CompTIA Security+ Sy0-501 Practice Test 02

A network intrusion prevention system (NIPS) installed on the supervisory control and data acquisition (SCADA) network can
intercept malicious traffic coming into the network and is the best choice of those given. The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them. A firewall provides a level of protection. However, it wouldn’t be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa’s system. A honeypot might be useful to observe malicious traffic, but wouldn’t prevent it.

The annual loss expectancy (ALE) is $15,000. The single loss expectancy (SLE) is $6,000 ($3,500 to repair or replace each server plus $2,500 in additional losses for each outage). The annual rate of occurrence (ARO) is 2.5 (five failures in two years or 5 / 2). You calculate the ALE as SLE × ARO ($6,000 × 2.5).

A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive. None of the other answers control USB drives. A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys. COPE (corporate-owned, personally enabled) is a mobile device deployment model. A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys.

This is an attempted buffer overflow attack. The vrfy buffer is designed to hold only 128 bytes so sending 999 bytes to it could cause the vrfy buffer to be overrun crashing the email server. As a best practice, the vrfy command is disabled on email servers, which causes this command to fail.
It's useful to break down this command. The echo command will print specified text. The vrfy command is used to verify a username in a mailbox on an email server. The 'perl -e 'print "a" x 999" " prints the letter "a" 999 times. The result is 999 a's. The | operator pipes the result of the previous command to the next command. In this case, it sends the output of the echo command (999 a's) to port 25 of the getcertifiedgetahead.com server using nc (netcat).

A SQL injection attack will typically use a SELECT command and the scenario doesn't give any indication that a database is being queried.

Cross-site request forgery (XSRF or CSRF) is an attack where an attacker tricks a user into performing an action on a web site, but the scenario indicates a security tester is entering the command.

Address Resolution Protocol (ARP) poisoning is an attack that misleads computers or switches about the actual MAC address of a system.

Pivoting is the process of accessing other systems through a single compromised system. Reconnaissance techniques are done before attacking a system. A successful attack on a single computer is the initial exploitation. Escalating privileges attempts to gain higher privileges on a target.

VM sprawl occurs when an organization has many VMs that aren’t managed properly. Unmonitored VMs typically won’t get updated and can be vulnerable to attacks. VM escape is an attack that allows an attacker to access the host system from within the virtual system. A virtual desktop infrastructure (VDI) provides users with virtual desktops hosted on a server. A VDI snapshot is commonly used to provide users with the same non-persistent desktop that doesn’t save changes. The VMs might be Type II hypervisors (running as software within a host operating system), but that isn’t relevant to leaving them running and unmonitored.

A privacy threshold assessment helps an organization identify Personally Identifiable Information (PII) within a system, and in this scenario, it would help the organization determine if the customer data is PII. A privacy impact assessment is done after you have verified that the system is processing PII, not to determine if the data is PII. A tabletop exercise is a discussion-based exercise used to talk through a continuity of operations plan. Affinity scheduling is a load-balancing scheduling scheme using the client’s IP address and is unrelated to PII.

The application should be recoded to adhere to the company’s password policy, so the best response is to direct the application team manager to do so. Application passwords should be strong and should adhere to an organization’s security policy. It is not appropriate to weaken a security policy to match a weakness in an application. Nor is it appropriate to simply document that the application uses a weak password.

You would create rules to block all incoming traffic from private IP addresses. The border router is between the internal network and the Internet and any traffic coming from the Internet with a private IP address is a spoofed source IP address. All outgoing traffic will typically use a private IP address, so you shouldn’t block this outgoing traffic. A flood guard on a switch protects against media access control (MAC) flood attacks and is unrelated to this question. A web application firewall protects a web application and is unrelated to antispoofing.

The dd command is available on Linux systems and it is used to copy files for analysis. As an example, the dd if=/dev/sda2
of=sd2disk.img command creates an image of a disk without modifying the original disk. None of the other choices creates an image of a drive. Hashing algorithms create a hash of a file. Screenshots create a graphic from a computer screen. Logs record log entries in files.

Admittedly, this is much deeper than I would expect for a Security- exam. However, based on the objectives, test item writers that are also developers may consider it a valid question to ask. 

