
CompTIA Cybersecurity CySA+ (CS0-001): Practice Test #2 of 2 - Results. Rated A

Pages: 34
Grade: A+
Uploaded on: 21-04-2023
Written in: 2022/2023

You are involved in an incident response and have discovered that data has been stolen that requires protection under federal law. Which of the following levels of technical expertise or management determines both when and where to bring law enforcement into the response?
A. Incident response team lead and legal department
B. Technical experts and management
C. Legal department and management
D. Technical experts and legal department
-Answer- C. Legal department and management
Explanation
Correct Answer: Management must be involved in any decision regarding bringing law enforcement into the picture. Additionally, the legal department can advise management when and where to bring law enforcement agencies into the incident response effort.
Incorrect Answers: Technical experts and the incident response team lead can advise both management and the legal department, but cannot make a decision on when or how to bring law enforcement agencies into the incident response.

Which of the following techniques are necessary to ensure the correct data is collected and analyzed in order to detect security issues on the network? (Choose two.)
A. Data prioritization
B. Data dissemination
C. Data correlation
D. Data aggregation
-Answer- C. Data correlation, D. Data aggregation
Explanation
Correct Answer: Data aggregation involves the ability to collect data from various disparate sources into a form that allows you to analyze it, regardless of source. Data correlation involves the ability to pull discrete pieces of data from each of these disparate sources that are related to each other and establish a pattern.
Incorrect Answers: Data dissemination involves sending specific data to the appropriate user. Data prioritization involves determining which data should be collected.
Both of these are important to the entire process of data collection, analysis, and dissemination as well.

Which of the following types of data is the primary type protected from a business perspective?
A. Intellectual property
B. PHI
C. PII
D. Financial information
-Answer- A. Intellectual property
Explanation
Correct Answer: Intellectual property is the lifeblood of a business. It's the special knowledge on how to make something, or a unique creation that allows an organization to distinguish itself from others.
Incorrect Answers: Although all these other types of data are important to protect, intellectual property is what keeps the business in the market.

Which of the following is required if your organization needs to make a general statement regarding its requirements for any aspect of its internal security?
A. Procedural document
B. Industry standard
C. Federal law or statute
D. Corporate security policy
-Answer- D. Corporate security policy
Explanation
Correct Answer: A corporate security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. Policies may cover a wide variety of items, and be very general or very specific. Examples of security policies include acceptable use policies, data classification policies, and access control policies.
Incorrect Answers: Industry standards are not required to develop policy, but they are frequently used to support or enforce policy. A policy document must be created first to specify the organization's unique requirements. Federal laws, statutes, and other regulations dictate to organizations what they must do with regard to data protection in general. The policy supports those laws, but is organization specific. Procedure documents only give step-by-step instructions on how to perform a particular task. They do not give organizational requirements from management.

All of the following are considerations in the decision to preserve or rebuild a compromised host, EXCEPT:
A. Replacement value of the system
B. Crime scene evidence
C. Ability to restore
D. Threat intelligence value
-Answer- A. Replacement value of the system
Explanation
Correct Answer: Normally, the replacement value in terms of dollars for the system is not a consideration in the decision to preserve it or rebuild it. Typically the value of the data makes the decision.
Incorrect Answers: These other choices are all considerations when making the decision to preserve or rebuild a system.

You are responsible for managing security on a corporate wireless network. In the past six months, you have discovered two rogue wireless access points, set up by internal users. Of the following, which would be the most effective security measure you can take to prevent this from occurring again?
A. Use IPSec.
B. Use WPA Enterprise and IEEE 802.1x.
C. Use MAC address filtering.
D. Use SSID cloaking.
-Answer- B. Use WPA Enterprise and IEEE 802.1x.
Explanation
Correct Answer: When using WPA Enterprise, you can set up IEEE 802.1x authentication between clients and wireless access points, ensuring that the devices are mutually authenticated to each other. This would prevent a client from authenticating to a rogue wireless access point.
Incorrect Answers: MAC address filtering only permits or denies connection to a wireless access based on hardware address, which can be easily spoofed. IPSec encrypts and authenticates traffic on local networks or VPNs.
It could be used on a wireless network, but it would not be the most effective solution. SSID cloaking merely hides the wireless network name and is not a valid security measure.

