1
Watering Hole – It attempts to lure victims to an
infected website.
Vishing – Targets individuals through phone calls to
gather compromising information.
Whaling – involves targeting a high profile victim.
Pharming – involves directing an internet user to fake
website.
Chain of custody – It describes the collection,
handling, and secure storage of evidence to ensure it
has not been altered after it was collected.
Best Evidence – It describes the evidence as being in
its original state.
Direct Evidence – It describes evidence that was
directly in the possession of the accused.
Attack Attribution – It refers to the process of
determining who was responsible for an intrusion or
attack.
Worm – A self-propagating malicious code that can
propagate to other systems on the network and
consume resources that could lead to denial-of-
service-attack.
Virus – A computer malware code that replicates itself
on the target computer and spreads through the
network causing damage and distributing additional
harmful payloads.
Trojan horse – A program that appears to be useful or
harmless but contains hidden code that can
compromise the target system on which it runs.
Risk – Is determined by the likelihood/potential of a
threat being carried out.
Cryptoworm – Is a type of malware
Ransomware Attack – Is malicious software that
prevents a company from accessing its data
Exploit – Is a code that takes advantage of a software
vulnerability.
Confidentiality – Data was exposed
Availability – Data is no longer available
Integrity – Data was not tampered with.
CybOX – It is a standardized schema that supports
cybersecurity
STIX – It is a set of specifications for exchanging cyber
threat
TAXII – It is the specification for a protocol designed to
support STIX.
FireEye Helix – It is not a standard but rather a security
operations
Cisco Talos – It is not a standard but rather a threat
intelligence team for protecting enterprise users, data,
and infrastructure.
SIEM – Security Information and Event Management
(SIEM) provide real-time reporting and analysis of
security events.
NSLOOKUP - Is a command line tool used to look up
IP addresses
ACL – Access Control List (ACL) tells the system
what service/systems are accessible to a user.
Netstat – Is a command-line tool that displays network
connection for Transmission Control Protocol.
Clear Screen Policy – Means that you keep your
computer in a locked state when you are away from
your desk.
Heuristic-based detection – It uses rules to specify
suspicious behavior
Signature-based detection – It uses database of
malware signature or DAT files.
Sandboxing – It separates a program from the
operating system.
Integrity Checking – It examines files to see if they
have changed before removal.
PORT 22 – It is used by Secure Socket Shell (SSH) for
secure connections to remote system.
PORT 20 – It is used by File Transfer Protocol (FTP)
for transferring files and does not provide a secure
connections.

PORT 21 – It is used by File Transfer Protocol (FTP)
for transferring files and does not provide a secure
connection.
PORT 23 – It is used by TELNET for connecting to
remote systems but does not provide a secure
connection.
Run the nslookup set recurse command – It tells the
DNS server to search other servers if it can’t resolve a
name.
Run the nslookup set querytype command – It will
change a query’s resource record type.
Run the nslookup set retry command – It sets the
number of retries attempted if a response isn’t
received.
Penetration Testing – Is used to find vulnerabilities
within a computer system.
System Testing – Is used to test how software
integrates with a system.
1 ALERT – Should be corrected immediately.
2 Critical – Critical Conditions
3 Error – Error Conditions
4 Warning – May indicate an error will occur if action
is not taken.
5 Notice – Events that are unusual but not error
conditions
6 Informational – Normal operational events that
require no action.
7 Debug – Information useful to developers.
Advanced Persistent Threat – This type of attack
involves a long – term presence to collect sensitive
data.
Zero-day – It is an attack against vulnerabilities that
vendors have only just learned about and have no
chance to address it.
Distributed Denial-of-service – It is an attack that
attempts to overwhelm a target to make a services
unavailable
2
Ransomware – It is a malware that encrypts files on a
device so they are unusable. The attacker demands a
ransom payment to decrypt the files.
Common Vulnerabilities and Exposures (CVE) –
serves as a dictionary of common names. For publicly
known cybersecurity vulnerabilities.
Structured Threat Information Expression (STIX) –
Is a set of specifications for exchanging cyber threat
information between organizations.
Automated Indicator Sharing (AIS) – Is provided for
free by the U.S. It enables a real-time exchange of
cyber threat indicators between the US federal
governments.
Common Vulnerability Scoring System (CVSS) – Is
maintained by FIRST. It is a risk assessment tool that
assigns a score to the risk inherent in a vulnerability.
ARP Spoofing – Attack the attacker sends frames that
have the attackers MAC address associated with the
IP address of the legitimate host. The attacker will then
receive packets intended for the legitimate host.
MAC Spoofing – The attacker sends frames with a
source MAC address of a legitimate host. The network
switch will then send frames intended for the legitimate
host to the attacker.
IP Spoofing – Attack the attacker creates IP packets
with a modified source address to impersonate another
computer system.
CAM table Overflow – attack the attackers flood
switch with bogus frames with fake source MAC
addresses until the switch CAM table is full.
Business Continuity Plan – It is a broad plan about
what a business should do not continue operations if it
has lost business-critical functionality.
Incident Response Plan – It is concerned with how
employees respond to individual incidents, not abroad
plan for business continuity.
Infrastructure Purchasing Plan - It is concerned with
the acquisition of infrastructure equipment
 3