Here is the simplest explanation: 

• This is a pointer dereference issue, or more specifically. a null-pointer dereference issue.
• The object stuffed = nuilline creates an object (called stuffed) and assigns it a value of null (nothing).
• The stuffed.heat 0; line attempts to execute a method within a non-existent (null) object and causes a null-pointer
dereference error (or exception).
• If code attempts to use an object with a value of null, it assumes the object reference points to a valid memory error,
but it doesn't.

Programming languages allow you to assign null to objects when creating them so the code doesn't describe an invalid null assignment. 

While this will throw a NullPointerException error, the error isn't the problem. The code that causes the pointer dereference error is the problem. 

• If the code is configured to handle exceptions (errors) gracefully, it doesn't cause a significant vulnerability.
• However, if the code doesn't handle the exception gracefully, an attacker may be able to exploit the exception.

Note: The difference between the code causing a null-pointer dereference error, and the NullPointerException error that it causes is subtle. Think of it this way. Bart is driving down the road at 100 MPH on his new Harley Davidson motorcycle. Chief Wiggum witnesses this and gives him a ticket. While Bart may think that the ticket is the problem, the actual cause is him speeding at 100 MPH.

This exception doesn't necessarily cause a buffer overflow vulnerability. However, depending on how the application handles the exception (or doesn't handle the exception), an attacker may be able to use exception to cause a buffer overflow.

Deep Dive

If you're interested in a deeper understanding of this question, feel free to read on.

If you are a Java developer, the syntax of the second line is probably familiar to you. It is a standard line to identify the Main method, or the entry point for the application.

public static void main (String[] ergs)

If you aren't a Java developer and this is the first time you saw it, you'd just have to guess about the programming language.

Understanding the Code

•The code is creating a class called donuts.

public class donuts {

A class provides a definition for an object but it doesn't create an object.
For comparison, a home builder has building plans to create a home. These plans aren't a home.
However, the builder can create multiple homes using these plans.
Similarly, a class provides the building plans (or the definition) of an object. The class isn't an object.
However, an application can create multiple instances of the object (donuts in this example) using the definition provided
by the class.

•The following line creates an instance of stuffed donut and assigns a value of null (nothing) to the object.

object stuffed = null;

A value of null indicates that the object doesn't have any identification.
An object is an instance of a class. It typically has properties that describe it and methods that identify actions for the
object.
In this example, "stuffed" indicates it is a stuffed donut.

• Properties may be jelly-filled, chocolate-filled, no-stuffing, and so on.
• A simple method may be "heat" (to make it hot).

•The next line is the error.

stuffed.heat ( ) ;

It tries to call the heat method of a null object. In Java, it throws the NullPointerException error.

This describes a rogue access point (AP). More specifically, it is an evil twin, which is a rogue AP with the same SSID as a legitimate access point. While the person setting up the rogue AP may be evil, a CompTIA question won't ask you to evaluate the character of an attacker. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks.

The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices. The waterfall model isn’t as flexible and focuses instead on completing the project in stages. Both agile and waterfall are software development life cycle (SDLC) models, which is a generic concept designed to provide structure for software development projects. Secure DevOps is an agile-aligned development methodology that focuses on security considerations throughout a project.

A heuristic-based (also called anomaly-based or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. Flood guards help protect against flood attacks (such as a SYN flood attack). Signature-based systems (also called definition-based) use signatures of known attack patterns to detect attacks. A honeypot is a server designed to look valuable to an attacker and can divert attacks.

The master image is the baseline and the administrators performed integrity measurements to identify baseline deviations. By comparing the list of applications in the baseline with the applications running on the suspect computer, you can identify unauthorized applications. None of the other answers include the troubleshooting steps necessary to discover the problem. The master image would include only the applications, services, and protocols needed to meet the principle of least functionality. A sandbox is an isolated area of a system, typically used to test applications. A blacklist is a list of prohibited applications.

Running a last logon script allows you to identify inactive accounts, such as accounts that haven’t been logged on to in the last 30 days. It’s appropriate to disable unused accounts, but it isn’t necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable the accounts you notice, you might disable accounts that some employees are still using, and you might miss some accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn’t address previously created accounts.

