An organization is referencing NIST best practices for BCP creation while reviewing current internal organizational processes for mission-essential items.
Which of the following phases establishes the identification and prioritization of critical systems and functions?
- A . Review a recent gap analysis.
- B . Perform a cost-benefit analysis.
- C . Conduct a business impact analysis.
- D . Develop an exposure factor matrix.
C
Explanation:
Reference: https://itsm.ucsf.edu/business-impact-analysis-bia-0
According to NIST SP 800-34 Rev. 1, a business impact analysis (BIA) is a process that identifies and evaluates the potential effects of natural and man-made events on organizational operations. The BIA enables an organization to determine which systems and processes are essential to the organization’s mission and prioritize their recovery time objectives (RTOs) and recovery point objectives (RPOs).
An organization is preparing to migrate its production environment systems from an on-premises environment to a cloud service. The lead security architect is concerned that the organization’s current methods for addressing risk may not be possible in the cloud environment.
Which of the following BEST describes the reason why traditional methods of addressing risk may not be possible in the cloud?
- A . Migrating operations assumes the acceptance of all risk.
- B . Cloud providers are unable to avoid risk.
- C . Specific risks cannot be transferred to the cloud provider.
- D . Risks to data in the cloud cannot be mitigated.
C
Explanation:
According to NIST SP 800-146, cloud computing introduces new risks that need to be assessed and managed by the cloud consumer. Some of these risks are related to the shared responsibility model of cloud computing, where some security controls are implemented by the cloud provider and some by the cloud consumer. The cloud consumer cannot transfer all the risks to the cloud provider and needs to understand which risks are retained and which are mitigated by the cloud provider.
A company created an external application for its customers. A security researcher now reports that the application has a serious LDAP injection vulnerability that could be leveraged to bypass authentication and authorization.
Which of the following actions would BEST resolve the issue? (Choose two.)
- A . Conduct input sanitization.
- B . Deploy a SIEM.
- C . Use containers.
- D . Patch the OS
- E . Deploy a WAF.
- F . Deploy a reverse proxy
- G . Deploy an IDS.
A, E
Explanation:
A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app. It does this by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe.
According to OWASP, LDAP injection is an attack that exploits web applications that construct LDAP statements based on user input without proper validation or sanitization. LDAP injection can result in unauthorized access, data modification, or denial of service. To prevent LDAP injection, OWASP recommends conducting input sanitization by escaping special characters in user input and deploying a web application firewall (WAF) that can detect and block malicious LDAP queries.
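The escaping OWASP recommends, shown as an added example (not code from the original page or the affected application): a login filter built by raw concatenation next to the same filter built with RFC 4515 value escaping, plus a structural check that a built filter can only match one account. The filter shape and the sample input are constructed for illustration.

```python
import re

# Characters with syntactic meaning inside an LDAP filter value (RFC 4515, section 3)
# and the escape sequence RFC 4515 assigns to each.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# One filter assertion: "(attr=value)" with no nested parentheses in the value.
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.-]*)=([^()]*)\)")


def escape_ldap_filter_value(value: str) -> str:
    """Escape user input so the directory treats it as literal text, not filter syntax.
    (python-ldap and ldap3 ship equivalent helpers named escape_filter_chars.)"""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern (the defect the question describes): the raw value is
    concatenated into the filter, so metacharacters in the input become query structure."""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped first, so it can only match one literal uid."""
    return "(&(objectClass=person)(uid=" + escape_ldap_filter_value(username) + "))"


def list_assertions(ldap_filter: str) -> list:
    """Return the (attribute, value) pairs the filter asserts, for checking that a
    built filter has exactly the shape the code intended."""
    return ASSERTION_RE.findall(ldap_filter)


def uid_assertion_is_literal(ldap_filter: str) -> bool:
    """True when the filter has exactly one uid assertion whose value holds no
    unescaped wildcard, i.e. it cannot match more than one account."""
    uid_values = [v for attr, v in list_assertions(ldap_filter) if attr == "uid"]
    return len(uid_values) == 1 and "*" not in uid_values[0]


if __name__ == "__main__":
    # Constructed input: a lone wildcard, which is valid filter syntax when left unescaped.
    for name, build in (("unsafe", build_login_filter_unsafe), ("safe", build_login_filter_safe)):
        f = build("*")
        print(f"{name}: {f} -> single literal uid match: {uid_assertion_is_literal(f)}")
```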
Despite the fact that ten new API servers were added, the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future?
- A . Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
- B . Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
- C . Serve images from an object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load.
- D . Serve static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
A
Explanation:
This solution would address the three issues as follows:
Serving static content via distributed CDNs would reduce the latency for international users by delivering images from the nearest edge location to the user’s request.
Creating a read replica of the central database and pulling reports from there would offload the read-intensive workload from the primary database and avoid affecting the inventory data for order placement.
Auto-scaling API servers based on performance would dynamically adjust the number of servers to match the demand and balance the load across them at peak times.
During a remodel, a company’s computer equipment was moved to a secure storage room with cameras positioned on both sides of the door. The door is locked using a card reader issued by the security team, and only the security team and department managers have access to the room. The company wants to be able to identify any unauthorized individuals who enter the storage room by following an authorized employee.
Which of the following processes would BEST satisfy this requirement?
- A . Monitor camera footage corresponding to a valid access request.
- B . Require both security and management to open the door.
- C . Require department managers to review denied-access requests.
- D . Issue new entry badges on a weekly basis.
B
Explanation:
Reference: https://www.getkisi.com/access-control
This solution would implement a two-factor authentication (2FA) process that would prevent unauthorized individuals from entering the storage room by following an authorized employee. The two factors would be the card reader issued by the security team and the presence of a department manager.
A company is preparing to deploy a global service.
Which of the following must the company do to ensure GDPR compliance? (Choose two.)
- A . Inform users regarding what data is stored.
- B . Provide opt-in/out for marketing messages.
- C . Provide data deletion capabilities.
- D . Provide optional data encryption.
- E . Grant data access to third parties.
- F . Provide alternative authentication techniques.
A, C
Explanation:
The main rights for individuals under the GDPR are to:
- allow subject access
- have inaccuracies corrected
- have information erased
- prevent direct marketing
- prevent automated decision-making and profiling
- allow data portability
source: https://www.clouddirect.net/11-things-you-must-do-now-for-gdpr-compliance/
These are two of the requirements of the GDPR (General Data Protection Regulation), which is a legal framework that sets guidelines for the collection and processing of personal data of individuals within the European Union (EU). The GDPR also requires data controllers to obtain consent from data subjects, protect data with appropriate security measures, notify data subjects and authorities of data breaches, and appoint a data protection officer.
A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.
Which of the following is the MOST likely cause?
- A . The user agent client is not compatible with the WAF.
- B . A certificate on the WAF is expired.
- C . HTTP traffic is not forwarding to HTTPS to decrypt.
- D . Old, vulnerable cipher suites are still being used.
C
Explanation:
This could be the cause of the lack of visibility from the WAF (Web Application Firewall) for the web application, as the WAF may not be able to inspect or block unencrypted HTTP traffic. To solve this issue, the web server should redirect all HTTP requests to HTTPS and use SSL/TLS certificates to encrypt the traffic.
A security analyst is reviewing the following output:
Which of the following would BEST mitigate this type of attack?
- A . Installing a network firewall
- B . Placing a WAF inline
- C . Implementing an IDS
- D . Deploying a honeypot
B
Explanation:
The output shows a SQL injection attack that is trying to exploit a web application. A WAF (Web Application Firewall) is a security solution that can detect and block malicious web requests, such as SQL injection, XSS, CSRF, etc. Placing a WAF inline would prevent the attack from reaching the web server and database.
Reference:
https://owasp.org/www-community/attacks/SQL_Injection
https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/
Which of the following terms refers to the delivery of encryption keys to a CASB or a third-party entity?
- A . Key sharing
- B . Key distribution
- C . Key recovery
- D . Key escrow
D
Explanation:
Key escrow is a process that involves storing encryption keys with a trusted third party, such as a CASB (Cloud Access Security Broker) or a government agency. Key escrow can enable authorized access to encrypted data in case of emergencies, legal issues, or data recovery. However, key escrow also introduces some risks and challenges, such as trust, security, and privacy.
Reference:
https://www.techopedia.com/definition/1772/key-escrow
https://searchsecurity.techtarget.com/definition/key-escrow
An organization is implementing a new identity and access management architecture with the following objectives:
- Supporting MFA against on-premises infrastructure
- Improving the user experience by integrating with SaaS applications
- Applying risk-based policies based on location
- Performing just-in-time provisioning
Which of the following authentication protocols should the organization implement to support these requirements?
- A . Kerberos and TACACS
- B . SAML and RADIUS
- C . OAuth and OpenID
- D . OTP and 802.1X
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory
OAuth and OpenID are two authentication protocols that can support the objectives of the organization. OAuth is a protocol that allows users to grant access to their resources on one site (or service) to another site (or service) without sharing their credentials. OpenID is a protocol that allows users to use an existing account to sign in to multiple websites without creating new passwords. Both protocols can support MFA, SaaS integration, risk-based policies, and just-in-time provisioning.
Reference:
https://auth0.com/docs/protocols/oauth2
https://openid.net/connect/
Which of the following allows computation and analysis of data within a ciphertext without knowledge of the plaintext?
- A . Lattice-based cryptography
- B . Quantum computing
- C . Asymmetric cryptography
- D . Homomorphic encryption
D
Explanation:
Reference: https://searchsecurity.techtarget.com/definition/cryptanalysis
Homomorphic encryption is a type of encryption that allows computation and analysis of data within a ciphertext without knowledge of the plaintext. This means that encrypted data can be processed without being decrypted first, which enhances the security and privacy of the data. Homomorphic encryption can enable applications such as secure cloud computing, machine learning, and data analytics.
Reference:
https://www.ibm.com/security/homomorphic-encryption
https://www.synopsys.com/blogs/software-security/homomorphic-encryption/
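What "computation within a ciphertext" means in practice, as an added example that is not part of the original page: a minimal Paillier cryptosystem, which is additively homomorphic, so a party holding only the public key can sum a batch of encrypted values and the key owner decrypts the correct total. The primes are toy sizes chosen here for illustration; the scheme itself is the standard textbook construction.

```python
import math
import secrets


def _lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def keygen(p: int, q: int) -> tuple:
    """Paillier key pair from two primes: public key (n, g), private key (lambda, mu)."""
    n = p * q
    lam = _lcm(p - 1, q - 1)
    g = n + 1                      # the usual simple choice of generator
    n_sq = n * n
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)   # mu = L(g^lambda mod n^2)^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub: tuple, m: int) -> int:
    """E(m) = g^m * r^n mod n^2 with fresh r, so equal plaintexts give different ciphertexts."""
    n, g = pub
    n_sq = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub: tuple, priv: tuple, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n


def add_encrypted(pub: tuple, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): addition without seeing m1 or m2."""
    return (c1 * c2) % (pub[0] ** 2)


def scale_encrypted(pub: tuple, c: int, k: int) -> int:
    """E(m)^k mod n^2 = E(k * m): multiplication by a constant the aggregator knows."""
    return pow(c, k, pub[0] ** 2)


def encrypted_total(pub: tuple, ciphertexts: list) -> int:
    """Everything an untrusted aggregator can do with the public key alone: sum a batch."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


# Toy parameters (constructed for this example; real deployments use primes of 1024+ bits).
TOY_P, TOY_Q = 104723, 104729


def demo_sum(values: list) -> int:
    """Data owner encrypts, aggregator sums blind, owner decrypts; returns the recovered sum.
    The plaintext sum must stay below n for the result to be exact."""
    pub, priv = keygen(TOY_P, TOY_Q)
    cts = [encrypt(pub, v) for v in values]
    return decrypt(pub, priv, encrypted_total(pub, cts))
```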
A company is looking to fortify its cybersecurity defenses and is focusing on its network infrastructure. The solution cannot affect the availability of the company’s services to ensure false positives do not drop legitimate traffic.
Which of the following would satisfy the requirement?
- A . NIDS
- B . NIPS
- C . WAF
- D . Reverse proxy
A
Explanation:
Reference:
https://subscription.packtpub.com/book/networking-and-servers/9781782174905/5/ch05lvl1sec38/differentiating-between-nids-and-nips
https://owasp.org/www-community/controls/Intrusion_Detection
A NIDS (Network Intrusion Detection System) is a security solution that monitors network traffic for signs of malicious activity, such as attacks, intrusions, or policy violations. A NIDS does not affect the availability of the company’s services because it operates in passive mode, which means it does not block or modify traffic. Instead, it alerts the network administrator or other security tools when it detects an anomaly or threat.
Reference:
https://www.cisco.com/c/en/us/products/security/what-is-network-intrusion-detection-system.html
https://www.imperva.com/learn/application-security/network-intrusion-detection-system-nids/
A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services.
Which of the following should be modified to prevent the issue from reoccurring?
- A . Recovery point objective
- B . Recovery time objective
- C . Mission-essential functions
- D . Recovery service level
D
Explanation:
Reference: https://www.nakivo.com/blog/disaster-recovery-in-cloud-computing/
The recovery service level is a metric that defines the minimum level of service or performance that a system or process must provide after a disaster or disruption. The recovery service level can include parameters such as availability, capacity, throughput, latency, etc. The recovery service level should be modified to prevent the issue of running out of computational resources at 70% of restoration of critical services. The recovery service level should be aligned with the recovery point objective (RPO) and the recovery time objective (RTO), which are the maximum acceptable amount of data loss and downtime respectively.
Reference:
https://www.techopedia.com/definition/29836/recovery-service-level
https://www.ibm.com/cloud/learn/recovery-point-objective
https://www.ibm.com/cloud/learn/recovery-time-objective
A technician is reviewing the logs and notices a large number of files were transferred to remote sites over the course of three months. This activity then stopped. The files were transferred via TLS-protected HTTP sessions from systems that do not send traffic to those sites.
The technician will define this threat as:
- A . a decrypting RSA using obsolete and weakened encryption attack.
- B . a zero-day attack.
- C . an advanced persistent threat.
- D . an on-path attack.
C
Explanation:
Reference: https://www.internetsociety.org/deploy360/tls/basics/
An advanced persistent threat (APT) is a type of cyberattack that involves a stealthy and continuous process of compromising and exploiting a target system or network. An APT typically has a specific goal or objective, such as stealing sensitive data, disrupting operations, or sabotaging infrastructure. An APT can use various techniques to evade detection and maintain persistence, such as encryption, proxy servers, malware, etc. The scenario described in the question matches the characteristics of an APT.
Reference:
https://www.cisco.com/c/en/us/products/security/what-is-apt.html
https://www.imperva.com/learn/application-security/advanced-persistent-threat-apt/
A security engineer thinks the development team has been hard-coding sensitive environment variables in its code.
Which of the following would BEST secure the company’s CI/CD pipeline?
- A . Utilizing a trusted secrets manager
- B . Performing DAST on a weekly basis
- C . Introducing the use of container orchestration
- D . Deploying instance tagging
A
Explanation:
Reference: https://about.gitlab.com/blog/2021/04/09/demystifying-ci-cd-variables/
A trusted secrets manager is a tool or service that securely stores and manages sensitive information, such as passwords, API keys, tokens, certificates, etc. A trusted secrets manager can help secure the company’s CI/CD (Continuous Integration/Continuous Delivery) pipeline by preventing hard-coding sensitive environment variables in the code, which can expose them to unauthorized access or leakage. A trusted secrets manager can also enable encryption, rotation, auditing, and access control for the secrets.
Reference:
https://www.hashicorp.com/resources/what-is-a-secret-manager
https://dzone.com/articles/how-to-securely-manage-secrets-in-a-ci-cd-pipeline
A small company recently developed prototype technology for a military program. The company’s security engineer is concerned about potential theft of the newly developed, proprietary information.
Which of the following should the security engineer do to BEST manage the threats proactively?
- A . Join an information-sharing community that is relevant to the company.
- B . Leverage the MITRE ATT&CK framework to map the TTR.
- C . Use OSINT techniques to evaluate and analyze the threats.
- D . Update security awareness training to address new threats, such as best practices for data security.
A
Explanation:
An information-sharing community is a group or network of organizations that share threat intelligence, best practices, and mitigation strategies related to cybersecurity. An information-sharing community can help the company proactively manage the threats of potential theft of its newly developed, proprietary information by providing timely and actionable insights, alerts, and recommendations. An information-sharing community can also enable collaboration and coordination among its members to enhance their collective defense and resilience.
Reference:
https://us-cert.cisa.gov/ncas/tips/ST04-016
https://www.cisecurity.org/blog/what-is-an-information-sharing-community/
A security engineer has been asked to close all non-secure connections from the corporate network. The engineer is attempting to understand why the corporate UTM will not allow users to download email via IMAPS. The engineer formulates a theory and begins testing by creating the firewall ID 58, and users are able to download emails correctly by using IMAP instead.
The network comprises three VLANs:
The security engineer looks at the UTM firewall rules and finds the following:
Which of the following should the security engineer do to ensure IMAPS functions properly on the corporate user network?
- A . Contact the email service provider and ask if the company IP is blocked.
- B . Confirm the email server certificate is installed on the corporate computers.
- C . Make sure the UTM certificate is imported on the corporate computers.
- D . Create an IMAPS firewall rule to ensure email is allowed.
D
Explanation:
IMAPS (Internet Message Access Protocol Secure) is a protocol that allows users to access and manipulate email messages on a remote mail server over a secure connection. IMAPS uses SSL/TLS encryption to protect the communication between the client and the server. IMAPS uses port 993 by default. To ensure IMAPS functions properly on the corporate user network, the security engineer should create an IMAPS firewall rule on the UTM (Unified Threat Management) device that allows traffic from VLAN 10 (Corporate Users) to VLAN 20 (Email Server) over port 993. The existing firewall rules do not allow this traffic, as they only allow HTTP (port 80), HTTPS (port 443), and SMTP (port 25).
Reference:
https://www.techopedia.com/definition/2460/internet-message-access-protocol-secure-imaps
https://www.sophos.com/en-us/support/knowledgebase/115145.aspx
A security analyst is reviewing network connectivity on a Linux workstation and examining the active TCP connections using the command line.
Which of the following commands would be the BEST to run to view only active Internet connections?
- A . sudo netstat -antu | grep "LISTEN" | awk '{print$5}'
- B . sudo netstat -nlt -p | grep "ESTABLISHED"
- C . sudo netstat -plntu | grep -v "Foreign Address"
- D . sudo netstat -pnut -w | column -t -s $'w'
- E . sudo netstat -pnut | grep -P ^tcp
E
Explanation:
Reference: https://www.codegrepper.com/code-examples/shell/netstat+find+port
The netstat command is a tool that displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The command has various options that can modify its output.
The options used in the correct answer are:
-p: Show the PID and name of the program to which each socket belongs.
-n: Show numerical addresses instead of trying to determine symbolic host, port or user names.
-u: Show only UDP connections.
-t: Show only TCP connections.
The grep command is a tool that searches for a pattern in a file or input.
The option used in the correct answer is:
-P: Interpret the pattern as a Perl-compatible regular expression (PCRE).
The pattern used in the correct answer is ^tcp, which means any line that starts with tcp. This will filter out any UDP connections from the output.
The sudo command is a tool that allows a user to run programs with the security privileges of another user (usually the superuser or root). This is necessary to run the netstat command with the -p option, which requires root privileges.
The correct answer will show only active TCP connections with numerical addresses and program names, which can be considered as active Internet connections. The other answers will either show different types of connections (such as listening or local), use different options that are not relevant (such as -a, -l, -w, or -s), or use different commands that are not useful (such as awk or column).
Reference:
https://man7.org/linux/man-pages/man8/netstat.8.html
https://man7.org/linux/man-pages/man1/grep.1.html
https://man7.org/linux/man-pages/man8/sudo.8.html
A shipping company that is trying to eliminate entire classes of threats is developing an SELinux policy to ensure its custom Android devices are used exclusively for package tracking.
After compiling and implementing the policy, in which of the following modes must the company ensure the devices are configured to run?
- A . Protecting
- B . Permissive
- C . Enforcing
- D . Mandatory
C
Explanation:
Reference: https://source.android.com/security/selinux/customize
SELinux (Security-Enhanced Linux) is a security module for Linux systems that provides mandatory access control (MAC) policies for processes and files. SELinux can operate in three modes:
- Enforcing: SELinux enforces the MAC policies and denies access based on rules.
- Permissive: SELinux does not enforce the MAC policies but only logs actions that would have been denied if running in enforcing mode.
- Disabled: SELinux is turned off.
To ensure its custom Android devices are used exclusively for package tracking, the company must configure SELinux to run in enforcing mode. This mode will prevent any unauthorized actions or applications from running on the devices and protect them from potential threats or misuse.
Reference:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Modes
https://source.android.com/security/selinux
A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server. To further investigate, the analyst pulls the event logs directly from /var/log/auth.log (the log excerpt appeared as an image in the original).
Which of the following actions would BEST address the potential risks by the activity in the logs?
- A . Alerting the misconfigured service account password
- B . Modifying the AllowUsers configuration directive
- C . Restricting external port 22 access
- D . Implementing host-key preferences
B
Explanation:
Reference: https://www.rapid7.com/blog/post/2017/10/04/how-to-secure-ssh-server-using-port-knocking-on-ubuntu-linux/
The AllowUsers configuration directive is an option for SSH servers that specifies which users are allowed to log in using SSH. The directive can include usernames, hostnames, IP addresses, or patterns. The directive can also be negated with a preceding exclamation mark (!) to deny access to specific users.
The logs show that there are multiple failed login attempts from different IP addresses using different usernames, such as root, admin, test, etc. This indicates a brute-force attack that is trying to guess the SSH credentials. To address this risk, the security analyst should modify the AllowUsers configuration directive to only allow specific users or hosts that are authorized to access the SSH jump server. This will prevent unauthorized users from attempting to log in using SSH and reduce the attack surface.
Reference:
https://man.openbsd.org/sshd_config#AllowUsers
https://www.ssh.com/academy/ssh/brute-force
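The detection and the fix from the explanation above, as an added example that is not part of the original page: a parser over sshd auth.log lines that counts failed logins per source and lists the guessed usernames, and a builder for the AllowUsers directive that shows which of those attempts the directive would reject. The log lines, usernames and addresses are constructed (documentation address ranges).

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog message format.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:11 jump sshd[2011]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:13 jump sshd[2013]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar  3 10:01:15 jump sshd[2015]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
Mar  3 10:01:16 jump sshd[2017]: Failed password for root from 198.51.100.7 port 40118 ssh2
Mar  3 10:02:40 jump sshd[2031]: Accepted publickey for svc-deploy from 192.0.2.10 port 38022 ssh2
Mar  3 10:03:02 jump sshd[2040]: Failed password for invalid user oracle from 203.0.113.5 port 51044 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


def parse_auth_log(text: str) -> dict:
    """Split the log into failed and accepted logins as (username, source_ip) pairs."""
    failed, accepted = [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.append((m.group(1), m.group(2)))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    return {"failed": failed, "accepted": accepted}


def brute_force_sources(text: str, threshold: int = 3) -> list:
    """Source IPs with at least `threshold` failed logins, busiest first."""
    counts = Counter(ip for _, ip in parse_auth_log(text)["failed"])
    return [ip for ip, n in counts.most_common() if n >= threshold]


def guessed_usernames(text: str) -> list:
    """Distinct usernames tried in failed logins, in first-seen order."""
    seen = []
    for user, _ in parse_auth_log(text)["failed"]:
        if user not in seen:
            seen.append(user)
    return seen


def allow_users_directive(authorized: dict) -> str:
    """Build an sshd_config AllowUsers line from {username: source pattern}.
    sshd_config accepts USER@HOST entries, and HOST may be given in CIDR form."""
    return "AllowUsers " + " ".join(f"{user}@{host}" for user, host in sorted(authorized.items()))


def attempts_blocked_by_directive(text: str, authorized: dict) -> list:
    """Usernames from the failed logins that AllowUsers would reject regardless of
    the credential offered, because they are not listed at all."""
    return [u for u in guessed_usernames(text) if u not in authorized]


if __name__ == "__main__":
    # Constructed set of accounts that are actually authorized on the jump server.
    authorized = {"svc-deploy": "192.0.2.0/24", "ops": "10.0.0.0/8"}
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("guessed usernames:", guessed_usernames(SAMPLE_AUTH_LOG))
    print(allow_users_directive(authorized))
    print("rejected by directive:", attempts_blocked_by_directive(SAMPLE_AUTH_LOG, authorized))
```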
A high-severity vulnerability was found on a web application and introduced to the enterprise. The vulnerability could allow an unauthorized user to utilize an open-source library to view privileged user information. The enterprise is unwilling to accept the risk, but the developers cannot fix the issue right away.
Which of the following should be implemented to reduce the risk to an acceptable level until the issue can be fixed?
- A . Scan the code with a static code analyzer, change privileged user passwords, and provide security training.
- B . Change privileged usernames, review the OS logs, and deploy hardware tokens.
- C . Implement MFA, review the application logs, and deploy a WAF.
- D . Deploy a VPN, configure an official open-source library repository, and perform a full application review for vulnerabilities.
C
Explanation:
Reference: https://www.microfocus.com/en-us/what-is/sast
Implementing MFA can add an extra layer of security to protect against unauthorized access if the vulnerability is exploited. Reviewing the application logs can help identify if any attempts have been made to exploit the vulnerability, and deploying a WAF can help block any attempts to exploit the vulnerability. While the other options may provide some level of security, they may not directly address the vulnerability and may not reduce the risk to an acceptable level.
A security analyst discovered that the company’s WAF was not properly configured.
The main web server was breached, and the following payload was found in one of the malicious requests:
Which of the following would BEST mitigate this vulnerability?
- A . CAPTCHA
- B . Input validation
- C . Data encoding
- D . Network intrusion prevention
B
Explanation:
Reference: https://hdivsecurity.com/owasp-xml-external-entities-xxe
A university issues badges through a homegrown identity management system to all staff and students. Each week during the summer, temporary summer school students arrive and need to be issued a badge to access minimal campus resources. The security team received a report from an outside auditor indicating the homegrown system is not consistent with best practices in the security field and leaves the institution vulnerable.
Which of the following should the security team recommend FIRST?
- A . Investigating a potential threat identified in logs related to the identity management system
- B . Updating the identity management system to use discretionary access control
- C . Beginning research on two-factor authentication to later introduce into the identity management system
- D . Working with procurement and creating a requirements document to select a new IAM system/vendor
D
Explanation:
This is because the homegrown identity management system is not consistent with best practices and leaves the institution vulnerable, which means it needs to be replaced with a more secure and reliable solution. A new IAM system/vendor should be able to provide features such as role-based access control, two-factor authentication, auditing, and compliance that can enhance the security and efficiency of the identity management process. A requirements document can help define the scope, objectives, and criteria for selecting a suitable IAM system/vendor that meets the needs of the institution.
A customer reports being unable to connect to a website at www.test.com to consume services.
The customer notices the web application has the following published cipher suite:
Which of the following is the MOST likely cause of the customer’s inability to connect?
- A . Weak ciphers are being used.
- B . The public key should be using ECDSA.
- C . The default should be on port 80.
- D . The server name should be test.com.
A
Explanation:
Reference: https://security.stackexchange.com/questions/23383/ssh-key-type-rsa-dsa-ecdsa-are-there-easy-answers-for-which-to-choose-when
An IT administrator is reviewing all the servers in an organization and notices that a server is missing crucial practice against a recent exploit that could gain root access.
Which of the following describes the administrator’s discovery?
- A . A vulnerability
- B . A threat
- C . A breach
- D . A risk
A
Explanation:
Reference: https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained
A security analyst is performing a vulnerability assessment on behalf of a client. The analyst must define what constitutes a risk to the organization.
Which of the following should be the analyst’s FIRST action?
- A . Create a full inventory of information and data assets.
- B . Ascertain the impact of an attack on the availability of crucial resources.
- C . Determine which security compliance standards should be followed.
- D . Perform a full system penetration test to determine the vulnerabilities.
A
Explanation:
This is because a risk assessment requires identifying the assets that are valuable to the organization and could be targeted by attackers. A full inventory of information and data assets can help the analyst prioritize the most critical assets and determine their potential exposure to threats. Without knowing what assets are at stake, the analyst cannot effectively assess the risk level or the impact of an attack. Creating an inventory of assets is also a prerequisite for performing other actions, such as following compliance standards, measuring availability, or conducting penetration tests.
While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware.
Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?
- A . Pay the ransom within 48 hours.
- B . Isolate the servers to prevent the spread.
- C . Notify law enforcement.
- D . Request that the affected servers be restored immediately.
B
Explanation:
Isolating the servers is the best immediate action to take after reporting the incident to the management team, as it can limit the damage and contain the ransomware infection. Paying the ransom is not advisable, as it does not guarantee the recovery of the data and may encourage further attacks. Notifying law enforcement is a possible step, but not the next one after reporting. Requesting that the affected servers be restored immediately may not be feasible or effective, as it depends on the availability and integrity of backups, and it does not address the root cause of the attack.
Reference:
https://www.comptia.org/blog/what-is-ransomware-and-how-to-protect-yourself
https://www.comptia.org/certifications/comptia-advanced-security-practitioner
A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure.
The Chief Information Security Officer asks the security engineer to design connectivity to meet the following requirements:
Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
The company can control what SaaS applications each individual user can access.
User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements?
- A . IAM gateway, MDM, and reverse proxy
- B . VPN, CASB, and secure web gateway
- C . SSL tunnel, DLP, and host-based firewall
- D . API gateway, UEM, and forward proxy
B
Explanation:
A VPN (virtual private network) can provide secure connectivity for remote users to access servers hosted by the cloud provider. A CASB (cloud access security broker) can enforce policies and controls for accessing SaaS applications. A secure web gateway can monitor and filter user browser activity to prevent malicious or unauthorized traffic.
Reference:
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
https://www.comptia.org/blog/what-is-a-vpn
During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels.
Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?
- A . Spawn a shell using sudo and an escape string such as sudo vim -c ‘!sh’.
- B . Perform ASIC password cracking on the host.
- C . Read the /etc/passwd file to extract the usernames.
- D . Initiate unquoted service path exploits.
- E . Use the UNION operator to extract the database schema.
A
Explanation:
Reference: https://docs.rapid7.com/insightvm/elevating-permissions/
Spawning a shell using sudo and an escape string is a valid Linux post-exploitation method that can exploit a misconfigured sudoers file and allow a standard user to execute commands as root. ASIC password cracking is used to break hashed passwords, not to elevate privileges. Reading the /etc/passwd file may reveal usernames, but not passwords or privileges. Unquoted service path exploits are applicable to Windows systems, not Linux. Using the UNION operator is a SQL injection technique, not a Linux post-exploitation method.
Reference:
https://www.comptia.org/blog/what-is-post-exploitation
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots.
Which of the following would provide the BEST boot loader protection?
- A . TPM
- B . HSM
- C . PKI
- D . UEFI/BIOS
A
Explanation:
A TPM (trusted platform module) is a hardware device that can provide boot loader protection by storing cryptographic keys and verifying the integrity of the boot process. An HSM (hardware security module) is similar to a TPM, but it is used for storing keys for applications, not for booting. A PKI (public key infrastructure) is a system of certificates and keys that can provide encryption and authentication, but not boot loader protection. UEFI/BIOS are firmware interfaces that control the boot process, but they do not provide protection by themselves.
Reference:
https://www.comptia.org/blog/what-is-a-tpm-trusted-platform-module
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A developer is creating a new mobile application for a company. The application uses REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks.
Which of the following would be the BEST solution against this type of attack?
- A . Cookies
- B . Wildcard certificates
- C . HSTS
- D . Certificate pinning
D
Explanation:
Reference: https://cloud.google.com/security/encryption-in-transit
Certificate pinning is a technique that can prevent HTTPS interception attacks by hardcoding the expected certificate or public key of the server in the application code, so that any certificate presented by an intermediary will be rejected. Cookies are small pieces of data that are stored by browsers to remember user preferences or sessions, but they do not prevent HTTPS interception attacks. Wildcard certificates are certificates that can be used for multiple subdomains of a domain, but they do not prevent HTTPS interception attacks. HSTS (HTTP Strict Transport Security) is a policy that forces browsers to use HTTPS connections, but it does not prevent HTTPS interception attacks.
Reference:
https://www.comptia.org/blog/what-is-certificate-pinning
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
DRAG DROP
An organization is planning for disaster recovery and continuity of operations.
INSTRUCTIONS
Review the following scenarios and instructions. Match each relevant finding to the affected host. After associating scenario 3 with the appropriate host(s), click the host to select the appropriate corrective action for that finding.
Each finding may be used more than once.
A threat hunting team receives a report about possible APT activity in the network.
Which of the following threat management frameworks should the team implement?
- A . NIST SP 800-53
- B . MITRE ATT&CK
- C . The Cyber Kill Chain
- D . The Diamond Model of Intrusion Analysis
B
Explanation:
MITRE ATT&CK is a threat management framework that provides a comprehensive and detailed knowledge base of adversary tactics and techniques based on real-world observations. It can help threat hunting teams to identify, understand, and prioritize potential threats, as well as to develop effective detection and response strategies. MITRE ATT&CK covers the entire lifecycle of a cyberattack, from initial access to impact, and provides information on how to mitigate, detect, and hunt for each technique. It also includes threat actor profiles, software descriptions, and data sources that can be used for threat intelligence and analysis.
Reference:
https://attack.mitre.org/
https://resources.infosecinstitute.com/topic/top-threat-modeling-frameworks-stride-owasp-top-10-mitre-attck-framework/
https://www.ibm.com/topics/threat-management
Device event logs sources from MDM software as follows:
Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs?
- A . Malicious installation of an application; change the MDM configuration to remove application ID 1220.
- B . Resource leak; recover the device for analysis and clean up the local storage.
- C . Impossible travel; disable the device’s account and access while investigating.
- D . Falsified status reporting; remotely wipe the device.
C
Explanation:
The device event logs show that the device was in two different locations (New York and London) within a short time span (one hour), which indicates impossible travel. This could be a sign of a compromised device or account. The best response action is to disable the device’s account and access while investigating the incident. Malicious installation of an application is not evident from the logs, nor is resource leak or falsified status reporting.
Reference:
https://www.comptia.org/blog/what-is-impossible-travel
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
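The impossible-travel check described in the explanation, written out as an added example (not part of the original question set) over constructed MDM check-in events: consecutive check-ins for the same device are compared, and any pair whose implied speed exceeds a plausible ceiling is reported for account disablement and investigation.

```python
"""Impossible-travel detection over MDM device events (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # above airliner cruise speed; faster than this is not travel


@dataclass(frozen=True)
class DeviceEvent:
    device_id: str
    ts: datetime      # UTC timestamp of the MDM check-in
    city: str         # geolocation label reported by the MDM
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive check-in pair (same device) whose implied
    speed exceeds max_kmh, as (device_id, from_city, to_city, implied_kmh)."""
    by_device = {}
    for ev in sorted(events, key=lambda e: (e.device_id, e.ts)):
        by_device.setdefault(ev.device_id, []).append(ev)
    findings = []
    for dev, evs in by_device.items():
        for prev, cur in zip(evs, evs[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist_km < 1.0:            # same site; ignore geolocation jitter
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Identical timestamps at different places imply infinite speed.
            speed = dist_km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((dev, prev.city, cur.city, round(speed)))
    return findings


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2023, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed MDM events: device-A checks in from New York and then London one hour
# later (the scenario in the question); device-B makes a plausible New York -> Boston trip.
SAMPLE_EVENTS = [
    DeviceEvent("device-A", _t(9), "New York", 40.7128, -74.0060),
    DeviceEvent("device-A", _t(10), "London", 51.5074, -0.1278),
    DeviceEvent("device-B", _t(9), "New York", 40.7128, -74.0060),
    DeviceEvent("device-B", _t(14), "Boston", 42.3601, -71.0589),
]


def run_sample():
    """Run the detector over the constructed events; only device-A should be flagged."""
    return impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for dev, src, dst, kmh in run_sample():
        print(f"{dev}: {src} -> {dst} implies {kmh} km/h; disable the account and investigate")
```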
An energy company is required to report the average pressure of natural gas used over the past quarter. A PLC sends data to a historian server that creates the required reports.
Which of the following historian server locations will allow the business to get the required reports in an OT and IT environment?
- A . In the OT environment, use a VPN from the IT environment into the OT environment.
- B . In the OT environment, allow IT traffic into the OT environment.
- C . In the IT environment, allow PLCs to send data from the OT environment to the IT environment.
- D . Use a screened subnet between the OT and IT environments.
D
Explanation:
A screened subnet is a network segment that separates two different environments, such as OT (operational technology) and IT (information technology), and provides security controls to limit and monitor the traffic between them. This would allow the business to get the required reports from the historian server without exposing the OT environment to unnecessary risks. Using a VPN, allowing IT traffic, or allowing PLCs to send data are less secure options that could compromise the OT environment.
Reference:
https://www.comptia.org/blog/what-is-operational-technology
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
Which of the following is a benefit of using steganalysis techniques in forensic response?
- A . Breaking a symmetric cipher used in secure voice communications
- B . Determining the frequency of unique attacks against DRM-protected media
- C . Maintaining chain of custody for acquired evidence
- D . Identifying least significant bit encoding of data in a .wav file
D
Explanation:
Steganalysis is the process of detecting hidden data in files or media, such as images, audio, or video. One technique of steganalysis is to identify least significant bit encoding, which is a method of hiding data by altering the least significant bits of each byte in a file. For example, a .wav file could contain hidden data encoded in the least significant bits of each audio sample. Steganalysis techniques can help forensic responders to discover hidden evidence or malicious payloads. Breaking a symmetric cipher, determining the frequency of attacks, or maintaining chain of custody are not related to steganalysis.
Reference:
https://www.comptia.org/blog/what-is-steganography
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
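The LSB steganalysis step described above, as an added example that is not part of the original question set: the responder reads a .wav file, pulls out the least-significant-bit plane of the samples and tests it for a consistent embedded payload. The cover audio (a synthesized sine wave) and the embedding format (a constructed "STEG" header plus length) are assumptions for the demo, since real tools differ in how they lay out hidden data.

```python
"""Steganalysis of a .wav file: extract the LSB plane and test it for an embedded payload
(added example; cover audio and stego header format are constructed for the demo)."""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000
MAGIC = b"STEG"   # constructed header written by the simulated embedding tool


def synth_cover(seconds: float = 1.0, freq: float = 440.0) -> list[int]:
    """Constructed cover audio: a 16-bit mono sine wave."""
    n = int(SAMPLE_RATE * seconds)
    return [int(12000 * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)) for i in range(n)]


def write_wav(samples: list[int]) -> bytes:
    """Serialize 16-bit mono PCM samples as an in-memory .wav file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def read_wav(data: bytes) -> list[int]:
    """Parse a 16-bit mono .wav file back into signed samples."""
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("demo expects 16-bit mono PCM")
        frames = w.readframes(w.getnframes())
    return list(struct.unpack("<%dh" % (len(frames) // 2), frames))


def embed_lsb(samples: list[int], payload: bytes) -> list[int]:
    """Simulated stego tool (test fixture): MAGIC, a 2-byte big-endian length, then the
    payload, one bit per sample in the least significant bit."""
    msg = MAGIC + struct.pack(">H", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in msg for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover too small for payload")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def lsb_plane(samples: list[int], nbytes: int) -> bytes:
    """Steganalyst's extraction step: pack the LSB of the first nbytes*8 samples into bytes."""
    bits = [s & 1 for s in samples[: nbytes * 8]]
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - 7, 8))


def detect_lsb_payload(wav_bytes: bytes):
    """Return the hidden payload when the LSB plane carries a consistent header, else None.
    A cover file with no embedding fails the header check; a truncated or forged
    length that does not fit in the audio is also rejected."""
    samples = read_wav(wav_bytes)
    header = lsb_plane(samples, 6)
    if len(header) < 6 or header[:4] != MAGIC:
        return None
    (length,) = struct.unpack(">H", header[4:6])
    if 6 + length > len(samples) // 8:   # declared length must fit in the sample count
        return None
    return lsb_plane(samples, 6 + length)[6:]


if __name__ == "__main__":
    cover = synth_cover()
    clean_wav = write_wav(cover)
    stego_wav = write_wav(embed_lsb(cover, b"hidden note"))
    print("clean file:", detect_lsb_payload(clean_wav))
    print("stego file:", detect_lsb_payload(stego_wav))
```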
A new web server must comply with new secure-by-design principles and PCI DSS. This includes mitigating the risk of an on-path attack.
A security analyst is reviewing the following web server configuration:
Which of the following ciphers should the security analyst remove to support the business requirements?
- A . TLS_AES_128_CCM_8_SHA256
- B . TLS_DHE_DSS_WITH_RC4_128_SHA
- C . TLS_CHACHA20_POLY1305_SHA256
- D . TLS_AES_128_GCM_SHA256
B
Explanation:
The security analyst should remove the cipher TLS_DHE_DSS_WITH_RC4_128_SHA to support the business requirements, as it is considered weak and vulnerable to on-path attacks. RC4 is an outdated stream cipher that has been deprecated by major browsers and protocols due to its flaws and weaknesses. The other ciphers are more secure and compliant with secure-by-design principles and PCI DSS.
Reference:
https://www.comptia.org/blog/what-is-a-cipher
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
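As an added example (not part of the original question set), the following Python audits a configured cipher-suite list against the baseline the explanation describes: the four suites from the question are reproduced as constructed input, and the checker goes beyond that single case by also flagging static-RSA (no forward secrecy), DSS-authenticated and SHA-1-HMAC suites in any TLS 1.2 suite name it is given. TLS 1.3 suite names (no `_WITH_`) pass, since every TLS 1.3 suite is AEAD with ephemeral key exchange.

```python
"""Audit a TLS cipher-suite list against a secure-by-design baseline (added example)."""

# Constructed copy of the four suites shown in the question.
CONFIGURED_SUITES = [
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_DHE_DSS_WITH_RC4_128_SHA",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

BROKEN_CIPHERS = {"RC4", "DES", "3DES", "NULL", "EXPORT", "IDEA", "SEED"}
WEAK_AUTH = {"DSS", "anon", "NULL"}        # DSA-signed, anonymous or unauthenticated
AEAD_MODES = ("GCM", "CCM", "POLY1305")    # CCM_8 is covered by the CCM prefix
PFS_EXCHANGES = {"ECDHE", "DHE"}


def audit_suite(name: str) -> list[str]:
    """Return the reasons a suite fails the baseline; an empty list means it passes."""
    if "_WITH_" not in name:
        # TLS 1.3 suites (RFC 8446) are all AEAD and always use (EC)DHE key exchange.
        return []
    kx_auth, cipher_mac = name.removeprefix("TLS_").split("_WITH_", 1)
    kx_tokens = kx_auth.split("_")
    cm_tokens = cipher_mac.split("_")
    mac = cm_tokens[-1]                 # HMAC hash for non-AEAD suites, PRF hash for AEAD
    cipher = "_".join(cm_tokens[:-1])
    reasons = []
    for tok in cm_tokens[:-1]:
        if tok in BROKEN_CIPHERS:
            reasons.append(f"broken or deprecated cipher {tok}")
    for tok in kx_tokens:
        if tok in WEAK_AUTH:
            reasons.append(f"weak or missing server authentication ({tok})")
    if not PFS_EXCHANGES.intersection(kx_tokens):
        reasons.append("no forward secrecy (static key exchange)")
    is_aead = any(mode in cipher for mode in AEAD_MODES)
    if not is_aead and mac == "SHA":
        reasons.append("SHA-1 HMAC on a non-AEAD suite")
    return reasons


def suites_to_remove(suites):
    """Map each failing suite to its reasons, preserving the configured order."""
    return {s: r for s in suites if (r := audit_suite(s))}


def hardened(suites):
    """The configured list with every failing suite removed."""
    return [s for s in suites if not audit_suite(s)]


if __name__ == "__main__":
    for suite, reasons in suites_to_remove(CONFIGURED_SUITES).items():
        print(f"remove {suite}: " + "; ".join(reasons))
    print("keep:", ", ".join(hardened(CONFIGURED_SUITES)))
```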
A security analyst notices a number of SIEM events that show the following activity:
Which of the following response actions should the analyst take FIRST?
- A . Disable powershell.exe on all Microsoft Windows endpoints.
- B . Restart Microsoft Windows Defender.
- C . Configure the forward proxy to block 40.90.23.154.
- D . Disable local administrator privileges on the endpoints.
C
Explanation:
The SIEM events show that powershell.exe was executed on multiple endpoints with an outbound connection to 40.90.23.154, which is an IP address associated with malicious activity. This could indicate a malware infection or a command-and-control channel. The best response action is to configure the forward proxy to block 40.90.23.154, which would prevent further communication with the malicious IP address. Disabling powershell.exe on all endpoints may not be feasible or effective, as it could affect legitimate operations and not remove the malware. Restarting Microsoft Windows Defender may not detect or stop the malware, as it could have bypassed or disabled it. Disabling local administrator privileges on the endpoints may not prevent the malware from running or communicating, as it could have escalated privileges or used other methods.
Reference:
https://www.comptia.org/blog/what-is-a-forward-proxy
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company hired a third party to develop software as part of its strategy to be quicker to market. The company’s policy outlines the following requirements: https://i.postimg.cc/8P9sB3zx/image.png
The credentials used to publish production software to the container registry should be stored in a secure location.
Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly.
Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials?
- A . TPM
- B . Local secure password file
- C . MFA
- D . Key vault
D
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals
A key vault is a service that provides secure storage and management of keys, secrets, and certificates. It can be used to store credentials used to publish production software to the container registry in a secure location, and restrict access to the pipeline service account without allowing the third-party developer to read the credentials directly. A TPM (trusted platform module) is a hardware device that provides cryptographic functions and key storage, but it is not suitable for storing shared credentials. A local secure password file is a file that stores passwords in an encrypted format, but it is not as secure or scalable as a key vault. MFA (multi-factor authentication) is a method of verifying the identity of a user or device by requiring two or more factors, but it does not store credentials.
Reference:
https://www.comptia.org/blog/what-is-a-key-vault
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A business stores personal client data of individuals residing in the EU in order to process requests for mortgage loan approvals.
Which of the following does the business’s IT manager need to consider?
- A . The availability of personal data
- B . The right to personal data erasure
- C . The company’s annual revenue
- D . The language of the web application
B
Explanation:
Reference: https://gdpr.eu/right-to-be-forgotten/#:~:text=Also%20known%20as%20the%20right,to%20delete%20their%20personal%20data.&text=The%20General%20Data%20Protection%20Regulation,collected%2C%20processed%2C%20and%20erased
The right to personal data erasure, also known as the right to be forgotten, is one of the requirements of the EU General Data Protection Regulation (GDPR), which applies to any business that stores personal data of individuals residing in the EU. This right allows individuals to request the deletion of their personal data from a business under certain circumstances. The availability of personal data, the company’s annual revenue, and the language of the web application are not relevant to the GDPR.
Reference:
https://www.comptia.org/blog/what-is-gdpr
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company publishes several APIs for customers and is required to use keys to segregate customer data sets.
Which of the following would be BEST to use to store customer keys?
- A . A trusted platform module
- B . A hardware security module
- C . A localized key store
- D . A public key infrastructure
D
Explanation:
A public key infrastructure (PKI) is a system of certificates and keys that can provide encryption and authentication for APIs (application programming interfaces). A PKI can be used to store customer keys for accessing APIs and segregating customer data sets. A trusted platform module (TPM) is a hardware device that provides cryptographic functions and key storage, but it is not suitable for storing customer keys for APIs. A hardware security module (HSM) is similar to a TPM, but it is used for storing keys for applications, not for APIs. A localized key store is a software component that stores keys locally, but it is not as secure or scalable as a PKI.
Reference:
https://www.comptia.org/blog/what-is-pki
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An organization wants to perform a scan of all its systems against best practice security configurations.
Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation? (Choose two.)
- A . ARF
- B . XCCDF
- C . CPE
- D . CVE
- E . CVSS
- F . OVAL
B, F
Explanation:
Reference: https://www.govinfo.gov/content/pkg/GOVPUB-C13-9ecd8eae582935c93d7f410e955dabb6/pdf/GOVPUB-C13-9ecd8eae582935c93d7f410e955dabb6.pdf (p.12)
XCCDF (Extensible Configuration Checklist Description Format) and OVAL (Open Vulnerability and Assessment Language) are two SCAP (Security Content Automation Protocol) standards that can enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation. XCCDF is a standard for expressing security checklists and benchmarks, while OVAL is a standard for expressing system configuration information and vulnerabilities. ARF (Asset Reporting Format) is a standard for expressing the transport format of information about assets, not configuration checks. CPE (Common Platform Enumeration) is a standard for identifying and naming hardware, software, and operating systems, not configuration checks. CVE (Common Vulnerabilities and Exposures) is a standard for identifying and naming publicly known cybersecurity vulnerabilities, not configuration checks. CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of cybersecurity vulnerabilities, not configuration checks.
Reference:
https://www.comptia.org/blog/what-is-scap
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company’s Chief Financial Officer loses a phone multiple times a year.
Which of the following will MOST likely secure the data on the lost device?
- A . Require a VPN to be active to access company data.
- B . Set up different profiles based on the person’s risk.
- C . Remotely wipe the device.
- D . Require MFA to access company applications.
C
Explanation:
Remotely wiping the device is the best way to secure the data on the lost device, as it would erase all the data and prevent unauthorized access. Requiring a VPN to be active to access company data may not protect the data on the device itself, as it could be stored locally or cached. Setting up different profiles based on the person’s risk may not prevent data loss or theft, as it depends on the level of access and encryption. Requiring MFA to access company applications may not protect the data on the device itself, as it could be stored locally or cached.
Reference:
https://www.comptia.org/blog/what-is-byod
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location. The solution must also have the lowest power requirement on the CA.
Which of the following is the BEST solution?
- A . Deploy an RA on each branch office.
- B . Use Delta CRLs at the branches.
- C . Configure clients to use OCSP.
- D . Send the new CRLs by using GPO.
C
Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/revoke-certificate
OCSP (Online Certificate Status Protocol) is a protocol that allows clients to check the revocation status of certificates in real time by querying an OCSP responder server, so the branch offices receive current revocation information without the traffic of distributing full revocation lists. Deploying an RA (registration authority) on each branch office may not help with checking the revocation status of certificates, as an RA is responsible for verifying the identity of certificate applicants, not issuing or revoking certificates. Using Delta CRLs (certificate revocation lists) at the branches may not provide timely or accurate information on certificate revocation status, as CRLs are updated periodically and may not reflect the latest changes.
Reference:
https://www.comptia.org/blog/what-is-ocsp
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
After a security incident, a network security engineer discovers that a portion of the company’s sensitive external traffic has been redirected through a secondary ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the event of a single provider failure?
- A . Disable BGP and implement a single static route for each internal network.
- B . Implement a BGP route reflector.
- C . Implement an inbound BGP prefix list.
- D . Disable BGP and implement OSPF.
C
Explanation:
Defenses against BGP hijacks include IP prefix filtering, meaning IP address announcements are sent and accepted only from a small set of well-defined autonomous systems, and monitoring Internet traffic to identify signs of abnormal traffic flows.
A company’s SOC has received threat intelligence about an active campaign utilizing a specific vulnerability. The company would like to determine whether it is vulnerable to this active campaign.
Which of the following should the company use to make this determination?
- A . Threat hunting
- B . A system penetration test
- C . Log analysis within the SIEM tool
- D . The Cyber Kill Chain
B
A security engineer needs to recommend a solution that will meet the following requirements:
Identify sensitive data in the provider’s network
Maintain compliance with company and regulatory guidelines
Detect and respond to insider threats, privileged user threats, and compromised accounts
Enforce data-centric security, such as encryption, tokenization, and access control
Which of the following solutions should the security engineer recommend to address these requirements?
- A . WAF
- B . CASB
- C . SWG
- D . DLP
D
Explanation:
DLP (data loss prevention) is a solution that can meet the following requirements: identify sensitive data in the provider’s network, maintain compliance with company and regulatory guidelines, detect and respond to insider threats, privileged user threats, and compromised accounts, and enforce data-centric security, such as encryption, tokenization, and access control. DLP can monitor, classify, and protect data in motion, at rest, or in use, and prevent unauthorized disclosure or exfiltration. WAF (web application firewall) is a solution that can protect web applications from common attacks, such as SQL injection or cross-site scripting, but it does not address the requirements listed. CASB (cloud access security broker) is a solution that can enforce policies and controls for accessing cloud services and applications, but it does not address the requirements listed. SWG (secure web gateway) is a solution that can monitor and filter web traffic to prevent malicious or unauthorized access, but it does not address the requirements listed.
Reference:
https://www.comptia.org/blog/what-is-data-loss-prevention
https://partners.comptia.org/docs/default-source/resources/casp-content-guid
A security engineer estimates the company’s popular web application experiences 100 attempted breaches per day. In the past four years, the company’s data has been breached two times.
Which of the following should the engineer report as the ARO for successful breaches?
- A . 0.5
- B . 8
- C . 50
- D . 36,500
A
Explanation:
Reference: https://blog.netwrix.com/2020/07/24/annual-loss-expectancy-and-quantitative-risk-analysis/
The ARO (annualized rate of occurrence) for successful breaches is the number of times an event is expected to occur in a year. To calculate the ARO for successful breaches, the engineer can divide the number of breaches by the number of years. In this case, the company’s data has been breached two times in four years, so the ARO is 2 / 4 = 0.5. The other options are incorrect calculations.
Reference:
https://www.comptia.org/blog/what-is-risk-management
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
Documents downloaded from websites must be scanned for malware.
Which of the following solutions should the network architect implement to meet the requirements?
- A . Reverse proxy, stateful firewalls, and VPNs at the local sites
- B . IDSs, WAFs, and forward proxy IDS
- C . DoS protection at the hub site, mutual certificate authentication, and cloud proxy
- D . IPSs at the hub, Layer 4 firewalls, and DLP
A security engineer needs to implement a solution to increase the security posture of user endpoints by providing more visibility and control over local administrator accounts. The endpoint security team is overwhelmed with alerts and wants a solution that has minimal operational burdens. Additionally, the solution must maintain a positive user experience after implementation.
Which of the following is the BEST solution to meet these objectives?
- A . Implement Privileged Access Management (PAM), keep users in the local administrators group, and enable local administrator account monitoring.
- B . Implement PAM, remove users from the local administrators group, and prompt users for explicit approval when elevated privileges are required.
- C . Implement EDR, remove users from the local administrators group, and enable privilege escalation monitoring.
- D . Implement EDR, keep users in the local administrators group, and enable user behavior analytics.
B
Explanation:
PAM (Privileged Access Management) is a solution that can increase the security posture of user endpoints by providing more visibility and control over local administrator accounts. By implementing PAM, removing users from the local administrators group, and prompting users for explicit approval when elevated privileges are required, the security engineer can reduce the attack surface, prevent unauthorized access, and enforce the principle of least privilege. Implementing PAM, keeping users in the local administrators group, and enabling local administrator account monitoring may not provide enough control or visibility over local administrator accounts, as users could still abuse or compromise their privileges. Implementing EDR (Endpoint Detection and Response) may not provide enough control or visibility over local administrator accounts, as EDR is mainly focused on detecting and responding to threats, not managing privileges. Enabling user behavior analytics may not provide enough control or visibility over local administrator accounts, as user behavior analytics is mainly focused on identifying anomalies or risks in user activity, not managing privileges.
Reference:
https://www.comptia.org/blog/what-is-pam
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An organization’s hunt team thinks a persistent threats exists and already has a foothold in the enterprise network.
Which of the following techniques would be BEST for the hunt team to use to entice the adversary to uncover malicious activity?
- A . Deploy a SOAR tool.
- B . Modify user password history and length requirements.
- C . Apply new isolation and segmentation schemes.
- D . Implement decoy files on adjacent hosts.
D
Explanation:
Implementing decoy files on adjacent hosts is a technique that can entice the adversary to uncover malicious activity, as it can lure them into accessing fake or irrelevant data that can trigger an alert or reveal their presence. Decoy files are also known as honeyfiles or honeypots, and they are part of deception technology. Deploying a SOAR (Security Orchestration Automation and Response) tool may not entice the adversary to uncover malicious activity, as SOAR is mainly focused on automating and streamlining security operations, not deceiving attackers. Modifying user password history and length requirements may not entice the adversary to uncover malicious activity, as it could affect legitimate users and not reveal the attacker’s actions. Applying new isolation and segmentation schemes may not entice the adversary to uncover malicious activity, as it could limit their access and movement, but not expose their presence.
Reference:
https://www.comptia.org/blog/what-is-deception-technology
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.
Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?
- A . Execute never
- B . No-execute
- C . Total memory encryption
- D . Virtual memory encryption
A
Explanation:
Execute never (XN) is the ARM architecture's name for the non-executable memory attribute that x86 calls the NX (no-execute) bit, which is why option A rather than option B is the answer for an ARM CPU. Each memory region can be tagged as not containing executable code by setting the XN bit in its translation table entry. If the XN bit is set to 1, any attempt to execute an instruction from that region results in a permission fault; if it is cleared to 0, code can execute from the region. XN also prevents speculative instruction fetches from regions marked non-executable, which avoids undesirable side effects. With data regions such as the stack, heap, and shared buffers marked XN, code that malware writes into another process's memory cannot be executed from there. XN alone does not stop the write itself or code-reuse techniques that run existing executable pages, so it is normally combined with ASLR and a W^X policy.
Reference:
https://developer.arm.com/documentation/ddi0360/f/memory-management-unit/memory-access-control/execute-never-bits
https://developer.arm.com/documentation/den0013/d/The-Memory-Management-Unit/Memory-attributes/Execute-Never
https://developer.arm.com/documentation/ddi0406/c/System-Level-Architecture/Virtual-Memory-System-ArchitectureCVMSA-/Memory-access-control/Execute-never-restrictions-on-instruction-fetching
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed.
Which of the following will allow the inspection of the data without multiple certificate deployments?
- A . Include all available cipher suites.
- B . Create a wildcard certificate.
- C . Use a third-party CA.
- D . Implement certificate pinning.
B
Explanation:
A wildcard certificate is a certificate issued for a name such as *.example.com that is valid for any single-label subdomain of that domain (app1.example.com, api.example.com), but not for the bare domain or for nested names such as a.b.example.com. One wildcard certificate deployed on the inspection device therefore covers every web application that will be added under its own subdomain over the next six months, with no further certificate deployments. Including all available cipher suites does not help, as cipher suites negotiate encryption and authentication algorithms and have nothing to do with which names a certificate covers. Using a third-party CA (certificate authority) does not help, as a CA is an issuer, not a type of certificate; the number of certificates to deploy stays the same. Implementing certificate pinning works against the goal, as pinning hardcodes the expected certificate or public key in the client and is what makes TLS inspection fail.
Reference:
https://www.comptia.org/blog/what-is-a-wildcard-certificate
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
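The one-label rule is the detail that decides whether a single wildcard really covers the planned subdomains. The following is an added example, not code from the original page or from any product it mentions: it implements the conservative wildcard matching that browsers apply (the wildcard must be the entire left-most label and matches exactly one label, per RFC 6125 section 6.4.3) and reports which of a constructed list of hostnames a *.example.com certificate would cover. The hostnames are assumptions made for the example.

```python
"""Which hostnames does a wildcard certificate cover?

Added example (not from the original page). Implements the browser reading
of RFC 6125 wildcard matching: '*' must be the whole left-most label, it
matches exactly one label, and '*.tld' style patterns are refused.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate issued for `pattern` is valid for `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        # Plain name in the certificate: exact match only.
        return pattern == hostname
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        # Partial-label wildcards (w*.example.com) and wildcards in
        # non-leading labels are rejected by browsers.
        return False
    if len(p_labels) < 3:
        # Refuse *.com: a wildcard must sit under a registered domain.
        return False
    # Same number of labels (the '*' never spans a dot), non-empty left-most
    # label, and everything after the wildcard identical.
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and p_labels[1:] == h_labels[1:]
    )


def covered_by(pattern: str, hostnames) -> dict:
    """Map each hostname to whether `pattern` covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


# Constructed hostnames for the planned applications (assumptions).
PLANNED = [
    "app1.example.com",
    "API.example.com",       # case-insensitive
    "example.com",           # bare domain: not covered
    "a.b.example.com",       # nested: needs *.b.example.com or its own cert
    "app1.example.net",      # different domain
]

if __name__ == "__main__":
    for host, ok in covered_by("*.example.com", PLANNED).items():
        print(f"{host:20} {'covered' if ok else 'NOT covered'}")
```

If any application is planned as a nested name (a.b.example.com), or on the bare domain, the wildcard will not cover it and a second certificate (or a SAN entry) is needed after all; the check above catches that before deployment. Note also that the wildcard's private key on the inspection device covers every subdomain at once, so its protection deserves the same care as a subordinate CA key.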
A small business requires a low-cost approach to theft detection for the audio recordings it produces and sells.
Which of the following techniques will MOST likely meet the business’s needs?
- A . Performing deep-packet inspection of all digital audio files
- B . Adding identifying filesystem metadata to the digital audio files
- C . Implementing steganography
- D . Purchasing and installing a DRM suite
C
Explanation:
Steganography is a technique that hides data within other files or media, such as images, audio, or video. For the small business this is a low-cost approach to theft detection: an identifying mark (owner, buyer, or sale number) can be embedded in the audio samples themselves, so a copy that turns up elsewhere can be checked for the mark and traced to its source. Performing deep-packet inspection of all digital audio files is not a theft-detection technique; it consumes bandwidth and resources, cannot see into encrypted traffic, and does nothing to identify a copied recording. Adding identifying filesystem metadata to the audio files is weak, as metadata sits outside the audio and is easily stripped or rewritten by whoever copies the file. Purchasing and installing a DRM (digital rights management) suite is not low-cost, as it involves licensing fees and, often, hardware or player requirements.
Reference:
https://www.comptia.org/blog/what-is-steganography
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
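The following is an added example, not code from the original page, of the technique the explanation describes: a short owner tag is embedded in the least-significant bit of successive 16-bit PCM samples, and a copy of the recording can later be checked for the tag. The audio is a constructed synthetic tone rather than a real recording, and the marker string, tag text and layout (marker, length, tag) are assumptions made for the example.

```python
"""LSB audio watermark for theft detection (added example, not from the page).

Layout embedded in the LSBs of successive samples, one bit per sample:
    MAGIC (3 bytes) | tag length (2 bytes, big-endian) | tag
"""
import array
import math
from typing import Optional

MAGIC = b"WM1"  # assumed marker so extraction can tell a tagged file from noise


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(samples: array.array, tag: bytes) -> array.array:
    """Return a copy of `samples` ('h' array) carrying MAGIC + len + tag in the LSBs."""
    payload = MAGIC + len(tag).to_bytes(2, "big") + tag
    bits = list(_bits(payload))
    if len(bits) > len(samples):
        raise ValueError("recording too short for payload")
    out = array.array("h", samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit  # touch only the LSB: at most +/-1 change
    return out


def extract(samples: array.array) -> Optional[bytes]:
    """Recover the tag, or None if MAGIC is absent (untagged or LSB-stripped copy)."""

    def read(n_bytes: int, offset: int) -> bytes:
        val = 0
        for i in range(n_bytes * 8):
            val = (val << 1) | (samples[offset + i] & 1)
        return val.to_bytes(n_bytes, "big")

    header = (len(MAGIC) + 2) * 8
    if len(samples) < header or read(len(MAGIC), 0) != MAGIC:
        return None
    n = int.from_bytes(read(2, len(MAGIC) * 8), "big")
    if len(samples) < header + n * 8:
        return None
    return read(n, header)


def make_tone(n: int = 4000, freq: float = 440.0, rate: int = 8000) -> array.array:
    """Constructed input: half a second of a 440 Hz sine at 8 kHz, 16-bit PCM."""
    return array.array(
        "h", (int(20000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n))
    )


if __name__ == "__main__":
    original = make_tone()
    sold_copy = embed(original, b"owner=example-studio;sale=0042")
    print("tag in sold copy:", extract(sold_copy))
    print("tag in untouched master:", extract(original))
```

The change per sample is at most one quantisation step, inaudible at 16 bits, and the tag survives plain file copying. It does not survive lossy re-encoding (MP3/AAC) or simple LSB zeroing, which is the limitation of this cheapest form; a business that expects adversarial removal needs a robust (spread-spectrum or transform-domain) watermark rather than LSB embedding.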
Clients are reporting slowness when attempting to access a series of load-balanced APIs that do not require authentication. The servers that host the APIs are showing heavy CPU utilization. No alerts are found on the WAFs sitting in front of the APIs.
Which of the following should a security engineer recommend to BEST remedy the performance issues in a timely manner?
- A . Implement rate limiting on the API.
- B . Implement geoblocking on the WAF.
- C . Implement OAuth 2.0 on the API.
- D . Implement input validation on the API.
A
Explanation:
Rate limiting is a technique that can limit the number or frequency of requests that a client can make to an API (application programming interface) within a given time frame. This can help remedy the performance issues caused by high CPU utilization on the servers that host the APIs, as it can prevent excessive or abusive requests that could overload the servers. Implementing geoblocking on the WAF (web application firewall) may not help remedy the performance issues, as it could block legitimate requests based on geographic location, not on request rate. Implementing OAuth 2.0 on the API may not help remedy the performance issues, as OAuth 2.0 is a protocol for authorizing access to APIs, not for limiting requests. Implementing input validation on the API may not help remedy the performance issues, as input validation is a technique for preventing invalid or malicious input from reaching the API, not for limiting requests.
Reference:
https://www.comptia.org/blog/what-is-rate-limiting
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
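As an added example (not code from the original page), the token-bucket limiter below shows what rate limiting does to the traffic pattern in the question: each client is keyed by source address (an assumption, since the APIs need no authentication), may burst up to `capacity` requests, and is then held to `rate` requests per second. The traffic sample is constructed: one client hammering the API and one behaving normally.

```python
"""Per-client token-bucket rate limiter (added example, not from the page)."""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float
    last: float  # timestamp (seconds) of the last refill


@dataclass
class TokenBucketLimiter:
    rate: float      # sustained requests per second allowed per client
    capacity: float  # burst size per client
    buckets: dict = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        """Return True if `client` may be served at time `now` (seconds)."""
        b = self.buckets.get(client)
        if b is None:
            b = Bucket(tokens=self.capacity, last=now)
            self.buckets[client] = b
        # Refill in proportion to elapsed time, never beyond capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False  # rejected: the caller answers 429 Too Many Requests


def replay(limiter: TokenBucketLimiter, events) -> dict:
    """Feed (timestamp, client) events through the limiter and return
    {client: (allowed, rejected)}."""
    stats = {}
    for ts, client in events:
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            allowed += 1
        else:
            rejected += 1
        stats[client] = (allowed, rejected)
    return stats


# Constructed traffic sample (addresses from the documentation ranges):
# one client sends 50 requests at 4 per second, a normal client sends one
# request every two seconds.
SAMPLE_EVENTS = sorted(
    [(i * 0.25, "203.0.113.9") for i in range(50)]
    + [(i * 2.0, "198.51.100.4") for i in range(5)]
)

if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=2.0, capacity=10.0)
    for client, (ok, dropped) in replay(limiter, SAMPLE_EVENTS).items():
        print(f"{client:14} allowed={ok:3} rejected={dropped:3}")
```

With a limit of 2 requests per second and a burst of 10, the abusive client gets its first 19 requests through and then only every other one, while the normal client is never touched. Because the APIs in the question are load-balanced, the bucket state must live in a shared store (or the limit must be enforced at the load balancer or WAF) rather than in each backend's memory; otherwise a client multiplies its allowance by the number of backends.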
An organization is considering a BYOD standard to support remote working. The first iteration of the solution will utilize only approved collaboration applications and the ability to move corporate data between those applications.
The security team has concerns about the following:
Unstructured data being exfiltrated after an employee leaves the organization
Data being exfiltrated as a result of compromised credentials
Sensitive information in emails being exfiltrated
Which of the following solutions should the security team implement to mitigate the risk of data loss?
- A . Mobile device management, remote wipe, and data loss detection
- B . Conditional access, DoH, and full disk encryption
- C . Mobile application management, MFA, and DRM
- D . Certificates, DLP, and geofencing
C
Explanation:
Mobile application management (MAM) is a solution that allows the organization to control and secure the approved collaboration applications and the data within them on personal devices. MAM can prevent unstructured data from being exfiltrated by restricting the ability to move, copy, or share data between applications. Multi-factor authentication (MFA) is a solution that requires the user to provide more than one piece of evidence to prove their identity when accessing corporate data. MFA can prevent data from being exfiltrated as a result of compromised credentials by adding an extra layer of security. Digital rights management (DRM) is a solution that protects the intellectual property rights of digital content by enforcing policies and permissions on how the content can be used, accessed, or distributed. DRM can prevent sensitive information in emails from being exfiltrated by encrypting the content and limiting the actions that can be performed on it, such as forwarding, printing, or copying.
Reference:
https://www.manageengine.com/data-security/what-is/byod.html
https://www.cimcor.com/blog/7-scariest-byod-security-risks-how-to-mitigate
A Chief Information Officer is considering migrating all company data to the cloud to save money on expensive SAN storage.
Which of the following is a security concern that will MOST likely need to be addressed during migration?
- A . Latency
- B . Data exposure
- C . Data loss
- D . Data dispersion
B
Explanation:
Data exposure is the security concern that will most likely need to be addressed when migrating all company data to the cloud, as it could involve sensitive or confidential data being accessed or disclosed by unauthorized parties. Data exposure could occur through misconfigured cloud services (such as publicly readable storage buckets), insecure data transfers, insider threats, or malicious attacks, and could result in compliance violations, reputational damage, or legal liabilities. Latency is not a security concern but a performance concern that affects the speed or quality of data access. Data loss is primarily an availability concern that affects the integrity or recovery of data. Data dispersion is a management concern that affects visibility and control over where data resides.
Reference:
https://www.comptia.org/blog/what-is-data-exposure
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
Due to locality and budget constraints, an organization’s satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility.
Which of the following would be the BEST option to implement?
- A . Distributed connection allocation
- B . Local caching
- C . Content delivery network
- D . SD-WAN vertical heterogeneity
D
Explanation:
SD-WAN (software-defined wide area network) vertical heterogeneity is the option that can help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility. It involves using different types of network links (such as broadband, cellular, or satellite) for different types of traffic (such as voice, video, or data) based on their performance and security requirements, which optimizes efficiency and reliability while keeping granular visibility and control over traffic flows at the satellite office. Distributed connection allocation distributes network connections among multiple servers or devices; it does not address the office's bandwidth allocation or threat visibility. Local caching and a content delivery network both reduce latency and repeat downloads for external content, but neither helps with traffic to internal resources and neither provides threat visibility on its own.
Reference:
https://www.comptia.org/blog/what-is-sd-wan
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O) on the disk drive.
Based on the output above, from which of the following process IDs can the analyst begin an investigation?
- A . 65
- B . 77
- C . 83
- D . 87
D
Explanation:
The process ID 87 can be the starting point for an investigation of a possible buffer overflow attack, as it shows a high percentage of CPU utilization (99.7%) and a suspicious command name (graphic.linux_randomization.prg). A buffer overflow attack is a type of attack that exploits a vulnerability in an application or system that allows an attacker to write data beyond the allocated buffer size, potentially overwriting memory segments and executing malicious code. A high CPU utilization could indicate that the process is performing intensive or abnormal operations, such as a buffer overflow attack. A suspicious command name could indicate that the process is trying to disguise itself or evade detection, such as by mimicking a legitimate program or using random characters. The other process IDs do not show signs of a buffer overflow attack, as they have low CPU utilization and normal command names.
Reference:
https://www.comptia.org/blog/what-is-buffer-overflow
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
Which of the following are risks associated with vendor lock-in? (Choose two.)
- A . The client can seamlessly move data.
- B . The vendor can change product offerings.
- C . The client receives a sufficient level of service.
- D . The client experiences decreased quality of service.
- E . The client can leverage a multicloud approach.
- F . The client experiences increased interoperability.
B, D
Explanation:
Reference: https://www.cloudflare.com/learning/cloud/what-is-vendor-lock-in/#:~:text=Vendor%20lock%2Din%20can%20become,may%20involve%20reformatting%20the%20data
Vendor lock-in is a situation where a client becomes dependent on a vendor for products or services and cannot easily switch to another vendor without substantial costs or inconvenience. Some of the risks associated with vendor lock-in are that the vendor can change product offerings, such as by discontinuing or modifying features, increasing prices, or reducing support, and that the client experiences decreased quality of service, such as by having poor performance, reliability, or security. These risks could affect the client’s business operations, satisfaction, or competitiveness. The client can seamlessly move data, the client receives a sufficient level of service, and the client can leverage a multicloud approach are not risks associated with vendor lock-in, but potential benefits of avoiding vendor lock-in.
Reference:
https://www.comptia.org/blog/what-is-vendor-lock-in
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An organization recently experienced a ransomware attack. The security team leader is concerned about the attack reoccurring. However, no further security measures have been implemented.
Which of the following processes can be used to identify potential prevention recommendations?
- A . Detection
- B . Remediation
- C . Preparation
- D . Recovery
C
Explanation:
Preparation is the process that can be used to identify potential prevention recommendations after a security incident, such as a ransomware attack. Preparation involves planning and implementing security measures to prevent or mitigate future incidents, such as by updating policies, procedures, or controls, conducting training or awareness campaigns, or acquiring new tools or resources. Detection is the process of discovering or identifying security incidents, not preventing them. Remediation is the process of containing or resolving security incidents, not preventing them. Recovery is the process of restoring normal operations after security incidents, not preventing them.
Reference:
https://www.comptia.org/blog/what-is-incident-response
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A security architect is implementing a web application that uses a database back end. Prior to production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks.
Which of the following sources could the architect consult to address this security concern?
- A . SDLC
- B . OVAL
- C . IEEE
- D . OWASP
D
Explanation:
OWASP (Open Web Application Security Project) is the source the security architect could consult to address the concern of XSS (cross-site scripting) attacks on a web application with a database back end. OWASP is a non-profit organization that provides resources and guidance for improving the security of web applications and services; it publishes the OWASP Top 10 list of common web application risks, which includes XSS, together with cheat sheets and best practices for preventing or mitigating them (output encoding, a Content Security Policy, and so on). SDLC (software development life cycle) is not a source for addressing XSS attacks but a framework for developing software in an organized manner. OVAL (Open Vulnerability and Assessment Language) is a standard for expressing system configuration information and vulnerability checks, not a source of mitigations for attack vectors. IEEE (Institute of Electrical and Electronics Engineers) is an organization that develops standards for various fields of engineering and technology, not a web application security resource.
Reference:
https://www.comptia.org/blog/what-is-owasp
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A security engineer was auditing an organization’s current software development practice and discovered that multiple open-source libraries were integrated into the organization’s software. The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?
- A . Perform additional SAST/DAST on the open-source libraries.
- B . Implement the SDLC security guidelines.
- C . Track the library versions and monitor the CVE website for related vulnerabilities.
- D . Perform unit testing of the open-source libraries.
C
Explanation:
Reference: https://www.whitesourcesoftware.com/resources/blog/application-security-best-practices/
Tracking the library versions and monitoring the CVE (Common Vulnerabilities and Exposures) website for related vulnerabilities is the activity the organization should incorporate into the SDLC (software development life cycle) to ensure the security of the open-source libraries integrated into its software; this is the core of software composition analysis (SCA). Tracking the library versions identifies outdated or unsupported libraries, and monitoring the CVE feed surfaces publicly known vulnerabilities in those exact versions together with their severity ratings, so affected builds can be flagged and the library upgraded. Performing additional SAST/DAST on the open-source libraries is not effective for this purpose: SAST needs the library source and tuning for each code base, DAST exercises only the paths the application happens to reach, and neither tells the organization that a given version is publicly known to be vulnerable. Implementing the SDLC security guidelines is a general activity the organization should follow for developing secure software, but it does not specifically address the open-source libraries. Performing unit testing of the open-source libraries checks functional behaviour of individual components, not their security.
Reference:
https://www.comptia.org/blog/what-is-cve
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
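The following is an added example, not code from the original page, of the build-time check that answer C describes: the pinned library versions are read from a requirements file and compared against a vulnerability feed by version range. Both the requirements file and the feed are constructed for the example; the package names and advisory identifiers are placeholders, not real CVEs. A real pipeline would pull the feed from NVD or OSV and fail the build on a hit.

```python
"""Match pinned open-source library versions against a vulnerability feed
(added example, not from the page; all data below is constructed)."""
import re

# Constructed lock file in requirements.txt style.
REQUIREMENTS = """\
# pinned third-party libraries (constructed sample)
examplelib==1.4.2
fastparse==0.9.0
imgtool==2.1.0   # pulled in for thumbnailing
"""

# Constructed advisory feed: (package, introduced, fixed, placeholder id).
# A version is affected if introduced <= version < fixed.
FEED = [
    ("examplelib", "1.0.0", "1.4.3", "EXAMPLE-2024-0001"),
    ("examplelib", "0.1.0", "0.9.9", "EXAMPLE-2023-0007"),
    ("imgtool", "2.0.0", "2.2.0", "EXAMPLE-2024-0042"),
]


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); '1.4' is padded so it compares equal to '1.4.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirements(text: str) -> dict:
    """Return {package: version} for exact '==' pins; comments and blank
    lines are ignored, anything that is not an exact pin is rejected, since
    an unpinned dependency cannot be matched against a feed."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins: dict, feed) -> list:
    """Return sorted (package, pinned, advisory, fixed_in) for every pin that
    falls inside an affected range."""
    hits = []
    for pkg, introduced, fixed, advisory in feed:
        if pkg not in pins:
            continue
        v = parse_version(pins[pkg])
        if parse_version(introduced) <= v < parse_version(fixed):
            hits.append((pkg, pins[pkg], advisory, fixed))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, pinned, advisory, fixed in find_vulnerable(parse_requirements(REQUIREMENTS), FEED):
        print(f"{pkg}=={pinned}: {advisory}, fixed in {fixed}")
```

Two points carry over to a real SDLC integration: the pin list should come from the lock file or SBOM so that transitive dependencies are included, and the comparison has to use the feed's affected ranges rather than a simple "older than latest" rule, because a library can be both outdated and unaffected.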
A security analyst is investigating a possible buffer overflow attack.
The following output was found on a user’s workstation: graphic.linux_randomization.prg
Which of the following technologies would mitigate the manipulation of memory segments?
- A . NX bit
- B . ASLR
- C . DEP
- D . HSM
B
Explanation:
https://eklitzke.org/memory-protection-and-aslr
ASLR (Address Space Layout Randomization) is a technology that can mitigate the manipulation of memory segments caused by a buffer overflow attack. ASLR randomizes the location of memory segments, such as the stack, heap, or libraries, making it harder for an attacker to predict or control where to inject malicious code or overwrite memory segments. NX bit (No-eXecute bit) is a technology that can mitigate the execution of malicious code injected by a buffer overflow attack. NX bit marks certain memory segments as non-executable, preventing an attacker from running code in those segments. DEP (Data Execution Prevention) is a technology that can mitigate the execution of malicious code injected by a buffer overflow attack. DEP uses hardware and software mechanisms to mark certain memory regions as data-only, preventing an attacker from running code in those regions. HSM (Hardware Security Module) is a device that can provide cryptographic functions and key storage, but it does not mitigate the manipulation of memory segments caused by a buffer overflow attack.
Reference:
https://www.comptia.org/blog/what-is-aslr
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue.
Which of the following is the MOST cost-effective solution?
- A . Move the server to a cloud provider.
- B . Change the operating system.
- C . Buy a new server and create an active-active cluster.
- D . Upgrade the server with a new one.
A
Explanation:
Moving the server to a cloud provider is the most cost-effective solution to avoid performance issues caused by too many connections during peak seasons, such as holidays. Moving the server to a cloud provider can provide scalability, elasticity, and availability for the web server, as it can adjust its resources and capacity according to the demand and traffic. Moving the server to a cloud provider can also reduce operational and maintenance costs, as the cloud provider can handle the infrastructure and security aspects. Changing the operating system may not help avoid performance issues, as it could introduce compatibility or functionality problems, and it may not address the resource or capacity limitations. Buying a new server and creating an active-active cluster may help avoid performance issues, but it may not be cost-effective, as it could involve hardware and software expenses, as well as complex configuration and management tasks. Upgrading the server with a new one may help avoid performance issues, but it may not be cost-effective, as it could involve hardware and software expenses, as well as migration and testing efforts.
Reference:
https://www.comptia.org/blog/what-is-cloud-computing
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company has decided to purchase a license for software that is used to operate a mission-critical process. The third-party developer is new to the industry but is delivering what the company needs at this time.
Which of the following BEST describes the reason why utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application?
- A . The company will have access to the latest version to continue development.
- B . The company will be able to force the third-party developer to continue support.
- C . The company will be able to manage the third-party developer’s development process.
- D . The company will be paid by the third-party developer to hire a new development team.
A
Explanation:
Utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application, as it will provide access to the latest version of the source code to continue development. A source code escrow is an agreement between a software developer and a client that involves depositing the source code of a software product with a third-party escrow agent. The escrow agent can release the source code to the client under certain conditions specified in the agreement, such as bankruptcy, termination, or breach of contract by the developer. The company will not be able to force the third-party developer to continue support, manage their development process, or be paid by them to hire a new development team by utilizing a source code escrow.
Reference:
https://www.comptia.org/blog/what-is-source-code-escrow
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources.
Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers?
- A . Union filesystem overlay
- B . Cgroups
- C . Linux namespaces
- D . Device mapper
B
Explanation:
Cgroups (control groups) are the core Linux concept that reflects the ability to limit resource allocation to containers, such as CPU, memory, disk I/O, or network bandwidth. Cgroups can prevent resource exhaustion on the Docker host caused by a single application overconsuming available resources, as they enforce quotas or priorities for each container or group of containers; the `--memory` and `--cpus` options of `docker run` are implemented as cgroup limits. Union filesystem overlay is not about resource limits but a technique that allows multiple filesystems to be mounted on the same mount point, creating a layered representation of files and directories (the container image layers). Linux namespaces isolate and virtualize system resources for each process or group of processes (PIDs, network, mounts, users), giving containers their separate view of the system, but they do not cap consumption. Device mapper is a framework that provides logical volume management, encryption, or snapshotting capabilities for block devices.
Reference:
https://www.comptia.org/blog/what-is-cgroups
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users.
Which of the following would be BEST for the developer to perform? (Choose two.)
- A . Utilize code signing by a trusted third party.
- B . Implement certificate-based authentication.
- C . Verify MD5 hashes.
- D . Compress the program with a password.
- E . Encrypt with 3DES.
- F . Make the DACL read-only.
A, F
Explanation:
Utilizing code signing by a trusted third party and making the DACL (discretionary access control list) read-only are the actions the developer can take to maintain the integrity of each module of a program and ensure the code cannot be altered by malicious users. Code signing uses digital signatures to verify the authenticity and integrity of code: any modification invalidates the signature, and a trusted third party such as a certificate authority issues and validates the code-signing certificate, so a verifier does not have to trust a hash that ships alongside the code. A DACL is an attribute of an object that defines the permissions granted or denied to users or groups; making the code's DACL read-only prevents unauthorized users or groups from modifying it in place. Implementing certificate-based authentication verifies the identity of users or devices based on digital certificates; it controls who can access the program, not whether the code has been altered. Verifying MD5 hashes only detects accidental changes or corruption: MD5 is collision-broken, an attacker who can alter the code can usually alter the published hash as well, and a bare hash carries no proof of who produced it. Compressing the program with a password reduces the size of files and restricts extraction, but it does not prove integrity and the archive can simply be replaced. Encrypting with 3DES protects the confidentiality of data with a legacy symmetric-key algorithm; it provides neither integrity nor authenticity of the code.
Reference:
https://www.comptia.org/blog/what-is-code-signing
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company is moving most of its customer-facing production systems to the cloud. IaaS is the service model being used. The Chief Executive Officer is concerned about the type of encryption available and requires that the solution have the highest level of security.
Which of the following encryption methods should the cloud security engineer select during the implementation phase?
- A . Instance-based
- B . Storage-based
- C . Proxy-based
- D . Array controller-based
B
Explanation:
We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets. Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage.
Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas
A vulnerability analyst identified a zero-day vulnerability in a company’s internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one.
Which of the following would be BEST suited to meet these requirements?
- A . ARF
- B . ISACs
- C . Node.js
- D . OVAL
D
Explanation:
OVAL (Open Vulnerability and Assessment Language) is a standard that would be best suited for creating checks for a zero-day vulnerability in an organization’s internally developed software. OVAL is a standard for expressing system configuration information and vulnerabilities in an XML format, allowing interoperability and automation among different security tools and platforms. An engineer can use OVAL to create definitions or tests for specific vulnerabilities or states in the software, and then use OVAL-compatible tools to scan or evaluate the software against those definitions or tests. ARF (Asset Reporting Format) is not a standard for creating checks for vulnerabilities, but a standard for expressing information about assets and their characteristics in an XML format, allowing interoperability and automation among different security tools and platforms. ISACs (Information Sharing and Analysis Centers) are not standards for creating checks for vulnerabilities, but organizations that collect, analyze, and disseminate information about threats, vulnerabilities, incidents, or best practices among different sectors or communities. Node.js is not a standard for creating checks for vulnerabilities, but a runtime environment that allows executing JavaScript code outside of a web browser, enabling the development of scalable web applications or services.
Reference:
https://www.comptia.org/blog/what-is-oval
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An organization recently started processing, transmitting, and storing its customers’ credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers’ information.
Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?
- A . NIST
- B . GDPR
- C . PCI DSS
- D . ISO
C
Explanation:
PCI DSS (Payment Card Industry Data Security Standard) is a standard that provides the best guidance for protecting credit card information while it is at rest and in transit. PCI DSS is a standard that defines the security requirements and best practices for organizations that process, store, or transmit credit card information, such as merchants, service providers, or acquirers. PCI DSS aims to protect the confidentiality, integrity, and availability of credit card information and prevent fraud or identity theft. NIST (National Institute of Standards and Technology) is not a standard that provides the best guidance for protecting credit card information, but an agency that develops standards, guidelines, and recommendations for various fields of science and technology, including cybersecurity. GDPR (General Data Protection Regulation) is not a standard that provides the best guidance for protecting credit card information, but a regulation that defines the data protection and privacy rights and obligations for individuals and organizations in the European Union or the European Economic Area. ISO (International Organization for Standardization) is not a standard that provides the best guidance for protecting credit card information, but an organization that develops standards for various fields of science and technology, including information security.
Reference:
https://www.comptia.org/blog/what-is-pci-dss
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output?
- A . Importing the availability of messages
- B . Ensuring non-repudiation of messages
- C . Enforcing protocol conformance for messages
- D . Assuring the integrity of messages
D
Explanation:
Assuring the integrity of messages is the most important security objective when applying cryptography to control messages that tell an ICS (industrial control system) how much electrical power to output. Integrity is the security objective that ensures the accuracy and completeness of data or information, preventing unauthorized modifications or tampering. Assuring the integrity of messages can prevent malicious or accidental changes to the control messages that could affect the operation or safety of the ICS or the electrical power output. Importing the availability of messages is not the most important objective here; availability is the security objective that ensures the accessibility and usability of data or information, preventing unauthorized denial or disruption of service. Ensuring non-repudiation of messages is not the most important objective here; non-repudiation is the security objective that ensures the authenticity and accountability of data or information, preventing unauthorized denial or dispute of actions or transactions. Enforcing protocol conformance for messages is not the most important objective here; conformance is the security objective that ensures the compliance and consistency of data or information, preventing unauthorized deviations or violations of rules or standards.
Reference:
https://www.comptia.org/blog/what-is-integrity
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs.
Which of the following should the company use to prevent data theft?
- A . Watermarking
- B . DRM
- C . NDA
- D . Access logging
B
Explanation:
DRM (digital rights management) is a technology that can protect intellectual property from theft by restricting the access, use, modification, or distribution of digital content or devices. DRM can use encryption, authentication, licensing, watermarking, or other methods to enforce the rights and permissions granted by the content owner or provider to authorized users or devices. DRM can prevent unauthorized copying, sharing, or piracy of digital content, such as software, music, movies, or books. Watermarking is not a technology that can protect intellectual property from theft by itself, but a technique that can embed identifying information or marks in digital content or media, such as images, audio, or video. Watermarking can help prove ownership or origin of digital content, but it does not prevent unauthorized access or use of it. NDA (non-disclosure agreement) is not a technology that can protect intellectual property from theft by itself, but a legal contract that binds parties to keep certain information confidential and not disclose it to unauthorized parties. NDA can help protect sensitive or proprietary information from exposure or misuse, but it does not prevent unauthorized access or use of it. Access logging is not a technology that can protect intellectual property from theft by itself, but a technique that can record the activities or events related to accessing data or resources. Access logging can help monitor or audit access to data or resources, but it does not prevent unauthorized access or use of them.
Reference:
https://www.comptia.org/blog/what-is-drm
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A satellite communications ISP frequently experiences outages and degraded modes of operation over one of its legacy satellite links due to the use of deprecated hardware and software. Three days per week, on average, a contracted company must follow a checklist of 16 different high-latency commands that must be run in serial to restore nominal performance. The ISP wants this process to be automated.
Which of the following techniques would be BEST suited for this requirement?
- A . Deploy SOAR utilities and runbooks.
- B . Replace the associated hardware.
- C . Provide the contractors with direct access to satellite telemetry data.
- D . Reduce link latency on the affected ground and satellite segments.
A
Explanation:
Deploying SOAR (Security Orchestration, Automation, and Response) utilities and runbooks is the best technique for automating the process of restoring nominal performance on a legacy satellite link that suffers degraded modes of operation because of deprecated hardware and software: the 16 serial, high-latency commands in the checklist can be encoded as a runbook that the SOAR platform executes without manual intervention.
A company processes data subject to NDAs with partners that define the processing and storage constraints for the covered data. The agreements currently do not permit moving the covered data to the cloud, and the company would like to renegotiate the terms of the agreements.
Which of the following would MOST likely help the company gain consensus to move the data to the cloud?
- A . Designing data protection schemes to mitigate the risk of loss due to multitenancy
- B . Implementing redundant stores and services across diverse CSPs for high availability
- C . Emulating OS and hardware architectures to blur operations from CSP view
- D . Purchasing managed FIM services to alert on detected modifications to covered data
Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last backup occurred 48 hours ago. The management team has indicated that the RPO for a disaster recovery event for this data classification is 24 hours.
Based on RPO requirements, which of the following recommendations should the management team make?
- A . Leave the current backup schedule intact and pay the ransom to decrypt the data.
- B . Leave the current backup schedule intact and make the human resources fileshare read-only.
- C . Increase the frequency of backups and create SIEM alerts for IOCs.
- D . Decrease the frequency of backups and pay the ransom to decrypt the data.
C
Explanation:
Increasing the frequency of backups and creating SIEM (security information and event management) alerts for IOCs (indicators of compromise) are the best recommendations that the management team can make based on RPO (recovery point objective) requirements. RPO is a metric that defines the maximum acceptable amount of data loss that can occur during a disaster recovery event. Increasing the frequency of backups can reduce the amount of data loss that can occur, as it can create more recent copies or snapshots of the data. Creating SIEM alerts for IOCs can help detect and respond to ransomware attacks, as it can collect, correlate, and analyze security events and data from various sources and generate alerts based on predefined rules or thresholds. Leaving the current backup schedule intact and paying the ransom to decrypt the data are not good recommendations, as they could result in more data loss than the RPO allows, as well as encourage more ransomware attacks or expose the company to legal or ethical issues. Leaving the current backup schedule intact and making the human resources fileshare read-only are not good recommendations, as they could result in more data loss than the RPO allows, as well as affect the normal operations or functionality of the fileshare. Decreasing the frequency of backups and paying the ransom to decrypt the data are not good recommendations, as they could result in more data loss than the RPO allows, as well as increase the risk of losing data due to less frequent backups or unreliable decryption.
Reference:
https://www.comptia.org/blog/what-is-rpo
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company undergoing digital transformation is reviewing the resiliency of a CSP and is concerned about meeting SLA requirements in the event of a CSP incident.
Which of the following would be BEST to proceed with the transformation?
- A . An on-premises solution as a backup
- B . A load balancer with a round-robin configuration
- C . A multicloud provider solution
- D . An active-active solution within the same tenant
C
Explanation:
A multicloud provider solution is the best option for proceeding with the digital transformation while ensuring SLA (service level agreement) requirements in the event of a CSP (cloud service provider) incident. A multicloud provider solution is a strategy that involves using multiple CSPs for different cloud services or applications, such as infrastructure, platform, or software as a service. A multicloud provider solution can provide resiliency, redundancy, and availability for cloud services or applications, as it can distribute the workload and risk across different CSPs and avoid single points of failure or vendor lock-in. An on-premises solution as a backup is not a good option for proceeding with the digital transformation, as it could involve high costs, complexity, or maintenance for maintaining both cloud and on-premises resources, as well as affect the scalability or flexibility of cloud services or applications. A load balancer with a round-robin configuration is not a good option for proceeding with the digital transformation, as it could introduce latency or performance issues for cloud services or applications, as well as not provide sufficient resiliency or redundancy in case of a CSP incident. An active-active solution within the same tenant is not a good option for proceeding with the digital transformation, as it could still be affected by a CSP incident that impacts the entire tenant or region, as well as increase the costs or complexity of managing multiple instances of cloud services or applications.
Reference:
https://www.comptia.org/blog/what-is-multicloud
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company has hired a security architect to address several service outages on the endpoints due to new malware. The Chief Executive Officer’s laptop was impacted while working from home. The goal is to prevent further endpoint disruption. The edge network is protected by a web proxy.
Which of the following solutions should the security architect recommend?
- A . Replace the current antivirus with an EDR solution.
- B . Remove the web proxy and install a UTM appliance.
- C . Implement a deny list feature on the endpoints.
- D . Add a firewall module on the current antivirus solution.
A
Explanation:
Replacing the current antivirus with an EDR (endpoint detection and response) solution is the best solution for addressing several service outages on the endpoints due to new malware. An EDR solution is a technology that provides advanced capabilities for detecting, analyzing, and responding to threats or incidents on endpoints, such as computers, laptops, mobile devices, or servers. An EDR solution can use behavioral analysis, machine learning, threat intelligence, or other methods to identify new or unknown malware that may evade traditional antivirus solutions. An EDR solution can also provide automated or manual remediation actions, such as isolating, blocking, or removing malware from endpoints. Removing the web proxy and installing a UTM (unified threat management) appliance is not a good solution for addressing service outages on endpoints due to new malware, as it could expose endpoints to more threats or attacks by removing a layer of protection that filters web traffic, as well as not provide sufficient detection or response capabilities for endpoint-specific malware. Implementing a deny list feature on endpoints is not a good solution for addressing service outages on endpoints due to new malware, as it could be ineffective or impractical for blocking new or unknown malware that may not be on the deny list, as well as not provide sufficient detection or response capabilities for endpoint-specific malware. Adding a firewall module on the current antivirus solution is not a good solution for addressing service outages on endpoints due to new malware, as it could introduce compatibility or performance issues for endpoints by adding an additional feature that may not be integrated or optimized with the antivirus solution, as well as not provide sufficient detection or response capabilities for endpoint-specific malware.
Reference:
https://www.comptia.org/blog/what-is-edr
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
All staff at a company have started working remotely due to a global pandemic. To transition to remote work, the company has migrated to SaaS collaboration tools.
The human resources department wants to use these tools to process sensitive information but is concerned the data could be:
Leaked to the media via printing of the documents
Sent to a personal email address
Accessed and viewed by systems administrators
Uploaded to a file storage site
Which of the following would mitigate the department’s concerns?
- A . Data loss detection, reverse proxy, EDR, and PGP
- B . VDI, proxy, CASB, and DRM
- C . Watermarking, forward proxy, DLP, and MFA
- D . Proxy, secure VPN, endpoint encryption, and AV
B
Explanation:
VDI (virtual desktop infrastructure), proxy, CASB (cloud access security broker), and DRM (digital rights management) are technologies that can mitigate the concerns of processing sensitive information using SaaS (software as a service) collaboration tools. VDI is a technology that provides virtualized desktop environments for users that are hosted and managed by a central server, allowing users to access applications or data from any device or location. VDI can prevent data leakage to the media via printing of documents, as it can restrict or monitor the printing capabilities or permissions of users or devices. Proxy is a technology that acts as an intermediary between clients and servers, filtering or modifying web traffic based on predefined rules or policies. Proxy can prevent data leakage to a personal email address, as it can block or redirect web requests to unauthorized or untrusted email domains or services. CASB is a technology that provides visibility and control over cloud services or applications, enforcing security policies or compliance requirements based on predefined rules or criteria. CASB can prevent data access and viewing by systems administrators, as it can encrypt or mask sensitive data before it reaches the cloud provider or application, making it unreadable or inaccessible by unauthorized parties. DRM is a technology that restricts the access, use, modification, or distribution of digital content or devices, enforcing the rights and permissions granted by the content owner or provider to authorized users or devices. DRM can prevent data upload to a file storage site, as it can limit or disable the copying, sharing, or transferring capabilities or permissions of users or devices.
Reference:
https://www.comptia.org/blog/what-is-vdi
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios:
Unauthorized insertions into application development environments
Authorized insiders making unauthorized changes to environment configurations
Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.)
- A . Perform static code analysis of committed code and generate summary reports.
- B . Implement an XML gateway and monitor for policy violations.
- C . Monitor dependency management tools and report on susceptible third-party libraries.
- D . Install an IDS on the development subnet and passively monitor for vulnerable services.
- E . Model user behavior and monitor for deviations from normal.
- F . Continuously monitor code commits to repositories and generate summary logs.
E, F
Explanation:
Modeling user behavior and monitoring for deviations from normal, together with continuously monitoring code commits to repositories and generating summary logs, are the actions that will enable the data feeds needed to detect unauthorized insertions into application development environments and authorized insiders making unauthorized changes to environment configurations. Modeling user behavior and monitoring for deviations from normal is a technique that uses baselines, analytics, machine learning, or other methods to establish normal patterns of user activity and identify anomalies or outliers that could indicate malicious or suspicious behavior. It can help detect unauthorized insertions into application development environments, as it can alert on unusual or unauthorized access attempts, commands, actions, or transactions by users. Continuously monitoring code commits to repositories and generating summary logs is a technique that uses tools, scripts, automation, or other methods to track and record changes made to code repositories by developers, testers, reviewers, or other parties involved in the software development process. It can help detect authorized insiders making unauthorized changes to environment configurations, as it can audit and verify the source, time, reason, and impact of code changes made by authorized users. Performing static code analysis of committed code and generating summary reports does not enable the data feeds needed to detect these two attack scenarios; it enables the data feeds needed to detect vulnerabilities, errors, bugs, or quality issues in committed code.
Implementing an XML gateway and monitoring for policy violations does not enable the data feeds needed to detect these two attack scenarios; it enables the data feeds needed to protect XML-based web services from threats or attacks by validating XML messages against predefined policies. Monitoring dependency management tools and reporting on susceptible third-party libraries does not enable the data feeds needed to detect these two attack scenarios; it enables the data feeds needed to identify outdated or vulnerable third-party libraries used in software development projects. Installing an IDS (intrusion detection system) on the development subnet and passively monitoring for vulnerable services is not an action that will enable the data feeds needed to detect unauthorized insertions into application development environments and authorized insiders making unauthorized changes
An enterprise is deploying APIs that utilize a private key and a public key to ensure the connection string is protected. To connect to the API, customers must use the private key.
Which of the following would BEST secure the REST API connection to the database while preventing the use of a hard-coded string in the request string?
- A . Implement a VPN for all APIs.
- B . Sign the key with DSA.
- C . Deploy MFA for the service accounts.
- D . Utilize HMAC for the keys.
D
Explanation:
Utilizing HMAC (hash-based message authentication code) for the keys is the best option for securing the REST API connection to the database while preventing the use of a hard-coded string in the request string. HMAC is a technique that uses a secret key and a hash function to generate a code that can verify the authenticity and integrity of a message, preventing unauthorized modifications or tampering. Utilizing HMAC for the keys can prevent the use of a hard-coded string in the request string, as it can dynamically generate a unique code for each request based on the secret key and the message content, making it difficult to forge or replay. Implementing a VPN (virtual private network) for all APIs is not a good option for securing the REST API connection to the database, as it could introduce latency or performance issues for API requests, as well as not prevent the use of a hard-coded string in the request string. Signing the key with DSA (Digital Signature Algorithm) is not a good option for securing the REST API connection to the database, as it could be vulnerable to attacks or forgery if the key is compromised or weak, as well as not prevent the use of a hard-coded string in the request string. Deploying MFA (multi-factor authentication) for the service accounts is not a good option for securing the REST API connection to the database, as it could affect the usability or functionality of API requests, as well as not prevent the use of a hard-coded string in the request string.
Reference:
https://www.comptia.org/blog/what-is-hmac
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An application server was recently upgraded to prefer TLS 1.3, and now users are unable to connect their clients to the server.
Attempts to reproduce the error are confirmed, and clients are reporting the following: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Which of the following is MOST likely the root cause?
- A . The client application is testing PFS.
- B . The client application is configured to use ECDHE.
- C . The client application is configured to use RC4.
- D . The client application is configured to use AES-256 in GCM.
C
Explanation:
Reference: https://kinsta.com/knowledgebase/err_ssl_version_or_cipher_mismatch/
The client application being configured to use RC4 is the most likely root cause of why users are unable to connect their clients to the server that prefers TLS 1.3. RC4 is an outdated and insecure symmetric-key encryption algorithm that has been deprecated and removed from TLS 1.3, which is the latest version of the protocol that provides secure communication between clients and servers. If the client application is configured to use RC4, it will not be able to negotiate a secure connection with the server that prefers TLS 1.3, resulting in an error message such as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The client application testing PFS (perfect forward secrecy) is not a likely root cause of why users are unable to connect their clients to the server that prefers TLS 1.3, as PFS is a property that ensures that session keys derived from a set of long-term keys cannot be compromised if one of them is compromised in the future. PFS is supported and recommended by TLS 1.3, which uses ephemeral Diffie-Hellman or elliptic curve Diffie-Hellman key exchange methods to achieve PFS. The client application being configured to use ECDHE (elliptic curve Diffie-Hellman ephemeral) is not a likely root cause of why users are unable to connect their clients to the server that prefers TLS 1.3, as ECDHE is a key exchange method that provides PFS and high performance by using elliptic curve cryptography to generate ephemeral keys for each session.
ECDHE is supported and recommended by TLS 1.3, which uses ECDHE as the default key exchange method. The client application being configured to use AES-256 in GCM (Galois/Counter Mode) is not a likely root cause of why users are unable to connect their clients to the server that prefers TLS 1.3, as AES-256 in GCM is an encryption mode that provides confidentiality and integrity by using AES with a 256-bit key and GCM as an authenticated encryption mode. AES-256 in GCM is supported and recommended by TLS 1.3, which uses AES-256 in GCM as one of the default encryption modes.
Reference:
https://www.comptia.org/blog/what-is-tls-13
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
An organization is designing a network architecture that must meet the following requirements:
Users will only be able to access predefined services.
Each user will have a unique allow list defined for access.
The system will construct one-to-one subject/object access paths dynamically.
Which of the following architectural designs should the organization use to meet these requirements?
- A . Peer-to-peer secure communications enabled by mobile applications
- B . Proxied application data connections enabled by API gateways
- C . Microsegmentation enabled by software-defined networking
- D . VLANs enabled by network infrastructure devices
C
Explanation:
Microsegmentation enabled by software-defined networking is an architectural design that can meet the requirements of allowing users to access only predefined services, having unique allow lists defined for each user, and constructing one-to-one subject/object access paths dynamically. Microsegmentation is a technique that divides a network into smaller segments or zones based on granular criteria, such as applications, services, users, or devices. Microsegmentation can provide fine-grained access control and isolation for network resources, preventing unauthorized or lateral movements within the network. Software-defined networking is a technology that decouples the control plane from the data plane in network devices, allowing centralized and programmable management of network functions and policies. Software-defined networking can enable microsegmentation by dynamically creating and enforcing network segments or zones based on predefined rules or policies.
Peer-to-peer secure communications enabled by mobile applications is not an architectural design that can meet the requirements of allowing users to access only predefined services, having unique allow lists defined for each user, and constructing one-to-one subject/object access paths dynamically, as peer-to-peer secure communications is a technique that allows direct and encrypted communication between two or more parties without relying on a central server or intermediary.
Proxied application data connections enabled by API gateways is not an architectural design that can meet the requirements of allowing users to access only predefined services, having unique allow lists defined for each user, and constructing one-to-one subject/object access paths dynamically, as proxied application data connections is a technique that allows indirect and filtered communication between applications or services through an intermediary device or service that can modify or monitor the traffic.
VLANs (virtual local area networks) enabled by network infrastructure devices is not an architectural design that can meet the requirements of allowing users to access only predefined services, having unique allow lists defined for each user, and constructing one-to-one subject/object access paths dynamically, as VLANs are logical segments of a physical network that can group devices or users based on common criteria, such as function, department, or location.
Reference:
https://www.comptia.org/blog/what-is-microsegmentation
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company’s claims processing department has a mobile workforce that receives a large number of email submissions from personal email addresses. An employee recently received an email that appeared to be a claim form, but it installed malicious software on the employee’s laptop when it was opened.
- A . Implement application whitelisting and add only the email client to the whitelist for laptops in the claims processing department.
- B . Require all laptops to connect to the VPN before accessing email.
- C . Implement cloud-based content filtering with sandboxing capabilities.
- D . Install a mail gateway to scan incoming messages and strip attachments before they reach the mailbox.
C
Explanation:
Implementing cloud-based content filtering with sandboxing capabilities is the best solution for preventing malicious software installation on the employee’s laptop due to opening an email attachment that appeared to be a claim form. Cloud-based content filtering is a technique that uses a cloud service to filter or block web traffic based on predefined rules or policies, preventing unauthorized or malicious access to web resources or services. Cloud-based content filtering can prevent malicious software installation on the employee’s laptop due to opening an email attachment that appeared to be a claim form, as it can scan or analyze email attachments before they reach the mailbox and block or quarantine them if they are malicious. Sandboxing is a technique that uses an isolated or virtualized environment to execute or test suspicious or untrusted code or applications, preventing them from affecting the host system or network. Sandboxing can prevent malicious software installation on the employee’s laptop due to opening an email attachment that appeared to be a claim form, as it can run or detonate email attachments in a safe environment and observe their behavior or impact before allowing them to reach the mailbox.
Implementing application whitelisting and adding only the email client to the whitelist for laptops in the claims processing department is not a good solution for preventing malicious software installation on the employee’s laptop due to opening an email attachment that appeared to be a claim form, as it could affect the usability or functionality of other applications on the laptops that may be needed for work purposes, as well as not prevent malicious software from running within the email client.
Requiring all laptops to connect to the VPN (virtual private network) before accessing email is not a good solution for preventing malicious software installation on the employee’s laptop due to opening an email attachment that appeared to be a claim form, as it could introduce latency or performance issues for accessing email, as well as not prevent malicious software from reaching or executing on the laptops.
Installing a mail gateway to scan incoming messages and strip attachments before they reach the mailbox is not a good solution for preventing malicious software installation on the employee’s laptop due to opening an email attachment that appeared to be a claim form, as it could affect the normal operations or functionality of email communication, as well as not prevent legitimate attachments from reaching the mailbox.
Reference:
https://www.comptia.org/blog/what-is-cloud-based-content-filtering
https://partners.comptia.org/docs/default-source/resources/casp-content-guide
A company suspects a web server may have been infiltrated by a rival corporation.
The security engineer reviews the web server logs and finds the following:
The security engineer looks at the code with a developer, and they determine the log entry is created when the following line is run:
Which of the following is an appropriate security control the company should implement?
- A . Restrict directory permission to read-only access.
- B . Use server-side processing to avoid XSS vulnerabilities in path input.
- C . Separate the items in the system call to prevent command injection.
- D . Parameterize a query in the path variable to prevent SQL injection.
C
Explanation:
The company using the wrong port is the most likely root cause of why secure LDAP is not working. Secure LDAP is a protocol that provides secure communication between clients and servers using LDAP (Lightweight Directory Access Protocol), which is a protocol that allows querying and modifying directory services over TCP/IP. Secure LDAP uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to encrypt LDAP traffic and prevent unauthorized disclosure or interception.
A company that uses AD is migrating services from LDAP to secure LDAP. During the pilot phase, services are not connecting properly to secure LDAP.
Below is an excerpt of output from the troubleshooting session:
Which of the following BEST explains why secure LDAP is not working? (Select TWO.)
- A . The clients may not trust idapt by default.
- B . The secure LDAP service is not started, so no connections can be made.
- C . Danvills.com is under a DDoS-inator attack and cannot respond to OCSP requests.
- D . Secure LDAP should be running on UDP rather than TCP.
- E . The company is using the wrong port. It should be using port 389 for secure LDAP.
- F . Secure LDAP does not support wildcard certificates.
- G . The clients may not trust Chicago by default.
AF
Explanation:
The clients may not trust idapt by default because it is a self-signed certificate authority that is not in the trusted root store of the clients. Secure LDAP does not support wildcard certificates because they do not match the fully qualified domain name of the server.
Reference:
https://www.professormesser.com/security-plus/sy0-401/ldap-and-secure-ldap/,
https://www.comptia.org/training/books/casp-cas-004-study-guide
A threat analyst notices the following URL while going through the HTTP logs.
Which of the following attack types is the threat analyst seeing?
- A . SQL injection
- B . CSRF
- C . Session hijacking
- D . XSS
D
Explanation:
XSS stands for cross-site scripting, which is a type of attack that injects malicious code into a web page that is then executed by the browser of a victim. The URL in the question contains a script tag that tries to execute a JavaScript code from an external source, which is a sign of XSS.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide,
https://owasp.org/www-community/attacks/xss/
The Chief Information Officer (CIO) of a large bank, which uses multiple third-party organizations to deliver a service, is concerned about the handling and security of customer data by those parties.
Which of the following should be implemented to BEST manage the risk?
- A . Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier’s post-contract renewal with a dedicated risk management team.
- B . Establish a team using members from first line risk, the business unit, and vendor management to assess only design security controls of all suppliers. Store findings from the reviews in a database for all other business units and risk teams to reference.
- C . Establish an audit program that regularly reviews all suppliers regardless of the data they access, how they access the data, and the type of data. Review all design and operational controls based on best practice standards and report the findings back to upper management.
- D . Establish a governance program that rates suppliers based on their access to data, the type of data, and how they access the data. Assign key controls that are reviewed and managed based on the supplier’s rating. Report findings to the units that rely on the suppliers and the various risk teams.
D
Explanation:
A governance program that rates suppliers based on their access to data, the type of data, and how they access the data is the best way to manage the risk of handling and security of customer data by third parties. This allows the company to assign key controls that are reviewed and managed based on the supplier’s rating and report findings to the relevant units and risk teams.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/third-party-risk-management
Company A is establishing a contractual relationship with Company B. The terms of the agreement are formalized in a document covering the payment terms, limitation of liability, and intellectual property rights.
Which of the following documents will MOST likely contain these elements?
- A . Company A-B SLA v2.docx
- B . Company A OLA v1b.docx
- C . Company A MSA v3.docx
- D . Company A MOU v1.docx
- E . Company A-B NDA v03.docx
C
Explanation:
An MSA is a master service agreement, which is a document that covers the general terms and conditions of a contractual relationship between two parties. It usually includes payment terms, limitation of liability, intellectual property rights, dispute resolution, and other clauses that apply to all services provided by one party to another.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.upcounsel.com/master-service-agreement
A company requires a task to be carried out by more than one person concurrently. This is an example of:
- A . separation of duties.
- B . dual control
- C . least privilege
- D . job rotation
B
Explanation:
Dual control is a security principle that requires two or more authorized individuals to perform a task concurrently. This reduces the risk of fraud, error, or misuse of sensitive assets or information.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/using-dual-control-to-mitigate-risk
A health company has reached the physical and computing capacity of its datacenter, but the computing demand continues to increase. The infrastructure is fully virtualized and runs custom and commercial healthcare applications that process sensitive health and payment information.
Which of the following should the company implement to ensure it can meet the computing demand while complying with healthcare standards for virtualization and cloud computing?
- A . Hybrid IaaS solution in a single-tenancy cloud
- B . PaaS solution in a multi-tenancy cloud
- C . SaaS solution in a community cloud
- D . Private SaaS solution in a single-tenancy cloud.
A
Explanation:
A hybrid IaaS solution in a single-tenancy cloud is the best option for the company to meet the computing demand while complying with healthcare standards for virtualization and cloud computing. A hybrid IaaS solution allows the company to use both on-premises and cloud-based resources to scale up its capacity and performance. A single-tenancy cloud ensures that the company’s data and applications are isolated from other customers and have dedicated resources and security controls.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
A developer implements the following code snippet.
Which of the following vulnerabilities does the code snippet resolve?
- A . SQL injection
- B . Buffer overflow
- C . Missing session limit
- D . Information leakage
A
Explanation:
SQL injection is a type of vulnerability that allows an attacker to execute malicious SQL commands on a database by inserting them into an input field. The code snippet resolves this vulnerability by using parameterized queries, which prevent the input from being interpreted as part of the SQL command.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://owasp.org/www-community/attacks/SQL_Injection
A security analyst is investigating a series of suspicious emails reported by employees to the security team. The emails appear to come from a current business partner and do not contain images or URLs. No images or URLs were stripped from the messages by the security tools the company uses; instead, the emails only include the following in plain text.
Which of the following should the security analyst perform?
- A . Contact the security department at the business partner and alert them to the email event.
- B . Block the IP address for the business partner at the perimeter firewall.
- C . Pull the devices of the affected employees from the network in case they are infected with a zero-day virus.
- D . Configure the email gateway to automatically quarantine all messages originating from the business partner.
A
Explanation:
The best option for the security analyst to perform is to contact the security department at the business partner and alert them to the email event. The email appears to be a phishing attempt that tries to trick the employees into revealing their login credentials by impersonating a legitimate sender. The security department at the business partner should be notified so they can investigate the source and scope of the attack and take appropriate actions to protect their systems and users.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://us-cert.cisa.gov/ncas/tips/ST04-014
A financial services company wants to migrate its email services from on-premises servers to a cloud-based email solution. The Chief Information Security Officer (CISO) must brief the board of directors on the potential security concerns related to this migration.
The board is concerned about the following:
* Transactions being requested by unauthorized individuals.
* Complete discretion regarding client names, account numbers, and investment information.
* Malicious attackers using email to distribute malware and ransomware.
* Exfiltration of sensitive company information.
The cloud-based email solution will provide anti-malware, reputation-based scanning, signature-based scanning, and sandboxing.
Which of the following is the BEST option to resolve the board’s concerns for this email migration?
- A . Data loss prevention
- B . Endpoint detection response
- C . SSL VPN
- D . Application whitelisting
A
Explanation:
Data loss prevention (DLP) is the best option to resolve the board’s concerns for this email migration. DLP is a set of tools and policies that aim to prevent unauthorized access, disclosure, or exfiltration of sensitive data. DLP can monitor, filter, encrypt, or block email messages based on predefined rules and criteria, such as content, sender, recipient, attachment, etc. DLP can help protect transactions, customer data, and company information from being compromised by malicious actors or accidental leaks.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.csoonline.com/article/3245746/what-is-dlp-data-loss-prevention-and-how-does-it-work.html
Which of the following BEST sets expectations between the security team and business units within an organization?
- A . Risk assessment
- B . Memorandum of understanding
- C . Business impact analysis
- D . Business partnership agreement
- E . Service level agreement
E
Explanation:
A service level agreement (SLA) is the best option to set expectations between the security team and business units within an organization. An SLA is a document that defines the scope, quality, roles, responsibilities, and metrics of a service provided by one party to another. An SLA can help align the security team’s objectives and activities with the business units’ needs and expectations, as well as establish accountability and communication channels.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://searchitchannel.techtarget.com/definition/service-level-agreement
A small company needs to reduce its operating costs. Vendors have proposed solutions, which all focus on management of the company’s website and services. The Chief Information Security Officer (CISO) insists that all available resources in the proposal must be dedicated, but managing a private cloud is not an option.
Which of the following is the BEST solution for this company?
- A . Community cloud service model
- B . Multi-tenancy SaaS
- C . Single-tenancy SaaS
- D . On-premises cloud service model
C
Explanation:
A single-tenancy SaaS solution is the best solution for this company. SaaS stands for software as a service, which is a cloud-based model that allows customers to access applications hosted by a provider over the internet. A single-tenancy SaaS solution means that the company has its own dedicated instance of the application and its underlying infrastructure, which offers more control, customization, and security than a multi-tenancy SaaS solution where multiple customers share the same resources. A single-tenancy SaaS solution also eliminates the need for managing a private cloud or an on-premises infrastructure.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.ibm.com/cloud/learn/saas
A security analyst is assisting the marketing department with ensuring the security of the organization’s social media platforms.
The two main concerns are:
* The Chief Marketing Officer’s (CMO’s) email is being used department-wide as the username.
* The password has been shared within the department.
Which of the following controls would be BEST for the analyst to recommend?
- A . Configure MFA for all users to decrease their reliance on other authentication.
- B . Have periodic, scheduled reviews to determine which OAuth configurations are set for each media platform.
- C . Create multiple social media accounts for all marketing users to separate their actions.
- D . Ensure the password being shared is sufficiently strong and not written down anywhere.
A
Explanation:
Configuring MFA for all users to decrease their reliance on other authentication is the best option to improve email security at the company. MFA stands for multi-factor authentication, which is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent unauthorized access to email accounts even if the username or password is compromised or shared.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.csoonline.com/article/3239144/what-is-mfa-how-multi-factor-authentication-works.html
A security engineer at a company is designing a system to mitigate recent setbacks caused by competitors that are beating the company to market with new products. Several of the products incorporate proprietary enhancements developed by the engineer’s company. The network already includes a SIEM and a NIPS and requires 2FA for all user access.
Which of the following systems should the engineer consider NEXT to mitigate the associated risks?
- A . DLP
- B . Mail gateway
- C . Data flow enforcement
- D . UTM
A
Explanation:
A DLP system is the best option for the company to mitigate the risk of losing its proprietary enhancements to competitors. DLP stands for data loss prevention, which is a set of tools and policies that aim to prevent unauthorized access, disclosure, or exfiltration of sensitive data. DLP can monitor, filter, encrypt, or block data transfers based on predefined rules and criteria, such as content, source, destination, etc. DLP can help protect the company’s intellectual property and trade secrets from being compromised by malicious actors or accidental leaks.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.csoonline.com/article/3245746/what-is-dlp-data-loss-prevention-and-how-does-it-work.html
The Chief Information Officer (CIO) asks the system administrator to improve email security at the company based on the following requirements:
* Transactions being requested by unauthorized individuals.
* Complete discretion regarding client names, account numbers, and investment information.
* Malicious attackers using email to distribute malware and ransomware.
* Exfiltration of sensitive company information.
The cloud-based email solution will provide anti-malware, reputation-based scanning, signature-based scanning, and sandboxing.
Which of the following is the BEST option to resolve the board’s concerns for this email migration?
- A . Data loss prevention
- B . Endpoint detection response
- C . SSL VPN
- D . Application whitelisting
A
Explanation:
Data loss prevention (DLP) is the best option to resolve the board’s concerns for this email migration. DLP is a set of tools and policies that aim to prevent unauthorized access, disclosure, or exfiltration of sensitive data. DLP can monitor, filter, encrypt, or block email messages based on predefined rules and criteria, such as content, sender, recipient, attachment, etc. DLP can help protect transactions, customer data, and company information from being compromised by malicious actors or accidental leaks.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://www.csoonline.com/article/3245746/what-is-dlp-data-loss-prevention-and-how-does-it-work.html
A company requires that all mobile devices be encrypted, commensurate with the full disk encryption scheme of assets such as workstations, servers, and laptops.
Which of the following will MOST likely be a limiting factor when selecting mobile device managers for the company?
- A . Increased network latency
- B . Unavailability of key escrow
- C . Inability to select AES-256 encryption
- D . Removal of user authentication requirements
C
Explanation:
The inability to select AES-256 encryption will most likely be a limiting factor when selecting mobile device managers for the company. AES-256 is a symmetric encryption algorithm that uses a 256-bit key to encrypt and decrypt data. It is considered one of the strongest encryption methods available and is widely used for securing sensitive data. Mobile device managers are software applications that allow administrators to remotely manage and secure mobile devices used by employees. However, not all mobile device managers may support AES-256 encryption or allow the company to enforce it as a policy on all mobile devices.
Reference:
https://www.comptia.org/training/books/casp-cas-004-study-guide ,
https://searchmobilecomputing.techtarget.com/definition/mobile-device-management