Cybersecurity Plan – It is about an organization’s
security, policies, and defensive measures.
Multiple Overlapping Layers of Security – It protects
different parts of an environment
Encryption – It is a single facet of protection
Multiple Firewalls – It is a single facet of protection
Strong Password Policies – It is a single facet of
protection
Warning – A storage device runs low on free space
SQL injection – This attack interferes with the queries
of a web application
Smishing – This type of attacks involves gathering
compromising information through mobile network.
Family Educational Rights and Privacy Act
(FERPA) – This act protects student educational
records.
Virtual Machine – A computer can run multiple virtual
machines that can run their own operating system and
applications

Information – A network driver loads successfully Container – A container is a virtualized application that
can consists of its dependencies.
Success Audit – A user logs into the system
Hypervisor – Is a software that enables multiple
Error – A service fails to load during startup operating systems to run on the same physical
Failure Audit – A user unsuccessfully tries to access machine.
a network device Quarantining – Involves isolating the malware
General Data Protection Regulation (GDPR) – Is a Executing – Would cause malware to run
regulation that requires businesses to protect the
personal data and privacy of EU citizens for Cleaning – Means removing the malware
transactions that occur within EU member states.
Deleting – Malware would remove entirely.
Health Insurance Portability and Accountability
Full backups – The most secure, reliable method of
Act (HIPAA) – It sets the standard for sensitive patient
copying data.
data protection.
Incremental backups – Store all the changes that
Personal Information Protection Electronic
were made since the previous backup.
Documents Act (PIPEDA) – It is a Canadian privacy
law that governs how private sector organizations, Differential backups – Only store changes made to
collect, use, and disclose personal information in order files since the last backup.
to carry out their businesses within Canada.
Mirror – An exact copy is made of the source data.
Payment Card Industry Data Security Standard (
PCI DSS) – It is a set of requirements intended to Run the nslookup set domain command - it changes
the name of the default DNS server.
ensure that all companies that process, store or
transmit credit card information maintain a secure
environment.
Man-in-the-middle – This attack can intercept and
alter data.
Dictionary – This attack is for cracking passwords.
Phishing – This attack uses email to compromise
victims.

MITRE Corporation - The MITRE Corporation
maintains a list of common vulnerabilities and
exposures (CVE) used by prominent security
organizations. They also provide the MITRE ATT&CK
framework to help identify tactics and techniques used
by threat actors.
Forum of Incident Response and Security Teams
(FIRST) - FIRST is a security organization that
maintains the Common Vulnerability Scoring System
(CVSS). The CVSS is a risk assessment tool that
assigns a score of the risk inherent in a vulnerability.
The numeric score can be used to determine the
urgency of the vulnerability and the priority of
addressing it.
Cisco Talos Intelligence Group - Cisco Talos helps
protect enterprise users, data, and infrastructure from
active adversaries. The Talos team collects
information about active, existing, and emerging
threats and then provides comprehensive protection
against these attacks and malware to its subscribers.
SysAdmin, Audit, Network, Security (SANS)
Institute - The SANS Institute provides security
training, certifications, and free resources including the
Internet Storm Center, NewsBites news articles,
@RISK weekly digest, and flash security alerts.
Nessus - Nessus can scan networks for various types
of vulnerabilities including unknown infections,
weaknesses in web-facing database services, missing
software patches, unnecessary listening ports, and
more.
Wireshark - Wireshark is a protocol analyzer.
Wireshark is a tool used to analyze network traffic.
Metasploit - . Metasploit is a penetration testing tool
that is used to exploit an asset to determine if it is
vulnerable.
OpenSSL- OpenSSL is a general-purpose
cryptography Linux tool.
Saas - SaaS provides services to customers such as
web-based email, file storage, project management
tools, and backups. Saas is a software as a service
option.
4
laaS - laaS provides the hardware, software, servers,
and storage components to the customer. laaS is an
infrastructure as a service option.
PaS - PaaS provides an operating software,
programming language, and database so that
customers can create their own cloud-based software.
PaaS is a platform as a service option.
BaaS - BaaS provides tools to integrate with a
backend. BaaS is a backend as a service option
Social engineering - phishing, tailgating, and
shoulder surfing are methods of attack by deception.
Physical - physical attacks are focused on physical
environments.
Watering hole - a watering hole attack targets specific
organizations.
Network - network attacks are focused on networking
data.
Cyber Kill Chain - it focuses on the steps an adversary
applies in accomplishing their goal.
The Diamond Model of Intrusion Analysis - it
models a time-bound security incident or event.
The Forensic Process - it provides guidance in
developing digital forensics plans using a four-phase
process.
SHA-2 - SHA-2 is a hashing algorithm.
Diffie-Hellman - Diffie-Hellman is an asymmetric
encryption algorithm.
3DES - 3DES is a symmetric encryption algorithm.
AES - Advanced Encryption Standard (AES) is a
symmetric encryption algorithm.
BitLocker - it is a Windows tool that can be used for
encryption of the entire hard drive. BitLocker deters
threat actors by enhancing file and system protections.
BitLocker also helps render data inaccessible when
BitLocker-protected computers are lost or stolen.
Firewall - it is a Windows feature that protects the OS
from external threats and exploits.