RAID-1 (mirroring) requires a minimum of two disks.

RAID-5 (striping with parity) requires a minimum of three disks.

RAID-6 (striping with parity) requires a minimum of four disks.

A tabletop exercise is discussion-based and is typically performed in a classroom or conference room setting. Because this is a
meeting that includes disaster recovery personnel, it is a tabletop exercise. Functional exercises are hands-on exercises and include simulations and full-blown tests.

A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role- based access control (role-BAC) model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list.

The chief technology officer (CTO) should ensure systems are not susceptible to unauthorized changes, which is an element of integrity. A security program should address the three core security principles of confidentiality, integrity, and availability (CIA). The system in the example is already addressing confidentiality and availability. Ensuring critical systems provide uninterrupted service addresses availability. Protecting data and securing data to prevent unauthorized disclosure addresses confidentiality.

A certificate revocation list (CRL) provides the best solution in this scenario. After a CRL is retrieved, systems hold a copy of it for a period of time (in a cache) and instead of downloading the same CRL every time a system needs to validate a certificate, they just look at the cached copy of the CRL.

Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response to validate certificates. Because OCSP responds in real-time, it is susceptible to Internet outages.

A Subject Alternative Name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization.

PEM-based certificates can be used for just about anything. They can be formatted as Canonical Encoding Rules (CER, binary files) or Distinguished Encoding Rules (DER, ASCII files). They are often used as a Base64 encoded DER certificate.

Source address IP affinity scheduling allows a load balancer to direct client requests to the same server during a web session. Round-robin scheduling simply sends each request to the next server. Load balancers can use a virtual IP, but this refers to the IP address of the web server, not the IP address of a visitor. An active-passive configuration has at least one server that is not actively serving clients, but the scenario doesn’t indicate any of the servers are in a passive mode.

You would most likely configure the Uniform Resource Locator (URL) filter on the unified threat management (UTM) security appliance. This would block access to the peer-to-peer sites based on their URL. Content inspection and malware inspection focus on inspecting the data as it passes through the UTM, but they do not block access to sites. A distributed denial-of-service (DDoS) mitigator will attempt to block incoming DDoS attack traffic.

A network intrusion prevention system (NIPS) is the most relevant security control of those listed to ensure availability of the supervisory control and data acquisition (SCADA) system. A data loss prevention (DLP) system helps prevent loss of data, but wouldn’t protect a SCADA system from potential attacks. A Trusted Platform Module (TPM) is a hardware chip on a computer’s motherboard that stores cryptographic keys used for encryption. An electromagnetic pulse (EMP) is a short burst of electromagnetic energy and unrelated to a SCADA system.

Taking a snapshot of the virtual machine (VM) before deploying it ensures that the VM can be reverted to the original configuration if the new application causes problems. Taking a snapshot after the installation doesn’t allow you to revert the image. Non-persistence is used in a virtual desktop infrastructure (VDI), where user changes to the desktop are not changed. It isn’t appropriate to use non-persistence on a virtual server. Backing up the server might be appropriate before installing the new application but not after.

An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it
defines acceptable rules of behavior. A non- disclosure agreement (NDA) ensures that individuals do not share proprietary data with others. A bring your own device (BYOD) policy identifies requirements for employee- owned mobile devices. The dd command (short for data duplicator) is available on Linux systems to copy files or entire disk images. Forensic analysts use it to create an image of a disk without modifying the original disk.

Input validation should be performed on the server side. Clientside validation can be combined with server-side validation, but it can be bypassed, so it should not be used alone. Boundary or limit checks are an important part of input validation. Pointer dereference techniques use references to point to values and are unrelated to input validation techniques.

The Network Time Protocol (NTP) provides time synchronization services, so enabling NTP on servers would meet this use case. The Real-time Transport Protocol (RTP) delivers audio and video over IP networks, and Secure RTP (SRTP) provides encryption, message authentication, and integrity for RTP. Protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol v3 (POP3), and Internet Message Access Protocol version 4 (IMAP4) are used for email. Encrypting data isn’t relevant to time synchronization services provided by NTP.