Which of the following describes data that relates to an individual's past, present, or future physical or mental health condition?
A. Trade secrets
B. PHI
C. PII
D. PCI
-Answer- B. PHI
Explanation
Correct Answer: Personal health information (PHI) is any data that relates to an individual's past, present, or future physical or mental health condition. Usually, this information is handled by a healthcare provider, employer, public health authority, or school. HIPAA requires appropriate safeguards to protect the privacy of personal health information, and it regulates what can be shared and with whom without patient authorization. HIPAA prescribes specific reporting requirements for violations.
Incorrect Answers: Personally identifiable information (PII) is information that can be used to distinguish an individual's identity. It is protected under several different laws. Payment card information is protected under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created to reduce credit card fraud and protect cardholder information. Trade secrets are protected under several international laws.

Which of the following is the most commonly used protocol to protect virtual private networks?
A. SSL
B. HTTP
C. SSH
D. IPSec
-Answer- D. IPSec
Explanation
Correct Answer: IPSec, when using tunnel mode, is the most commonly used protocol to protect traffic in a virtual private network.
Incorrect Answers: HTTP is an insecure protocol used to access web-based Internet traffic and sites. SSL is used to protect HTTP traffic, but is now considered insecure and has been deprecated. SSH is used to secure communications from host to host, and is not typically used in virtual private network applications.

You are working to ensure your organization meets internationally accepted standards in securing its information systems and data. You also want to have your organization certified by a third party as being compliant with these standards. Implementing which of the following frameworks will meet your stated goals?
A. National Institute of Standards and Technology Special Publications
B. Control Objectives for Information and related Technology (COBIT)
C. Information Security Management System (ISMS) standards, known as the ISO/IEC 27000 series
D. Information Technology Infrastructure Library (ITIL)
-Answer- C. Information Security Management System (ISMS) standards, known as the ISO/IEC 27000 series
Explanation
Correct Answer: The Information Security Management System (ISMS) standards, known as the ISO/IEC 27000 series, is an internationally recognized set of standards, created by international bodies, that helps organizations meet standards for information security. Additionally, organizations can be formally certified by an approved third party that they meet or exceed the ISO/IEC 27000 series standards.
Incorrect Answers: The National Institute of Standards and Technology (NIST) Special Publications are produced by the U.S. Department of Commerce and are not necessarily used or recognized internationally. ISACA's Control Objectives for Information and related Technology (COBIT) defines goals for security controls that should be used to properly manage IT, and to ensure that IT maps to business needs. It is not necessarily recognized as an international standard. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. It does not specifically cover information security, although parts of it do address this topic.

You have been authorized to perform a vulnerability scan on critical systems. Which of the following is NOT a consideration when planning the vulnerability scan for these systems?
A. Regulatory guidance
B. Time of day
C. Type of data
D. Cost
-Answer- D. Cost
Explanation
Correct Answer: The cost of the scan does not affect how a vulnerability scan is planned and executed. It also does not affect potential loss of systems and data.
Incorrect Answers: Regulatory guidance can affect constraints on scanning particular types of systems, such as those with healthcare data on them, in order to prevent data loss or disclosure. Type of data is a consideration because certain types of data, such as PHI and PII, cannot be exposed to a potential risk for loss or exposure. Time of day is a consideration because the scan cannot take place on critical systems when users require them to be fully operational and available.

Because packet capturing has trouble dealing with encrypted traffic, which of the following methods is used to intercept and analyze traffic that otherwise would be encrypted?
A. Dictionary attack
B. Brute-force cracking
C. Using an SSL or TLS proxy
D. Initialization vector attack
-Answer- C. Using an SSL or TLS proxy
Explanation
Correct Answer: In order to analyze the traffic, the organization must implement an SSL or TLS proxy that decrypts the traffic so it can be analyzed.
Incorrect Answers: Brute-force cracking, dictionary attacks, and initialization vector attacks are attack methods used by hackers to crack either passwords or WEP. They cannot be used to decrypt encrypted traffic for analysis.

