers begin to reverse
engineer it to build an exploit for the vulnerability it fixes. If your servers are
not patched against the vulnerability, they can fall victim to the exploit, and the
server's data can be compromised. Cross-site scripting (XSS) is a type of injection
in which malicious scripts are injected into otherwise benign and trusted websites;
the script executes in a user's browser, not on the server. CRLF injection is a
software coding vulnerability that occurs when an attacker injects a
carriage-return/line-feed character sequence where it is not expected. SQL
injection is the placement of malicious code in SQL statements via web page input.
SQL injection is commonly used against databases, but it is not useful when
attacking file servers.
Question 17: Correct
When you purchase an exam voucher at diontraining.com, the system only
collects your name, email, and credit card information. Which of the following
privacy methods is being used by Dion Training?

Tokenization

Anonymization

Data minimization

(Correct)

Data masking

Explanation
OBJ-5.5: Data minimization involves limiting data collection to only what is required
to fulfill a specific purpose. Reducing what information is collected reduces the
amount and type of information that must be protected. Since we only need your
name and email to deliver the voucher and your credit card to receive payment for
the voucher, we do not collect any additional information, such as your home
address or phone number. Data masking means that all or part of a field's
contents are redacted, for example by substituting every character with x; it is
not reversible. Tokenization means that all or part of the data in a field is
replaced with a randomly generated token. The token is stored with the original
value on a token server or token vault, separate from the production database. An
authorized query or app can retrieve the original value from the vault if
necessary, so tokenization is a reversible technique. Data anonymization is the
process of removing personally identifiable information from data sets so that the
people whom the data describe remain anonymous.
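To make the distinction concrete, here is an added example (not Dion Training's checkout code) that applies minimization, masking and tokenization to a constructed order record. REQUIRED_FIELDS, TokenVault and process_order are this example's own names, and the in-memory vault stands in for a separate token server.

```python
"""Data minimization, masking, and tokenization side by side.

Added example, not code from the original page or from Dion Training's
checkout system. The order record and card number are constructed sample
data; the vault is an in-memory stand-in for a separate token server.
"""
import secrets

# Only what the stated purpose needs: delivering a voucher and taking payment.
REQUIRED_FIELDS = ("name", "email", "card_number")


def minimize(record, required=REQUIRED_FIELDS):
    """Drop every field that the purpose does not require."""
    return {k: record[k] for k in required if k in record}


def mask_card(pan, keep_last=4):
    """Irreversible: replace all but the last digits with 'x'."""
    digits = pan.replace(" ", "")
    return "x" * (len(digits) - keep_last) + digits[-keep_last:]


class TokenVault:
    """Maps values to random tokens. Only a caller with access to the vault can
    recover the original, which is what makes tokenization reversible."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value in self._by_value:          # same value, same token
            return self._by_value[value]
        while True:
            token = secrets.token_hex(8)     # random: carries nothing about value
            if token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]         # KeyError for an unknown token


def process_order(submitted, vault):
    """Return the minimized record as stored (card number replaced by a token)
    next to a masked copy suitable for a receipt."""
    kept = minimize(submitted)
    stored = dict(kept, card_number=vault.tokenize(kept["card_number"]))
    receipt = dict(kept, card_number=mask_card(kept["card_number"]))
    return stored, receipt


if __name__ == "__main__":
    form = {  # constructed: what a web form might submit
        "name": "Ada Lovelace", "email": "ada@example.com",
        "card_number": "4111 1111 1111 1111",
        "phone": "+1-555-0100", "home_address": "1 Analytical Way",
    }
    vault = TokenVault()
    stored, receipt = process_order(form, vault)
    print("stored :", stored)
    print("receipt:", receipt)
    print("charged:", vault.detokenize(stored["card_number"]))
```

The stored record never contains the real card number, the receipt cannot be reversed, and only a caller holding the vault can turn the token back into the value, which is why the vault must live on a separately secured system.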
Question 18: Correct
Which of the following is a best practice that should be followed when
scheduling vulnerability scans of an organization's data center?

Schedule scans to run during peak times to simulate performance under
load

Schedule scans to run during periods of low activity

(Correct)

Schedule scans to begin at the same time every day

Schedule scans to be conducted evenly throughout the day

Explanation
OBJ-1.7: For the best results, the scans should be scheduled during periods of low
activity. This will help to reduce the negative impact of scanning on business
operations, since an active scan adds network load and can crash fragile services.
The other three options all carry a higher risk of causing disruptions to the
network or its business operations.
Question 19: Correct
Which of the following cryptographic algorithms is classified as asymmetric?

AES

RSA

(Correct)

DES

RC4

Explanation
OBJ-2.8: RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems
and is widely used for secure data transmission and digital signatures. As a
public-key cryptosystem, it relies on an asymmetric algorithm: a public key that
can be shared freely and a mathematically related private key that is kept secret.
AES, RC4, and DES are all symmetric algorithms, in which the same secret key is
used to encrypt and decrypt. Of the three, only AES is still considered secure; DES
and RC4 are deprecated.
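An added example, not from the original page: textbook RSA in Python showing which key does what. The primes are small Mersenne primes chosen so the numbers stay readable, there is no padding, and nothing here should be used in place of a vetted library.

```python
"""Textbook RSA with the roles of the public and private keys made explicit.

Added example, not from the original page. This is textbook RSA (no padding)
with toy-sized primes chosen for readability; real deployments use 2048-bit
or larger keys with OAEP or PSS padding from a vetted library.
"""
from math import gcd

# Constructed toy primes (2^31-1 and 2^61-1), far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1


def rsa_keygen(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private key holder can decrypt."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """Signing reverses the roles: the private key produces the signature."""
    n, d = private_key
    return pow(int.from_bytes(message, "big"), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The public key checks the signature."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(message, "big")


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    c = encrypt(pub, b"RSA demo")
    print("ciphertext:", c)
    print("decrypted :", decrypt(priv, c))
    s = sign(priv, b"RSA demo")
    print("signature verifies:", verify(pub, b"RSA demo", s))
    print("tampered verifies :", verify(pub, b"RSA demX", s))
```

The two keys share the modulus n but have different exponents, which is what separates RSA from AES, DES, or RC4: with those, whoever can encrypt can also decrypt because there is only one key.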
Question 20: Correct
Which cloud computing concept is BEST described as focusing on the
replacement of applications and programs on a customer's workstation with
cloud-based resources?

IaaS

SaaS

(Correct)

DaaS

PaaS

Explanation
OBJ-2.2: Software as a Service (SaaS) is a cloud computing service that enables a
service provider to make applications available over the Internet to end-users. This
can be a calendar, scheduling, invoicing, word processor, database, or other
program. For example, Google Docs and Office 365 are both word processing SaaS
solutions. Infrastructure as a Service (IaaS) is a cloud computing service that
enables a consumer to outsource the purchase of computing equipment and the
running of their own data center. Platform as a Service (PaaS) is a cloud computing
service that enables consumers to rent fully configured systems that are set up for
specific purposes. Desktop as a Service (DaaS) provides a full virtualized desktop
environment from within a cloud-based service. This is also known as VDI (Virtual
Desktop Infrastructure) and is becoming common in large enterprise businesses
focused on increasing their security and minimizing their operational expenses.
Question 21: Correct
A penetration tester has issued the following command on a victimized host:
nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command?

Netcat will listen on port 8080 and then output anything received to local
interface 192.168.1.76

Netcat will listen on port 8080 and output anything received to a remote
connection on 192.168.1.76 port 443

(Correct)

Netcat will listen on the 192.168.1.76 interface for 443 seconds on port
8080

Netcat will listen for a connection from 192.168.1.76 on port 443 and
output anything received to port 8080

Explanation
OBJ-4.1: In the traditional netcat (nc) syntax, -l tells netcat to listen and -p
specifies the listening port (the OpenBSD variant takes the port directly, as nc -l
8080). The | character connects the first netcat's standard output to the second
netcat's standard input, so everything received on port 8080 is forwarded over the
outbound connection to 192.168.1.76 on port 443. The relay is one-way: replies from
192.168.1.76 are not sent back to the client on port 8080 unless a named pipe is
added to carry them. This is a common technique to bypass a firewall that filters
by port number, because outbound traffic to port 443 looks like HTTPS; note that
netcat does not add TLS, so the forwarded data is sent in cleartext.
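An added example, not from the original page, that reproduces the pipeline's behaviour in Python so it can be run on one machine: relay is the nc -l -p 8080 | nc 192.168.1.76 443 stage, and demo sets up a local listener standing in for 192.168.1.76:443, pushes a payload through, and returns what the far end received. The ports are allocated at run time rather than being 8080 and 443.

```python
"""One-way TCP relay equivalent to `nc -l -p 8080 | nc 192.168.1.76 443`.

Added example, not from the original page. It runs entirely on localhost:
a throwaway listener stands in for the remote host 192.168.1.76:443, and
the ports are chosen at run time instead of 8080/443.
"""
import socket
import threading

TIMEOUT = 5  # seconds; keeps a broken run from hanging forever


def relay(listener, dst_addr, bufsize=4096):
    """Accept one client on `listener` (the 'nc -l -p 8080' side) and copy
    every byte it sends to dst_addr (the 'nc host 443' side). Like the shell
    pipe this is one-way: nothing the destination replies is sent back."""
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    forwarded = 0
    with conn, socket.create_connection(dst_addr, timeout=TIMEOUT) as out:
        while True:
            chunk = conn.recv(bufsize)
            if not chunk:          # client closed: EOF ends the pipe
                break
            out.sendall(chunk)
            forwarded += len(chunk)
    return forwarded


def _listen_local():
    """Listening TCP socket on 127.0.0.1 with an OS-assigned free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(TIMEOUT)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send `payload` through the relay and return what the stand-in remote
    host received."""
    remote = _listen_local()            # stands in for 192.168.1.76:443
    listener = _listen_local()          # stands in for the victim's port 8080
    received = bytearray()

    def collect():
        c, _ = remote.accept()
        c.settimeout(TIMEOUT)
        with c:
            while True:
                data = c.recv(4096)
                if not data:
                    break
                received.extend(data)

    t_remote = threading.Thread(target=collect)
    t_relay = threading.Thread(target=relay, args=(listener, remote.getsockname()))
    t_remote.start()
    t_relay.start()

    with socket.create_connection(listener.getsockname(), timeout=TIMEOUT) as client:
        client.sendall(payload)         # closing the socket sends EOF to the relay
    t_relay.join()
    t_remote.join()
    remote.close()
    listener.close()
    return bytes(received)


if __name__ == "__main__":
    print(demo())
```

Because relay never reads from the outbound socket, a request pushed through it reaches the far end but its response is dropped, exactly as with the two-command pipe; a bidirectional relay needs a second data path (a named pipe in the shell, or a second copying thread here).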
Question 22: Incorrect
(Sample Simulation – On the real exam for this type of question, you would have to
fill in the blanks by dragging and dropping them into place.)
Using the image provided, select four security features that you should use to best
protect your servers in the data center. This can include physical, logical, or
administrative protections.

Strong passwords, Biometrics, Mantrap, Cable lock

(Incorrect)

Antivirus, Mantrap, Cable lock, GPS tracking

GPS tracking, Biometrics, Proximity badges, Remote wipe

FM-200, Biometric locks, Mantrap, Antivirus

(Correct)

Explanation
OBJ-2.7: The best option among these choices is FM-200, Biometric locks, Mantrap,
and Antivirus. FM-200 is a clean-agent fire suppression system commonly used in
data centers and server rooms because it extinguishes a fire without the water
damage a sprinkler would cause. Biometric locks are often used in high-security
areas as the lock on the access door. Additionally, biometric authentication could
be used for a server by using a USB fingerprint reader. Mantraps are often used as
part of securing a data center as well; this area creates a boundary between a
lower security area (such as the offices) and the higher security area (the server
room) and prevents tailgating. Antivirus should be installed on servers since it
can use signature-based scans to ensure files are safe before they are executed.
Cable locks, GPS tracking, and remote wipe are controls for portable devices, not
for rack-mounted servers.
Question 23: Correct
(Sample Simulation – On the real exam for this type of question, you would have to
rearrange the ports into the proper order by dragging and dropping them into
place.)
Using the image provided, place the port numbers in the correct order with their
associated protocols:

22, 110, 161, 23

(Correct)

110, 161, 23, 22

23, 110, 22, 161

161, 22, 110, 23

Explanation
OBJ-3.1: For the exam, you need to know your ports and protocols. Secure Copy
(SCP) operates over port 22 because it runs on top of SSH. Telnet operates over
port 23. The Simple Network Management Protocol (SNMP) operates over UDP port 161
(with traps sent to port 162). Post Office Protocol 3 (POP3) operates over port
110.
Question 24: Correct
Tim, a help desk technician, receives a call from a frantic executive who states
that their company-issued smartphone was stolen during their lunch meeting
with a rival company’s executive. Tim quickly checks the MDM administration
tool and identifies that the user’s smartphone is still communicating with the
MDM, and displays its location on a map. What should Tim do next to ensure
the stolen device's data remains confidential and inaccessible to the thief?

Reset the device's password

Perform a remote wipe of the device

(Correct)

Remotely encrypt the device

Identify the IP address of the smartphone

Explanation
OBJ-3.5: To ensure the data remains confidential and is not accessed by the thief,
Tim should perform a remote wipe of the device from the MDM while it is still
checking in. This will ensure any corporate data is erased before anyone accesses
it. Tim could instead reset the device's password, but if the thief could guess or
crack the password, they would still have access to the data. Identifying the
smartphone's IP address is not a useful step in protecting the data on the device.
Additionally, devices should be encrypted BEFORE they are lost or stolen, not
after; once the device is in the thief's hands there is no safe way to encrypt data
that was stored in the clear. Therefore, the option to remotely encrypt the device
is provided as a wrong answer and a distractor.
Question 25: Correct
Dion Training has just completed an assessment as part of its disaster
recovery planning. The assessment found that the organization can only
tolerate a maximum of 30 minutes of downtime for their public-facing
webserver. Which of the following metrics would best represent this period of
time?

RTO

(Correct)

MTTR

MTBF

RPO

Explanation
OBJ-5.4: The Recovery Time Objective (RTO) is the targeted duration of time and
service level within which a business process must be restored after a disaster (or
disruption) to avoid unacceptable consequences associated with a break in business
continuity. In this example, 30 minutes would be the RTO. The Recovery Point
Objective (RPO) instead describes how much data loss is tolerable, measured as the
age of the last good copy; MTTR and MTBF are maintainability and reliability
averages for a component, not tolerances set by the business.
Question 26: Correct
An ethical hacker has been hired to conduct a physical penetration test of a
company. During the first day of the test, the ethical hacker dresses up like a
plumber and waits in the building's main lobby until an employee goes
through the main turnstile. As soon as the employee enters his access number
and proceeds to go through the turnstile, the ethical hacker follows them
through the access gate. What type of attack did the ethical hacker utilize to
access the restricted area of the building?

Spoofing

Tailgating

(Correct)

Social engineering

Shoulder surfing

Explanation
OBJ-1.1: Based on the description, the ethical hacker conducted a very specialized
type of social engineering attack known as tailgating. Sometimes on a certification
exam there are two correct answers, but one is more correct; this question is an
example of that concept. Tailgating involves someone who lacks the proper
authorization following an employee into a restricted area. Social engineering
uses deception to manipulate individuals into divulging confidential or personal
information that may be used for fraudulent purposes. Shoulder surfing is a type of
social engineering technique used to obtain personal identification numbers (PINs),
passwords, and other confidential data by looking over the victim's shoulder.
Spoofing is the act of disguising a communication from an unknown source as
being from a known, trusted source.
Question 27: Correct
You have been asked to help design a new architecture for Dion Training’s website.
The current architecture involves a single server that hosts the website in its
entirety. The company’s newest course has been creating a lot of interest on social
media. The CIO is concerned that the single server will not be able to handle the
increased demand that could result from this increased publicity. What technology
should you implement in the new architecture to allow multiple web servers to
serve up the courses and meet this expected increase in demand from new
students?

VPN concentrator

DLP

RAID

Load balancer

(Correct)

Explanation
OBJ-3.3: A load balancer allows for high availability and the ability to serve
increased demand by splitting the workload across multiple servers. RAID is a high
availability technology that allows multiple hard disks to act logically as one to
handle more throughput, but it will not solve the higher demand on the server's
limited processing power as a load balancer would. A VPN concentrator is a
networking device that provides the secure creation of VPN connections and the
delivery of messages between VPN nodes. A data loss prevention (DLP) system is
focused on preventing sensitive data and intellectual property from leaving the
organization. Therefore, a DLP will not help meet the increased demand from new
students.
Question 28: Correct
(Sample Simulation – On the real exam for this type of question, you would receive
3-5 pictures and be asked to drag and drop them into place next to the correct
term.)

Which of the following types of attacks occurs when an attacker attempts to obtain
personal or private information through domain spoofing or poisoning a DNS
server?

Spear phishing

Hoax

Vishing

Pharming

(Correct)

Spamming

Explanation
OBJ-1.1: Pharming is the fraudulent practice of directing Internet users to a bogus
website that mimics the appearance of a legitimate one, by poisoning a DNS server
or the victim's hosts file rather than by tricking the user into clicking a link,
to obtain personal information such as user passwords, account numbers, and other
confidential data.
Question 29: Correct
You are working in a doctor's office and have been asked to set up a kiosk to
allow customers to check in for their appointments. The kiosk should be
secured, and only allow customers to access a single application used for the
check-in process. You must also ensure that the computer will automatically log
in whenever the system is powered on or rebooted. Which of the following
types of accounts should you configure for this kiosk?

Guest

(Correct)

Administrator

Remote Desktop User

Power User

Explanation
OBJ-3.7: A Windows guest account lets other people use your computer without being
able to change PC settings, install apps, or access your private files. A guest
account is a Microsoft Windows user account with limited capabilities and no
privacy, and it is disabled by default, so it must be enabled for the kiosk. The
kiosk should also be configured to log on automatically as that account and to
launch only the check-in application, and the account must never be given local
administrator rights. An administrator account is a Microsoft Windows user account
that can perform all tasks on the computer, including installing and uninstalling
apps, setting up other users, and configuring hardware and software.
Question 30: Correct
You are working as a penetration tester and have discovered a new method of
exploiting a vulnerability within the Windows 10 operating system. You
conduct some research online and discover that a security patch against this
particular vulnerability doesn't exist yet. Which type of threat would this BEST
be categorized as?

Brute force

Zero-day

(Correct)

Spoofing

DDOS

Explanation
OBJ-1.6: A zero-day attack happens once that flaw, or software/hardware
vulnerability, is exploited, and attackers release malware before a developer has an
opportunity to create a patch to fix the vulnerability, hence the term zero-day. A
Distributed Denial of Service (DDoS) attack is an attempt to make an online service
unavailable by overwhelming it with traffic from multiple sources. A brute-force
attack consists of an attacker systematically trying all possible password and
passphrase combinations until the correct one is found. Spoofing is the act of
disguising a communication from an unknown source as being from a known,
trusted source.
Question 31: Correct
A cybersecurity analyst is attempting to classify network traffic within an
organization. The analyst runs the tcpdump command and receives the following
output:

Which of the following statements is true based on this output?

11.154.12.121 is a client that is accessing an SSH server over port 52497

11.154.12.121 is under attack from a host at 10.0.19.121

10.0.19.121 is a client that is accessing an SSH server over port 52497

(Correct)

10.0.19.121 is under attack from a host at 11.154.12.121

Explanation
OBJ-4.1: This output from the tcpdump command is displaying three packets in a
larger sequence of events. Based solely on these three packets, we can only be
certain that the server (11.154.12.121) runs an SSH server over port 22. This is
based on the first line of the output. The second and third lines are the server
responding to the request and sending data back to the client (10.0.19.121) over
port 52497. There is no evidence of an attack against either the server or the client
based on this output since we can only see the headers and not the content being
sent between the client and server.
Question 32: Correct
In which type of attack does the attacker begin with a normal user account
and then seek additional access rights?

Remote code exploitation

Cross-site scripting

Spear phishing

Privilege escalation

(Correct)

Explanation
OBJ-1.8: Privilege escalation attacks seek to increase the access level that an
attacker has to a target system. Privilege escalation is the act of exploiting a bug,
design flaw, or configuration oversight in an operating system or software
application to gain elevated access to resources that are normally protected from
an application or user. Spear phishing is an email or electronic communications
scam targeted towards a specific individual, organization, or business. Cross-Site
Scripting (XSS) attacks are a type of injection in which malicious scripts are injected
into otherwise benign and trusted websites. Remote code execution is the ability
an attacker has to access someone else's computing device and make changes, no
matter where the device is geographically located.
Question 33: Incorrect
While working as a security analyst, you have been asked to monitor the
SIEM. You observed network traffic going from an external IP to an internal
host's IP within your organization's network over port 443. Which of the
following protocols would you expect to be in use?

HTTP

(Incorrect)

TLS

(Correct)

TFTP

SSH

Explanation
OBJ-3.1: Transport Layer Security (TLS) is used to secure web connections over port
443. Since port 443 was in use, you should expect either HTTPS, SSL, or TLS to be
used as the protocol. If not, this would be suspicious activity and should be
investigated. In fact, since this was a connection from the external IP to an internal
host over port 443, this is suspicious and could be indicative of a remote access
trojan on your host.
Question 34: Correct
An independent cybersecurity researcher has contacted your company to
prove a buffer overflow vulnerability exists in one of your applications. Which
technique would have been most likely to identify this vulnerability in your
application during development?

Pair programming

Dynamic code analysis

Manual Peer Review

Static code analysis

(Correct)

Explanation
OBJ-3.4: Buffer overflows are most easily detected by conducting a static code
analysis. Manual peer review or pair programming methodologies might have been
able to detect the vulnerability. Still, they do not have the same level of success as a
static code analysis using proper tools. DevSecOps methodology would also
improve the likelihood of detecting such an error but still rely on human-to-human
interactions and human understanding of source code to detect the fault. Dynamic
code analysis also may have detected this if the test found exactly the right
condition. Still, again, a static code analysis tool is designed to find buffer overflows
more effectively.
Question 35: Correct
After analyzing and correlating activity from the firewall logs, server logs, and
the intrusion detection system logs, a cybersecurity analyst has determined
that a sophisticated breach of the company’s network security may have
occurred from a group of specialized attackers in a foreign country over the
past five months. Up until now, these cyberattacks against the company
network had gone unnoticed by the company’s information security team.
How would you best classify this threat?

Insider threat

Spear phishing

Privilege escalation

Advanced persistent threat (APT)

(Correct)

Explanation
OBJ-1.5: An advanced persistent threat (APT) is a network attack in which an
unauthorized person gains access to a network and stays there undetected for a
long period of time. An APT attack intends to steal data rather than to cause
damage to the network or organization. An APT refers to an adversary's ongoing
ability to compromise network security, obtain and maintain access, and use
various tools and techniques. They are often supported and funded by nation-states
or work directly for a nation-state's government. Spear phishing is the
fraudulent practice of sending emails ostensibly from a known or trusted sender to
induce targeted individuals to reveal confidential information. An insider threat is a
malicious threat to an organization from people within the organization, such as
employees, former employees, contractors, or business associates, who have inside
information concerning the organization's security practices, data, and computer
systems. Privilege escalation is the act of exploiting a bug, design flaw, or
configuration oversight in an operating system or software application to gain
elevated access to resources that are normally protected from an application or
user. While an APT may use spear phishing, privilege escalation, or an insider threat
to gain access to the system, the scenario presented in this question doesn't
specify what method was used. Therefore, APT is the best answer to select.
Question 36: Correct
You are in the recovery steps of an incident response. Your analysis revealed
that the attacker exploited an unpatched vulnerability on a public-facing web
server as the initial intrusion vector in this incident. Which of the following
mitigations should be implemented first during the recovery?

Disable unused user account and reset the administrator credentials

Restrict host access to peripheral protocols like USB and Bluetooth

Restrict shell commands by user or host to ensure least privilege is followed

Scan the network for additional instances of this vulnerability and patch
the affected assets

(Correct)

Explanation
OBJ-4.2: All of the options listed are the best security practices to implement before
and after a detected intrusion, but scanning for additional instances of this
vulnerability should be performed first. Often, an enterprise network uses the same
baseline configuration for all servers and workstations. Therefore, if a vulnerability
is exploited on one device (such as an insecure configuration), that same
vulnerability could exist on many other assets across the network. During your
recovery, you must identify if any other network systems share the same
vulnerability and mitigate them. If you don't, the attacker could quickly reinfect
your network by simply attacking another machine using the same techniques used
during this intrusion. The other options listed are all examples of additional device
hardening that should be conducted during recovery after you have identified the
exploited vulnerability across the rest of the network.
Question 37: Incorrect
During her login session, Sally is asked by the system for a code sent to her
via text (SMS) message. Which of the following concerns should she raise to
her organization’s AAA services manager?

SMS is a costly method of providing a second factor of authentication

SMS should be paired with a third factor

(Incorrect)

SMS should be encrypted to be secure

SMS messages may be accessible to attackers via VoIP or other systems

(Correct)

Explanation
OBJ-2.4: NIST’s SP 800-63-3 recommends that SMS messages be deprecated as a
means of delivering a second factor for multifactor authentication because they
may be accessible to attackers. SMS cannot be encrypted (at least without
adding additional applications to phones). A third factor is typically not a user-
friendly recommendation and would be better handled by replacing SMS with the
proposed third factor. SMS is not a costly method since it can be deployed for less
than $20/month at scale.
Question 38: Correct
You conducted a security scan and found that port 389 is being used when
connecting to LDAP for user authentication instead of port 636. The security
scanning software recommends that you remediate this by changing user
authentication to port 636 wherever possible. What should you do?

Conduct remediation actions to update encryption keys on each server to match port 636

Change all devices and servers that support it to port 636 since port 389
is a reserved port that requires root access and can expose the server to
privilege escalation attacks

Mark this as a false positive in your audit report since the services that
typically run on ports 389 and 636 are identical

Change all devices and servers that support it to port 636 since encrypted
services run by default on port 636

(Correct)

Explanation
OBJ-3.1: LDAP can be run on either port 389 or port 636. Port 389 is the standard
port for LDAP but typically runs unencrypted LDAP services over this port. Instead,
you should change all devices and servers that can technically support the change
to port 636 since LDAP services over port 636 are encrypted by default.
Question 39: Correct
What is the lowest layer (bottom layer) of a bare-metal virtualization
environment?

Hypervisor

Host operating system

Physical hardware

(Correct)

Guest operating system

Explanation
OBJ-2.2: The bottom layer is physical hardware in this environment. It is what sits
beneath the hypervisor, which in turn controls access for the guest operating systems. The bare-
metal approach doesn't have a host operating system. A hypervisor is a program
used to run and manage one or more virtual machines on a computer. A host
operating system is an operating system that is running the hypervisor.
Question 40: Correct
To improve the Dion Training corporate network's security, a security
administrator wants to update the configuration of their wireless network to
have IPSec built into the protocol by default. Additionally, the security
administrator would like for NAT to no longer be required for extending the
number of IP addresses available. What protocol should the administrator
implement on the wireless network to achieve their goals?

IPv6

(Correct)

IPv4

WEP

WPA2

Explanation
OBJ-3.1: IPv6 includes IPsec built into the protocol by default. Additionally, IPv6
also provides an extended IP address range for networks, eliminating the need for
using NAT. IPv4 does not include IPsec or extended IP address ranges by default.
WPA2 is the most modern and secure version of wireless encryption for WiFi
networks, but it doesn't include IPsec or extended IP address ranges by default.
WEP is an older version of wireless encryption for WiFi networks and doesn't
provide these features by default, either.
Question 41: Correct
You are conducting threat hunting for an online retailer. Upon analyzing their
web server, you identified that a single HTML response returned as 45 MB in
size, but an average response is normally only 275 KB. Which of the following
categories of potential indicators of compromise would you classify this as?

Data exfiltration

(Correct)

Introduction of new accounts

Beaconing

Unauthorized privilege

Explanation
OBJ-1.6: If attackers use SQL injection to extract data through a Web application,
the requests issued by them will usually have a larger HTML response size than a
normal request. For example, if the attacker extracts the full credit card database,
then a single response for that attacker might be 20 to 50 MB, where a normal
response is only 200 KB. Therefore, this scenario is an example of a data exfiltration
indicator of compromise. Based on the scenario, there is no evidence that a user is
conducting a privilege escalation or using unauthorized privileges. There is also no
evidence of a new account having been created or beaconing occurring over the
network.
Question 42: Correct
A cybersecurity analyst is reviewing the logs of an authentication server and sees
the following output:

What type of attack was most likely being attempted by the attacker?

Impersonation

Brute force

(Correct)

Password spraying

Credential stuffing

Explanation
OBJ-1.2: This is an example of a brute force attack. Unlike password spraying that
focuses on attempting only one or two passwords per user, a brute force attack
focuses on trying multiple passwords for a single user. The goal of this attack is to
crack the user's password and gain access to their account. Password spraying,
instead, refers to the attack method that takes a large number of usernames and
loops them with a single password. We can use multiple iterations using several
different passwords, but the number of passwords attempted is usually low
compared to the number of users attempted. This method avoids password
lockouts, and it is often more effective at uncovering weak passwords than
targeting specific users. In the scenario provided, only one or two attempts are
being made to each username listed. This is indicative of a password spraying
attack instead of a brute force attempt against a single user. Impersonation is the
act of pretending to be another person for fraudulent purposes. Credential stuffing
is the automated injection of breached username/password pairs to fraudulently gain
access to user accounts. This is a subset of the brute force attack category:
large numbers of spilled credentials are automatically entered into websites until
they are potentially matched to an existing account. The attacker can then hijack
the account for their purposes.
Question 43: Correct
(Sample Simulation – On the real exam for this type of question, you would receive
3-5 pictures and be asked to drag and drop them into place next to the correct
term.)

How would you appropriately categorize the authentication method being displayed here?

Multifactor authentication

(Correct)

Biometric authentication

PAP authentication

One-time password authentication

Explanation
OBJ-2.4: For the exam, you need to know the different authentication categories
and what type of authentication methods belong to each category. This is an
example of multifactor authentication because you are using both a
username/password combination with an SMS code. This provides a knowledge
factor (username/password) and a possession factor (your smartphone) to provide
two factors of authentication, making this the best option.
Question 44: Correct
What containment technique is the strongest possible response to an
incident?

Segmentation

Isolating affected systems

(Correct)

Enumeration

Isolating the attacker

Explanation
OBJ-4.4: Isolation involves removing an affected component from whatever larger
environment it is a part of. This can be anything from removing a server from the
network after it has been the target of a DoS attack to placing an application in a
sandbox virtual machine (VM) outside of the host environment it usually runs on.
Segmentation-based containment is a means of achieving the isolation of a host or
group of hosts using network technologies and architecture. Segmentation uses
VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from
communicating outside the protected segment. Removal is not an industry term, but
it would be a synonym for isolation. Enumeration is defined as the process
of extracting usernames, machine names, network resources, shares, and services
from a system. Isolating the attacker would only stop their direct two-way
communication with and control of the affected system. However, it would not be the
strongest possible response since there could be malicious code still running on
your victimized machine.
Question 45: Correct
Your company is adopting a new BYOD policy for tablets and smartphones.
Which of the following would allow the company to secure the sensitive
information on personally owned devices and provide the ability to remotely wipe
corporate information without affecting the user's personal data?

Face ID

Long and complex passwords

Containerization

(Correct)

Touch ID

Explanation
OBJ-3.5: Containerization is the logical isolation of enterprise data from personal
data while co-existing in the same device. The major benefit of containerization is
that administrators can only control work profiles that are kept separate from the
user’s personal accounts, apps, and data. This technology creates a secure vault for
your corporate information. Highly targeted remote wiping is supported with most
container-based solutions.
Question 46: Correct
While investigating a data breach, you discover that the account credentials
used belonged to an employee who was fired several months ago for
misusing company IT systems. The IT department never deactivated the
employee's account upon their termination. Which of the following
categories would this breach be classified as?

Zero-day

Advanced persistent threat

Insider Threat

(Correct)

Known threat

Explanation
OBJ-1.5: An insider threat is any current or former employee, contractor, or
business partner who has or had authorized access to an organization’s network,
system, or data and intentionally exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or availability of the organization’s
information or information systems. Based on the details provided in the question,
it appears the employee’s legitimate credentials were used to conduct the breach.
This would be classified as an insider threat. A zero-day is a vulnerability in software
unpatched by the developer or an attack that exploits such a vulnerability. A known
threat is a threat that can be identified using a basic signature or pattern matching.
An advanced persistent threat (APT) is an attacker with the ability to obtain,
maintain, and diversify access to network systems using exploits and malware.
Question 47: Correct
You are conducting a routine vulnerability scan of a server when you find a
vulnerability. You locate a patch for the vulnerability on the software vendor's
website. What should you do next?

Submit a Request for Change using the change management process

(Correct)

Download and install the patch immediately

Start the incident response process

Establish continuous monitoring

Explanation
OBJ-5.3: Before any change to a baseline occurs, a Request for Change should be
submitted. This submission will start the change management process within your
organization. Once approved, the patch should be tested in a staging environment,
installed on the production server, and then the server should be rescanned to
ensure the vulnerability no longer exists. In this scenario, no incident response is
being performed since this vulnerability is found during a routine vulnerability scan.
Question 48: Correct
Dion Training’s offices utilize an open concept floor plan. They are concerned
that a visitor might attempt to steal an external hard drive and carry it out of
the building. To mitigate this risk, the security department has recommended
installing security cameras clearly visible to both employees and visitors.
What type of security control do these cameras represent?

Compensating

Corrective

Deterrent

(Correct)

Administrative

Explanation
OBJ-5.1: A deterrent control is designed to discourage the violation of a security
policy. Since the cameras are clearly visible, they are acting as a deterrent control. A
corrective control is one that is used to fix or eliminate a vulnerability. A
compensating control is used to minimize a vulnerability when it is deemed too
difficult or impractical to correct the vulnerability fully. An administrative control is
used to create a policy or procedure to minimize or eliminate a vulnerability.
Question 49: Correct
The digital certificate on the Dion Training web server is about to expire.
Which of the following should Jason submit to the CA to renew the server's
certificate?

CRL

OCSP

Key escrow

CSR

(Correct)

Explanation
OBJ-3.9: A CSR (certificate signing request) is what is submitted to the CA
(certificate authority) to request a digital certificate. Key escrow stores keys, a CRL is a
list of revoked certificates, and OCSP returns the current status of a certificate,
such as good, revoked, or unknown.
Question 50: Correct
What is used as a measure of biometric performance to rate the system’s
ability to correctly authenticate an authorized user by measuring the rate that
an unauthorized user is mistakenly permitted access?

False rejection rate

False acceptance rate

(Correct)

Crossover error rate

Failure to capture

Explanation
OBJ-2.4: False acceptance rate (FAR), or Type II, is the measure of the likelihood
that the biometric security system will incorrectly accept an access attempt by an
unauthorized user. The false rejection rate is calculated based upon the number of
times an authorized user is denied access to the system.
Question 51: Correct
You want to play computer-based video games from anywhere in the world
using your laptop or tablet. You heard about a new product called a Shadow
PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of
the following best describes this type of service?

PaaS

DaaS

(Correct)

IaaS

SaaS

Explanation
OBJ-2.2: Desktop as a Service (DaaS) provides a full virtualized desktop
environment from within a cloud-based service. This is also known as VDI
(Virtualized Desktop Infrastructure) and is becoming common in large enterprise businesses
focused on increasing their security and minimizing their operational expenses.
Shadow PC (shadow.tech) provides a version of DaaS for home users who want to
have a gaming PC without all the upfront costs. Software as a Service (SaaS) is a
cloud computing service that enables a service provider to make applications
available over the Internet to end-users. This can be a calendar, scheduling,
invoicing, word processor, database, or other programs. For example, Google Docs
and Office 365 are both word processing SaaS solutions. Platform as a Service
(PaaS) is a cloud computing service that enables consumers to rent fully configured
systems that are set up for specific purposes. Infrastructure as a Service (IaaS) is a
cloud computing service that enables a consumer to outsource computing
equipment purchases and running their own data center.
Question 52: Correct
Which security tool is used to facilitate incident response, threat hunting, and
security configuration by orchestrating automated runbooks and delivering
data enrichment?

SIEM

SOAR

(Correct)

DLP

MDM

Explanation
OBJ-4.4: A security orchestration, automation, and response (SOAR) platform is used to
facilitate incident response, threat hunting, and security configuration by
orchestrating automated runbooks and delivering data enrichment. A SOAR may
be implemented as a standalone technology or integrated within a SIEM as a next-
gen SIEM. A SOAR can scan the organization's store of security and threat
intelligence, analyze it using machine/deep learning techniques, and then use that
data to automate and provide data enrichment for the workflows that drive
incident response and threat hunting.
Question 53: Correct
What type of weakness is John the Ripper used to test during a technical
assessment?

Firewall rulesets

Usernames

Passwords

(Correct)

File permissions

Explanation
OBJ-4.1: John the Ripper is a free, open-source password cracking software tool. It
tests the strength of passwords during a technical assessment. John the Ripper
supports both dictionary and brute force attacks.
Question 54: Correct
Which of the following access control methods utilizes a set of organizational
roles in which users are assigned to gain permissions and access rights?

RBAC

(Correct)

MAC

ABAC

DAC

Explanation
OBJ-3.8: Role-based access control (RBAC) is a modification of DAC that provides a
set of organizational roles that users may be assigned to gain access rights. The
system is non-discretionary since the individual users cannot modify the ACL of a
resource. Users gain their access rights implicitly based on the groups to which
they are assigned as members.
Question 55: Correct
You have been asked to recommend a capability to monitor all of the traffic
entering and leaving the corporate network's default gateway. Additionally,
the company's CIO requests to block certain content types before it leaves the
network based on operational priorities. Which of the following solutions
should you recommend to meet these requirements?

Install a firewall on the router's internal interface and a NIDS on the router's external interface

Installation of a NIPS on both the internal and external interfaces of the router

Configure IP filtering on the internal and external interfaces of the router

Install a NIPS on the internal interface and a firewall on the external interface of the router

(Correct)

Explanation
OBJ-3.3: Due to the requirements provided, you should install a NIPS on the
gateway router's internal interface and a firewall on the external interface of the
gateway router. The firewall on the external interface will allow the bulk of the
malicious inbound traffic to be filtered before reaching the network. Then, the NIPS
can be used to inspect the traffic entering the network and provide protection for
the network using signature-based or behavior-based analysis. A NIPS is less
powerful than a firewall and could easily "fail open" if it is overcome with traffic by
being placed on the external interface. The NIPS installed on the internal interface
would also allow various content types to be quickly blocked using custom
signatures developed by the security team. We wouldn't want to place the NIPS on
the external interface, for the same reasons. We also wouldn't
choose to install a NIPS on both the internal and external connections. IP filtering
on both interfaces of the router will not provide the ability to monitor the traffic or
to block traffic based on content type. Finally, we would not want to rely on a NIDS
on the external interface alone since it can only monitor and not provide the
content blocking capabilities needed.
Question 56: Correct
(Sample Simulation – On the real exam for this type of question, you would receive
3-5 pictures and be asked to drag and drop them into place next to the correct
term.)

Which of the following types of attacks occurs when an attacker calls up people
over the phone and attempts to trick them into providing their credit card
information?

Spear phishing

Vishing

(Correct)

Hoax

Phishing

Pharming

Explanation
OBJ-1.1: Vishing is the fraudulent practice of making phone calls or leaving voice
messages purporting to be from reputable companies to induce individuals to
reveal personal information, such as bank details and credit card numbers.
Question 57: Correct
Christina is auditing the security procedures related to the use of a cloud-
based online payment service. She notices that the access permissions are set
so that a single person cannot both add funds to the account and transfer funds
out of the account. What security principle is most closely related to this
scenario?

Separation of duties

(Correct)

Least privilege

Dual control authentication

Security through obscurity

Explanation
OBJ-5.3: Separation of duties is the concept of having more than one person
required to complete a task. In business, sharing a single task across more than one
individual is an internal control intended to prevent fraud and error.
In this case, one person can transfer money in, while another must transfer money
out. Dual control authentication is used when performing a sensitive action and
requires two different users to log in. Least privilege is the concept and practice of
restricting access rights for users, accounts, and computing processes to only those
resources required to perform routine, legitimate activities. Security through
obscurity is the reliance on security engineering in design or implementation by
using secrecy as the main method of providing security to a system or component.

Question 58: Correct
You are conducting threat hunting on your organization's network. Every
workstation on the network uses the same configuration baseline and contains a 500
GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know
from previous experience that most of the workstations only use 40 GB of space on the
hard drives since most users save their files on the file server instead of the local
workstation. You discovered one workstation that has over 250 GB of data stored on
it. Which of the following is a likely hypothesis of what is happening, and how would
you verify it?

The host might be used as a staging area for data exfiltration -- you should
conduct volume-based trend analysis on the host's storage device

(Correct)

The host might be used as a command and control node for a botnet -- you
should immediately disconnect the host from the network

The host might have been offline and conducted backups locally -- you should
contact a system administrator to have it analyzed

The host might be the victim of a remote access trojan -- you should
reimage the machine immediately

Explanation
OBJ-1.6: Based on your previous experience, you know that most workstations only store
40 GB of data. Since client workstations don't usually need to store data locally, and you
noticed that a host's disk capacity has suddenly diminished, you believe it could indicate
that it is used to stage data for exfiltration. To validate this hypothesis, you should
configure monitoring and conduct volume-based trend analysis to see how much data is
added over the next few hours or days. If you suspect the machine is the victim of a remote
access trojan, you should not reimage it immediately. By reimaging the host, you would
lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you
have no evidence that the system is offline or conducting backups locally. If you did
suspect this, you could confirm this by checking the network connectivity or analyzing the
files stored on the system. If you suspect the host is being used as a command and control (C2) node
for a botnet, you should conduct network monitoring to validate your hypothesis before
disconnecting the host from the network. If the host were a C2 node, that would not explain
the excessive use of disk space observed.
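As an added example (not part of the original exam material), here is what the volume-based trend analysis described above looks like in code: it fits a growth rate to per-host disk usage readings and flags hosts whose usage grows far faster than the fleet's normal churn or that already hold several times the known baseline. The host names, dates and readings are constructed, and the collector that would produce them is assumed.

```python
"""Volume-based trend analysis over per-host disk usage samples.

Added example for the exam explanation above; it is not code from the
original page. It assumes a collector that records used space per host
at regular intervals. The samples below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

BASE = datetime(2024, 3, 1)
# Constructed samples: (host, timestamp, used_gb). WS-101 sits at the
# ~40 GB fleet baseline; WS-117 grows by tens of GB per day, which is what
# a host being used to stage data for exfiltration would look like.
SAMPLES = [("WS-101", BASE + timedelta(days=d), 40.0 + 0.1 * d) for d in range(7)]
SAMPLES += [
    ("WS-117", BASE + timedelta(days=d), gb)
    for d, gb in enumerate([42.0, 58.0, 75.0, 91.0, 110.0, 132.0, 155.0])
]


@dataclass
class Trend:
    host: str
    gb_per_day: float   # least-squares slope of used space over the window
    last_gb: float      # most recent reading
    flagged: bool


def growth_rate(points):
    """Least-squares slope in GB/day for a list of (timestamp, used_gb)."""
    if len(points) < 2:
        return 0.0
    xs = [(t - points[0][0]).total_seconds() / 86400 for t, _ in points]
    ys = [gb for _, gb in points]
    mx, my = mean(xs), mean(ys)
    den = sum((x - mx) ** 2 for x in xs)
    if den == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / den


def analyze(samples, baseline_gb=40.0, max_gb_per_day=2.0):
    """Return {host: Trend}, flagging hosts whose usage grows far faster than
    normal churn or that already hold several times the known baseline."""
    by_host = {}
    for host, ts, gb in samples:
        by_host.setdefault(host, []).append((ts, gb))
    results = {}
    for host, pts in by_host.items():
        pts.sort()
        rate = growth_rate(pts)
        last_gb = pts[-1][1]
        flagged = rate > max_gb_per_day or last_gb > 3 * baseline_gb
        results[host] = Trend(host, round(rate, 2), last_gb, flagged)
    return results


if __name__ == "__main__":
    for trend in analyze(SAMPLES).values():
        print(trend)
```

The thresholds (2 GB/day of growth, three times the baseline) are starting points; in practice you would derive them from the fleet's own history, and the flagged host then gets the follow-up the explanation calls for: what the new files are and whether anything is leaving the network.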
Question 59: Correct
Which of the following would NOT be useful in defending against a zero-day threat?

Segmentation

Allow listing

Threat intelligence

Patching

(Correct)

Explanation
OBJ-1.6: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in software, hardware, or firmware that is unknown to the party responsible for patching or otherwise fixing it. The name refers to the fact that the vendor has had zero days to develop a fix: the vulnerability is being exploited before (or at the moment) it becomes known, so no patch is available to combat it. Using segmentation, allow listing, and threat intelligence, a cybersecurity analyst can put additional mitigations in place to protect the network even if a zero-day attack is successful.
Question 60: Correct
What type of malware changes its binary pattern in its code on specific dates or times
to avoid detection by antimalware software?

Logic bomb

Trojan

Polymorphic virus

(Correct)

Ransomware

Explanation
OBJ-1.2: A polymorphic virus alters its binary code each time it replicates (or, as in this question, on a trigger such as a date or time) so that no two copies share the same byte pattern. This defeats antimalware scanners that rely on signature-based detection, because the signature the scanner looks for no longer matches. The underlying functionality of the virus is unchanged, which is why behaviour-based or heuristic detection remains effective against it.
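An added illustration (not from the original page) of why a changing byte pattern defeats signature matching: a harmless placeholder string stands in for the virus body, and each generation re-encodes it under a different XOR key, so every copy hashes differently while decoding recovers identical bytes. Real polymorphic engines mutate far more elaborately; the placeholder text and the single-byte XOR scheme are this example's own simplification.

```python
"""Why a changing byte pattern defeats signature matching.

Added, illustrative example (not from the original page): a harmless
placeholder string stands in for a virus body. Each "generation" re-encodes
the same body under a different single-byte XOR key, so every copy hashes
differently, while decoding them all yields identical bytes.
"""
import hashlib

BODY = b"placeholder virus body (constructed, harmless text)"


def encode(body, key):
    """XOR-encode `body` with a single-byte key (the polymorphic 'mutation')."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return bytes(b ^ key for b in body)


def decode(blob, key):
    return bytes(b ^ key for b in blob)   # XOR is its own inverse


def signature(blob):
    """What a signature-based scanner keys on: a hash of the bytes as stored."""
    return hashlib.sha256(blob).hexdigest()


def generations(body, count):
    """Return `count` differently encoded copies of the same body as (key, blob)."""
    return [(key, encode(body, key)) for key in range(1, count + 1)]


def signature_scan(blob, known_signatures):
    """Static scanner: does the stored byte pattern match a known signature?"""
    return signature(blob) in known_signatures


def behaviour_scan(blob, key, known_body_signature):
    """Detection that inspects the decoded body (what actually runs),
    not the bytes on disk; unaffected by the outer encoding."""
    return signature(decode(blob, key)) == known_body_signature
```

A scanner that learned the hash of generation 1 misses generations 2 onward, while a check on the decoded body catches all of them; that is the gap polymorphism exploits and the reason modern products pair signatures with behavioural analysis.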
Question 61: Correct
During which incident response phase is the preservation of evidence performed?

Preparation

Containment, eradication, and recovery

(Correct)

Post-incident activity

Detection and analysis

Explanation
OBJ-4.2: A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. Forensic and incident information must be preserved for future needs, whether to prevent future attacks or to support criminal charges against an attacker. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking the time to create a forensic image (and to record its hash and chain of custody) before systems are rebuilt is crucial to preserving the evidence for further analysis and investigation. During the preparation phase, the incident response team conducts training, prepares its incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring for and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
Question 62: Correct
Jason has installed multiple virtual machines on a single physical server. He needs to
ensure that the traffic is logically separated between each virtual machine. How can
Jason best implement this requirement?

Install a virtual firewall and establish an access control list

Create a virtual router and disable the spanning tree protocol

Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions

Configure a virtual switch on the physical server and create VLANs

(Correct)

Explanation
OBJ-3.3: A virtual switch is a software component of the hypervisor that switches traffic between virtual machines (and out to the physical NICs). A virtual local area network (VLAN) is a logical Layer 2 segmentation created by a switch, physical or virtual: frames are tagged (802.1Q) with a VLAN ID and are only forwarded between ports in the same VLAN. Placing each virtual machine's virtual NIC in its own VLAN on the virtual switch therefore provides the logical separation required. A virtual firewall with an ACL filters traffic but does not separate the broadcast domains, a virtual router with spanning tree disabled does nothing to isolate the VMs, and partitioning the disk images has no effect on network traffic at all.
Question 63: Correct
You want to create a website for your new technical support business. You decide to
purchase an on-demand cloud-based server and install Linux, Apache, and
WordPress on it to run your website. Which of the following best describes which type
of service you have just purchased?

PaaS

IaaS

(Correct)

SaaS

DaaS

Explanation
OBJ-2.2: Infrastructure as a Service (IaaS) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it yourself, that is IaaS. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end users; this can be a calendar, scheduling, invoicing, word processor, database, or other program. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtual Desktop Infrastructure) and is becoming common in large enterprises focused on increasing their security and minimizing their operational expenses.
Question 64: Correct
Dion Training is currently undergoing an audit of its information systems. The
auditor wants to understand better how the PII data from a particular database is
used within business operations. Which of the following employees should the auditor
interview?

Data controller

Data steward

Data owner

Data protection officer

(Correct)

Explanation
OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that the organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. The DPO must understand how any privacy information is used within business operations and is therefore the best person for the auditor to interview to get a complete picture of the data usage.
Question 65: Correct
A macOS user is browsing the internet in Google Chrome when they see a notification
that says, "Windows Enterprise Defender: Your computer is infected with a virus,
please click here to remove it!" What type of threat is this user experiencing?

Worm

Rogue anti-virus

(Correct)

Phishing

Pharming

Explanation
OBJ-1.1: Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and into paying for a fake malware removal tool (which actually introduces malware onto the computer). It is a form of scareware, manipulating users through fear, and is often grouped with ransomware. Since the alert is displayed on a macOS system but claims to come from a Windows product, it is obviously a fake alert and most likely a rogue anti-virus attempting to infect the system. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim; phishing attacks target an indiscriminate, large group of random people. A worm is a standalone malware program that replicates itself to spread to other computers. Often it uses a computer network to spread, relying on security failures on the target computer to gain access. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate. Pharming is a type of social engineering attack that redirects a request for a website, typically an e-commerce site, to a similar-looking but fake website; the attacker uses DNS spoofing to redirect the user to the fake site.
Question 66: Correct
Following a root cause analysis of an edge router's unexpected failure, a cybersecurity
analyst discovered that the system administrator had purchased the device from an
unauthorized reseller. The analyst suspects that the router may be a counterfeit
device. Which of the following controls would have been most effective in preventing
this issue?

Increase network vulnerability scan frequency

Verify that all routers are patched to the latest release

Ensure all anti-virus signatures are up to date

Conduct secure supply chain management training

(Correct)

Explanation
OBJ-5.3: Anti-counterfeit training is part of the NIST SP 800-53 Rev. 4 control set (SA-19(1)) and should be a mandatory part of your organization's supply chain management training. All of the other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain. Training on detection methodologies (e.g., simple visual inspections) and training for acquisition personnel (e.g., buying only from authorized resellers and verifying serial numbers with the vendor) will better prevent recurrences.
Question 67: Correct
You are configuring the ACL for the network perimeter firewall. You have just
finished adding all the proper allow and deny rules. What should you place at the end
of your ACL rules?

An implicit allow statement

A SNMP deny string

A time-of-day restriction

An implicit deny statement

(Correct)

Explanation
OBJ-3.3: Firewall configuration best practice is to end your ACL with a "deny any" rule (the implicit deny). This ensures that anything not specifically allowed by the rules above it is blocked. Most firewalls apply an implicit deny even if you do not write one, but stating it explicitly makes the behaviour visible, lets you log the dropped traffic, and avoids surprises on platforms whose default policy is to accept. Using an implicit allow is a bad security practice since it lets anything into the network that is not specifically denied. While time-of-day restrictions can be useful, they are not required for all network implementations.
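Added example (not from the original page) of how first-match ACL evaluation behaves with and without the trailing implicit deny. The rule set and addresses are constructed; `evaluate` walks the rules top to bottom and falls back to the `default` action, which plays the role of the implicit rule at the end of the list.

```python
"""First-match ACL evaluation with an explicit default ("implicit") rule.

Added example (not from the original page). Rule set and addresses are
constructed; the point is to show what happens to traffic that no rule
mentions under implicit deny versus implicit allow.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # source network in CIDR form
    dst_port: Optional[int]    # None matches any port
    proto: str = "tcp"


# Constructed perimeter rule set, evaluated top to bottom.
PERIMETER_RULES = [
    Rule("allow", "0.0.0.0/0", 443),          # public HTTPS
    Rule("allow", "203.0.113.0/24", 22),      # SSH only from the admin network
    Rule("deny", "198.51.100.0/24", None),    # block-listed range, any port
]


def evaluate(rules, src_ip, dst_port, proto="tcp", default="deny"):
    """Return the action for a packet: the first matching rule wins; if
    nothing matches, `default` is the implicit rule at the bottom."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.proto != proto:
            continue
        if src not in ip_network(rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return default


def audit_unlisted(rules, probes):
    """For each (ip, port) probe, show the outcome under implicit deny
    and implicit allow side by side; differences are the exposure that an
    implicit allow would create."""
    return {
        (ip, port): (evaluate(rules, ip, port, default="deny"),
                     evaluate(rules, ip, port, default="allow"))
        for ip, port in probes
    }
```

Note the last assertion below: the block-list deny sits under the HTTPS allow, so a block-listed source still reaches port 443. Rule order matters as much as the trailing deny; specific denies belong above broad allows.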
Question 68: Correct
Which of the following would a virtual private cloud (VPC) infrastructure be
classified as?

Platform as a Service

Software as a Service

Function as a Service

Infrastructure as a Service

(Correct)

Explanation
OBJ-2.2: Infrastructure as a Service (IaaS) is a computing method that uses the cloud to
provide any or all infrastructure needs. In a VPC environment, an organization may
provision virtual servers in a cloud-hosted network. The service consumer is still
responsible for maintaining the IP address space and routing internally to the cloud.
Platform as a Service (PaaS) is a computing method that uses the cloud to provide any
platform-type services. Software as a Service (SaaS) is a computing method that uses the
cloud to provide users with application services. Function as a Service (FaaS) is a cloud
service model that supports serverless software architecture by provisioning runtime
containers to execute code in a particular programming language.
Question 69: Correct
Which of the following proprietary tools is used to create forensic disk images without
making changes to the original evidence?

FTK Imager

(Correct)

Autopsy

Memdump

dd

Explanation
OBJ-4.1: FTK Imager can create perfect copies, or forensic images, of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including the slack, unallocated, and free space on a given drive, and the tool computes hashes of the source and of the image so the copy can be verified. The dd tool can also create forensic images, but it is not a proprietary tool since it is open source. Memdump is used to collect the contents of RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.
Question 70: Correct
Your company has decided to begin moving some of its data into the cloud. Currently,
your company's network consists of both on-premise storage and some cloud-based
storage. Which of the following types of clouds is your company currently using?

Private

Hybrid

(Correct)

Public

Community

Explanation
OBJ-2.2: A hybrid cloud is a cloud computing environment that uses a mix of on-premises,
private cloud, and third-party public cloud services with orchestration between these
platforms. This typically involves a connection from an on-premises data center to a public
cloud. A community cloud is a collaborative effort in which infrastructure is shared
between several organizations from a specific community with common concerns (security,
compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted
internally or externally. A public cloud contains services offered by third-party providers
over the public Internet and is available to anyone who wants to use or purchase them.
They may be free or sold on-demand, allowing customers to pay only per usage for the
CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered
either over the Internet or a private internal network and only to select users instead of the
general public.
Question 71: Correct
Which of the following is a senior role with the ultimate responsibility for maintaining
confidentiality, integrity, and availability in a system?


Data custodian

Data steward

Privacy officer

Data owner

(Correct)

Explanation
OBJ-5.5: A data owner is responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives with the authority and responsibility to act. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations. The data steward is primarily responsible for data quality: ensuring that data are labeled and identified with appropriate metadata, and that data are collected and stored in a format and with values that comply with applicable laws and regulations. The data custodian is the role that manages the system on which the data assets are stored, including responsibility for enforcing access control, encryption, and backup/recovery measures. The privacy officer is responsible for oversight of any PII/SPI/PHI assets managed by the company.
Question 72: Correct
You are reviewing the IDS logs and notice the following log entry:

What type of attack is being performed?

SQL injection

(Correct)

XML injection

Cross-site scripting

Header manipulation

Explanation
OBJ-1.3: SQL injection is a code injection technique used to attack data-driven applications. It is conducted by inserting malicious SQL statements into an entry field (or any request parameter the application copies into a query) so that the database executes them. For example, an attacker may try to dump the contents of the database using this technique. A common SQL injection technique is to append an always-true condition such as ' OR 1=1 (or, in this log entry, 7=7) so that a WHERE clause matches every row. Header manipulation is the insertion of malicious, unvalidated data into an HTTP response header. XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service; the injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user.
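Added example (not from the original page) showing the 7=7 tautology against a deliberately vulnerable query, the parameterised query that defeats it, and a rough detection check of the kind an IDS signature performs on request values. The SQLite table and the attacker input are constructed.

```python
"""SQL injection: the always-true condition, the vulnerable query that
falls for it, the parameterised query that does not, and a log check.

Added example (not from the original page). Uses an in-memory SQLite
database with constructed rows; the injected value mirrors the 7=7
tautology mentioned in the explanation.
"""
import re
import sqlite3


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately broken: user input is concatenated into the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker input: the closing quote ends the string literal,
# OR 7=7 is always true, and -- comments out the rest of the statement.
INJECTION = "x' OR 7=7 --"

# 'OR n=n' or "OR 'a'='a'" style tautologies; \1 requires both sides to match.
TAUTOLOGY = re.compile(r"(?i)\bor\b\s*'?(\w+)'?\s*=\s*'?\1\b'?")


def looks_like_tautology(value):
    """Rough IDS-style check for an always-true OR clause in a request value."""
    return TAUTOLOGY.search(value) is not None
```

The vulnerable lookup returns every user for the injected value because the statement it built reads `... WHERE username = 'x' OR 7=7 --'`; the parameterised version compares the whole string literally and returns nothing. The regex is only a triage signal (attackers obfuscate freely); the fix is the bound parameter, not the filter.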
Question 73: Correct
A customer brought in a computer that has been infected with a virus. Since the
infection, the computer began redirecting all three of the system's web browsers to a
series of malicious websites whenever a valid website is requested. You quarantined
the system, disabled the system restore, and then perform the remediation to remove
the malware. You have scanned the machine with several anti-virus and anti-malware
programs and determined it is now cleaned of all malware. You attempt to test the
web browsers again, but a small number of valid websites are still being redirected to
a malicious website. Luckily, the updated anti-virus you installed blocked any new
malware from infecting the system. Which of the following actions should you
perform NEXT to fix the redirection issue with the browsers?

Reformat the system and reinstall the OS

Verify the hosts file has not been maliciously modified

(Correct)

Perform a System Restore to an earlier date before the infection

Install a secondary anti-malware solution on the system

Explanation
OBJ-1.4: Browser redirection usually occurs when the browser's proxy settings or the system's hosts file have been modified. If the redirection affects only a small number of sites but occurs in every web browser on the system, it is most likely a maliciously modified hosts file, since that file is consulted by the operating system's resolver before DNS, regardless of which browser is used. The hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux and macOS) is a local file that maps specific domain names to particular addresses. It works as an elementary DNS override and can redirect a system's connections. For example, if your children are overusing YouTube, you can change YouTube.com to resolve to YourSchool.edu for just your child's laptop.
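Added example (not from the original page): a check that parses a hosts file and reports entries pointing real names at a routable address, which is the leftover this question describes. The two file bodies are constructed.

```python
"""Check a hosts file for entries that redirect real domain names.

Added example (not from the original page). On Windows the file is
C:\\Windows\\System32\\drivers\\etc\\hosts, on Linux/macOS /etc/hosts.
The file contents below are constructed for the example.
"""
import ipaddress

# A typical clean file: only loopback names.
CLEAN_HOSTS = """# default entries
127.0.0.1   localhost
::1         localhost
"""

# What a browser-redirecting infection leaves behind (constructed):
# real domain names pointed at an attacker-controlled address.
TAMPERED_HOSTS = """127.0.0.1   localhost
203.0.113.45  www.bank.example
203.0.113.45  update.antivirus.example  # added by malware
0.0.0.0       ads.example               # sinkhole entries are common and benign
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name


def suspicious_entries(text):
    """Return entries that map a name to a routable address. Loopback and
    the unspecified address (0.0.0.0) only sinkhole a name; anything else
    silently sends the user to a different server."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))     # malformed line, worth a look
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged
```

Sinkhole entries (127.0.0.1 or 0.0.0.0) are deliberately not flagged because ad blockers and hardening scripts create them legitimately; an entry that sends a bank or an update server to a routable address is the one to investigate.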
Question 74: Correct
Which of the following biometric authentication factors uses an infrared light shone
into the eye to identify the pattern of blood vessels?


Facial recognition

Retinal scan

(Correct)

Pupil dilation

Iris scan

Explanation
OBJ-2.4: Retinal scans utilize an infrared light shone into the eye to identify the pattern of
blood vessels. The arrangement of these blood vessels is highly complex and typically does
not change from birth to death, except in the event of certain diseases or injuries. Retinal
scanning is, therefore, one of the most accurate forms of biometrics. Retinal patterns are
very secure, but the equipment required is expensive, and the process is relatively intrusive
and complex. False negatives can be produced by disease, such as cataracts.
Question 75: Correct
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following
URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely
occurred?

Directory traversal

(Correct)

Buffer overflow

XML injection

SQL injection

Explanation
OBJ-1.3: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations (including percent-encoded forms such as %2e%2e%2f), or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input.
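Added example (not from the original page): the traversal check a web server should perform before opening a file, and the same check applied to constructed proxy log lines that include the URL from the question. The web root path is assumed.

```python
"""Directory traversal: refusing it on the server and spotting it in proxy logs.

Added example (not from the original page). The log lines are constructed;
the URL from the question is used as-is, plus a percent-encoded variant.
The web root path is an assumption.
"""
import posixpath
from urllib.parse import unquote, urlparse

WEBROOT = "/var/www/html"   # assumed document root


def resolve_under_root(url_path, webroot=WEBROOT):
    """Map a request path to a filesystem path, or return None if the
    normalised result escapes the web root. Decodes twice so that
    %2e%2e%2f and double-encoded forms are caught as well."""
    decoded = unquote(unquote(url_path))
    candidate = posixpath.normpath(webroot + "/" + decoded.lstrip("/"))
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None
    return candidate


# Constructed proxy log: timestamp client method url status
PROXY_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.5 GET http://test.diontraining.com/index.html 200",
    "2024-03-01T10:00:02Z 10.0.0.9 GET http://test.diontraining.com/../../../../etc/shadow 403",
    "2024-03-01T10:00:03Z 10.0.0.9 GET http://test.diontraining.com/%2e%2e/%2e%2e/%2e%2e/etc/passwd 403",
    "2024-03-01T10:00:04Z 10.0.0.5 GET http://test.diontraining.com/docs/../index.html 200",
]


def traversal_attempts(log_lines):
    """Return (client, url) for requests whose path would leave the web root."""
    hits = []
    for line in log_lines:
        _ts, client, _method, url, _status = line.split()
        if resolve_under_root(urlparse(url).path) is None:
            hits.append((client, url))
    return hits
```

The check joins first and normalises afterwards: `/docs/../index.html` is legitimate and stays inside the root, while the question's URL normalises to `/etc/shadow` and is rejected. Matching on the literal string `../` alone would miss the encoded variant in the third log line.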
Question 76: Correct
Julie was just hired to conduct a security assessment of Dion Training’s security
policies. During her assessment, she noticed that many users were sharing group
accounts to conduct their work roles. Julie recommended that the group accounts be
eliminated and instead have an account created for each user. What improvement will
this recommended action provide for the company?

More routine auditing

Increase password security

Increase individual accountability

(Correct)

More efficient baseline management

Explanation
OBJ-5.3: To provide adequate accountability, the use of shared or group accounts should be disabled. With one account per person, you can log and track each user's actions against their own account, which enables the organization to hold users accountable for what they do.
Question 77: Correct
A software assurance test analyst performs a dynamic assessment on an application
by automatically generating random data sets and inputting them in an attempt to
cause an error or failure condition. Which technique is the analyst utilizing?

Fuzzing

(Correct)

Known bad data injection

Static code analysis

Sequential data sets

Explanation
OBJ-3.2: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or potential memory leaks. Static code analysis is a method of finding defects by examining source code without running the program. Known bad data injection is a technique in which data already known to cause an exception or fault is entered as part of the test; it does not use randomly generated data sets, which is what distinguishes it from fuzzing.
Question 78: Correct
A software assurance laboratory performs a dynamic assessment on an application by
automatically generating random data sets and inputting them to cause an error or
failure condition. Which of the following is the laboratory performing?

Fuzzing

(Correct)

Stress testing

User acceptance testing

Security regression testing

Explanation
OBJ-3.2: Fuzzing, or fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is the process of verifying that a created solution or piece of software works for its users. Security regression testing ensures that changes made to a system do not weaken its security, typically by re-running earlier security tests after each change. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling under heavy load conditions.
Question 79: Correct
You are working as a junior cybersecurity analyst and utilize a SIEM to support
investigations into ongoing incidents. The SIEM is configured to collect data from
numerous sources across the network, including network sensors, routers, switches,
firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you
have data about a particular event being detected by different sensors and devices.
Which of the following must you ensure to make sense of all the data being collected
by your SIEM before analyzing it?

Data correlation

(Correct)


Data retention

Data recovery

Data sanitization

Explanation
OBJ-4.3: Data correlation is the first step in making sense of data from numerous sensors. It places each record in context with the other data in the system, typically by matching on shared fields such as timestamps, IP addresses, usernames, or host names. For example, if your IDS detected an incident, host logs were collected, and your packet capture system recorded the network traffic, the SIEM can correlate these three pieces of information from different systems so that an analyst can understand the event better. By conducting data correlation, an analyst can identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data, which also requires that the sources' clocks are synchronized.
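Added example (not from the original page) of the correlation step: four constructed events (an IDS alert, a host log line, a packet-capture record, and an unrelated firewall entry hours later) are grouped by affected host and time window, and a cluster counts as an incident only when more than one sensor contributed to it.

```python
"""Correlating the same event as seen by several sensors.

Added example (not from the original page). The four events are
constructed: an IDS alert, a host log line and a packet-capture record
for one attack against 10.0.0.20, plus an unrelated firewall accept hours
later. Correlation keys on the affected host and a time window.
"""
from datetime import datetime, timedelta, timezone

EVENTS = [
    {"source": "ids",  "ts": "2024-03-01T10:00:05Z", "src_ip": "203.0.113.7",
     "target": "10.0.0.20", "msg": "SQL injection attempt on /login"},
    {"source": "host", "ts": "2024-03-01T10:00:06Z", "src_ip": None,
     "target": "10.0.0.20", "msg": "sqlservr.exe spawned cmd.exe"},
    {"source": "pcap", "ts": "2024-03-01T10:00:05Z", "src_ip": "203.0.113.7",
     "target": "10.0.0.20", "msg": "POST /login body contains ' OR 7=7 --"},
    {"source": "fw",   "ts": "2024-03-01T12:30:00Z", "src_ip": "198.51.100.3",
     "target": "10.0.0.20", "msg": "ACCEPT tcp/443"},
]


def parse_ts(value):
    """All sources are normalised to UTC before comparison."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events, window=timedelta(seconds=60), min_sources=2):
    """Group events by target host into time-window clusters and keep the
    clusters that at least `min_sources` distinct sensors contributed to."""
    by_target = {}
    for ev in events:
        by_target.setdefault(ev["target"], []).append(ev)
    incidents = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        cluster, start = [], None
        for ev in evs + [None]:            # sentinel flushes the last cluster
            ts = parse_ts(ev["ts"]) if ev else None
            if ev is None or (start is not None and ts - start > window):
                sources = {e["source"] for e in cluster}
                if len(sources) >= min_sources:
                    incidents.append({
                        "target": target,
                        "start": start,
                        "sources": sources,
                        "actors": {e["src_ip"] for e in cluster if e["src_ip"]},
                        "events": cluster,
                    })
                cluster, start = [], None
                if ev is None:
                    break
            if start is None:
                start = ts
            cluster.append(ev)
    return incidents
```

The firewall entry shares the target but falls outside the window and is the only record from its sensor, so it is left out; the three records around 10:00:05 collapse into one incident with a single external actor, which is the view an analyst wants before deciding on containment.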
Question 80: Incorrect
Which of the following does a User-Agent request a resource from when conducting a
SAML transaction?

Relying party (RP)

Single sign-on (SSO)

(Incorrect)

Identity provider (IdP)

Service provider (SP)

(Correct)

Explanation
OBJ-3.8: Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's user agent (typically a browser) requests a resource from the service provider (SP); the resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if the principal is not already signed in and, if they are correct, returns a SAML response containing one or more assertions. The SP verifies the signature(s) and the assertion's conditions (audience, validity period, and that it answers a request the SP actually made) and, if accepted, establishes a session and provides access to the resource.
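Added example (not from the original page) of the exchange described above with both sides' messages. Real SAML carries XML documents signed with XML-DSig under an X.509 key; here the AuthnRequest and assertion are dicts, and the IdP signs with an HMAC key the SP is assumed to hold, so only the message flow and the checks the SP performs are faithful. Entity IDs, URLs and the user store are constructed.

```python
"""The SAML web-browser SSO exchange, reduced to its message flow.

Added example (not from the original page). Real SAML uses XML and
XML-DSig; here messages are dicts and the IdP signs with an HMAC key that
the SP is assumed to have received out of band. Names are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

IDP_KEY = secrets.token_bytes(32)              # shared out of band (assumption)
SP_ENTITY_ID = "https://app.example/sp"
ACS_URL = "https://app.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example/idp"


def sign(payload, key=IDP_KEY):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self):
        self.pending = {}    # AuthnRequest id -> requested resource
        self.sessions = {}   # session id -> subject

    def request_resource(self, resource):
        """Steps 1-2: the user agent asks for a resource; with no session the
        SP answers with a redirect to the IdP carrying an AuthnRequest."""
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = resource
        return {"redirect": IDP_ENTITY_ID, "authn_request": {
            "id": req_id, "issuer": SP_ENTITY_ID, "acs_url": ACS_URL}}

    def consume(self, response):
        """Step 4: the user agent posts the response to the ACS URL; the SP
        verifies the signature and conditions, then establishes a session."""
        assertion, sig = response["assertion"], response["signature"]
        if not hmac.compare_digest(sig, sign(assertion)):
            return None, "bad signature"
        if assertion["audience"] != SP_ENTITY_ID:
            return None, "wrong audience"
        if assertion["in_response_to"] not in self.pending:
            return None, "unsolicited or replayed response"
        if datetime.fromisoformat(assertion["not_on_or_after"]) <= datetime.now(timezone.utc):
            return None, "expired"
        resource = self.pending.pop(assertion["in_response_to"])
        sid = secrets.token_hex(16)
        self.sessions[sid] = assertion["subject"]
        return {"session": sid, "resource": resource}, "ok"


class IdentityProvider:
    def __init__(self, users):
        self.users = users   # constructed credential store

    def authenticate(self, authn_request, username, password):
        """Step 3: check credentials and return a signed response."""
        if self.users.get(username) != password:
            return None
        expires = datetime.now(timezone.utc) + timedelta(minutes=5)
        assertion = {"issuer": IDP_ENTITY_ID, "subject": username,
                     "audience": authn_request["issuer"],
                     "in_response_to": authn_request["id"],
                     "not_on_or_after": expires.isoformat()}
        return {"assertion": assertion, "signature": sign(assertion),
                "destination": authn_request["acs_url"]}


def sso_flow(username, password, resource="/reports"):
    """Drive one complete exchange and return the SP's verdict."""
    sp, idp = ServiceProvider(), IdentityProvider({"alice": "correct horse"})
    redirect = sp.request_resource(resource)
    response = idp.authenticate(redirect["authn_request"], username, password)
    if response is None:
        return None, "authentication failed at IdP"
    return sp.consume(response)
```

Note that the SP never sees the password: it only checks that the assertion was signed by the IdP it trusts, was meant for it, answers one of its own outstanding requests, and has not expired. Dropping the `in_response_to` check is what turns a captured response into a replayable credential.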