Container-based virtualization (also called application cell virtualization) uses the same operating system kernel of the host computer. It is often used to run isolated applications or services within a virtual environment. Type I hypervisor virtualization runs directly on the system hardware. Type II hypervisor virtualization runs VMs that all include their own operating system, including their own kernel. A virtual desktop environment (VDE) provides a full desktop operating system to users.

A permission auditing and review process verifies that the principle of least privilege is followed. This includes ensuring users can access only the resources they need to perform their job. Continuous monitoring includes monitoring all relevant security controls, but isn’t the best choice for this specific scenario. A vulnerability scan will discover vulnerabilities on a system or network and a penetration test will scan a system or network and attempt to exploit vulnerabilities. However, vulnerability scans and penetration tests cannot verify a user has the appropriate privileges.

Code signing provides a digital signature for the code and verifies the publisher of the code and verifies that it hasn’t been modified since the publisher released it. None of the other answers verify the application hasn’t been modified. Input validation verifies data is valid before using it. Code obfuscation makes the code more difficult to read. Stored procedures are used with SQL databases and can be used for input validation.

Kerberos uses a ticket-granting ticket (TGT) server, which creates tickets for authentication. Shibboleth is a federated identity solution used in some single sign-on (SSO) solutions. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for some SSO solutions. Lightweight Directory Access Protocol (LDAP) is an X.500- based authentication service used to identify objects.

Tailgating is the practice of following closely behind someone else without using credentials. In this scenario, Bart might be an employee who forgot his badge, or he might be a social engineer trying to get in by tailgating. Spear phishing and whaling are two types of phishing with email. Mantraps prevent tailgating.

The design is using load balancing to spread the load across multiple application servers. The scenario indicates the goal is to use multiple servers because of heavy processing requirements, and this is exactly what load balancing does. Clustering is typically used to provide high availability by failing over to another server if one server fails. RAID provides fault tolerance for disk drives, not servers. Affinity scheduling helps ensure clients go to the same server during a session, but this isn’t relevant to this scenario.

The court order specified a legal hold on email from the last three years, so all the backups for the last three years should be kept. If the backups had been destroyed before the court order, they wouldn’t be available, so the legal hold wouldn’t apply to them. Deleting them after the court order is illegal. Protecting only the backups from the last 12 months or the last two years doesn’t comply with the court order.

A security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources and can aggregate and correlate logs. None of the other choices aggregate and correlate logs. Nmap is a network scanner that can discover and map devices on a network. Netcat is a command-line tool that can be used to connect to servers. Wireshark is a graphical-based protocol analyzer.

This is a port scan. The key is to understand the log format. In this example, it is:

Time - Source IP : Port - Destination IP : Port 

Each packet was sent 

• At 10:10 PM (22:10 using a 24-hour clock format)
• From a source computer with an IP address of 10.10.80.5
• From the source computer's port 49154
• To the destination computer with an IP address of 192.168.1.15
• To the destination computer's ports of 20, 21, 23, and 25
How do you know the source computer has an IP address of 10.10.80.5? 

The packets are always coming from the same port of 49154. Also, with the varied ports (20, 21, 23, and 25) on the destination computer helps you identify it as port scan. 

A ping sweep attempts to identify active IP addresses on a network. It typically uses Internet Control Message Protocol (ICMP) to check a range of IP addresses, but it doesn't use different ports. 

A service scan is typically done after a port scan. It checks to see if the system is actually running the service associated with well-known port.

A SYN stealth scan uses part of the TCP three-way handshake to see if a system responds and identify active IP addresses on a network. It sends the SYN packet and waits for the SYN/ACK packet. If it receives it, it typically responds with a RST packet to reset and close the connection.

Dynamic analysis techniques (such as fuzzing) can test the application’s ability to maintain availability and data integrity for some scenarios. Fuzzing sends random data to an application to verify the random data doesn’t crash the application or expose the system to a data breach. Model verification ensures that the software meets specifications and fulfills its intended purpose, but it doesn’t focus on reliability or integrity. Input validation and error-handling techniques protect applications, but do not test them.

The ifconfig command displays network settings on a Linux computer. This includes the IP address, subnet mask, and default gateway assigned to the network interface card (NIC). The ipconfig command performs similar checks on Windows computers, but not on Linux systems. Netstat shows network statistics and active connections but not the network settings. The tracert command traces the route of data and can help determine which network devices are failing.