Your company has been selected to provide information security services for a small chain of merchant stores. They currently are not adhering to any particular governance or standard to protect their data. They are especially concerned with protecting their customers' financial transaction data. Which of the following is an industry standard used to protect consumer financial data?
A. ISO/IEC 27000 Series
B. Payment Card Industry Data Security Standard
C. NIST Special Publication 800-37
D. COBIT
-Answer- B. Payment Card Industry Data Security Standard
Explanation
Correct Answer: The Payment Card Industry Data Security Standard (PCI-DSS) applies to any organization that is involved in processing credit card payments using cards branded by the five major issuers (Visa, MasterCard, American Express, Discover, and JCB).
Incorrect Answers: These other standards are applied to protect all types of data, not specifically financial data. Merchants that deal with credit card transactions are required to use the PCI-DSS.

Which of the following is the greatest technical concern when performing full packet captures on the network?
A. Type of traffic
B. Network interface throughput
C. Storage space
D. Privacy
-Answer- C. Storage space
Explanation
Correct Answer: Storage space is the greatest technical concern due to the fact that full packet captures occupy a great deal of storage space—far more than simply capturing header information. You must ensure you have enough storage space for extended full packet captures.
Incorrect Answers: Privacy is not a technical issue. Network interface throughput typically has nothing to do with the decision to capture only headers or full packets. The type of traffic does not typically matter, although there may be small differences in sizes between headers and full packets for different types of traffic.

You are a security administrator for a new company that is just starting up. Your manager tells you that you need to create a vulnerability management program.
When designing a vulnerability management program, what is the first thing you should identify?
A. Number of systems involved
B. Personnel responsible for performing the scans
C. Types of data the organization uses
D. Scan requirements
-Answer- D. Scan requirements
Explanation
Correct Answer: The first thing you should identify when designing a vulnerability management program is the requirements you have for the program. Requirements could include the type of governance you must satisfy when performing vulnerability scans, the scope of the scans, asset inventory, and organizational infrastructure, among others. Without knowing your requirements, you won't know what and how you're supposed to scan.
Incorrect Answers: Although some of these other items are definitely needed to create and then execute a vulnerability management plan, you must know the requirements you need to satisfy first.

Which of the following describes the integration of security, operations, and software development functional areas?
A. DevSecOps
B. DevSec
C. DevOps
D. OPSEC
-Answer- A. DevSecOps
Explanation
Correct Answer: The term DevSecOps consolidates development, security, and quality assurance, as well as the operations aspect of developing code.
Incorrect Answers: DevOps is a term associated with combining the development and QA functions in order to produce quality code. It does not include security. OPSEC is a military term denoting operations security. DevSec is a nonexistent term.

Which of the following terms best describes the amount of risk that an organization is willing to assume in pursuit of its business ventures?
A. Risk tolerance
B. Risk appetite
C. Mitigated risk
D. Residual risk
-Answer- B. Risk appetite
Explanation
Correct Answer: The risk appetite of an organization is the amount of risk that its senior executives are willing to assume in pursuit of business opportunities or ventures.
Incorrect Answers: Risk tolerance is the amount of variance an organization is willing to accept from its risk appetite. Residual risk is the amount of risk left over after all risk has been mitigated. Mitigated risk is risk that is reduced from its initial assessment.

You are reviewing and revising security policies for your organization. You have been instructed by management that because there has been an increased number of incidents involving employee misuse of company systems and data, the policies need to be updated to address this problem. Which of the following policies do you need to pay special attention to in order to help resolve this issue?
A. Password policy
B. Data classification policy
C. Data retention policy
D. Acceptable use policy
-Answer- D. Acceptable use policy
Explanation
Correct Answer: An acceptable use policy states restrictions on the actions users can and cannot take with regard to the organization's systems and data.
Incorrect Answers: A data retention policy specifies how long certain types of data must be retained by the organization. A data classification policy details the various data sensitivity levels within the organization and how each must be protected. The organization's password policy defines how passwords will be constructed, in terms of length and complexity.

You are responding to an incident involving data exfiltration from your organization. Which of the following events might require that you notify law enforcement?
A. Unauthorized disclosure of 600 patient records
B. Unauthorized disclosure of corporate officer salaries
C. Exfiltration of a proprietary manufacturing process
D. Exfiltration of company telephone numbers and e-mail addresses
-Answer- A. Unauthorized disclosure of 600 patient records
Explanation
Correct Answer: Federal law requires that records containing PHI be disclosed to law enforcement and other regulatory agencies if the number of records exceeds 500.
Incorrect Answers: Although it may be a good idea to involve law enforcement, the exfiltration of proprietary manufacturing processes does not require that you notify them. Corporate officer salaries are generally public knowledge, as required by the Securities and Exchange Commission—particularly for publicly held companies. The disclosure of company telephone numbers and e-mail addresses, although they may be sensitive in nature, is not required to be reported to law enforcement.

