Mock Exam D

#1. A recent data breach revealed that a company has a number of files containing customer data across its storage environment. These files are individualized for each employee and are used in tracking various customer orders, inquiries, and issues. The files are not encrypted and can be accessed by anyone. The senior management team would like to address these issues without interrupting existing processes. Which of the following should a security architect recommend?

A DLP program to identify which files have customer data and delete them

An ERP program to identify which processes need to be tracked

A CMDB to report on systems that are not configured to security baselines

A CRM application to consolidate the data and provision access based on the process and need

#2. Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output?

Importing the availability of messages

Assuring the integrity of messages

Ensuring non-repudiation of messages

Enforcing protocol conformance for messages

Man-in-the-middle attacks exploit a lack of authentication. Once a connection is established, the attacker can control the connection, eavesdrop on data passing through, and inject false messages

#3. A development team created a mobile application that contacts a company's back-end APIs housed in a PaaS environment. The APIs have been experiencing high processor utilization due to scraping activities. The security engineer needs to recommend a solution that will prevent and remedy the behaviour. Which of the following would BEST safeguard the APIs? (Choose two.)

Select all that apply:

OAuth 2.0

Autoscaling endpoints

Input validation

CSRF protection

Bot protection

Rate limiting

#4. A security architect is implementing a web application that uses a database back end. Prior to the production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks. Which sources could the architect consult to address this security concern?

SDLC

IEEE

OWASP

OVAL

#5. A software house is developing a new application. The application has the following requirements: (see exhibit) Which of the following is the BEST federation method to use for the application?

SAML

OpenID

OAuth

WS-Federation

#6. A security compliance requirement states that specific environments that handle sensitive data must be protected by need-to-know restrictions and can only be connected to authorized endpoints. The requirement also states that a DLP solution within the environment must be used to control the data from leaving the environment. What should be implemented for privileged users so they can support the environment from their workstations while remaining compliant?

NAC to control authorized endpoints

A jump box in the screened subnet

A general VPN solution to the primary network

FIM on the servers storing the data

#7. A company is preparing to deploy a global service. Which of the following must the company do to ensure GDPR compliance? (Choose two.)

Provide data deletion capabilities

Provide optional data encryption

Grant data access to third parties

Provide alternative authentication techniques

Inform users regarding what data is stored.

Provide opt-in/out for marketing messages

Under GDPR

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’

Organisations can’t send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.
They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

There must be a valid contact address available to people so they can unsubscribe or opt out

#8. A company is repeatedly being breached by hackers who use valid credentials. The company's Chief information Security Officer (CISO) has installed multiple controls for authenticating users, including biometric and token-based factors. Each successive control has increased overhead and complexity but has failed to stop further breaches. An external consultant is evaluating the process currently in place to support the authentication controls. Which recommendation would MOST likely reduce the risk of unauthorized access?

Implement strict three-factor authentication

Switch to one-time or all user authorizations

Implement least privilege policies

Strengthen identify-proofing procedures

#9. Amy, a security analyst, is trying to identify the source of a recent data loss incident. She has reviewed all the logs for the time surrounding the incident and identified all the assets on the network at the time of the data loss. Amy suspects the key to finding the source was obfuscated in an application. Which tool should Amy use NEXT?

Log reduction and analysis tool

Static code analysis

Software Decompiler

Network enumerator

It is likely the source code will not be available – we need to analyse the code but will have to gain access to the source

#10. Acme technicians are in the process of hardening host systems before connecting to the company network. Technicians need to add protection to the boot loader to ensure the hosts are secure before the OS fully boots. Which of the following would provide the BEST boot loader protection?

HSM

UEFI/BIOS

TPM

PKI

#11. A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings. Which scan types will provide the systems administrator with the MOST accurate information?

A passive, non-credentialed scan

A passive, credentialed scan

An active, credentialed scan

An active, non-credentialed scan

Nessus is a SCAP scanner, it will need a service account with privileges and will perform an active scan

#12. An organization is designing a network architecture that must meet the following requirements: (see exhibit) Which architectural designs should the organization use to meet these requirements?

VLANs enabled by network infrastructure devices

Peer-to-peer secure communications enabled by mobile applications

Proxied application data connections enabled by API gateways

Microsegmentation enabled by software-defined networking

Cloud provider will host customer workloads using secure Microsegmentation and SDN will dynamically secure connections

#13. An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue. Which of the following is the MOST cost-effective solution?

Buy a new server and create an active-active cluster

Upgrade the server with a new one

Move the server to a cloud provider

Change the operating system

#14. An online retailer created an external application for its customers. A security researcher now reports that the application has a serious LDAP injection vulnerability that could be leveraged to bypass authentication and authorization. Which of the following actions would BEST resolve the issue? (Choose two.)

Select all that apply:

Deploy a reverse proxy

Use containers

Conduct input validation

Deploy an IDS

Patch the OS

Deploy a WAF

Deploy a SIEM.

#15. During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels. Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?

Perform ASIC password cracking on the host

Read the /etc/passwd file to extract the usernames

Use the UNION operator to extract the database schema

Spawn a shell using sudo and an escape string such as sudo vim -c '!sh'.

Initiate unquoted service path exploits

You are logged in with an account that has no privileges – cannot use sudo, extracting the users from the passwd file is a common exploit (check out Mitre Att&ck framework)

#16. Which of the following represents the MOST significant benefit of implementing a password-less authentication solution?