Removing all shared accounts is the best answer of the available choices. If two employees are using the same account, and one employee maliciously deletes data in a database, it isn’t possible to identify which employee deleted the data. File and folder access control lists (ACLs) identify permissions for users, but don’t control the user identity. Role-based (or group-based) privileges assign the same permissions to all members of a group, which simplifies administration. A single sign-on (SSO) solution allows a user to log on once and access multiple resources.

Domain Name System Security Extensions (DNSSEC) add security to DNS systems. The functions in the list indicate that the server in the demilitarized zone (DMZ) is a DNS server.

DNS servers identify mail servers with MX records, provide IPv4 addresses of systems with A records, and provide IPv6 addresses with AMA records.

DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. While a DNS server responds to DNS queries with A and AMA records, DNS without DNSSEC doesn't prevent poisoning attacks.

RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn't provide adequate protection. Nslookup is a command-line tool used to test DNS, but it doesn't provide any DNS services.

His account should be disabled (or deleted if that is the company policy) during the exit interview. It’s appropriate to conduct an exit interview immediately before an employee departs. Employees often give a two-week or longer notice. If their access is revoked immediately, they won’t be able to do any more work. While some companies do terminate employment when someone gives notice, from a security perspective, it’s best to take action related to the user account. The purpose of a mandatory vacation is to detect fraud, but if the employee is leaving, any potential fraud will be detected when that employee leaves.

A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds. An HMAC-based One-Time Password (HOTP) creates passwords that do not expire. A Common Access Card (CAC) is a type of smart card, but it does not create passwords. Kerberos uses tickets instead of passwords.

A vulnerability scanner is passive and has the least impact on systems, and it can detect systems that are lacking specific security controls. Network scanners use methods such as a syn stealth scan and a ping scan to discover devices on a network, but they don’t identify missing security controls. A penetration test is invasive and does not have the least impact on systems.

The database servers are in an active-active load-balancing configuration because web servers can query both database servers. In an active-passive configuration, only one of the database servers would be answering queries at any given time. Round-robin and affinity are two methods of scheduling the load balancing in an active-active configuration.

The ping command sends Internet Control Message Protocol (ICMP) echo requests and checks for ICMP echo replies. Arp resolves IP addresses to media access control (MAC) addresses and does not use echo commands. Ipconfig checks the configuration of a NIC. Netstat shows active connections and network statistics.

A password salt is additional random characters added to password before hashing the password, and it decreases the success of password attacks. Rainbow tables are used by attackers and contain precomputed hashes. Message Digest 5 (MD5) is a hashing algorithm that creates hashes, but the scenario already states that passwords are hashed. Input validation techniques verify data is valid before using it and they are unrelated to protecting hashed passwords.

A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn’t directly provide the access. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access.

Iptables include settings used by the Linux Kernel firewall and can be used to replace a firewall. While it’s possible to implement iptables on a wireless access point (assuming it is Linux-based), iptables still function as a firewall, not a wireless access point. A Layer 2 switch routes traffic based on the destination media access control (MAC) address, but iptables focus on IP addresses. A network bridge connects multiple networks together.

The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so that they would automatically expire when no longer needed, but the scenario doesn’t indicate the accounts have an expiration date. Because the contractors need to access the accounts periodically, it’s better to disable them rather than delete them. Reset the accounts implies you are changing the password, but this isn’t needed.

A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server’s web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created on switches in the internal network. A firewall does provide protection for the web server, but doesn’t necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic.

A logic bomb is code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Dr. Bob Terwilliger is no longer employed at the company). In this scenario, the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. Spyware is software installed on user systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Ransomware demands payment as ransom.

Cable locks are effective equipment theft deterrents for laptops and other systems. Snapshots refer to digital snapshots that capture the state of a virtual machine at a moment in time. Passwords prevent unauthorized access to systems but don’t provide physical security. A virtual desktop infrastructure (VDI) allows users to access a desktop on a remote server. A persistent VDI saves the user changes on the desktop, but it does not deter thefts.

A sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to the original state. A baseline image is a starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network, and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented.

Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted. Full database encryption and whole disk encryption aren’t appropriate because everything doesn’t need to be encrypted to protect the credit card data. File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application.

The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose. RTO only refers to time, not data. RPO refers to data recovery points, not time to restore a system.

A software defined network (SDN) typically uses an attributebased access control (ABAC) model, which is based on attributes that identify subjects and objects within a policy. A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects. A mandatory access control (MAC) model uses labels assigned to subjects and objects. A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions.

A location-based policy restricts access based on location, such as with an IP address, and this is the best possible answer of those given. The scenario indicates they could use the virtual private network (VPN) connection from home, but it was blocked when they tried to access it from the library. A time-of-day access control restricts access based on the time of day, but the scenario doesn’t indicate the time. Neither a discretionary access control model nor a role-based access control model restricts access based on location.

A digital signature provides assurances of who sent an email and meets the goal of this scenario. Although a spam filter might filter a spear phishing attack, it does not provide assurances about who sent an email. A training program would help educate employees about attacks and would help prevent the success of these attacks, but it doesn’t provide assurances about who sent an email. Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have virus signatures.

A stateful firewall filters traffic based on the state of the packet within a session. It would filter a packet that isn’t part of a TCP three-way handshake. A stateless firewall filters traffic based on the IP address, port, or protocol ID. While it’s appropriate to place a network firewall in a demilitarized zone (DMZ), a network firewall could be either a stateless firewall or a stateful firewall. An application-based firewall is typically only protecting a host, not a network.

The best choice is Triple Data Encryption Standard (3DES). None of the other answers are valid replacements for the symmetric
encryption algorithm Data Encryption Standard (DES). Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to digitally sign and encrypt email. Hash-based Message Authentication Code (HMAC) is a hashing algorithm used to verify the integrity and authenticity of messages. Transport Layer Security (TLS) uses both symmetric and asymmetric encryption to encrypt data-in-transit, not data-at- rest.

When creating temporary accounts, i t ’s best to configure expiration dates so that the system will automatically disable the accounts on the specified date. History, password expiration, and complexity all refer to password policy settings. However, it’s rare to configure a specific password policy on a single account.

The best solution is to use certificates signed by an internal private Certificate Authority (CA). This ensures connections use Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP. Even if the organization doesn’t have an internal CA, it is possible to create one on an existing server without incurring any additional costs. A code signing certificate provides a digital signature for an application or script, not an entire web server. A wildcard certificate is used for a single domain with multiple subdomains. It is not used for multiple web servers unless they all share the same root domain name, but the scenario doesn’t indicate the web servers share the same root domain name. You would not create a public CA to support internal private servers. While it is feasible to purchase certificates from a public CA, that would cost money, but the scenario indicates money isn’t available.

A redundant array of inexpensive disks 10 (RAID-10) subsystem provides fault tolerance for disks and increases data availability. An alternate processing site might be used for a mission-essential function, but it is expensive and does much more than increase the availability of data. Backups help ensure data availability, but they do not help with fault tolerance. A Faraday cage is a room or enclosure that prevents signals from emanating beyond the room.

You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data-intransit). Secure File Transfer Protocol (SFTP) uses SSH to encrypt File Transfer Protocol (FTP) traffic. FTP, Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in cleartext unless they are combined with an encryption protocol.

A non-disclosure agreement (NDA) helps ensure that proprietary data is not shared. It can be written to ensure that employees don’t share proprietary data or business partners don’t share proprietary data. A memorandum of understanding (MOU) expresses an understanding between two or more parties indicating their intention to work together toward a common goal. A business partners agreement (BPA) details the relationship between business partners, including their obligations toward the partnership. An interconnection security agreement (ISA) specifies the technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.

A remote attestation process checks a computer during the boot cycle and sends a report to a remote system. The remote system attests, or confirms, that the computer is secure. None of the other answers sends data to a remote system. A Trusted Platform Module (TPM) is a hardware chip on a motherboard and provides a local secure boot process. A TPM includes an encryption key burned into the CPU, which provides a hardware root of trust. A trusted operating system meets a set of predetermined requirements typically enforced with the mandatory access control (MAC) model.

