
Attempt 1

All knowledge areas


All questions
Question 1: Correct
You are working as part of a penetration testing team during an assessment
of Dion Training's headquarters. Your boss has requested that you search the
company's recycling bins for any information that might be valuable during
the reconnaissance phase of your attack. What type of social engineering
method are you performing?

Whaling

Phishing

Impersonation

Dumpster diving

(Correct)

Explanation
OBJ-1.1: Dumpster diving involves searching through publicly accessible garbage
cans or recycling bins to find discarded paper, manuals, or other valuable types of
information from a targeted company. This is often done as part of the
reconnaissance phase before an attack is performed. Whaling is an email-based or
web-based form of phishing that targets senior executives or wealthy individuals.
Phishing is an email-based social engineering attack in which the attacker sends an
email from a supposedly reputable source, such as a bank, to try to elicit private
information from the victim. Impersonation is the act of pretending to be someone
or something else. Malicious actors often couple pretexting and impersonation to
craft a believable scenario and impersonate people in authority during a social
engineering attack.
Question 2: Correct
You have been asked to scan your company's website using the OWASP ZAP tool.
When you performed the scan, you received the following warning:

"The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing
password type input. Passwords may be stored in browsers and retrieved."

You begin to investigate further by reviewing a portion of the HTML code from the
website that is listed below:
Based on your analysis, which of the following actions should you take?

This is a false positive and you should implement a scanner exception to
ensure you don't receive this again during your next scan

You tell the developer to review their code and implement a bug/code fix

(Correct)

You recommend that the system administrator disables SSL on the server
and implements TLS instead

You recommend that the system administrator pushes out a GPO update
to reconfigure the web browsers security settings

Explanation
OBJ-2.3: Since your company owns the website, you can require the developer to
implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE
function to work on this website. The code change is simple: add
autocomplete="off" to the form element on the code's first line. The resulting code
would be <form action="authenticate.php" autocomplete="off">.
Question 3: Correct
Which security control would prevent unauthorized users from connecting to
a company’s wireless network?

IPS

Firewall

NAC

(Correct)

Segmentation

Explanation
OBJ-3.3: Network Access Control (NAC) prevents unauthorized users from
connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant
to restrict access from external sources and block known attacks. They would not
keep out an intruder who is already in range of the wireless network. Network
segmentation would limit the access that an intruder has to network resources but
would not block the connection itself.
Question 4: Correct
Which of the following ports should you block at the firewall if you want to
prevent a remote login to a server from occurring?

443

23

(Correct)

110

25

Explanation
OBJ-3.1: Telnet is the protocol used for remote command-line administration of a
host using TCP port 23. Telnet is considered insecure since it is unauthenticated
and unencrypted. The simple mail transfer protocol (SMTP) is the protocol used to
send mail between hosts on the Internet using TCP port 25. The post office
protocol (POP3) is a TCP/IP application protocol providing a means for a client to
access email messages stored in a mailbox on a remote server over port 110. The
server usually deletes messages once the client has downloaded them. The
hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide
web content to browsers using SSL/TLS encryption over port 443.
Question 5: Correct
Which type of personnel control is being implemented if Kirsten must receive
and inventory any items that her coworker, Bob, orders?

Dual control

Mandatory vacation

Separation of duties

(Correct)

Background checks

Explanation
OBJ-5.3: This organization uses separation of duties to ensure that neither Kirsten
nor Bob can exploit the organization’s ordering processes for their gain. Separation
of duties is the concept of having more than one person required to complete a
particular task to prevent fraud and error. Dual control, instead, requires both
people to act together. For example, a nuclear missile system uses dual control and
requires two people to each turn a different key simultaneously to allow for a
missile launch to occur. Mandatory vacation policies require employees to take
time away from their job and detect fraud or malicious activities. A background
check is a process a person or company uses to verify that a person is who they
claim to be and provides an opportunity for someone to check a person's criminal
record, education, employment history, and other past activities to confirm their
validity.
Question 6: Correct
You work for a bank interested in moving some of its operations to the cloud,
but it is worried about security. You recently discovered an organization
called CloudBank that was formed by 15 local banks as a way for them to
build a secure cloud-based environment that can be accessed by the 15
member banks. Which cloud model BEST describes the cloud created by
CloudBank?

Hybrid cloud

Community cloud

(Correct)

Private cloud

Public cloud

Explanation
OBJ-2.2: Community Cloud is another type of cloud computing in which the cloud
setup is shared manually among different organizations that belong to the same
community or area. A multi-tenant setup is developed using the cloud among
different organizations belonging to a particular community or group with similar
computing concerns. For joint business organizations, ventures, research
organizations, and tenders, a community cloud is an appropriate solution. Based on
the description of 15 member banks coming together to create the CloudBank
organization and its cloud computing environment, a community cloud model is
most likely described. A public cloud contains services offered by third-party
providers over the public Internet and is available to anyone who wants to use or
purchase them. They may be free or sold on-demand, allowing customers to pay
only per usage for the CPU cycles, storage, or bandwidth they consume. A private
cloud contains services offered either over the Internet or a private internal network
and only to select users instead of the general public. A hybrid cloud is a cloud
computing environment that uses a mix of on-premises, private cloud, and third-
party public cloud services with orchestration between these platforms. This
typically involves a connection from an on-premises data center to a public cloud.
Question 7: Correct
A cybersecurity analyst just finished conducting an initial vulnerability scan
and is reviewing their results. To avoid wasting time on results that are not
related to actual vulnerabilities, the analyst wants to remove any false
positives before remediating the findings. Which of the following is an
indicator that something in their results would be a false positive?

An HTTPS entry that indicates the web page is securely encrypted

A finding that shows the scanner compliance plug-ins are not up-to-date

Items classified by the system as Low or as For Informational Purposes Only

(Correct)

A scan result that shows a version that is different from the automated
asset inventory

Explanation
OBJ-1.7: When conducting a vulnerability scan, it is common for the report to
include some findings that are classified as “low” priority or “for informational
purposes only.” These are most likely false positives and can be ignored by the
analyst when starting their remediation efforts. "An HTTPS entry that indicates the
web page is securely encrypted" is not a false positive but a true negative (a non-
issue). A scan result showing a different version from the automated asset
inventory should be investigated and is likely a true positive. A finding that shows
the scanner compliance plug-ins are not up-to-date would likely also be a true
positive that should be investigated.
Question 8: Correct
Your smartphone begins to receive unsolicited messages while you are eating lunch
at the restaurant across the street from your office. What might cause this to
occur?

Geotagging

Bluesnarfing

Packet sniffing

Bluejacking

(Correct)

Explanation
OBJ-1.4: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-
enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing
involves taking data from a smartphone or tablet over Bluetooth without
permission. Bluetooth has a limited range, so the attacker is likely within 10 meters
of the victimized device. Geotagging involves embedding the geolocation
coordinates into a piece of data (normally a photo or video). Packet sniffing is a
passive method of collecting network traffic for follow-on analysis at a later time.
Question 9: Correct
Which analysis framework provides the most explicit detail regarding how to
mitigate or detect a given threat?

Lockheed Martin cyber kill chain

Diamond Model of Intrusion Analysis

OpenIOC

MITRE ATT&CK framework

(Correct)

Explanation
OBJ-4.2: The MITRE ATT&CK framework provides explicit pseudo-code examples
for detecting or mitigating a given threat within a network and ties specific
behaviors back to individual actors. The Diamond Model provides an excellent
methodology for communicating cyber events and allowing an analyst to implicitly
derive mitigation strategies. The Lockheed Martin cyber kill chain provides a
general life cycle description of how attacks occur but does not deal with the
specifics of how to mitigate them. OpenIOC contains a depth of research on APTs
but does not integrate the detection and mitigation strategy.
Question 10: Incorrect
Which of the following authentication mechanisms involves receiving a one-
time use shared secret password, usually, through a token-based key fob or
smartphone app, that automatically expires after a short period of time (for
example, 60 seconds)?

TOTP

(Correct)

HOTP

(Incorrect)

Smart card

EAP

Explanation
OBJ-2.4: The Time-based One-time Password Algorithm (TOTP) is a refinement of
the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired,
raising the risk that an attacker might obtain one and decrypt data in the future. In
TOTP, the HMAC is built from the shared secret plus a value derived from the
device's and server's local timestamps. TOTP automatically expires each token after
a short window (60 seconds, for instance).
Question 11: Correct
Marta's organization is concerned with the vulnerability of a user's account
being vulnerable for an extended period of time if their password was
compromised. Which of the following controls should be configured as part
of their password policy to minimize this vulnerability?

Password history

Password expiration

(Correct)

Minimum password length

Password complexity

Explanation
OBJ-3.7: A password expiration control in the policy would force users to change
their passwords at specific time intervals. This will then lock out a user who types in
the incorrect password or create an alert that the user's account has been
potentially compromised. While the other options are good components of
password security to prevent an overall compromise, they are not effective against
the vulnerability described in this particular scenario. It states the issue is based on
time. Password history is used to determine the number of unique passwords a
user must use before using an old password again. The "Passwords must meet
complexity requirements" policy setting determines whether passwords must
meet a series of guidelines that are considered important for a strong password.
Maximum password length creates a limit to how long the password can be, but a
longer password is considered stronger against a brute force attack.
Question 12: Correct
You have been hired as a consultant by Dion Training to review their current
disaster recovery plans. The CEO has requested that the plans ensure that the
company can limit downtime in the event of a disaster. Still, due to staffing
concerns, he cannot approve the budget to implement or maintain a fully
redundant offsite location to ensure 99.999% availability. Based on that
limitation, what should you recommend to the CEO?

Install a set of redundant servers to another part of the company's office
building

Redundant hardware be maintained at the offsite location and configured
to be ready for the recovery of the company's backup data when needed

(Correct)

Retain their backups in their office building but install redundant
services in a collocated data center within a different company

Retain all hardware at their office building but ship their backups to an
offsite facility for storage

Explanation
OBJ-2.1: A warm site provides some of a hot site's capabilities, but it requires the
customer to do more work to become operational. Warm sites provide computer
systems and compatible media capabilities. If a warm site is used, administrators
and other staff will need to install and configure systems to resume operations. For
most organizations, a warm site could be a remote office, a leased facility, or
another organization with which yours has a reciprocal agreement. By placing your
redundant hardware at the offsite location and configuring it to be ready for
recovery when needed, the company can have a higher availability level than a cold
site but not have the full personnel costs involved with a hot site. A hot site would
ensure that the offsite location has all the hardware, equipment, personnel, and
data installed and ready to provide services at all times. Maintaining a hot site is
much more expensive than a warm site. It is not recommended that your
redundant servers are located within the same building since a fire, flood, or other
disaster could destroy your primary and redundant capabilities. Retaining the
hardware at the office building but shipping the backups offsite is more in line with
a cold site description. This would also not provide high availability levels since the
systems would need to be set up, configured, and made ready for use.
Question 13: Correct
Dion Training is in early discussions with a large university to license its
cybersecurity courses as part of their upcoming semester. Both organizations
have decided to enter into an exploratory agreement while negotiating the
detailed terms of the upcoming contract. Which of the following documents
would best serve this purpose?

ISA

SLA

NDA

MOU

(Correct)

Explanation
OBJ-5.3: A Memorandum of understanding (MOU) is used as a preliminary or
exploratory agreement to express their intent for the two companies to work
together. A service level agreement (SLA) is a contractual agreement setting out the
detailed terms under which a service is provided. The interconnection security
agreement (ISA) governs the relationship between any federal agency and a third
party interconnecting their systems. A non-disclosure agreement (NDA) is the legal
basis for protecting information assets.
Question 14: Correct
You want to provide controlled remote access to the remote administration
interfaces of multiple servers hosted on a private cloud. What type of
segmentation security solution is the best choice for this scenario?

Bastion hosts

Airgap

Jumpbox

(Correct)

Physical

Explanation
OBJ-3.3: Installing a jumpbox as a single point of entry for the administration of
servers within the cloud is the best choice for this requirement. The jumpbox only
runs the necessary administrative port and protocol (typically SSH). Administrators
connect to the jumpbox then use the jumpbox to connect to the admin interface
on the application server. The application server's admin interface has a single
entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. A
bastion host is a special-purpose computer on a network specifically designed and
configured to withstand attacks. The computer generally hosts a single application.
For example, a proxy server and all other services are removed or limited to reduce
the threat to the computer. An airgap system is a network or single host computer
with unique security requirements that may physically be separated from any other
network. Physical separation would prevent a system from accessing the remote
administration interface directly and require an airgap system to reach the private
cloud.
Question 15: Correct
You have been asked to write a new security policy to reduce the risk of
employees working together to steal information from the Dion Training
corporate network. Which of the following policies should you create to
counter this threat?

Privacy policy

Least privilege policy

Mandatory vacation policy

(Correct)

Acceptable use policy

Explanation
OBJ-5.3: A mandatory vacation policy requires that all users take time away from
work to enjoy a break from their day to day routine of their jobs. But, there is a
major side benefit to mandatory vacations regarding your company's security
posture. It will require the company to have another employee fill in for the
vacationing employee's normal roles and responsibilities by requiring mandatory
vacations. The employee who is filling in might come across fraud, abuse, or theft
that the vacationing employee is a part of. The concept of least privilege may not
stop this theft from occurring since two employees could work together to steal
information that they have access to as part of their job. Also, acceptable use
outlines the types of activities allowed and not allowed; it won't prevent theft from
occurring. A privacy policy discusses how information should be properly stored
and secured, but this won't stop an employee from stealing information or
detecting the stolen information.
Question 16: Correct
Which of the following attacks would most likely be used to create an
inadvertent disclosure of information from an organization's database?

Buffer overflow

SQL injection

(Correct)

Cross-site scripting

Denial of service

Explanation
OBJ-1.3: A SQL injection poses the most direct and most impactful threat to an
organization's database. A SQL injection could allow the attacker to execute remote
commands on the database server and lead to sensitive information disclosure. A
buffer overflow attack attempts to overwrite the memory buffer to send additional
data into adjacent memory locations. A buffer overflow attack might target a
database server, but it isn't intended to disclose information directly. Instead, a
buffer overflow attack may be used to gain initial access to a server and allow for
other malicious code running. A denial of service targets the availability of the
information by attempting to take the server offline. A cross-site scripting attack
typically is focused on the user, not the server or database.
Question 17: Correct
What technique is an attacker using if they review data and publicly available
information to gather intelligence about the target organization without
scanning or other technical information-gathering activities?

Active scanning

Patch management

Vulnerability scanning

Passive reconnaissance

(Correct)

Explanation
OBJ-1.8: Passive reconnaissance combines publicly available data from various
sources about an organization and does not use active scanning or data gathering
methods. Vulnerability scanning is an inspection of the potential points of
exploitation on a computer or network to identify security holes. A vulnerability
scan is usually conducted to detect and classify system weaknesses in computers,
networks, and communications equipment and predict the effectiveness of
countermeasures. Patch management is the process that helps acquire, test, and
install multiple patches (code changes) on existing applications and software tools
on a computer, enabling systems to stay updated on existing patches and
determining which patches are the appropriate ones.
Question 18: Correct
Jack is assessing the likelihood of reconnaissance activities being performed
against his organization. Which of the following would best classify the
likelihood of a port scan being conducted against his DMZ?

Medium

None

High

(Correct)

Low

Explanation
OBJ-5.4: Since Jack's DMZ would contain systems and servers exposed to the
Internet, there is a high likelihood that they are constantly being scanned by
potential attackers performing reconnaissance.
Question 19: Correct
You were conducting a forensic analysis of an iPad backup and discovered
that only some of the information is within the backup file. Which of the
following best explains why some of the data is missing?

The backup was interrupted

The backup is stored in iCloud

The backup is encrypted

The backup is a differential backup

(Correct)

Explanation
OBJ-2.5: iPhone/iPad backups can be created as full or differential backups. In this
scenario, the backup being analyzed is likely a differential backup containing the
information that has changed since the last full backup. If the backup were
encrypted, you would be unable to read any of the contents. If the backup were
interrupted, the backup file would be in an unusable state. If the backup were
stored in iCloud, you would need access to their iCloud account to retrieve and
access the file. Normally, during an investigation, you will not have access to the
user's iCloud account.
Question 20: Correct
Your company has created a baseline image for all of its workstations using
Windows 10. Unfortunately, the image included a copy of Solitaire, and the
CIO has created a policy to prevent anyone from playing the game on the
company’s computers. You have been asked to create a technical control to
enforce the policy (administrative control) that was recently published. What
should you implement?

Application block list

(Correct)

Application hardening

Application allow list

Disable removable media

Explanation
OBJ-3.2: You should create and implement an application block list that includes
the Solitaire game on it. This will prevent the application from being able to be run
on any corporate workstation. Application allow lists will allow only authorized
applications to be run, while application block lists will prevent any application
listed from being run. Application hardening involves updating and patching your
software (not applicable to this question). Disabling removable media is a good
practice, but it won't prevent the game that was already installed from being run
from the hard drive. Application allow lists and block lists can be deployed to hosts
on the network using a GPO update.
Question 21: Correct
Which cloud computing concept is BEST described as focusing on replacing
the hardware and software required when creating and testing new
applications and programs from a customer's environment with cloud-based
resources?

PaaS

(Correct)

SaaS

IaaS

SECaaS

Explanation
OBJ-2.2: Platform as a Service (PaaS) is a cloud computing service that enables
consumers to rent fully configured systems that are set up for specific purposes.
Platform as a Service (PaaS) provides the end-user with a development
environment without all the hassle of configuring and installing it themselves. If
you want to develop a customized or specialized program, PaaS helps reduce the
development time and overall costs by providing a ready to use platform.
Infrastructure as a Service (IaaS) is a cloud computing service that enables a
consumer to outsource computing equipment purchases and running their own
data center. Software as a Service (SaaS) is a cloud computing service that enables
a service provider to make applications available over the Internet to end-users.
This can be a calendar, scheduling, invoicing, word processor, database, or other
programs. For example, Google Docs and Office 365 are both word processing
SaaS solutions. Security as a service is a business model in which a service provider
integrates their security services into a corporate infrastructure on a subscription
basis more cost-effectively than most individuals or corporations can provide on
their own when the total cost of ownership is considered.
Question 22: Correct
During a vulnerability scan of your network, you identified a vulnerability on
an appliance installed by a vendor on your network under an ongoing service
contract. You do not have access to the appliance's operating system as the
device was installed under a support agreement with the vendor. What is your
best course of action to remediate or mitigate this vulnerability?

Contact the vendor to provide an update or to remediate the vulnerability

(Correct)

Try to gain access to the underlying operating system and install the
patch

Mark the identified vulnerability as a false positive

Wait 30 days, run the scan again, and determine if the vendor corrected
the vulnerability

Explanation
OBJ-1.6: You should contact the vendor to determine if a patch is available for
installation. Since this is a vendor-supported appliance installed under a service
contract, the vendor is responsible for the appliance's management and security.
You should not attempt to gain access to the underlying operating system to patch
the vulnerability yourself, as this could void your warranty and void your service
contract. Based on the information provided, there is no reason to believe that this
is a false positive, either. You should not simply wait 30 days and rerun the scan, as
this is a non-action. Instead, you should contact the vendor to fix this vulnerability.
Then, you could rerun the scan to validate they have completed the mitigations
and remediations.
Question 23: Correct
Every new employee at Dion Training must sign a document to show they
understand the proper rules for using the company's computers. This
document states that the new employee has read the policy that dictates what
can and cannot be done from the corporate workstations. Which of the
following documents BEST describes this policy?

SOW

AUP

(Correct)

SLA

MOU

Explanation
OBJ-5.3: An acceptable use policy (AUP) is a document stipulating constraints and
practices that a user must agree to for access to a corporate network or the
internet. For example, an AUP may state that they must not attempt to break any
computer network security, hack other users, or visit pornographic websites from
their work computer. A service level agreement (SLA) is a contract that outlines the
detailed terms under which a service is provided, including reasons the contract
may be terminated. A statement of work (SOW), or a scope of work, is a document
that outlines all the work that is to be performed, as well as the agreed-upon
deliverables and timelines. A memorandum of understanding (MOU) is a
preliminary or exploratory agreement to express an intent to work together that is
not legally binding and does not involve monetary exchange.
Question 24: Correct
(Sample Simulation – On the real exam for this type of question, you would have to
fill in the blanks by dragging and dropping them into place.)

Using the image provided, select four security features that you should use with a
workstation or laptop within your organization.

CAT5e STP, Location tracking, Host-based firewall, Remote wipe

Remote wipe, Location tracking, Host-based firewall, Cable lock

Cable lock, Network sniffer, Host-based firewall, Remote wipe

Host-based firewall, Network sniffer, Cable lock, CAT5e STP

(Correct)

Explanation
OBJ-3.5: Host-based firewall, Network sniffer, a Cable lock, and CAT5e STP cables
are appropriate security features to use with a corporate workstation or laptop.
Using a host-based firewall (such as Windows Firewall), you can configure the
workstation or laptop to block incoming or outgoing data from the device's
network connection. If you install a network sniffer, you will be able to capture any
network traffic used on the network for later analysis. If you use a cable lock, it will
lock the workstation or laptop to a desk and prevent theft of the device. If you use
a CAT 5e STP cable for your network connection, you will minimize EMI risk and
reduce data emanations.
Question 25: Correct
Which of the following type of threats did the Stuxnet attack rely on to cross
an air gap between a business and an industrial control system network?

Cross-site scripting

Removable media

(Correct)

Session hijacking

Directory traversal

Explanation
OBJ-2.7: Air gaps are designed to remove connections between two networks to
create physical segmentation between them. The only way to cross an air gap is to
have a physical device between these systems, such as using a removable media
device to transfer files between them. A directory traversal is an HTTP attack that
allows attackers to access restricted directories and execute commands outside the
web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection
in which malicious scripts are injected into otherwise benign and trusted websites.
A session hijacking attack compromises the session token by stealing or predicting
a valid session token to gain unauthorized access to the Web Server. A directory
traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air
gap.
Question 26: Incorrect
Your company is adopting a cloud-first architecture model. Management
wants to decommission the on-premises SIEM your analysts use and migrate
it to the cloud. Which of the following is an issue with using this approach?

Legal and regulatory issues may prevent data migration to the cloud

(Correct)

The company will be dependent on the cloud provider's backup
capabilities

The company will have less control over the SIEM

(Incorrect)

A VM escape exploit could allow an attacker to gain access to the SIEM

Explanation
OBJ-2.2: If there are legal or regulatory requirements that require the company to
host their security audit data on-premises, then moving to the cloud will not be
possible without violating applicable laws. For example, some companies must host
their data within their national borders, even if migrating to the cloud. The other
options presented are all low risk and can be overcome with proper planning and
mitigations. Most cloud providers have degrees of redundancy far above what any
individual on-premises provider will be able to generate, making the concern over
backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still
be operated and controlled in the same manner as the previous on-premise
solution using a virtualized cloud-based server. While a VM or hypervisor escape is
possible, they are rare and can be mitigated with additional controls.
Question 27: Correct
Which cloud computing concept is BEST described as focusing on the
replacement of physical hardware at a customer's location with cloud-based
resources?

SaaS

SECaaS

PaaS

IaaS

(Correct)

Explanation
OBJ-2.2: Infrastructure as a Service (IaaS) is a cloud computing service that enables
a consumer to outsource computing equipment purchases and running their own
data center. If you purchase a server in the cloud and then install and manage the
operating system and software, this is Iaas. Platform as a Service (PaaS) is a cloud
computing service that enables consumers to rent fully configured systems that are
set up for specific purposes. Software as a Service (SaaS) is a cloud computing
service that enables a service provider to make applications available over the
Internet to end-users. This can be a calendar, scheduling, invoicing, word processor,
database, or other programs. For example, Google Docs and Office 365 are both
word processing SaaS solutions. Security as a service is a business model in which a
service provider integrates their security services into a corporate infrastructure on
a subscription basis more cost-effectively than most individuals or corporations can
provide on their own when the total cost of ownership is considered.
Question 28: Correct
Which of the following secure coding best practices ensures special characters
like <, >, /, and ‘ are not accepted from the user via a web form?

Error handling

Session management

Input validation

(Correct)

Output encoding

Explanation
OBJ-3.2: Input validation is performed to ensure that only properly formed data enters the workflow of an information system, preventing malformed data from persisting in the database and triggering a malfunction of downstream components. Validation should be allow-list based where possible (accept only the characters, lengths, and formats the field legitimately needs) and should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce security problems when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the mechanism used between the user and the web application to share and continuously exchange the session ID. Output encoding translates special characters into a different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Validation and encoding are complementary: validation limits what enters the system, while encoding protects the specific output context the data is written into.
Question 29: Correct
(Sample Simulation – On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.)
Using the image provided, select four security features that you should use with a smartphone provided through a COPE policy in your organization.

Cellular data, Remote wipe, Location tracking, MDM

(Correct)

Remote wipe, Location tracking, Host-based firewall, Cable lock

Cable lock, Network sniffer, Cellular data, Remote wipe

MDM, Location tracking, Host-based firewall, Remote wipe

Explanation
OBJ-3.5: Cellular data, remote wipe, location tracking, and MDM are all appropriate security features to use with a company-provided smartphone. By using cellular data, your users can avoid connecting to untrusted Wi-Fi networks for connectivity. Remote wipe enables the organization to erase the device's contents remotely if it is lost or stolen. Location tracking uses the smartphone's GPS coordinates for certain apps, for location-based authentication, and to track down a device that is lost or stolen. Mobile device management (MDM) software enables administrators to push software updates, security policies, and other security features to the device from a centralized server. A cable lock is a physical control for laptops and desktops, and a network sniffer is an analysis tool, not a protective feature of a managed smartphone.
Question 30: Correct
If an administrator cannot fully remediate a vulnerability, which of the
following should they implement?


Access requirements

An engineering tradeoff

A policy

A compensating control

(Correct)

Explanation
OBJ-5.1: Based on the question's wording, a compensating control is the most accurate answer for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the associated risk by implementing other controls. Access requirements are a form of logical control that can be implemented to protect a system and could serve as a compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a design in return for gains in other aspects. Often, an engineering tradeoff occurs when security requirements are traded for operational requirements or vice versa.
Question 31: Correct
A supplier needs to connect several laptops to an organization’s network as
part of their service agreement. These laptops will be operated and
maintained by the supplier. Victor, a cybersecurity analyst for the
organization, is concerned that these laptops could contain some
vulnerabilities that could weaken the network's security posture. What can
Victor do to mitigate the risk to other devices on the network without having
direct administrative access to the supplier’s laptops?

Require 2FA (two-factor authentication) on the laptops

Implement a jumpbox system

(Correct)

Scan the laptops for vulnerabilities and patch them

Increase the encryption level of VPN used by the laptops

Explanation
OBJ-3.3: A jumpbox is a hardened and monitored system that spans two dissimilar security zones and provides a controlled, audited means of access between them. Placing the supplier's laptops in their own zone and routing their access through a jumpbox creates network segmentation between those laptops and the rest of the network, minimizing the risk they pose. While the other options listed are all good security practices, they do not fully mitigate the risk, since Victor cannot enforce those configurations on a supplier-owned laptop. Instead, he must segment the laptops from the rest of the network, whether physically, logically, with an air gap, or through a jumpbox.
Question 32: Correct
Riaan's company runs critical web applications. During a vulnerability scan,
Riaan found a serious SQL injection vulnerability in one of their web
applications. The system cannot be taken offline to remediate the
vulnerability. Which of the following compensating controls should Riaan
recommend using until the system can be remediated?

Vulnerability scanning

WAF

(Correct)

Encryption

IPS

Explanation
OBJ-3.3: A web application firewall (WAF) is the best option, since it can serve as a compensating control and block web application attacks such as SQL injection until the application itself can be fixed. Vulnerability scanning can only detect the issue; it is a detective control, not a compensating one. Encryption does not stop SQL injection, because the malicious input is still handed to the database once it has been decrypted. A network intrusion prevention system (IPS) inspects traffic based on ports, protocols, and signatures and lacks the application-layer awareness of a WAF, so it is not considered a compensating control for this vulnerability.
Question 33: Correct
You are analyzing the SIEM for your company's e-commerce server when you
notice the following URL in the logs of your SIEM:

Based on this line, what type of attack do you expect has been attempted?

SQL injection

Session hijacking

Buffer overflow

XML injection

(Correct)

Explanation
OBJ-1.3: This is an example of XML injection. XML injection manipulates or compromises the logic of an XML application or service: injecting unintended XML content or structures into an XML message can alter the application's intended logic and cause malicious content to be inserted into the resulting messages or documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be:
<addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>
By using the URL above, this would be modified to the following:
<addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>
The result is that a new element is added to the XML document and processed by the server. This element adds 10 units of the product at $0.00 to the shopping cart, while 0 units of the product at $50.00 are added. This defeats the integrity of the e-commerce store's add-to-cart functionality. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that writes data past a buffer's boundary to overwrite an adjacent memory location. A session hijacking attack exploits the web session control mechanism, normally managed through a session token. The real key to answering this question is identifying the XML-structured code being entered as part of the URL, shown by the angle-bracketed data.
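As an added illustration for Questions 28 and 33 (not part of the original exam explanation), the following Python builds the add-to-cart XML described above three ways: by pasting the request parameter into a string template (the injectable pattern), by letting xml.etree escape attribute values (output encoding), and by allow-list validating the quantity before building the document (input validation). The catalogue, the attacker's quantity value, and the function names are constructed for this example; the page's actual URL is not reproduced.

```python
import re
import xml.etree.ElementTree as ET

# Constructed catalogue for the example: item id -> unit price. Hypothetical.
CATALOGUE = {"5": 50.00}

# Constructed attacker value for the quantity parameter (not the page's URL).
# It closes the quantity attribute and the <item/> element, then appends a
# second <item/> for the same product priced at 0.00.
INJECTED_QTY = '1" /><item id="5" perItemPrice="0.00" quantity="10'


def build_cart_naive(item_id: str, quantity: str) -> str:
    """Vulnerable pattern: request parameters pasted straight into an XML template."""
    price = CATALOGUE[item_id]
    return (f'<addToCart><item id="{item_id}" '
            f'perItemPrice="{price:.2f}" quantity="{quantity}" /></addToCart>')


def build_cart_encoded(item_id: str, quantity: str) -> str:
    """Output encoding only: the XML library escapes ", < and > inside attribute
    values, so the input cannot change the document structure (but the quantity
    field may still contain garbage the back end cannot parse)."""
    root = ET.Element("addToCart")
    ET.SubElement(root, "item", {
        "id": item_id,
        "perItemPrice": f"{CATALOGUE[item_id]:.2f}",
        "quantity": quantity,
    })
    return ET.tostring(root, encoding="unicode")


def build_cart_safe(item_id: str, quantity: str) -> str:
    """Input validation first (allow-list), then encoded construction."""
    if item_id not in CATALOGUE:
        raise ValueError("unknown item id")
    if not re.fullmatch(r"[1-9][0-9]{0,3}", quantity):  # 1..9999, digits only
        raise ValueError("quantity must be a positive integer")
    return build_cart_encoded(item_id, quantity)


def cart_summary(xml_doc: str) -> tuple[int, float]:
    """Back-end view of the cart: total units and total price."""
    root = ET.fromstring(xml_doc)
    units, total = 0, 0.0
    for item in root.findall("item"):
        qty = int(item.get("quantity"))
        units += qty
        total += qty * float(item.get("perItemPrice"))
    return units, round(total, 2)


def item_count(xml_doc: str) -> int:
    """How many <item/> elements the server would actually process."""
    return len(ET.fromstring(xml_doc).findall("item"))


if __name__ == "__main__":
    print("naive   :", cart_summary(build_cart_naive("5", INJECTED_QTY)))   # (11, 50.0)
    print("encoded :", item_count(build_cart_encoded("5", INJECTED_QTY)))  # 1
    try:
        build_cart_safe("5", INJECTED_QTY)
    except ValueError as exc:
        print("safe    : rejected,", exc)
```

Run directly, the naive build reports 11 units for $50.00 from a single request, the encoded build still contains exactly one <item/>, and the validated build rejects the input before any XML is produced. Encoding alone keeps the structure intact but leaves unusable data in the quantity field, which is why validation and encoding are used together rather than as alternatives.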
Question 34: Correct
Your organization has recently been the target of a spearphishing campaign.
You have identified the website associated with the link in the spearphishing
emails and want to deny access to it. Which of the following techniques
would be the MOST effective in this situation?

Quarantine

Containment

URL filter

(Correct)

Application blocklist

Explanation
OBJ-4.4: A URL filter can block a website based on its address, or uniform resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine is used against an infected machine and would not be effective at blocking access to a given website across the entire organization. An application blocklist prevents an application from running, so it cannot be used to block a single malicious or suspicious website or URL.
Question 35: Correct
What type of malicious application does not require user intervention or
another application to act as a host to replicate?

Macro

Virus

Worm

(Correct)

Trojan

Explanation
OBJ-1.2: A worm is a self-replicating type of malware that does not require user
intervention or another application to act as a host for it to replicate. Viruses and
Macros require user intervention to spread, and Trojans are hosted within another
application that appears harmless.
Question 36: Correct
Jennifer decided that the licensing cost for a piece of video editing software
was too expensive. Instead, she decided to download a keygen program to
generate a license key and install a pirated version of the editing software.
After she runs the keygen, a license key is created, but her system
performance becomes very sluggish, and her antimalware suite begins to
display numerous alerts. Which type of malware might her computer be
infected with?

Trojan

(Correct)

Worm

Adware

Logic bomb

Explanation
OBJ-1.2: A trojan is a program in which malicious or harmful code is hidden inside an apparently harmless program. In this example, the harmless program is the key generator (which does create a license key), but it also carries malicious code that causes the additional alerts from the antimalware solution. A trojan is designed to damage, disrupt, steal, or otherwise inflict some harmful action on your data or network. The most common form is the Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan typically spawns additional processes that run in the background of the system, which explains the sluggish performance. A worm is standalone malware that replicates itself to spread to other computers, often across a network and by exploiting security failures on the target; a worm spreads on its own, whereas a virus needs a host program or user interaction to propagate. A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed or on a specific date. Adware is software that displays unwanted advertisements on your computer.
Question 37: Incorrect
Based on some old SIEM alerts, you have been asked to perform a forensic
analysis on a given host. You have noticed that some SSL network
connections are occurring over ports other than port 443. The SIEM alerts
indicate that copies of svchost.exe and cmd.exe have been found in the host's
%TEMP% folder. The logs indicate that RDP connections have previously
connected with an IP address that is external to the corporate intranet, as
well. What threat might you have uncovered during your analysis?

Ransomware

(Incorrect)

Software vulnerability

APT

(Correct)

DDoS

Explanation
OBJ-1.2: The provided indicators of compromise appear to be from an Advanced
Persistent Threat (APT). These attacks tend to go undetected for several weeks or
months and utilize secure communication to external IPs and Remote Desktop
Protocol connections to provide the attackers with access to the infected host.
While an APT might use a software vulnerability to gain their initial access, the full
description provided in the question that includes the files being copied and
executed from the %TEMP% folder and the use of SSL/RDP connections indicates
longer-term exploitation, such as one caused by an APT.
Question 38: Correct
Your company has created a baseline image for all of its workstations using
Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has
created a policy to prevent anyone from playing the game on the company’s
computers. You have been asked to create a technical control to enforce the policy
(administrative control) that was recently published. What should you implement?

Application hardening

Disable removable media


Application block list

(Correct)

Application allow list

Explanation
OBJ-4.4: You should create and implement an application block list that includes the Solitaire executable. This will prevent the application from running on any corporate workstation. An application allow list permits only authorized applications to run, while an application block list prevents any listed application from running; an allow list would also work, but it requires cataloguing every legitimate application first, which is far more effort than this policy calls for. Application hardening involves configuring, updating, and patching software to reduce its attack surface (not applicable to this question). Disabling removable media is a good practice, but it will not prevent a game that is already installed from being run from the hard drive. Application allow lists and block lists can be deployed to hosts on the network using a GPO update.
Question 39: Correct
Your company explicitly obtains permission from its customers to use their
email address as an account identifier in its CRM. Max, who works at the
marketing department in the company's German headquarters, just emailed
all their customers to let them know about a new sales promotion this
weekend. Which of the following privacy violations has occurred, if any?

There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails

(Correct)

There was no privacy violation since the customers were emailed securely through the customer relationship management tool

There was a privacy violation since data minimization policies were not followed properly

There was no privacy violation because only corporate employees had access to their email addresses

Explanation
OBJ-5.2: According to the European Union's General Data Protection Regulation (GDPR), personal data may only be used for the specific purpose for which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR. Even a company that does not operate within the European Union can be subject to the GDPR when it processes the personal data of people in the EU, so it should follow the same rules. While data minimization is a good internal policy, not following it does not by itself constitute the privacy violation described here. Data minimization is the principle that data should only be processed and stored to the extent necessary to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor, since the issue is using the data in ways the customer did not consent to, not which system the email was sent through. A privacy violation can also occur when corporate employees use data without a need to know, a valid business requirement, or the customer's consent for that specific purpose (as was the case in this scenario).
Question 40: Correct
What technology is NOT PKI x.509 compliant and cannot be used in various
secure functions?

SSL/TLS

AES

PKCS

Blowfish

(Correct)

Explanation
OBJ-3.9: AES, PKCS, and SSL/TLS are all used alongside X.509 public key infrastructure and can be used in a wide variety of functions. AES is the symmetric cipher used to protect bulk data once keys have been established. PKCS (Public Key Cryptography Standards) is a family of standards for public key cryptography; for example, PKCS #1 defines RSA encryption and signature formats, PKCS #10 defines certificate signing requests, and PKCS #12 defines a container for bundling a certificate with its private key. SSL/TLS uses X.509 certificates to authenticate the server (and optionally the client) during its key exchange. Blowfish is a standalone symmetric block cipher with no role in PKI or X.509 certificate operations.
Question 41: Correct
(This is a simulated performance-based question.)
You have been asked to help conduct a known environment penetration test. As
part of your preparations, you have been given the source code for the
organization’s custom web application.
Which type of vulnerability might be able to exploit the code shown in this image?

Buffer overflow

(Correct)

Remote code execution

JavaScript injection

SQL injection

Explanation
OBJ-1.2: The function DionCode may be subject to a buffer overflow if the user enters more than the buffer can hold. In defining the char (character) array, the programmer only allocated 20 bytes of storage, and strcpy (string copy) copies until it reaches the source string's null terminator without checking the destination size. To solve this problem, the programmer should validate the length of the input before passing the user_input variable to strcpy: the input must be at most 19 characters, since the terminating null byte also needs a slot in the 20-byte array. Using a bounded copy such as strncpy or snprintf with the destination size is the usual defensive alternative.
Question 42: Correct
You are reviewing the logs in your HIDS and see that entries were showing
SYN packets received from a remote host targeting each port on your web
server from 1 to 1024. Which of the following MOST likely occurred?

Port scan
(Correct)

UDP probe

SYN flood

The remote host cannot find the right service port

Explanation
OBJ-4.1: Based on the description provided, this is most likely a port scan. Using a tool such as nmap, an attacker can run a SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. Nmap randomizes the port order by default (the -r option scans sequentially), and scanners support stealthier timing options, but either way the IDS sees one host sending SYNs to many ports on the same server, which is the signature to look for. The other options are incorrect because a legitimate remote host will typically connect to only the single port associated with a service. A SYN flood normally sends many SYNs to a single system, but it targets an open service port rather than walking through unused ports, and a UDP probe will not send SYN packets.
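As an added example for Question 42 (not from the original exam material), the following Python applies the reasoning in the explanation to constructed HIDS log lines: it counts bare SYNs per source and distinguishes a source touching many distinct ports (port scan) from one hammering a single port (SYN flood), leaving normal clients unflagged. The log format, the RFC 5737 documentation addresses, and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict

# Assumed HIDS line format (constructed for this example, not the page's logs):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp_flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def sample_log() -> list[str]:
    """Constructed sample: a SYN scan of ports 1-1024 from one host, a SYN flood
    against port 80 from another, and a legitimate client talking to 443."""
    lines = []
    for port in range(1, 1025):
        lines.append(f"10:00:{port % 60:02d} 203.0.113.7:{40000 + port} -> 192.0.2.10:{port} S")
    for n in range(300):
        lines.append(f"10:05:{n % 60:02d} 198.51.100.9:{50000 + n} -> 192.0.2.10:80 S")
    for n in range(3):
        lines.append(f"10:06:0{n} 192.0.2.55:{52000 + n} -> 192.0.2.10:443 S")
        lines.append(f"10:06:0{n} 192.0.2.10:443 -> 192.0.2.55:{52000 + n} SA")
    return lines


def classify_sources(lines, scan_ports: int = 100, flood_syns: int = 200) -> dict:
    """Return {src_ip: 'port_scan' | 'syn_flood'} for suspicious senders.

    A port scan touches many distinct destination ports; a SYN flood sends
    many SYNs to the same port. Thresholds are assumptions to tune per site.
    """
    per_src = defaultdict(lambda: {"syns": 0, "ports": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":
            continue  # only bare SYNs (connection attempts) are counted
        rec = per_src[m["src"]]
        rec["syns"] += 1
        rec["ports"].add(int(m["dport"]))

    verdicts = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) >= scan_ports:
            verdicts[src] = "port_scan"
        elif rec["syns"] >= flood_syns:
            verdicts[src] = "syn_flood"
    return verdicts


def scanned_port_range(lines, src: str) -> tuple[int, int]:
    """Lowest and highest destination port a given source sent SYNs to."""
    ports = [int(m["dport"]) for line in lines
             if (m := LINE_RE.match(line)) and m["src"] == src and m["flags"] == "S"]
    return min(ports), max(ports)


if __name__ == "__main__":
    log = sample_log()
    for src, verdict in classify_sources(log).items():
        print(src, verdict)
    print("scanner covered ports", scanned_port_range(log, "203.0.113.7"))
```

The distinct-port count is what separates the scan from the flood even though both produce a burst of SYNs; in a real deployment the same logic would run over a sliding time window rather than the whole log.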
Question 43: Correct
Which of the following is the MOST secure wireless security and encryption
protocol?

WEP

WPA

WPA3

(Correct)

WPA2

Explanation
OBJ-3.4: Wi-Fi Protected Access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses Simultaneous Authentication of Equals (SAE) to increase the security of pre-shared keys against offline dictionary attacks. WPA3 is accompanied by Wi-Fi Enhanced Open, which encrypts transmissions between a client and the access point even on an open network. WPA3 Enterprise mode supports AES with the Galois/Counter Mode Protocol (GCMP-256) for the highest level of encryption. Wi-Fi Protected Access version 2 (WPA2) replaced the original WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the AES cipher with the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for encryption. Wi-Fi Protected Access (WPA) is an improved encryption scheme for protecting Wi-Fi communications, designed to replace WEP. WPA uses the RC4 cipher with the Temporal Key Integrity Protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired Equivalent Privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption: it uses RC4 with a 24-bit initialization vector prepended to the shared key, and the small IV space causes keystream reuse that lets an attacker recover the key.
Question 44: Correct
Which of the following cryptographic algorithms is classified as asymmetric?

PGP

(Correct)

AES

3DES

RC4

Explanation
OBJ-2.8: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions, and to increase the security of email communications. PGP is a hybrid cryptosystem: it encrypts the message body with a randomly generated symmetric session key and then protects that session key (and produces signatures) with an asymmetric public key algorithm such as RSA. Of the options listed, it is the only one that relies on asymmetric cryptography. AES, RC4, and 3DES are all symmetric algorithms.
Question 45: Correct
You want to create a new mobile application and develop it in the cloud. You
just signed up for a cloud-based service provider's offering to allow you to
develop it using their programming environment. Which of the following best
describes which type of service you have just purchased?

SaaS


DaaS

PaaS

(Correct)

IaaS

Explanation
OBJ-2.2: Platform as a Service (PaaS) provides the end user with a development environment without the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce development time and overall costs by providing a ready-to-use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource the purchase of computing equipment and the running of their own data center. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end users. This can be a calendar, scheduling, invoicing, word processor, database, or other program. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a fully virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtual Desktop Infrastructure) and is gaining ground in large enterprises focused on increasing their security and minimizing their operational expenses.
Question 46: Correct
Dion Training wants to reduce the management and administrative costs of
using multiple digital certificates for all of their subdomains of
diontraining.com. Which of the following solutions would allow the company
to use one digital certificate for all of its subdomains?

OCSP

Key escrow

Wildcards

(Correct)

CRL

Explanation
OBJ-3.9: A wildcard certificate (for example, *.diontraining.com) covers every first-level subdomain of the parent domain, so one certificate can serve www, mail, lms, and so on. Two caveats: a wildcard only matches a single label (it does not cover a.b.diontraining.com), and because every host shares one private key, compromising any one of them exposes them all. Key escrow is for key storage. OCSP is a protocol used to query the CA about the revocation status of a certificate. A CRL is a CA-published list of revoked certificates; like OCSP, it concerns revocation, not issuance.
Question 47: Correct
You are analyzing the following network utilization report because you suspect one of the servers has been compromised.

Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?

webdev02

dbsvr01

(Correct)

marketing01

web01

Explanation
OBJ-1.6: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and investigated further. The server has a historical average utilization of only 3.15 GB per month, but this month its usage rose to 24.6 GB, nearly 8x its baseline, while all of the other servers stayed relatively constant. A database server suddenly moving this much data indicates a possible compromise of dbsvr01 and a data breach or data exfiltration.
Question 48: Correct
Which command is used in the Linux terminal to change the permissions of a file?

chown


sudo

chmod

(Correct)

pwd

Explanation
OBJ-4.1: The chmod command sets the permissions of files or directories on a Linux system. A set of flags associated with each file determines who can access that file and how; these flags are called file permissions or modes. The name chmod stands for "change mode", and it controls the ways a file can be accessed. The chown command changes the owner of a file, directory, or link. The pwd command displays the present working directory (current directory) path; if you are unsure where you are in the directory structure, type "pwd" and press Enter to display the path. The sudo command allows programs to be executed as the superuser (root) or as another user. Its name is an abbreviation of "superuser do", and it is available on most Unix-like operating systems.
Question 49: Correct
Which of the following elements is LEAST likely to be included in an organization's
data retention policy?

Minimum retention period

Description of information that needs to be retained

Classification of information

(Correct)

Maximum retention period

Explanation
OBJ-4.2: Data retention policies highlight what types of information an organization will
maintain and the length of time they will maintain it. Data classification would not be
covered in the retention policy but would be a key part of your organization's data
classification policy.
Question 50: Incorrect
A cybersecurity analyst is reviewing the logs of an authentication server and saw the
following output:
What type of attack was most likely being attempted by the attacker?

Impersonation

Session hijacking

Credential stuffing

(Incorrect)

Password spraying

(Correct)

Explanation
OBJ-1.2: Password spraying is an attack method that takes many usernames and tries a single password against each of them. The attacker may run several iterations with different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids account lockouts and is often more effective at uncovering weak passwords than targeting a specific user. In the scenario provided, only one or two attempts are made against each username listed, which is indicative of a password spraying attack rather than a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain access to user accounts fraudulently; it is a subset of the brute force attack category in which large numbers of spilled credentials are automatically entered into websites until they match an existing account, after which the attacker can hijack the account. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.
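As an added example for Question 50 (not part of the original exam explanation), this Python applies the distinction drawn above to constructed authentication-server log lines: many usernames with one or two failures each is classed as spraying, one username with a long run of failures as brute force, and any account that eventually succeeded is reported so it can be reset. The log format, addresses, and thresholds are assumptions; in practice the thresholds are tuned against the lockout policy the attacker is trying to stay under.

```python
import re
from collections import Counter, defaultdict

# Assumed authentication-server log format (constructed for this example):
#   <time> <result> user=<name> src=<ip>
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)


def sample_spray_log() -> list[str]:
    """Constructed: one source tries a password against 40 accounts, then a second
    password against the same 40; one account (user17) accepts the second one."""
    lines = []
    for i in range(40):
        lines.append(f"09:00:{i:02d} FAIL user=user{i:02d} src=203.0.113.5")
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"09:10:{i:02d} {result} user=user{i:02d} src=203.0.113.5")
    return lines


def sample_bruteforce_log() -> list[str]:
    """Constructed: one source hammers a single account until it succeeds."""
    lines = [f"09:00:{i % 60:02d} FAIL user=admin src=198.51.100.7" for i in range(120)]
    lines.append("09:02:01 OK user=admin src=198.51.100.7")
    return lines


def classify_auth_activity(lines, min_users=10, max_attempts_per_user=3, brute_threshold=20):
    """Per source IP, decide between 'password_spray' and 'brute_force'.

    Spraying: many distinct usernames, each with only a few failures.
    Brute force: few usernames, one of them with many failures.
    Returns (verdicts, compromised) where compromised maps src -> users that
    logged in successfully from that source. Thresholds are assumptions.
    """
    fails = defaultdict(Counter)   # src -> Counter(user -> failed attempts)
    successes = defaultdict(set)   # src -> users that eventually logged in
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1
        else:
            successes[m["src"]].add(m["user"])

    verdicts = {}
    for src, per_user in fails.items():
        users_tried = len(per_user)
        worst = max(per_user.values())
        if users_tried >= min_users and worst <= max_attempts_per_user:
            verdicts[src] = "password_spray"
        elif worst >= brute_threshold:
            verdicts[src] = "brute_force"
    return verdicts, {src: sorted(users) for src, users in successes.items()}


if __name__ == "__main__":
    for name, log in (("spray", sample_spray_log()), ("brute", sample_bruteforce_log())):
        verdicts, compromised = classify_auth_activity(log)
        print(name, verdicts, compromised)
```

The key signal is the shape of the failure distribution per source, not the raw count: the spraying source produces 79 failures spread thinly, the brute-force source produces 120 failures against one account, and only the per-user view tells them apart.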
Question 51: Correct
During a penetration test of your company’s network, the assessor came across a
spreadsheet with the passwords being used for several servers. Four of the passwords
recovered are listed below. Which one is the weakest password and should be changed
FIRST to increase the password’s complexity?

Pa55w0rd

pa55word

(Correct)

P@$$W0RD

P@$$w0rd

Explanation
OBJ-3.7: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice, since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex, since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD' is similar in complexity, since it includes uppercase letters, numbers, and special characters. The most complex option is 'P@$$w0rd', since it mixes uppercase letters, lowercase letters, numbers, and special characters. Note that all four are simple substitutions on the word "password" and would fall quickly to a dictionary attack that applies common character substitutions, so complexity rules alone do not make any of them strong.
Question 52: Correct
What command should a forensic analyst use to make a forensic disk image of a hard
drive?

wget

dd

(Correct)

touch

rm

Explanation
OBJ-4.1: The dd tool makes bit-by-bit copies of a disk, drive, or partition. Once the image is created with dd, a cryptographic hash of the image should be computed and placed into evidence (ideally alongside a hash of the source drive taken through a write blocker) to validate the integrity of the image and show that no modification occurred between collection and analysis. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard UNIX/Linux command used to create files and to change or modify a file's timestamps. The rm command deletes one or more files or directories.
Question 53: Correct
Which type of monitoring would utilize a network tap?

Passive

(Correct)

Router-based

SNMP

Active

Explanation
OBJ-3.3: Network taps are devices that allow a copy of network traffic to be captured for
analysis. They conduct passive network monitoring and visibility without interfering with
the network traffic itself. Active monitoring relies on scanning targeted systems, not a
network tap. Router-based monitoring would involve looking over the router's logs and
configuration files. SNMP is used to monitor network devices but is considered active
monitoring and doesn't rely on network taps.
Question 54: Incorrect
Which of the following Wireshark filters should be applied to a packet capture to
detect applications that send passwords in cleartext to a REST API located at
10.1.2.3?

ip.dst==10.1.2.3

http.request.method=="POST" && ip.dst==10.1.2.3

(Correct)

http.request.method=="POST"

(Incorrect)

ip.proto==tcp

Explanation
OBJ-4.1: Filtering the PCAP on just the HTTP POST method would display any data submitted to a REST API, regardless of the destination IP. Filtering on just the desired IP address would show all traffic to that host (10.1.2.3). Combining both narrows the display to only the requests posted to the API at 10.1.2.3, where the request bodies can be inspected for cleartext credentials. The ip.proto==tcp filter would display all TCP traffic on the network regardless of port, IP address, or application protocol, which is far too much information to analyze. Note that this approach only works for unencrypted HTTP; POSTs carried over TLS would not be decoded by the http dissector unless the session keys are made available to Wireshark.
Question 55: Correct
Which type of method is used to collect information during the passive
reconnaissance?

Network traffic sniffing

API requests and responses

Reviewing public repositories

(Correct)

Social engineering

Explanation
OBJ-1.8: Passive reconnaissance focuses on collecting information that is widely and
openly available from publicly available sources. While network traffic sniffing is
considered passive, gaining access to the network to place a sniffer in a good network tap
location would not be considered passive. Of the choices provided, publicly accessible
sources are the best answer to choose. Collecting API requests and responses would involve
a penetration tester sending data to a given server and analyzing the responses received,
which is considered an active reconnaissance method. Social engineering is also an active
reconnaissance technique that uses deception to trick a user into providing information to
an attacker or penetration tester.
Question 56: Correct
You are helping to set up a backup plan for your organization. The current plan
states that all of the organization's Linux servers must have a daily backup conducted.
These backups are then saved to a local NAS device. You have been asked to
recommend a method to ensure the backups will work when needed for restoration.
Which of the following should you recommend?

Create an additional copy of the backups in an off-site datacenter

Attempt to restore to a test server from one of the backup files to verify
them

(Correct)

Frequently restore the server from backup files to test them

Set up scripts to automatically reattempt any failed backup jobs

Explicación
OBJ-2.5: The only way to fully ensure that a backup will work when needed is to restore
the files from the backups. To do that, it is best to restore them to a test server since this
will not affect your production environment.
Question 57: Correct
Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify that the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops, to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

Non-credentialed scanning

Server-based scanning

Agent-based scanning

(Correct)

Passive network monitoring

Explanation
OBJ-1.7: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as for the ones that are connected. This is ideal for traveling salespeople, since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted while the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring all require a continuous network connection to collect the devices' configurations accurately.
Question 58: Correct
You have been asked to install a computer in a public workspace. Only an authorized user should use the computer. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer?

Issue the same strong and complex password for all users

Remove the guest account from the administrator group

Disable single sign-on

Require authentication on wake-up

(Correct)

Explanation
OBJ-3.8: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and it goes to sleep, then when another person tries to use the computer, it will ask for a username and password before granting them access to the network. A screen lock can also secure the desktop with a password while leaving programs running if a user walks away. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. A guest account is a Microsoft Windows user account with limited capabilities and no privacy, and it is disabled by default. Using the same password for all users is considered extremely poor security and should not be done.
Question 59: Correct
(This is a simulated performance-based question.)
You are working as a help desk technician and received a call from a user who complains that their computer's performance has slowed down over the last week, since they installed a new free video game on the computer. As part of your troubleshooting efforts, you open the command prompt in Windows and run the following command:

Based on the output provided, what type of malware may have been installed on this user's computer?

RAT

(Correct)

Spam

Worm

Keylogger

Explanation
OBJ-1.2: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded in it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.
Question 60: Correct
Last week, your organization was the victim of a cyber attack. The attack's root cause was investigated and found to be a missing patch on your Windows 2016 server for the EternalBlue exploit. The organization's vulnerability management team has rescanned the network and identified all the machines missing this critical patch. These systems were then patched, and the network was rescanned to verify the patch was installed properly. Which of the following types of controls would you classify the installation of this patch as?

Deterrent

Corrective

(Correct)

Compensating

Detective

Explanation
OBJ-5.1: A corrective control is one that responds to and fixes an incident. A corrective control can also help to prevent the incident's recurrence. A compensating control does not fix the root cause of an attack but instead adds additional layers of protection to mitigate the risk when the root cause cannot be fixed. A detective control is used to identify and record any attempted or successful intrusion, not to prevent or deter access. A deterrent control is used to psychologically discourage an attacker from attempting an intrusion.
Question 61: Correct
You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident?

Playbook

(Correct)

Runbook

Incident response plan

Disaster recovery plan

Explanation
OBJ-4.4: A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR platform to have the system conduct as many steps as possible. A disaster recovery plan (DRP) focuses on the response to a natural or man-made disaster, not an incident. An incident response plan is a generic document covering the overall steps of incident response; therefore, it doesn't apply to a specific type of incident. This is a hard question because all four terms are very closely related to incidents and disasters.
Question 62: Correct
Due to the worldwide pandemic in 2020 caused by the COVID-19 virus, Dion Training Solutions instituted teleworking for all of its employees. This was part of a preplanned response so that the company's students could continue to learn and receive support throughout the pandemic. Which of the following plans should contain the company's pandemic response plan?

Incident response plan

Disaster recovery plan

Rollback plan

Business continuity plan

(Correct)

Explanation
OBJ-4.2: The business continuity plan (BCP) contains a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. This event could be natural or man-made; as long as it affects the business operations, the BCP should be activated. The development of the BCP is often referred to as continuity of operations planning (COOP). A disaster recovery plan focuses on the procedures and steps to follow to recover a system or site to a working state. For example, if a power failure or a fire occurred, the site would have to be recovered to a working state again. In the pandemic example, the facility did not have a disaster to recover from. Still, the business operations were affected and needed to be modified to continue operations under the BCP.
Question 63: Correct
What process is used to conduct an inventory of critical systems, components, and devices within an organization?

Patch management

Asset management

(Correct)

Vulnerability management

Change management

Explanation
OBJ-5.3: An asset management process takes inventory of and tracks all the organization's critical systems, components, devices, and other valuable objects. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals. Many software suites and associated hardware solutions are available for tracking and managing assets (or inventory).
Question 64: Correct
Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?

Administrative controls

Compensating controls

Physical controls

Technical controls

(Correct)

Explanation
OBJ-5.1: Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware. Administrative controls involve processes and procedures. Physical controls include locks, fences, and other controls over physical access. Compensating controls are controls that are put in place to cover any gaps and reduce the risk remaining after using other controls.
Question 65: Correct
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

How would you appropriately categorize the authentication method being displayed here? (Note: the hardware token is being used by itself for authentication.)

Multifactor authentication

Biometric authentication

PAP authentication

One-time password authentication

(Correct)

Explanation
OBJ-2.4: For the exam, you need to know the different categories of authentication and what type of authentication methods belong to each category. A hardware security token like the one displayed creates a one-time use password by presenting the user with a random string of numbers that changes every 30-60 seconds. When used by itself, it is considered a one-time password authentication method. If combined with a username and password, it would become a multi-factor authentication scheme.
Question 66: Incorrect
A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store's public web server. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.

What type of action did the analyst perform, based on the command and response above?

SQL injection

Cross-site scripting

Querying the Whois database

(Incorrect)

Banner grabbing

(Correct)

Explanation
OBJ-1.8: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command "nc test.diontraining.com 80" was used to establish a connection to a target web server using netcat and then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the web server; in this example, it reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user. SQL injection is a code injection technique used to attack data-driven applications, where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server's operating system.
Question 67: Correct
Which of the following cryptographic algorithms is classified as symmetric?

Diffie-Hellman

Twofish

(Correct)

ECC

RSA

Explanation
OBJ-2.8: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.
Question 68: Correct
What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network?

Zombie attacks

Password compromises

Security policy violations

(Correct)

Privilege creep

Explanation
OBJ-5.3: A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry those habits over to a machine that should have had stronger security policies.
Question 69: Correct
Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building's power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

Line conditioner

Power distribution unit

Uninterruptible power supply

(Correct)

Surge protector

Explanation
OBJ-2.5: An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system. A line conditioner is a device that adjusts voltages in under-voltage and overvoltage conditions to maintain a 120 V output. Line conditioners raise a sag or under-voltage event back to normal levels, but they cannot protect the line from a complete power failure or power outage. A surge protector defends against possible voltage spikes that could damage your electronics, appliances, or equipment. A plain power strip will not protect against voltage spikes. A UPS or line conditioner could protect against voltage spikes, but they cost much more than a surge protector. A power distribution unit (PDU) is a device designed to distribute power to multiple devices, and it may or may not support remote monitoring and access.
Question 70: Correct
Which of the following command-line tools would you use to identify open ports and services on a host, along with the version of the application that is associated with them?

netstat

nmap

(Correct)

Wireshark

ping

Explanation
OBJ-4.1: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Nmap can also determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.
Question 71: Correct
Which of the following cryptographic algorithms is classified as asymmetric?

DES

AES

RSA

(Correct)

RC4

Explanation
OBJ-2.8: RSA (Rivest–Shamir–Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.
Question 72: Incorrect
An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

All log files are stored within the VM disk image, therefore, they are lost

The attack widely fragmented the image across the host file system

(Correct)

File formats used by some hypervisors cannot be analyzed with traditional forensic tools

You will need to roll back to an early snapshot and then merge any checkpoints to the main image

(Incorrect)

Explanation
OBJ-4.5: Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they spin up when needed) and are then destroyed without preserving any local data once the task is complete, but this can lead to the potential loss of system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, the analyst must merge any checkpoints into the main image using a hypervisor tool, rather than recovering from an old snapshot and then rolling forward. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or the analysis tool may not support them.
Question 73: Correct
An analyst just completed a port scan and received the following results of open ports:

Based on these scan results, which of the following services are NOT currently operating?

RDP

Web

SSH

(Correct)

Database

Explanation
OBJ-4.3: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and port 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.
Question 74: Incorrect
You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability:

You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown in the image, what best describes how you should categorize this finding?

False positive

(Correct)

False negative

True positive

(Incorrect)

True negative

Explanation
OBJ-1.7: You should categorize the result as a false positive. Based on the scenario and output, your server is not vulnerable to remote code execution for the identified vulnerability. You are already running MySQL v3.5.3, which is greater than v3.3.x. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The scanner reported a vulnerability, but the vulnerability doesn't exist on your system. Therefore, this is a false positive.
Question 75: Incorrect
Which of the following is NOT a means of improving data validation and trust?

Encrypting data in transit

Using MD5 checksums for files

Decrypting data at rest

(Correct)

Implementing Tripwire

(Incorrect)

Explanation
OBJ-2.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation or trust, since the data at rest could be modified once decrypted.
Question 76: Correct
During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity?

P@$$w0rd

Pa55w0rd

P@$$W0RD

pa55word

(Correct)

Explanation
OBJ-3.7: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD' is similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@$$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.
Question 77: Correct
What type of threat actor is highly funded and often backed by nation-states?

Insider Threat

Script Kiddies

APT

(Correct)

Hacktivist

Explanation
OBJ-1.5: An advanced persistent threat (APT) is a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.
Question 78: Correct
You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

WPA and MAC filtering

WPA2 and AES

(Correct)

WPA2 and RC4

WEP and TKIP

Explanation
OBJ-3.4: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard listed as an option and has replaced both WPA and WEP. Wi-Fi Protected Access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for encryption. Wi-Fi Protected Access (WPA) is an improved encryption scheme for protecting Wi-Fi communications, designed to replace WEP. WPA uses the RC4 cipher and the Temporal Key Integrity Protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired Equivalent Privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption, because it relies on a 24-bit initialization vector to secure its pre-shared key. MAC filtering is the application of an access control list to a switch or access point so that only clients with approved MAC addresses can connect.
Question 79: Incorrect
A web developer wants to protect their new web application from an on-path attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

Setting the secure attribute on the cookie

(Correct)

Forcing the use of TLS for the web application

Forcing the use of SSL for the web application

Hashing the cookie value

(Incorrect)

Explanation
OBJ-3.2: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.
Question 80: Correct
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

Based on the image provided, what type of attack is occurring?

SYN flood

Ping flood

(Correct)

Smurf attack

DDoS

Explanation
OBJ-1.4: A ping flood occurs when an attacker attempts to flood the server by sending too many ICMP echo request packets (known as pings). The image is a graphical depiction of this type of attack.