Security - it is a Windows feature that provides
antivirus and malware protection.
Defender Credential Guard - it is a Windows feature
that uses virtualization-based security to isolate
secrets so that only privileged system software can
access them.
SSH - Secure Shell (SSH) is a protocol that provides
an encrypted connection to secure data in transit.
HTTPS - Hypertext Transfer Protocol Secure
(HTTPS) adds a layer of encryption to the HTTP
protocol. HTTPS uses the secure socket layer (SSL)
protocol to secure data in transit. This makes the
HTTPS data unreadable between source and
destination.
Telnet - Telnet is an older protocol that does not use
encryption to send or receive data. Telnet is insecure
because it sends messages in plain text.
FTP - File Transfer Protocol (FTP) does not use
encryption to upload or download data
DHCP spoofing - DHCP spoofing an attacker
responds to client DHCP and sends the client's
incorrect IP address information such as the wrong
default gateway or DNS server.
DNS spoofing - DNS spoofing an attacker alters DNS
records to redirect online traffic to a fraudulent website.
ARP spoofing - an ARP spoofing attack an attacker
sends frames that have the attacker's MAC address
associated with the IP address of the legitimate host.
The attacker will then receive packets intended for the
legitimate host.
IP spoofing - an IP spoofing attack the attacker
creates IP packets with a modified source address to
impersonate another computer system.
chmod og-wx filename - the command removes the
write and execute permissions from all users except
the file owner.
chmod a-wx filename - this command would change
the permissions for all users to read.
5
chmod og=wx filename - this command would
change the permissions for all users except the file
owner to write and execute.
chmod a=r filename - this command would change
the permissions for all users to read.
IPS - an IPS, or Intrusion Prevention system, is
designed to watch for potential threats and prevent or
stop the attack.
Proxy server - a proxy server is used as an
intermediary device to transfer information between an
end-user and a web server.
IDS - an IDS, or Intrusion Detection system, is
designed to watch for potential threats but takes no
measures to stop the attack.
NAT - a NAT server only translates a private IP to a
public IP address or a public to a private address. It
does not address any security issues that may exist.
True positive - true positives are validated security
incidents from alerts.
True negative - true negatives are tests that indicate
that an event was not a cybersecurity incident.
False positive - false positives are security alerts that
have been determined to not depict a valid security
incident.
False negative - false negatives are events that
should have been detected but were not. No alerts
were generated to be investigated.
Data Encryption Standard (DES) - DES is a legacy
symmetric encryption algorithm
Firewalls - firewalls block unwanted network traffic.
SPAN - SPAN is a Switch Port Analyzer for port
mirroring.
Packet capture - it is used to capture IP packets
traveling across a network.
NetFlow - it is a system that collects information on
packets flowing through the network.
Reconnaissance - it is gathering information in order
to exploit a system, not to monitor network traffic.

Key logger - it is recording keystrokes in order to gain
access to a system or computer.
Threat - a threat is the possibility of an attack.
Vulnerability - a vulnerability is a weakness in the
system.
Exploit - an exploit is an actual attack.
Rootkit - a rootkit is a program that gives attackers a
way to regain access after an attack.
UP flood - in a UP flood attack the attacker
overwhelms the ports on the targeted host UDP
datagrams so the server cannot respond to client
requests.
DHCP starvation - in a DHCP starvation attack the
attacker attempts to lease all available IP addresses
from the DHCP server.
NAC (Network Access Control) - a NAC is used to
enforce network policies for users and devices
connecting to the network.
VPN (Virtual Private Network) - a VPN is an
encrypted connection between devices over the
Internet.
IPS (Intrusion Protection System) - an IPS monitors
network traffic and performs real-time packet
inspection to prevent malicious attacks.
Q0S (Quality of Service) - QoS is used to control
network performance.
Vulnerability management - it is concerned with
identifying weaknesses and eliminating those
weaknesses so they cannot be exploited
Risk management - it is concerned with identifying
and mitigating threats.
Asset management - it is concerned with accounting
for and maintaining assets.
Configuration management - it is concerned with
keeping IT system configurations consistent.
6
DNS server - a DNS server is used to resolve a domain
name to an IP address or vice versa. AAA
management does not require a DNS server.
DHCP server - a DHCP server is used to provide
dynamic IP addressing management. The network
devices that provide remote access should use static
IP addresses.
Metered connections - you can set the network
connections as metered connections. On a metered
connection, Windows won't download feature updates,
though it will still download critical patches and security
updates.
WSUS (Windows Services Update Server) - WSUS
is used to deploy Windows updates and can also act
as an update source called an upstream server.
However, it will compete for the full bandwidth instead
of using only the available bandwidth on the slow link.
SFC (System File Checker) - SFC is used to check
the integrity of the Windows system files.
Scheduler - Windows scheduler is used to carry out
tasks at pre-determined times.
Port scanning - port scanning is probing the network
for open ports.
Phishing - phishing is used to gather secure
information or release malware through email.
Network mapping - network mapping is creating a
layout of all of the devices on the network and how they
are connected.
Virus scanning - virus scanning is searching for
viruses on a device.
Vulnerability - vulnerability is a weakness in a
computer device, system, or network.
Threat - a threat is a potential attack that could occur.
It is a potential act.
Attack - it is an actual act that is carried out to harm a
computer device or system.
Exploit - an exploit is a computer attack that occurs
through computer code.