Which network-scanning tool is often used to generate an inventory of hosts on the network?
A. Nmap
B. Nikto
C. Metasploit Framework
D. Netcat
-Answer- A. Nmap
Explanation
Correct Answer: Nmap, typically used to scan for open ports and services, can also be used to scan for hosts on the network, which can then be compared with an earlier scan or a known inventory of hosts to determine whether there are any changes to the number of hosts on the network.
Incorrect Answers: Metasploit Framework is an exploitation tool. Nikto is a web vulnerability scanner, and netcat is a tool used by hackers to create a covert channel between two hosts.

Which of the following drives the frequency with which you would perform vulnerability scans?
A. Patch cycle
B. Configuration management procedures
C. Penetration testing schedule
D. Governance
-Answer- D. Governance
Explanation
Correct Answer: Governance drives the frequency of vulnerability scans because each individual directive may require a certain frequency of scanning.
Incorrect Answers: Each of these other choices is driven by management policy and is subject to change.

You are helping management to draft an organizational data classification policy. After you have determined the different types of data the organization processes and decided on the various sensitivity levels, who should be consulted to assist in determining what sensitivity level each data type should be classified as?
A. Chief Information Security Officer (CISO)
B. Chief Information Officer (CIO)
C. Data user
D. Data owner
-Answer- D. Data owner
Explanation
Correct Answer: The data owner is a member of management who is in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information. The data owner has due-care responsibilities and will be held responsible for any negligent act that results in the corruption or disclosure of the data. Data owners decide the classification of the data for which they are responsible and alter classifications if business needs arise.
Incorrect Answers: The CIO and CISO positions have overall responsibility for the organization's IT assets and their security, respectively, but may not necessarily have the expertise needed to determine data classification for specific data types or data sets. The data user is responsible for any data he or she accesses and interacts with, but cannot make any management decisions regarding what the sensitivity levels of the data should be.

If an intruder has physical access to the network, which of the following is a common tool for the intruder to use to gain network access and capture packets?
A. Honeypot
B. Passive tap
C. IDS/IPS
D. Bastion host
-Answer- B. Passive tap
Explanation
Correct Answer: A passive tap is a device used to eavesdrop on the signal on a network cable to intercept traffic.
Incorrect Answers: A bastion host is a security device that separates two disparate networks. A honeypot is used to attract potential attackers in order to learn their attack patterns and distract them from valuable targets. An IDS/IPS is used to detect and prevent network attacks.

Which of the following data classification labels within an organization would be most appropriate to protect engineering processes the company uses to remain competitive in the market?
A. Proprietary
B. Public
C. Confidential
D. Private
-Answer- A. Proprietary
Explanation
Correct Answer: Proprietary information is data that could cause some damage, such as loss of competitiveness to the organization.
Incorrect Answers: Private data, if improperly disclosed, could raise personal privacy issues. Confidential data is information that could cause grave damage to the organization if disclosed. This could include salary information, disciplinary information, or other potentially embarrassing information. Public data is information that can be disclosed to the public without any adverse effect to the organization. This data might be posted on a public website, for example.

Which of the following is the most likely scenario in which the human resources staff would become involved in an incident response?
A. If an employee discovered the incident
B. If an outsider is determined to be at fault for the incident
C. If an employee responded to the incident
D. If an employee had a role in causing the incident
-Answer- D. If an employee had a role in causing the incident
Explanation
Correct Answer: If an employee had a role in causing the incident, human resources staff would become involved, due to potential disciplinary issues or, even if the role was accidental, in retraining the employee so that the incident does not happen again.
Incorrect Answers: If an employee discovers or responds to an incident, this is not usually a scenario where human resources needs to be involved. If it is determined that an outsider is at fault for the incident, human resources has no reason to be involved.

All of the following are valid methods used to sanitize a drive, EXCEPT:
A. Encrypting
B. Degaussing
C. Formatting
D. Overwriting
-Answer- C. Formatting
Explanation
Correct Answer: Formatting does not remove data from the drive; it merely deletes the file table entry for the data. The data is still there until overwritten by other data.
Incorrect Answers: Overwriting, encrypting, and degaussing are all valid methods for sanitizing media.

