Product Questions Reformatted PDF

Uploaded by RedeemingTennessine6257

Summary

This document includes product questions, answers, and explanations related to networking and security topics. It covers various security concepts like eavesdropping, non-repudiation, account types, and security policies.

Product Questions: 102
Version: 6.0

Question: 1
Thomas, an employee of an organization, is restricted from accessing specific websites from his office system. He is trying to obtain admin credentials to remove the restrictions. While waiting for an opportunity, he sniffed communication between the administrator and an application server to retrieve the admin credentials. Identify the type of attack performed by Thomas in the above scenario.
A. Vishing
B. Eavesdropping
C. Phishing
D. Dumpster diving
Answer: B
Explanation: The correct answer is B, as it identifies the type of attack performed by Thomas in the above scenario. Eavesdropping is a type of attack that involves intercepting and listening to the communication between two parties without their knowledge or consent. Thomas performed eavesdropping by sniffing communication between the administrator and an application server to retrieve the admin credentials. Option A is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Vishing is a type of attack that involves using voice calls to trick people into revealing sensitive information or performing malicious actions. Thomas did not use voice calls but sniffed network traffic. Option C is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Phishing is a type of attack that involves sending fraudulent emails or messages that appear to be from legitimate sources to lure people into revealing sensitive information or performing malicious actions. Thomas did not send any emails or messages but sniffed network traffic. Option D is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Dumpster diving is a type of attack that involves searching through trash or discarded items to find valuable information or resources. Thomas did not search through trash or discarded items but sniffed network traffic.
Question: 2
Kayden successfully cracked the final round of interviews at an organization. After a few days, he received his offer letter through an official company email address. The email stated that the selected candidate should respond within a specified time. Kayden accepted the opportunity and provided an e-signature on the offer letter, then replied to the same email address. The company validated the e-signature and added his details to their database. Here, Kayden could not deny the company's message, and the company could not deny Kayden's signature. Which of the following information security elements was described in the above scenario?
A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality
Answer: B
Explanation: The correct answer is B, as it describes the information security element that was described in the above scenario. Non-repudiation is an information security element that ensures that a party cannot deny sending or receiving a message or performing an action. In the above scenario, non-repudiation was described, as Kayden could not deny the company's message, and the company could not deny Kayden's signature. Option A is incorrect, as it does not describe the information security element that was described in the above scenario. Availability is an information security element that ensures that authorized users can access and use information and resources when needed. In the above scenario, availability was not described, as there was no mention of access or use of information and resources. Option C is incorrect, as it does not describe the information security element that was described in the above scenario. Integrity is an information security element that ensures that information and resources are accurate and complete and have not been modified by unauthorized parties. In the above scenario, integrity was not described, as there was no mention of accuracy or completeness of information and resources. Option D is incorrect, as it does not describe the information security element that was described in the above scenario. Confidentiality is an information security element that ensures that information and resources are protected from unauthorized access and disclosure. In the above scenario, confidentiality was not described, as there was no mention of protection or disclosure of information and resources.

Question: 3
Sam, a software engineer, visited an organization to give a demonstration on a software tool that helps in business development. The administrator at the organization created a least privileged account on a system and allocated that system to Sam for the demonstration. Using this account, Sam can only access the files that are required for the demonstration and cannot open any other file in the system. Which of the following types of accounts has the organization given to Sam in the above scenario?
A. Service account
B. Guest account
C. User account
D. Administrator account
Answer: B
Explanation: The correct answer is B, as it identifies the type of account that the organization has given to Sam in the above scenario. A guest account is a type of account that allows temporary or limited access to a system or network for visitors or users who do not belong to the organization. A guest account typically has minimal privileges and permissions and can only access certain files or applications. In the above scenario, the organization has given Sam a guest account for the demonstration. Using this account, Sam can only access the files that are required for the demonstration and cannot open any other file in the system. Option A is incorrect, as it does not identify the type of account that the organization has given to Sam in the above scenario. A service account is a type of account that allows applications or services to run on a system or network under a specific identity. A service account typically has high privileges and permissions and can access various files or applications. In the above scenario, the organization has not given Sam a service account for the demonstration. Option C is incorrect, as it does not identify the type of account that the organization has given to Sam in the above scenario. A user account is a type of account that allows regular access to a system or network for employees or members of an organization. A user account typically has moderate privileges and permissions and can access various files or applications depending on their role. In the above scenario, the organization has not given Sam a user account for the demonstration. Option D is incorrect, as it does not identify the type of account that the organization has given to Sam in the above scenario. An administrator account is a type of account that allows full access to a system or network for administrators or managers of an organization. An administrator account typically has the highest privileges and permissions and can access and modify any files or applications. In the above scenario, the organization has not given Sam an administrator account for the demonstration.