Information - the information event type records an
event that describes the successful operation of an
application, driver, or service.
Success audit - the success audit event type logs an
event that records an audited security access attempt
that is successful.
Warning - the warning event type records an event
that is not necessarily significant but may indicate a
possible future problem.
Error - the error event type indicates that a significant
event occurred that resulted in the loss of data or
functionality.
Application control - it is a security practice that
blocks or restricts unauthorized applications from
executing in ways that put data at risk on production
systems. However, it does not allow for testing the
software patches in a sterile environment.
Backup - it is used for restoration purposes in the
event of catastrophic failure and not for software
patching.
Cloud computing - this is used for the delivery of
computing services over the Internet ("the cloud") to
offer faster innovation, flexible resources, and
economies of scale and not for software patch testing.
IPsec (IP Security) - IPsec is a suite of protocols that
secure traffic through a Virtual Private Network (VPN)
VLAN (Virtual LAN) - a VLAN is a Layer 2 broadcast
domain.
GRE tunnel - a GRE tunnel is not secure.
DMZ - a DM allows users to access a trusted network
without compromising the internal network.
WLAN - a WLAN is a wireless computer network that
links multiple wireless devices to form a LAN within a
limited area.
VM - Virtual Machine (VM) is software that can run
operating systems, services, and deploy apps. One or
more VMs can run on one physical host machine.
7
Passive reconnaissance - the attacker attempts to
gather information without engaging with the system
they plan to attack
Active reconnaissance - the attacker engages with
the system they plan to attack to gather information.
Vulnerability testing - it is used to find ways that a
system could be exploited.
Vulnerability scanning - it is used to search for
vulnerabilities on a system or network.
Spear phishing - a spear-phishing attack targets a
specific individual or organization.
Pharming - pharming attacks occur through website
interaction.
Conduct end-user security training - it is designed
to prevent users from accidentally becoming victims of
a cyber threat.
Create a Business Continuity Plan - it does not
prevent disasters. This plan is designed to guide
personnel after an incident has occurred. For that
reason, it is a type of corrective security control.
Deploy a syslog server to harden the network
perimeter - syslog servers do not perform this function
Configure host-based anti-malware software to
submit logs to a central server - it will detect
potential disasters, not prevent them.
Rootkit - a rootkit may give hackers admin-level
privileges to a computer.
Backdoor - it is only a way of gaining access, not
admin access.
WPA3 - it provides a more secure encryption method
for wireless traffic.
WEP - WEP security architecture has been
compromised and, as such, is a weak security protocol.
MAC filtering - it restricts specific devices from
accessing the wireless network but does not encrypt
the wireless traffic that is transmitted.

SSID cloaking - it requires specific knowledge of the
SSID to access the wireless network but does not
encrypt the wireless traffic that is transmitted.
Update history - you can view the failed Windows
updates under the Update History.
Event Viewer - the Windows 10 Event Viewer is used
to view Information, Warning, Error, Success Audit
(Security Log), and
Failure Audit (Security Log) events but not for
failed Windows updates.Task Manager - This
answer is incorrect because the Windows 10 Task
Manager can be used to monitor the applications,
processes, and services running on your computer but
not failed Windows updates.
System Information panel - Windows 10 System
Information Panel is used to view a list of details about
your operating system, computer hardware, and
software components but not for failed Windows
updates.
MAC filtering - it permits or denies traffic based on a
device-specific MAC address.
WEP - it encrypts wireless traffic.
SSID hiding - any device that knows the SSID can still
access the wireless network.
Quarantine - the infected file is isolated.
Windows Update - this will not remove malware.
Sandboxing - this lets a program run in a separate
space
Windows Recovery - this will not remove malware.
In a DHCP spoofing attack, threat actors configure a
fake DHCP server on the network to issue DHCP
addresses to clients.
In a DHCP starvation attack, threat actors flood the
DHCP server with DHCP requests to use up all the
available IP addresses that the leqitimate DHCP server
can issue.
In a DNS amplification attack, threat actors use
publicly accessible open DNS servers to flood a target
with DNS response traffic.
8
In a DNS hijacking attack, threat actors change the A
record for your domain's IP address to point to a
predetermined address of their choice.
A.pcap file - the tepdump -w command will produce a
file with a pcap extension.
A.ml file - the tepdump -w command will not produce
an XML file.
A. txt file - the tpdump -w command will not produce
a text file.
A .data file - the tcpdump -w command will not
produce a data file.
Event Viewer - Event Viewer is a built-in Windows
application that lets you check the events that take
place on your computer, by giving you access to logs
about program, security, and system events.
Task Manager - Task Manager allows you to monitor
the applications, processes, and services running on
your computer.
Device Manager - Device Manager provides users an
organized, central view of the Windows-recognized
hardware attached to a computer.
Management Console - Management Console is a
graphical user interface with a programming
framework that can help the user to generate, edit,
save, and open consoles.
Nmap - it can be used to perform port scans to
determine what services are running on a system.
Nslookup - it is a tool for discovering domain name to
IP address mappings
Wireshark - it is a network protocol analyzer
Ping - it is a TCP/IP packet analyzer.