Biometric authenticators are immutable

The likelihood of account compromise is reduced

Zero trust is achieved

Privacy risks are minimized

#17. Due to locality and budget constraints, an organization's satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility. Which would be the BEST option to implement?

Local caching

Distributed connection allocation

Content delivery network

SD-WAN vertical heterogeneity

A content delivery network (CDN) refers to a geographically distributed group of servers which work together to provide fast delivery of Internet content.

A CDN allows for the quick transfer of assets needed for loading Internet content including HTML pages, javascript files, stylesheets, images, and videos. The popularity of CDN services continues to grow, and today the majority of web traffic is served through CDNs, including traffic from major sites like Facebook, Netflix, and Amazon.

A properly configured CDN may also help protect websites against some common malicious attacks, such as Distributed Denial of Service (DDOS) attacks.

#18. An insurance company receives a large number of customer transaction requests via email. While investigating a security breach, the CIRT correlates an unusual spike in port 80 traffic from the IP address of a desktop used by a customer relations employee who has access to several of the compromised accounts. Subsequent antivirus scans of the device do not return any findings, but the CIRT finds undocumented services running on the device. Which of the following controls would reduce the discovery time for similar in the future

Increasing the cadence for antivirus DAT updates to twice daily

Deploying host-based firewalls and shipping the logs to the SIEM

Implementing application blacklisting

Configuring the mall to quarantine incoming attachment automatically

#19. An organization recently started processing, transmitting, and storing its customers' credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers' information. Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?

GDPR

ISO

PCI DSS

NIST

PCI DSS Is industry compliance for organizations that store, process or transmit cardholder details

#20. A security analyst is performing a vulnerability assessment on behalf of a client. The analyst must define what constitutes a risk to the organization. What should be the analyst's FIRST action?

Ascertain the impact of an attack on the availability of crucial resources

Determine which security compliance standards should be followed

Create a full inventory of information and data assets

Perform a full system penetration test to determine the vulnerabilities

#21. A security analyst notices a number of SIEM events that show the following activity: (see exhibit) Which of the following response actions should the analyst take FIRST?

Disable local administrator privileges on the endpoints.

Configure the forward proxy to block 40.90.23.154.

Disable powershell.exe on all Microsoft Windows endpoints.

Local users may be over-privileged

#22. A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services. Which of the following should be modified to prevent the issue from reoccurring?

Recovery service level

Mission-essential functions

Recovery point objective

#23. A security engineer is hardening a company's multihomed SFTP server. When scanning a public-facing network interface, the engineer finds the following ports are open: 22,25,110,137-139,445. Internal Windows clients are used to transfer files to the server to stage them for customer download as part of the company's distribution process. Which would be the BEST solution to harden the system?

Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface

Close ports 22 and 139. Bind ports 137, 138, and 445 to only the internal interface

Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface

Close ports 22, 137, and 138. Bind ports 110 and 445 to only the internal interface

#24. An organization's assessment of a third-party, non-critical vendor reveals that the vendor does not have cybersecurity insurance and IT staff turnover is high. The organization uses the vendor to move customer office equipment from one service location to another. The vendor acquires customer data and access to the business via an API. Given this information, which of the following is a noted risk?

The possibility of the vendor's business ceasing operations

Financial liability from a vendor data breach

Feature delay due to extended software development cycles

Technical impact to the API configuration

#25. An organization's hunt team thinks a persistent threat exists and already has a foothold in the enterprise network. Which of the following techniques would be BEST for the hunt team to use to entice the adversary to uncover malicious activity?

Implement decoy files on adjacent hosts

Deploy a SOAR tool

Apply new isolation and segmentation schemes

Modify user password history and length requirements

#26. A Chief information Security Officer (CISO) is developing corrective-action plans based on the following from a vulnerability scan of internal hosts: (see exhibit) Which is the MOST appropriate corrective action to document for this finding?

The security operations center should develop a custom IDS rule to prevent attacks buffer overflows against this server

The application developer should use a static code analysis tool to ensure any application code is not vulnerable to buffer overflows.

The system administrator should evaluate dependencies and perform upgrades as necessary

The product owner should perform a business impact assessment regarding the ability to implement a WAF.

PHP should be updated – however it is important to ensure no modules or plugins are dependent on the older code base

#27. Jeff, an analyst finds, evidence that a user opened an email attachment from an unknown source. After the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, Jeff discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has a response plan for ransomware. Which of the following is the NEXT step the Jeff should take after reporting the incident to the management team?

Request that the affected servers be restored immediately

Isolate the servers to prevent the spread

Pay the ransom within 48 hours

Notify law enforcement

#28. Which of the following controls primarily detects abuse of privilege but does not prevent it?

Off-boarding

Job rotation

Separation of duties

Least privilege

#29. A security architect for a large, multinational manufacturer needs to design and implement a security solution to monitor traffic. When designing the solution, which of the following threats should the security architect focus on to prevent attacks against the OT network?

Use of any non-DNP3 communication on a DNP3 port

Packets that are the wrong size or length

Application of an unsupported encryption algorithm

Multiple solicited responses over time

SCADA & ICS so integrity is the key here

#30. A business stores personal client data of individuals residing in the EU in order to process requests for mortgage loan approvals. Which of the following does the business's IT manager need to consider?

The availability of personal data

The right to personal data erasure

The company's annual revenue

The language of the web application

GDPR introduces a right for individuals to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten’.
Individuals can make a request for erasure verbally or in writing.
You have one month to respond to a request.