Which of the following are factors contributing to a determination of the scope of impact of an incident? (Choose two.)
A. Loss of availability
B. Reduction of vulnerability
C. Loss of revenue
D. Reduction of threat
-Answer- C. Loss of revenue
Explanation
Correct Answer: Loss of revenue and loss of availability are definitely factors that contribute to the scope of an impact. Additional factors might include loss of confidentiality or integrity, loss of the asset itself to any degree, loss of productivity, and even loss of reputation or consumer confidence. Although some of these may be difficult to quantify, all would impact the organization to some degree.
Incorrect Answers: A reduction in the threat (typically in the likelihood of exploitation of a vulnerability) and a reduction of the vulnerability (that is, reducing its exposure) also reduce risk and therefore reduce the impact to the organization.

Which of the following are examples of context-based authentication? (Choose all that apply.)
A. Location data
B. Passwords
C. Time
D. Typing patterns
-Answer- A. Location data, C. Time, D. Typing patterns
Explanation
Correct Answers: All of these are context-based factors that can be used in conjunction with multifactor authentication.
Incorrect Answer: Passwords may be used as one factor in a multifactor authentication scheme (something you know), but they are not context based.

Which of the following is a common vulnerability found on an organization's servers?
A. Lack of encryption for all traffic entering and leaving the server
B. Allowing the server to run unnecessary services and open ports
C. Allowing too many users to access the server
D. Lack of two-factor authentication to access the server
-Answer- B. Allowing the server to run unnecessary services and open ports
Explanation
Correct Answer: It is a common vulnerability for servers to run multiple services and have an excessive number of open ports. Services should be dedicated to a specific task, and only run the minimum number of services and open ports needed.
Incorrect Answers: Although lack of two-factor authentication provides less security, it may not necessarily be required for the organization's use of the server. Not all traffic entering and leaving a server requires encryption. DNS queries, for example, are typically not encrypted if the server is a DNS server. The same applies to a DHCP server, where queries and responses are not encrypted. Finally, as many users as need access to the server for legitimate purposes should be allowed. Too many users might cause a performance issue, requiring load balancing, but this is typically not a vulnerability or security issue.

Which of the following vulnerabilities associated with virtual machines might allow an attacker to escape the VM and attack the host operating system?
A. Host operating system vulnerability
B. Virtual machine vulnerability
C. Hypervisor vulnerability
D. Virtual hardware vulnerability
-Answer- C. Hypervisor vulnerability
Explanation
Correct Answer: A vulnerability in the hypervisor that manages virtual machines could allow an attacker to actually escape a virtual machine and access the host operating system.
Incorrect Answers: A host operating system vulnerability would affect the host. A virtual machine vulnerability would only affect that particular virtual machine, as would a virtual hardware vulnerability.

Which of the following statements best describes the concept of containers in virtualization?
A. Containers separate specific resources for virtual machines, such as CPU time, RAM, and hard disk space.
B. Containers are Type-2 hypervisors.
C. Containers are Type-1 hypervisors.
D. Containers use the resources of the host operating system, instead of the guest operating system, enabling a user to run applications rather than entire operating systems.
-Answer- D. Containers use the resources of the host operating system, instead of the guest operating system, enabling a user to run applications rather than entire operating systems.
Explanation
Correct Answer: Containers use the resources of the host operating system, instead of the guest operating system, enabling a user to run applications rather than entire operating systems.
Incorrect Answers: Containers do not separate resources for virtual machines. Containers are also not a type of hypervisor.

You are registering for a domain name in Canada. Which regional Internet Registry would you use?
A. ARIN
B. RIPE NCC
C. AFRINIC
D. APNIC
-Answer- A. ARIN
Explanation
Correct Answer: ARIN handles the registries for Canada, many Caribbean and North Atlantic islands, and the United States.
Incorrect Answers: AFRINIC is responsible for Africa and portions of the Indian Ocean. APNIC handles portions of Asia and Oceania. RIPE NCC takes care of registries for Europe, the Middle East, and Central Asia.

You are reviewing a full packet capture in Wireshark. Most of the traffic you see is readable, but in some traffic, the payload is gibberish

Seller: Savior NCSU