In a smurf attack, threat actors will spoof the source
address of the IMP packet and send a broadcast to all
computers on that network to generate enough
broadcast traffic to compromise the network.
Fingerprinting is a technique used to exploit the
vulnerability in the IMP echo packet to obtain details of
the operating system on the target computer.
A teardrop attack is when threat actors exploit
overlapping IP fragments present in the target system.
When the destination target tries to reassemble them,
it cannot do so and fails, which causes the target
system to reboot or crash.
Netstat is able to examine UDP packets over IPv6
protocol.
DoS - in a DoS (Denial-of-Service) attack, a single
computer is used by threat actors to flood a target
server with TCP and UDP packets. Botnets are pieces
of malware that infect several computers allowing them
to be remotely controlled by a threat actor.
Man-in-the-middle attack - in a man-in-the-middle
attack, threat actors gain access to the
communications between two other parties for
malicious purposes, without either of those parties
realizing it.
Ransomware - a ransomware attack involves the use
of malware that threat actors use to encrypt targeted
hard drives for ransom purposes.
Jailbreaking - it is an attempt to bypass user account
restrictions on an iOS device.
Rooting - it is an attempt to gain root privileges on an
Android device.
Cracking - it is a technique used to breach computer
software or a computer system.
Trespassing - it is the act of intentionally accessing a
system without having authorization
9
Remediation - remediation is fully resolving the
vulnerability's chance of being exploited.
Acceptance - acceptance is when nothing is done to
eliminate or lessen the likelihood of the exploit.
Evaluation - evaluating the vulnerability will not
eliminate or lessen the likelihood of the exploit.
Non-production system - any security flaws in the
patch could compromise the corporate network. It
would also be difficult to replicate different
environments to test the patch.
Baseline image - this is the starting point of a singular
environment and is open to security flaws that may
compromise the network.
Windows Server Update Services - it is a tool to
manage update services, but it does not provide a
separate environment to verify a patch.
Penetration testing - it is used to find weaknesses
that can be used to exploit a computer system
To stop malicious traffic from entering the private
network - this is the function of a firewall.
To protect switches from MAC address table overflow
attacks - as this is a Layer 2 security function.
To secure traffic flows between two endpoints as it
passes through an unsecured network - this is a
function of a VPN.
/var/log/messages - contains global system
messages, including the messages that are logged
during system startup.
/var/log/cron - records events related to the cron
deamon.
/var/log/maillog - contains the log information from the
mail server that is running on the system.

/var/log/messages - contains global system
messages, including the messages that are logged
during system startup.
/var/log/cron - records events related to the cron
deamon.
/var/log/maillog - contains the log information from
the mail server that is running on the system.
Privilege Escalation - it happens when unauthorized
high-level access is used to gain entry to a system. It
often starts with low-level access and the attacker uses
a vulnerability to obtain higher-level access.
PowerShell - it is used to create scripts to automate
Windows tasks.
System Restore - this is used to restore a computer
system to a previous state.
Server Update Service - his allows administrators to
manage and deploy updates.
Object Access - it determines attempts to access files
and other objects.
Process Tracking - it determines events such as
program activation and process exits.
Directory Services - it determines whether the
operating system generates audit events when an
Active Directory Domain Services (AD DS) object is
accessed.
Audit Logon - it determines whether the operating
system generates audit events when a user attempts
to log on to the computer.
Using NSLookup to get information related to a
hostname - the attacker does not interact directly with
the target, rather the attacker uses NSLookup to
discover other information about a domain name.
Using Map to identify open ports on a host - it
involves direct interaction with the target to identify
open ports on the target.
Using Nessus to scan for vulnerabilities on a
network - it involves direct interaction with the target
to scan for network vulnerabilities.
10
Using SQLMap to detect SQL injection flaws on a
database - it involves direct interaction with the target
to detect SQL injection issues.
A program with malicious purposes that hides inside
another useful program - this type of malware is a
trojan.
A program that replicates itself by modifying system or
application software - this type of malware is a worm.
A proqram that prevents, scans, detects, and deletes
viruses from a computer - this is an antivirus.
MDM (Mobile Device Manaqement) software - MDM
is a security software that allows for the implementation
of policies that secure, monitor, and manage end-user
mobile devices including asset tracking.
Firewall software - firewalls are used to permit or
deny access into and out of networks, but not for asset
tracking.
MAC filtering - MAC filtering is used to allow only
specific MAC addresses on devices to connect to the
network and not for asset tracking.
RFID (Radio Frequency Identification) tagging -
RFIDs use radio frequency for the purpose of asset
management and are localized in terms of the distance
where the tracker and the beacon are placed.
SHA-2 - is a hashing algorithm.
MD5 - is a leqacy hashing algorithm.
Virtual machine - a virtual machine can be used as a
sandbox to provide an isolated environment where
testing can occur and changes can be safely
configured.
Honeypot - a honeypot does run in an isolated
environment, it is intended as a lure for hackers to
attempt to penetrate a system.
Demilitarized zone - a DMZ, or demilitarized zone, is
a segment of a company's network that provides
limited public access and is used for servers that
provide services used by the public, such as email or a
web server.
 11

