A vulnerability scan shows that an embedded device that Alice is responsible for has a vulnerability. She knows the vendor is no longer in business and that there is no updated firmware or software update for this device. To resolve the issue, Alice places a firewall between the device and the rest of the network and creates rules that prevent the vulnerable service from being available to other devices. What type of control is this?
A.) Directive
B.) Compensating
C.) Detective
D.) Procedural
B. Compensating
Alice has deployed a compensating control: she cannot apply the preferred controls (patching, configuration changes, or updates), so she has substituted a different control that reduces the same risk. Directive controls provide formal direction to staff, detective controls detect issues rather than preventing them directly, and procedural is not a control type used on the Security+ exam.
John is analyzing a recent malware infection on his company network. He discovers malware that can spread rapidly via vulnerable network services and does not require any interaction from the user. What best describes this malware?
A.) Worm
B.) Virus
C.) Logic Bomb
D.) Trojan Horse
A.) Worm
Worms spread themselves through vulnerable network services without any user interaction, making this an example of a worm. A virus is self-replicating software that requires user interaction (such as opening an infected file) to spread. A logic bomb executes its malicious activity when a condition is met. A Trojan horse combines malware with a seemingly legitimate program.
What is the best way to protect data at rest?
A.) Classification
B.) Segmentation
C.) Encryption
D.) Hashing
C.) Encryption
Encryption is the most effective way to protect data at rest. Classification ensures data is handled in appropriate ways, but does not directly protect the data. Segmentation can help keep data in the right locations with appropriate controls around it, but again does not directly protect the data if the server or data store is accessible. Hashing is a one-way function and does not leave data in a usable state for purposes that rely on the data being intact and in its original form.
Telnet, RSH, and FTP are all examples of what?
A.) File transfer protocols
B.) Unsecure protocols
C.) Core protocols
D.) Open ports
B.) Unsecure protocols
All of these protocols are unsecure: they send credentials and data in cleartext. FTP has been replaced by secure alternatives in many uses (SFTP or FTPS), whereas Telnet has been superseded by SSH in modern applications. RSH is outmoded and should only be seen on legacy systems.
Neil's organization has signed a contract that includes guarantees of 99.9% uptime. What type of agreement has Neil's organization created?
A.) an MSA
B.) an NDA
C.) a MTBF
D.) an SLA
D.) an SLA
SLAs set forth the expected service level as well as penalties for nonperformance. A master services agreement (MSA) is a broad agreement under which additional work may be performed. An NDA, or nondisclosure agreement, sets forth what information may and may not be shared or disclosed. The mean time between failures (MTBF) is a measure of the reliability of a system: the expected amount of time that will elapse between system failures.
Marty wants to deploy a corrective control to deal with a recently compromised system. Which of the following would be considered a corrective control?
A.) patching the vulnerability that allowed the compromise to occur
B.) Deploying full disk encryption
C.) Deploying an EDR tool
D.) Enabling logging and sending logs to a SIEM
A.) patching the vulnerability that allowed the compromise to occur
Corrective controls attempt to remediate security issues that have already occurred. Patching the flaw that allowed an attack to succeed is an example of a corrective control. Deploying full disk encryption or an EDR tool are both examples of preventive controls, and logging and log monitoring are examples of detective controls. It is important to note that in many cases a control could be identified as more than one control type; look for the control type that most obviously fits.
Organize the following threat actors by their typical level of sophistication from most sophisticated to least sophisticated?
A.) Hacktivists, Shadow IT, Organized crime, Nation-state actors
B.) Nation-state actors, Organized crime, Hacktivists, Shadow IT
C.) Organized crime, Hacktivists, Shadow IT, Nation-state actors
D.) Shadow IT, Hacktivists, Organized crime, Nation-state actors
B.) Nation-state actors, Organized crime, Hacktivists, Shadow IT
Of the threat actors listed, nation-state actors are typically the most sophisticated adversaries organizations will face. Organized crime is generally the second most sophisticated threat actor, followed by hacktivists and then shadow IT.
Which of the following is not a common means of enforcing segmentation on a network?
A.) ACLs
B.) VLANs
C.) Firewalls
D.) Air Gaps
D.) Air Gaps
ACLs, VLANs, and firewalls are all commonly used to implement network segmentation. Due to the operational challenges that air gaps create, they are far less commonly implemented and are used only when absolutely necessary.
Andrea wants to use a tool to help her analyze malware and attacks and wants to cover a broad range of tactics and tools that are used by adversaries. Which of the following is broadly implemented in technical tools and covers techniques and tactics without requiring a specific order of operations?
A.) The CIS Benchmark
B.) The Dark Web Analysis Project
C.) The MITRE ATT&CK framework
D.) The CVSS standard
C.) The MITRE ATT&CK framework
The MITRE ATT&CK framework catalogs adversary tactics and techniques, is widely integrated into security tools, and does not impose a fixed order of operations. CIS Benchmarks are security configuration baselines, the Dark Web Analysis Project was made up for this question, and the CVSS standard is a vulnerability scoring system, not a framework for analyzing malware and attacks.
Carmen's organization wants to purchase cybersecurity insurance to offset the cost of potential breaches. What risk management strategy has her organization adopted?
A.) Transfer
B.) Accept
C.) Avoid
D.) Mitigate
A.) Transfer
Risk transfer moves the cost of a risk to another organization, such as through insurance. Acceptance involves management acknowledging that the risk and its impacts may occur and choosing to move forward despite that chance. Avoidance seeks to prevent the risk from occurring at all. Mitigation works to limit the likelihood or impact of a risk.
Skip wants to implement a deterrent control to prevent physical security issues for his organization. Which of the following controls should he select?
A.) Fence
B.) A generator
C.) Access Badges
D.) A camera system
A.) Fence
Fencing is considered a deterrent because it discourages potential intruders from attempting to access facilities. Generators are used to ensure availability and are a preventive control. Access badges are a technical, preventive control in most cases. A camera system is a detective, technical control.
What technique drives image-based threat vectors?
A.) Encryption
B.) Hashing
C.) Forgery
D.) Steganography
D.) Steganography
Images can carry hidden data, including malware or exfiltrated organizational information, using a technique called steganography, which embeds data in an image without perceptibly altering it. Encryption, hashing, and forgery are not the direct drivers of image-based threat vectors, although encryption is likely to be used as an additional layer by more advanced threat actors who want to conceal what they are hiding even if the steganography itself is detected.
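The following Python is an added example, not part of the original question set, showing how least-significant-bit (LSB) steganography hides a payload in a raw 8-bit grayscale pixel buffer and recovers it. The cover image is a constructed gradient, and the container layout (a 4-byte length header followed by the payload) is this example's own convention rather than any standard tool's format.

```python
"""LSB steganography on a raw 8-bit grayscale pixel buffer (added example).

Each payload bit replaces the least-significant bit of one pixel, so no pixel
value changes by more than 1 and the picture looks unchanged to a viewer.
The container format is this example's own: a 4-byte big-endian payload
length followed by the payload bytes.
"""
import struct

HEADER_LEN = 4  # bytes used for the length prefix


def capacity_bytes(pixels: bytes) -> int:
    """Payload bytes that fit: one bit per pixel, minus the length header."""
    return len(pixels) // 8 - HEADER_LEN


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of the cover with the payload written into pixel LSBs."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload exceeds cover capacity")
    container = struct.pack(">I", len(payload)) + payload
    stego = bytearray(pixels)
    i = 0
    for byte in container:
        for shift in range(7, -1, -1):  # most-significant bit first
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(stego)


def _read_bytes(pixels: bytes, offset_bits: int, count: int) -> bytes:
    """Reassemble `count` bytes from pixel LSBs starting at bit `offset_bits`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset_bits + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Recover the payload; raises if the header is implausible (likely no payload)."""
    (length,) = struct.unpack(">I", _read_bytes(pixels, 0, HEADER_LEN))
    if length > capacity_bytes(pixels):
        raise ValueError("no valid hidden payload (length header out of range)")
    return _read_bytes(pixels, HEADER_LEN * 8, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel change between cover and stego image."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int, height: int) -> bytes:
    """Constructed cover image: a diagonal gradient (no real picture needed)."""
    return bytes((x + y) % 256 for y in range(height) for x in range(width))


if __name__ == "__main__":
    cover = make_cover(64, 64)
    secret = b"exfil: customer-list.csv"
    stego = embed(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes; max pixel change:",
          max_pixel_delta(cover, stego))
    print("recovered:", extract(stego))
```

A 64x64 cover hides 508 bytes while changing no pixel by more than one level; a real image viewer would show nothing. For detection, that is exactly the problem: file size and visible content are unchanged, so defenders look for LSB statistics that differ from a natural image, or simply block image uploads to unexpected destinations.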
John's data is stored in a cloud service's database. What data state is the data in?
A.) It is at rest
B.) It is in transit
C.) It is in use
D.) It is sovereign
A.) It is at rest
Since the data is not actively being moved between systems or across a network, and it is not being processed, it is data at rest. Data sovereignty is a legal concept (which jurisdiction's laws govern the data), not a data state.
Endpoint detection and response has three major components that make up its ability to provide visibility into endpoints. Which of the following is not one of those three parts?
A.) Data search
B.) Malware analysis
C.) Data exploration
D.) Suspicious activity detection
B.) Malware analysis
Endpoint detection and response (EDR) focuses on identifying anomalies and issues, but it is not designed to be a malware analysis tool. Instead, the ability to search and explore data, identify suspicious activities, and coordinate responses is what makes up an EDR tool.
Probability and impact are used to rate what key security item?
A.) Cost
B.) Risk
C.) Vulnerability
D.) Audit findings
B.) Risk
Risk is rated by combining the probability (likelihood) of an event with its impact; in quantitative analysis, risk exposure is calculated by multiplying the two. Cost is measured in currency, time, or other cost metrics; vulnerability severity is often measured using CVSS scores; and audit findings may have criticality ratings.
Harold has deployed a file integrity monitoring tool and has configured alerts to notify him if files are modified. What control type best describes this solution?
A.) Preventative
B.) Deterrent
C.) Directive
D.) Detective
D.) Detective
This solution monitors for changes and alerts on them, making it a detective control. It does not prevent changes, and intruders and malicious actors are unlikely to know about it, making it a poor deterrent. Since it is not a policy or practice, it is not a directive control.
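As an added example (not part of the original question set), here is the core of a hash-based file integrity monitor like Harold's in Python: take a SHA-256 baseline of a directory tree, take a second snapshot later, and report what was added, removed, or modified. The tampering scenario runs in a temporary directory with constructed file contents, and the file names are only illustrative.

```python
"""File integrity monitoring (added example): hash-based baseline and change detection.

A detective control: it cannot stop a change, but a SHA-256 baseline reveals
added, removed and modified files even when an attacker preserves timestamps.
"""
import hashlib
import os
import tempfile


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path, forward slashes) to its hash."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    """Helper for the constructed scenario: write a text file under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline, simulated tampering, report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts.allow", "sshd: 10.0.0.0/8\n")
        baseline = build_baseline(root)

        # Simulated intrusion: weaken sshd, drop a cron persistence entry,
        # delete an access-control file, and restore the original mtime on
        # the edited config so a timestamp-only check would miss it.
        cfg = os.path.join(root, "etc", "ssh", "sshd_config")
        original_mtime = os.stat(cfg).st_mtime
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        os.utime(cfg, (original_mtime, original_mtime))
        _write(root, "etc/cron.d/persist", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself must be protected (stored off-host or signed); an attacker who can rewrite the baseline after tampering defeats the control. Production tools also monitor permissions and ownership, not just content.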
John is a network administrator for Acme Company. He has discovered that someone has registered a domain name that is spelled just one letter different than his company's domain. The website with the misspelled URL is a phishing site. What best describes the attack?
A.) Session hijacking
B.) Cross-site request forgery
C.) Typo squatting
D.) Clickjacking
C.) Typo squatting
This is an example of typo squatting. The registered domain differs from the real one by only one or two letters, and the attacker hopes that users who mistype the URL will land on the fake website. Session hijacking is taking over an authenticated session. Cross-site request forgery sends forged requests to a website that purport to come from a trusted, authenticated user. Clickjacking tricks users into clicking on something other than what they intended.
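As an added example (not part of the original question set), the Python below shows how an administrator like John can flag look-alike domains programmatically: an edit-distance check that counts adjacent-letter swaps as a single edit, a small look-alike character map (illustrative only; real confusable lists are far longer), and a generator for the single-typo variants of a domain that are worth monitoring or registering defensively. The domain names are constructed.

```python
"""Typosquatting detection (added example): flag domains that are one edit away
from a legitimate domain, including transpositions and common look-alike
substitutions. The confusable map is a small illustrative subset."""

# Illustrative sequences that resemble another character in common fonts.
# Real lists are much longer and include Unicode homoglyphs.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}


def normalize(domain: str) -> str:
    """Lower-case and collapse look-alike sequences so 'acrne' compares as 'acme'."""
    d = domain.lower().rstrip(".")
    for look_alike, real in CONFUSABLES.items():
        d = d.replace(look_alike, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each at cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def is_typosquat(candidate: str, legitimate: str, max_distance: int = 1) -> bool:
    """True when the candidate is not the real domain but is within max_distance
    edits of it after look-alike normalization."""
    c, l = candidate.lower().rstrip("."), legitimate.lower().rstrip(".")
    if c == l:
        return False
    return osa_distance(normalize(c), normalize(l)) <= max_distance


def generate_typos(domain: str) -> set:
    """Single-edit variants of the second-level label: omissions, doubled
    letters and adjacent transpositions, for monitoring or defensive registration."""
    label, _, tld = domain.lower().partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                        # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])         # doubled letter
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants if v}


if __name__ == "__main__":
    for seen in ["acne.com", "amce.com", "acrne.com", "acme.co", "example.com"]:
        print(f"{seen:12} typosquat of acme.com? {is_typosquat(seen, 'acme.com')}")
    print(sorted(generate_typos("acme.com")))
```

Feeding newly registered domains (from certificate transparency logs or zone files) through `is_typosquat` against the company's domains turns this into a daily detection job; the variants from `generate_typos` are the list to watch or pre-register.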
Jackson has deployed a next generation firewall. Which of the following features is most likely to help him prevent new attacks without having to create individual rules to stop them?
A.) Threat Feeds
B.) Application Awareness
C.) Deep packet inspection
D.) High throughput
A.) Threat Feeds
Threat feeds allow the firewall to automatically block new threats using IP reputation and similar services without an administrator writing a rule for each one. Those detections may rely on application awareness or deep packet inspection, but without the feed information new rules will have to be crafted to address each specific new threat. High throughput allows NGFW devices to handle significant load as well as the demands of deep packet inspection and application awareness.
Tom wants his email servers to reject email that is not authenticated, in order to prevent spoofing. Which of the following should he implement?
A.) SPF
B.) DMARC
C.) DKIM
D.) TLS
B.) DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM: it publishes a policy in DNS that tells receiving mail servers how to handle messages that fail authentication and alignment checks, including quarantining or rejecting them. SPF (Sender Policy Framework) lists, in a DNS TXT record for a domain, the IP addresses of systems allowed to send email for that domain. DomainKeys Identified Mail (DKIM) signs outgoing messages with the sending domain's private key; receivers verify the signature with the public key published in DNS, validating that the message was authorized by the domain and not altered in transit. TLS encrypts data in motion between mail servers but does not authenticate the sending domain.
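As an added example (not part of the original question set), the Python below walks through the receiving side of the decision Tom is configuring: evaluate an SPF record against the connecting IP, then apply DMARC identifier alignment and the published policy to decide whether a message passes or is quarantined or rejected. The DNS TXT records are constructed for a hypothetical domain using documentation address ranges; only the ip4/ip6/all SPF mechanisms are evaluated (include, a and mx need live DNS), the DKIM signature check itself is represented by its result rather than performed, and the organizational domain is simplified to the last two labels instead of the Public Suffix List.

```python
"""SPF / DKIM / DMARC decision logic (added example, not production mail code).

Constructed DNS TXT records for a hypothetical domain are embedded inline so
this runs offline. Only the ip4/ip6/all SPF mechanisms are evaluated; include,
a and mx need live DNS. Organizational-domain derivation is simplified to the
last two labels instead of the Public Suffix List.
"""
import ipaddress

# Constructed records: example.com and documentation address ranges, not real infrastructure.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tag_value(record: str) -> dict:
    """Parse 'tag=value; tag=value' records (DMARC, DKIM) into a dict with lower-case tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate an SPF record for the connecting IP: pass / fail / softfail / neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            # Mixed address families never match (ipaddress handles that).
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # include:/a/mx/exists need DNS; treated as no match here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def dmarc_disposition(dmarc_record: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' when at least one mechanism passed AND aligns with the
    From: domain; otherwise the policy to apply ('none', 'quarantine' or 'reject')."""
    policy = parse_tag_value(dmarc_record)
    if policy.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower().rstrip(".") != organizational_domain(from_domain)
    if is_subdomain and "sp" in policy:
        return policy["sp"]
    return policy.get("p", "none")


if __name__ == "__main__":
    # Spoofed From: example.com sent from an attacker's own SPF-passing domain.
    spf = spf_check("v=spf1 ip4:203.0.113.0/24 -all", "203.0.113.9")
    print("attacker SPF:", spf)
    print("disposition:", dmarc_disposition(DMARC_RECORD, "example.com",
                                             spf, "attacker.example", "fail", ""))
```

The last case is the point of the question: SPF passing for the attacker's own envelope domain is not enough, because DMARC requires the authenticated domain to align with the visible From: header, and the published policy (`p=reject`) then tells Tom's receivers what to do. The `pct` tag and reporting (`rua`) are parsed but not acted on here.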
How is SLE (single loss expectancy) calculated?
A.) AV * EF
B.) RTO * AV
C.) MTTR * EF
D.) AV * ARO
A.) AV * EF
The single loss expectancy (SLE) describes what a single risk event is likely to cost. It is calculated as the asset value (AV) times the exposure factor (EF), the estimated percentage of the asset's value that will be lost if the event occurs. MTTR is the mean time to repair, ARO is the annualized rate of occurrence, and RTO is the recovery time objective. These are not part of the SLE equation.
Selena's organization has recently experienced a breach and the private keys for her organization's certificates were exposed. What should she immediately do?
A.) Reissue the certificates with changed hostnames and other details.
B.) Replace the certificates with self-signed certificates until they can be replaced by the vendor.
C.) Revoke the certificates and place them on a certificate revocation list.
D.) Replace the certificates with wildcard certificates.
C.) Revoke the certificates and place them on a certificate revocation list.
If a certificate's private key may have been compromised, the organization should immediately revoke the certificate and publish it on a certificate revocation list (CRL) so that relying parties stop trusting it. They will then need to replace the certificates with new ones issued for newly generated key pairs, but changing hostnames is not required since the certificates themselves will be new. The other options are not typical practices.
You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain. What describes this attack?
A.) Bluejacking
B.) Bluesnarfing
C.) An evil twin attack
D.) A remote-trojan
B.) Bluesnarfing
Bluesnarfing involves accessing data from a Bluetooth device when it is in range. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Evil twin attacks use a rogue access point whose name is similar or identical to that of a legitimate access point. Nothing in this scenario points to a remote-access Trojan being the cause of the stolen data.
Olivia wants to deploy a new firewall. What type of firewall should she select if the ability to operate at layer 7 is important to her?
A.) a WAF
B.) An NGFW
C.) A stateful firewall
D.) A packet filter
B.) An NGFW
Next-generation firewalls typically provide the ability to inspect traffic at both the transport layer (layer 4) and the application layer (layer 7). Web application firewalls also work at layer 7, but focus only on web applications, which does not fully meet the broad application inspection requirement in the question. Stateful firewalls and packet filters operate at layers 3 and 4.
Carolyn runs a vulnerability scan of a network device and discovers that the device is running services on TCP ports 22 and 443. What services has she most likely discovered?
A.) Telnet and a webserver
B.) FTP and a Windows file share
C.) SSH and a web server
D.) SSH and a Windows file share
C.) SSH and a web server
A network device running SSH on TCP port 22 and a web server on TCP port 443 is a very typical discovery when running a vulnerability scan. Without any demonstrated issues, Carolyn should simply note that she saw those services. Telnet runs on TCP port 23 (FTP uses TCP 21), an unencrypted web server will run on TCP 80 in most cases, and Windows file shares use SMB on TCP 445 (and the NetBIOS session service on TCP 139 on older systems).
Jeremy knows that his customer data is worth $500,000, and that the value of that data would be reduced by 25% if it was exposed. What is the SLE (single loss expectancy) for this data?
A.) $25,000
B.) $125,000
C.) $250,000
D.) $375,000
B.) $125,000
Single loss expectancy (SLE) is calculated by multiplying the asset value (AV) by the exposure factor (EF): $500,000 x 0.25 = $125,000, the expected loss from a single exposure event.
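As an added example (not part of the original question set), the Python below carries the SLE formula from the questions above (probability and impact, SLE = AV x EF, and Jeremy's $500,000 / 25% case) through to the figures a risk register actually uses: annualized loss expectancy (ALE = SLE x ARO) and a before/after comparison that tells you whether a control is worth its cost. ALE and the cost-benefit step go beyond what the page states; the ARO, control cost and second scenario are assumptions constructed for the example.

```python
"""Quantitative risk arithmetic (added example): SLE, ALE and a control cost-benefit check.

The page's formula is SLE = AV x EF. This example extends it with ALE = SLE x ARO
and a simple before/after comparison to decide whether a control pays for itself.
The scenarios below are constructed; the ARO and control figures are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset in currency
    exposure_factor: float  # EF: fraction (0..1) of AV lost in one event
    aro: float              # ARO: expected events per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: cost of one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: expected cost per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def control_net_benefit(scenario: Scenario, residual_aro: float,
                        annual_control_cost: float) -> float:
    """Yearly savings a control delivers after paying for itself
    (negative means the control costs more than the risk it removes)."""
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    after = ale(scenario.asset_value, scenario.exposure_factor, residual_aro)
    return before - after - annual_control_cost


def rank_by_ale(scenarios) -> list:
    """Highest annualized exposure first, which is the usual treatment order."""
    return sorted(scenarios,
                  key=lambda s: ale(s.asset_value, s.exposure_factor, s.aro),
                  reverse=True)


# Jeremy's figures from the question, plus an assumed ARO of one exposure per ten years.
CUSTOMER_DATA = Scenario("customer data exposure", 500_000, 0.25, 0.1)
# Second constructed scenario so the ranking has something to compare against.
WEB_DEFACEMENT = Scenario("website defacement", 80_000, 0.5, 0.5)

if __name__ == "__main__":
    print("SLE:", sle(CUSTOMER_DATA.asset_value, CUSTOMER_DATA.exposure_factor))
    for s in rank_by_ale([CUSTOMER_DATA, WEB_DEFACEMENT]):
        print(f"{s.name}: ALE {ale(s.asset_value, s.exposure_factor, s.aro):,.0f}")
    print("net benefit of a 5,000/yr control cutting ARO to 0.02:",
          control_net_benefit(CUSTOMER_DATA, 0.02, 5_000))
```

Note the ranking: the smaller asset with the higher ARO carries more annual exposure than the customer data, which is why ALE rather than SLE drives prioritization. The validation on EF and ARO catches the common spreadsheet mistake of entering 25 instead of 0.25.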