A lower crossover error rate (CER) indicates a more accurate biometric system. The false acceptance rate (FA R ) and the false rejection rate (FRR) vary based on the sensitivity of the biometric system and don’t indicate accuracy by themselves. A higher CER indicates a less accurate biometric system.

The /var/log/btmp log contains information on user failed login attempts. While not available as an answer, /var/log/auth also includes information on failed login attempts. While the /var/log/faillog log includes information on failed logins, /var/log/fail isn’t a valid log name in Linux. The /var/log/httpd directory includes logs from the Apache web server, when i t ’s installed. The /var/log/kern log contains information logged by the system kernel.

This command sends a query to the server over port 80 and if the server is running a service on port 80, it will connect. This is a
common beginning command for a banner grabbing attempt. It does not send 80 separate packets. Netcat is often used to remotely administer servers, but not using port 80. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario.

Of the given choices, an untrained user is the most likely vulnerability in this scenario. A trained user would be less likely to click
on a malicious link received in an email. While the attack describes ransomware, ransomware isn’t a vulnerability. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack often results in resource exhaustion, but that is the result of an attack, not a vulnerability. An insider threat implies a malicious insider, but there isn’t any indication that the new employee was malicious.

The best solution is to create a rule in the password policy for the password minimum age. Currently, users can change their passwords five more times in just a couple of minutes, changing it back to their original password on the sixth change. None of the other settings prevent the users from doing this. A password history of 10 forces the users to take a couple more minutes to get back to the original password. The password policy currently requires complex passwords. A maximum age of 60 days increases how long a user can keep the same password.

Digital signatures will support a use case of supporting nonrepudiation. Digital signatures don’t encrypt data, so they do not support a use case of supporting confidentiality. Redundancy and fault-tolerance solutions will increase availability. Steganography is one way of supporting obfuscation.

P12 (PKCS #12) certificates commonly include a private key and they are used to install a private key on a server. A Distinguished Encoding Rules (DER)–based certificate is an ASCII encoded file, but P12 certificates are Canonical Encoding Rules (CER) binary encoded files. A P7B (PKCS #7) certificate never includes the private key. CRT isn’t a valid certificate type, though many certificates do use the .crt extension.

Lisa would decrypt the digital signature with Bart’s public key and verify the public key is valid by querying a Certificate Authority (CA). The digital signature provides verification that Bart sent the message, non-repudiation, and integrity for the message. Bart encrypts the digital signature with his private key, which can only be decrypted with his public key. Lisa’s keys are not used for Bart’s digital signature, but might be used for the encryption of the email. Although not part of this scenario, Bart would encrypt the email with Lisa’s public key and Lisa would decrypt the email with Lisa’s private key.

Running the scans as credentialed scans (within the context of a valid account) allows the scan to see more information and typically results in fewer falsepositives. Non-credentialed scans run without any user credentials and can be less accurate. Passive reconnaissance collects information on a target using open-source intelligence. All vulnerability scans use active reconnaissance techniques.

The sender is using the social engineering principle of authority in this scenario. A chief executive officer (CEO) would respect legal authorities and might be more inclined to open an attachment from such an authority. While the scenario describes whaling, a specific type of phishing attack, whaling and phishing are attacks, not social engineering principles. The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario.

Using directional antennas on both access points (APs) is the best choice to meet this need because they have high gain with a very narrow radiation pattern. Omnidirectional antennas transmit the signal in all directions at the same time and are not a good choice when connecting networks between two buildings. Wider channels reduce the range of wireless transmissions and aren’t a good choice here. Because 802.11ac uses only the 5 GHz frequency band, you can’t use 2.4 GHz.

Vendor diversity is a defense in depth strategy that provides resiliency. Resiliency includes the ability to withstand deliberate attacks. Using different vendor firewalls in the demilitarized zone (DMZ) helps protect the internal network from attacks because it is unlikely that both vendor firewalls will be susceptible to new vulnerabilities at the same time.

Homogeneity refers to the sameness of things and is the opposite of diversity.

Elasticity refers to the ability of a system to increase and decrease computing capacity based on the load.

Because the firewalls are from different vendors, configurability becomes a challenge because administrators must know how to configure each correctly.