Quarantined network - a quarantined network

provides an isolated environment for computers that
are not in compliance with security standards. They are
placed here after a user logs in and security standards
are not met.
ARP Spoofing - this is when the threat actors send
false ARP messages attempting to substitute the MAC
(media access control) address from the legitimate one
within the network to the target system.
Man-in-the-Middle (MitM - this is when the threat
actors insert themselves between ongoing
communication between parties to intercept, read,
insert, modify, and relay messages.
Buffer overflow - this is when the threat actors try to
overwhelm the memory registers with additional data
so that it overwrites current data in the registers
causing them to overflow.
Run the tepdump -c command - it allows you to
specify the number of packets to capture.
Run the tepdump -n command - it allows you to
capture packets for a particular interface.
Run the tepdump -i command - it allows you to
capture packets for a particular interface.
Run the tcpdump -a command - it changes the
packet display to ASCII format.
FileVault - FileVault is included with MacOS and is
used to encrypt data.
Defender - this tool is not included with MacOS and is
not used for encryption.
BitLocker - this encryption tool is not included with
MacOS and is commonly used on Windows
computers.
GnuPG - this encryption tool is not included with
MacOS and is commonly used on Linux computers.

Why is it important to block incoming IP broadcast
addresses and reserved private IP addresses from
entering your network? - These types of addresses
are easier to use for IP spoofing attacks: This answer
is correct because in IP spoofing attacks, known IP
addresses are cloned and used to disrupt the network.
These types of addresses are commonly routed
across the internet by businesses - broadcast and
private IP addresses are not routed across the internet.
ISPs and businesses block them to avoid duplicate
addresses, routing issues, and broadcast storms.
Firewalls cannot detect and block private IP
addresses - firewalls can block any IP address that is
properly defined in the rules or statements.
Blocking broadcast and reserved IP addresses can
stop the depletion of IPv4 addresses - IPv4 address
depletion increases as the number of devices on the
network increases.
An attacker has launched a DoS attack on a target
server. The attack prevents the server from
responding to client requests because it is waiting
to close half-open Layer 4 sessions with the
attacker's computer. Which type of attack is this? -
SYN flood: This answer is correct because in an SYN
flood attack the attacker overwhelms a server with TCP
SYN requests to prevent the server from responding
to client requests.
Which technology should a company use to
enforce corporate policies on BYOD devices
connecting to the network? - Sandboxing: This
answer is correct because it separates a program from
the operating system
Your company has a VPN server and a few routers
that allow remote access by authorized employees.
You are a network administrator and ready to
implement the AAA framework for access control.
Which server component should you install and
confiqure to support a centralized AAA solution? -
RADIUS server: This answer is correct because a
RADIUS server can provide centralized AAA
management.
12
What is the purpose of conducting the active
reconnaissance attack? - To scan systems for
vulnerabilities and identify weaknesses for attack: This
answer is correct because the purpose of a
reconnaissance attack is to identify vulnerabilities that
can be exploited.
How should a cybersecurity technician start a
firmware update implementation plan? - By
evaluating and prioritizing updates against the
potential for disruption to users and systems: This
answer is correct because firmware updates can cause
a lot of downtime on critical systems and this should be
the first step in approaching a firmware update
implementation plan.
You need to test a new software patch before a
company-wide deployment. You are worried about
the possibility of malicious code within the new
software patch. Which technology should you use
to test the patch before the company-wide
deployment? Virtualization: This answer is correct
because virtualization is a valuable part of a patch
testing strategy. You can replicate various production
environments on one computer and verify that applying
patches will not result in unexpected or undesirable
system behavior that would affect production
computers within the company.
A company has remote employees working from
home who need to securely access resources on
the company's private LAN. Which technology
protects traffic between the employees and the
company private LAN? - IPsec (IP Security): This
answer is correct because IPsec is a suite of protocols
that secure traffic through a Virtual Private Network
(VPN)
Which threat intelligence organization provides the
Automated Indicator Sharing (AIS) service to
governmental and private sector organizations? -
U.S. Department of Homeland Security (DHS): This
answer is correct. DHS Automated Indicator Sharing
(AIS) is a free service provided to US private sector
and governmental organizations. When a threat is
reported, AlS immediately shares cyber threat
indicators in STIX format with the registered
community.