Some people consider this a vulnerability rather than a security advantage.

A RAID-0 does not provide fault tolerance so all of the space is available for data storage. With two 400 GB drives, you have 800 GB of storage.

Non-repudiation methods such as digital signatures prevent users from denying they took an action. Encryption methods protect confidentiality. Access control methods protect access to data.

The chief technology officer (CTO) is recommending vendor diversity for the demilitarized zone (DMZ). Firewalls from different
companies (vendors) provide vendor diversity. This also provides defense in depth or layered security, but not single-layer security. Control diversity is the use of different controls such as technical, administrative, and physical. Redundancy is the use of duplicate components for fault tolerance, but the two firewalls work together in the DMZ.

The winserver.exe file is a remote access Trojan (RAT). All of the other executable names displayed by netstat are valid.
 
A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction.

A logic bomb is a string of code embedded into an application or script that will execute in response to an event.

Ransomware is a specific type of Trojan that typically encrypts the user's data until the user pays a ransom.

Ransomware that encrypts data is often called crypto-malware.

Because winserver.exe is known malware, the netstat output does indicate malware is running.

A distributed denial-of-service (DDoS) mitigator attempts to block DDoS attacks and should be placed at the border of the network, between the private network and the Internet. If the network includes a demilitarized zone (DMZ), the appliance should be placed at the border of the DMZ and the Internet. Placing it in the DMZ or the internal network doesn’t ensure it will block incoming traffic.

A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources. A network mapper can detect all the devices on a network and a network scanner can detect more information about these devices, but neither of these tools aggregates and correlates logs. Nmap is a command-line network scanner.

A cross-site scripting (XSS) attack can be blocked by using input validation techniques to filter special characters such as the
characters used in HTML code. None of the other listed attacks require the use of special characters. A man-in-the-browser attack exploits vulnerabilities in browsers to capture user data entries. An amplification attack increases the amount of data sent to a victim to overwhelm it. A domain hijacking attack changes the domain registration of a domain name without permission of the owner.

A change management policy helps reduce risk associated with making any changes to systems, including updating them. Patches should be tested and evaluated before implementing them and implementing them when they are released sometimes causes unintended consequences. The use of a trusted operating system or operating systems with secure configurations doesn’t address how they are updated.

The Electronic Codebook (ECB) mode of operation encrypts blocks with the same key, making it easier for attackers to crack. The other cipher modes are secure and can be used. Cipher Block Chaining (CBC) mode is used by some symmetric block ciphers, though it isn’t as efficient. Counter (CTM) mode combines an initialization vector (IV) with a counter and effectively converts a block cipher into a stream cipher. Galois/Counter Mode (GCM) combines the Counter mode with hashing techniques for data authenticity and confidentiality.

A round-robin scheduling scheme allows a load balancer to send requests to servers one after another. Affinity scheduling directs user requests to a specific server based on the user’s IP address to ensure that the user accesses the same server during a web session. An airgap ensures that computing systems are physically separated from each other and is unrelated to this question. A mantrap prevents unauthorized entry using the social engineering tactic of tailgating.

Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question. A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication. Containerization isolates an application, protecting it and its data. Tethering allows one device to share its Internet connection with other devices.

Banner grabbing is a technique used to gain information about a remote server and it will identify the operating system of the system in the demilitarized zone (DMZ). A vulnerability scanner checks for vulnerabilities. A password cracker attempts to discover passwords. A protocol analyzer collects packets sent across a network and can be used to analyze the packets.

You can maintain confidentiality of any data, including Personally Identifiable Information (PII) with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, nonrepudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem.

Owners are responsible for identifying the proper classification of data, ensuring it is labeled correctly, and ensuring security controls are implemented to protect the data. A data steward is responsible for routine daily tasks such as backing up data. A privacy officer is responsible for ensuring the organization is complying with relevant laws. End users need to be trained on common threats, such as malware and phishing attacks.

The centralized access point (AP) is a fat AP and it configures thin APs in the network. The fat AP could also be called a stand-alone, intelligent, or autonomous AP and it is used to configure thin APs, not fat APs. Thin APs do not configure other APs. Stand-alone APs are not configured by other APs.