A new company needs to allow customers access
to its website, but the company also needs to
protect its internal network from unauthorized
users Which network tool should the company
use? - DMZ: This answer is correct because a DM
allows users to access a trusted network without
compromising the internal network.
Your team needs to update the preventive disaster
recovery controls that are used in your
organization What should you do? - Conduct end-
user security training: This answer is correct because
it is designed to prevent users from accidentally
becoming victims of a cyber threat.
What is the term for a collection of software tools
used by an attacker to obtain administrator-level
access to a computer? - Rootkit: This answer is
correct because a rootkit may give hackers admin-level
privileges to a computer.
What provides the strongest security for wireless
network traffic? - WPA3: This answer is correct
because it provides a more secure encryption method
for wireless traffic.
A technician is concerned about the security of a
Windows 10 machine that has failed to install some
newly released Windows security updates. Where
should the technician look to find information on
the Windows security updates that have failed to
install? - Update history: This answer is correct
because you can view the failed Windows updates
under the Update History
Which compliance act provides a framework for US
federal agencies and contractors to adhere to in
order to protect their data? - FISMA (Federal
Information Security Modernization Act): This answer
is correct. The US FISMA mandates that all US federal
agencies and contractors develop a method of
protecting their information systems.
13
What will permit access to a home wireless
network for only specific devices? - MAC filtering:
This answer is correct because it permits or denies
traffic based on a device-specific MAC address.
Which option is used by anti-malware software to
isolate infected files on a computer? - Quarantine:
This answer is correct because the infected file is
isolated.
An IT company is learning about new types of
cyber attacks that might be used against its
customers. The IT company sets up a decoy
network site as a potential target to attract
attackers and gather information about the new
threats. What is the term used to describe the
decoy site? - Honeypot: This answer is correct
because a honeypot is a safe network site that is used
to lure attackers and then used to detect and study the
hacking attempts.
You need to analyze network traffic captured by the
tepdump -w command Which file type should you
expect? - A.pcap file: This answer is correct because
the tepdump -w command will produce a file with a
pcap extension.
Which Windows tool is used to review security
logs? - Event Viewer: This answer is correct because
Event Viewer is a built-in Windows application that lets
you check the events that take place on your computer,
by giving you access to logs about program, security,
and system events.
You discover malware that has been collecting
data and forwarding it to another server in a
different country for several months Which type of
attack is this? - Advanced persistent threat: This
answer is correct because this type of attack involves
a long-term presence to collect sensitive data.

Why is it important to block incoming IP broadcast
addresses and reserved private IP addresses from
entering your network? - These types of addresses
are easier to use for IP spoofing attacks: This answer
is correct because in IP spoofing attacks, known IP
addresses are cloned and used to disrupt the network.
Which tool would an attacker use to determine
which services are running on a target server? -
Nmap: This answer is correct because it can be used
to perform port scans to determine what services are
running on a system.
The statement is false. You cannot use nslookup in
non-interactive mode in order to query information
about multiple websites or servers. You can use
nslookup in interactive mode in order to query
information about multiple websites or servers.
which type of attack occurs when threat actors
utilize botnets on several computers to overwhelm
a targeted web server? - DoS: This answer is correct
because a DoS (Distributed Denial-of-Service) attack
is a malicious attempt by threat actors to disrupt the
normal traffic of a targeted server by overwhelming the
server's resources by the use of botnets. Botnets are
pieces of malware that infect several computers
allowing them to be remotely controlled by a threat
actor. The threat actors can send remote instructions
to the botnets with a targeted IP address for the botnets
to initiate a lot of web traffic. This would cause the
target server to get overwhelmed by the traffic and
cause it to be in a compromised state.
Which two options are examples of privilege
escalation attacks? - Jailbreaking: This answer is
correct because it is an attempt to bypass user account
restrictions on an iOS device.
In which order should you collect digital evidence
from a computer system? - Contents of RAM,
Contents of Fixed Disk, Archived Backup: This answer
is correct because the contents of RAM are the most
volatile and the contents of an archived backup are the
least volatile.
14
A company wants to prevent downtime and the
likelihood of a vulnerability being exploited What
vulnerability management solution should be
used? - Mitigation: This answer is correct because
mitigation lessens the likelihood or severity of an
exploit.
A technician needs to install a recently developed
patch for one of the company applications running
in a mixed Windows environment. Before installing
the patch on the production server, the technician
needs to test it in different environments. Which
solution provides the method to test the patch in
different environments? - Virtualized sandbox: This
answer is correct because it provides a safe, isolated
environment to test out the effects and security of the
patch.
Why would you implement Network Admission
Control? - to enforce network security policy for
devices that join the network: This answer is correct
because this is a function of Network Admission
Control.
A new user makes an unsuccessful login attempt
on the corporate Linux email server. Which file
would log this event? - /var/log/secure: This answer
is correct because /var/log/secure contains information
related to authentication and authorization privileges.
An adversary is obtaining an automated tool to
deliver a malware payload after having identified a
potential vulnerability in the email server of an
organization Which step of the Cyber Kill Chain
framework does this represent? - Weaponization:
This answer is correct because the adversary is using
information from reconnaissance to develop a weapon
against specific targeted systems or individuals in the
organization.
 15

Which security practice is designed to proactively What are the two classes of encryption
prevent the exploitation of weaknesses in a algorithms? (Choose 2.) - Asymmetric: Symmetric:
computer system or software? - Vulnerability
Which algorithm is a one-way mathematical
management: This answer is correct because it is
function that is used to provide data integrity? -
concerned with identifying weaknesses and eliminating
SHA-2: This answer is correct because SHA-2 is a
those weaknesses so they cannot be exploited.
hashing algorithm.
Windows on a Windows host. is when an attacker
A company has remote employees working from
uses a vulnerability to gain high levels of access -
home who need to securely access resources on
Privilege Escalation: This answer is correct because it
the company's private LAN. Which technology
happens when unauthorized high-level access is used
protects traffic between the employees and the
to gain entry to a system. It often starts with low-level
company private LAN? - IPsec (IP Security): This
access and the attacker uses a vulnerability to obtain
answer is correct because IPsec is a suite of protocols
higher-level access.
that secure traffic through a Virtual Private Network
You are required to keep track of file access. Which (VPN)
type of auditing should be implemented? - Object
What is the key characteristic of a cybersecurity
Access: This answer is correct because it determines
defense-in-depth definition? - Multiple overlapping
attempts to access files and other objects.
layers of security: This answer is correct because it
Which scenario is an example of a passive protects different parts of an environment.
reconnaissance technique? Using NSLookup to get
Which type of attack occurs when an attacker
information related to a hostname: This answer is
compromises a company's server so that it
correct because the attacker does not interact directly
reroutes a specific domain name to a fraudulent
with the target, rather the attacker uses NSLookup to
website? - DNS Spoofing: This answer is correct
discover other information about a domain name.
because in a DNS Spoofing attack an attacker alters
What is spyware? - A program that collects DNS records to redirect online traffic to a fraudulent
information about users, systems, and browsing website.
habits: This answer is correct because spyware
Which threat intelligence organization provides the
collects personal and user information.
Automated Indicator Sharing (AIS) service to
A company gives each employee a mobile tablet governmental and private sector organizations? -
device to work from home. The company security U.S. Department of Homeland Security (DHS): This
policy specifies all endpoint computing devices be answer is correct. DHS Automated Indicator Sharing
assigned a unique identifier so the device can be (AIS) is a free service provided to US private sector
tracked. What would help the company remain and governmental organizations. When a threat is
compliant with the security policy? - MDM (Mobile reported, AlS immediately shares cyber threat
Device Manaqement) software: This answer is correct indicators in STIX format with the registered
because MDM is a security software that allows for the community.
implementation of policies that secure, monitor, and
manage end-user mobile devices including asset
tracking.
 16

A new operating system security patch has been Which Windows tool or feature can an
released. Before deploying it to endpoints, you administrator use to ensure that the data on
need to test the patched operatinq system in a safe employee laptops is secure in the event of theft or
and isolated environment. Which technology loss? - BitLocker: This answer is correct because it is
provides these testing benefits? - Virtual machine: a Windows tool that can be used for encryption of the
This answer is correct because a virtual machine can entire hard drive. BitLocker deters threat actors by
be used as a sandbox to provide an isolated enhancing file and system protections. BitLocker also
environment where testing can occur and changes can helps render data inaccessible when BitLocker-
be safely configured. protected computers are lost or stolen.
A cyber technician is worried about the security of What happens during a source route attack? -
the current driver installed on the 64-bit Windows Threat actors gain access to the source path and
10 platform on a corporate laptop. The technician modify the options in the route for a data packet to take:
tries to install an updated version of the driver that This answer is correct because this is the definition of
was found on the web, but the driver fails to install. a source route attack.
What is the issue? - The driver is not digitally signed:
You need to use tepdump to capture a specified
This answer is correct because Windows 10 device
number of packets from the network. What should
installations use digital signatures to verify the integrity
you do? - Run the tepdump -c command: This answer
of the driver packages and to verify the identity of the
is correct because it allows you to specify the number
vendor who provides the driver packages for security
of packets to capture.
purposes.
Which option is the built-in MacOS file encryption
Which type of attack substitutes a source IP
tool? - FileVault: This answer is correct because
address to impersonate a legitimate computer
FileVault is included with MacOS and is used to
system? - IP Spoofing: This answer is correct because
encrypt data.
threat actors alter IP packets with false source IP
addresses to impersonate another computer and make
it difficult to know the source of the attack.
Which statement is True about advanced
persistent threat (APT) attacks? - They are used to
steal data: This answer is correct because, unlike other
attacks, APTs are initiated to steal data and not
damage systems or networks.
Which term describes the process for ensuring
that evidence has not been altered or fabricated
after it was collected? - Chain of custody: This
answer is correct because it describes the collection,
handling, and secure storage of evidence to ensure it
has not been altered after it was collected.
17
18