Question: 4
Myles, a security professional at an organization, provided laptops for all the employees to carry out the business processes from remote locations. While installing necessary applications required for the business, Myles has also installed antivirus software on each laptop following the company's policy to detect and protect the machines from external malicious events over the Internet. Identify the PCI-DSS requirement followed by Myles in the above scenario.
A. PCI-DSS requirement no 1.3.2
B. PCI-DSS requirement no 1.3.5
C. PCI-DSS requirement no 5.1
D. PCI-DSS requirement no 1.3.1
Answer: C
Explanation: The correct answer is C, as it identifies the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS is a set of standards that aims to protect cardholder data and ensure secure payment transactions. PCI-DSS has 12 requirements that cover various aspects of security such as network configuration, data encryption, access control, vulnerability management, monitoring, and testing. PCI-DSS requirement no 5.1 states that "Protect all systems against malware and regularly update anti-virus software or programs". In the above scenario, Myles followed this requirement by installing antivirus software on each laptop to detect and protect the machines from external malicious events over the Internet. Option A is incorrect, as it does not identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement no 1.3.2 states that "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet". In the above scenario, Myles did not follow this requirement, as there was no mention of outbound traffic or cardholder data environment. Option B is incorrect, as it does not identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement no 1.3.5 states that "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment". In the above scenario, Myles did not follow this requirement, as there was no mention of inbound or outbound traffic or cardholder data environment. Option D is incorrect, as it does not identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement no 1.3.1 states that "Implement a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data". In the above scenario, Myles did not follow this requirement, as there was no mention of firewall configuration or publicly accessible servers or system components storing cardholder data.

Question: 5
Ashton is working as a security specialist in SoftEight Tech. He was instructed by the management to strengthen the Internet access policy. For this purpose, he implemented a type of Internet access policy that forbids everything and imposes strict restrictions on all company computers, whether it is system or network usage. Identify the type of Internet access policy implemented by Ashton in the above scenario.
A. Paranoid policy
B. Prudent policy
C. Permissive policy
D. Promiscuous policy
Answer: A
Explanation: The correct answer is A, as it identifies the type of Internet access policy implemented by Ashton in the above scenario. An Internet access policy is a set of rules and guidelines that defines how an organization's employees or members can use the Internet and what types of websites or services they can access. There are different types of Internet access policies, such as:
- Paranoid policy: This type of policy forbids everything and imposes strict restrictions on all company computers, whether it is system or network usage. This policy is suitable for organizations that deal with highly sensitive or classified information and have a high level of security and compliance requirements.
- Prudent policy: This type of policy allows some things and blocks others and imposes moderate restrictions on company computers, depending on the role and responsibility of the user. This policy is suitable for organizations that deal with confidential or proprietary information and have a medium level of security and compliance requirements.
- Permissive policy: This type of policy allows most things and blocks few and imposes minimal restrictions on company computers, as long as the user does not violate any laws or regulations. This policy is suitable for organizations that deal with public or general information and have a low level of security and compliance requirements.
- Promiscuous policy: This type of policy allows everything and blocks nothing and imposes no restrictions on company computers, regardless of the user's role or responsibility. This policy is suitable for organizations that have no security or compliance requirements and trust their employees or members to use the Internet responsibly.
In the above scenario, Ashton implemented a paranoid policy that forbids everything and imposes strict restrictions on all company computers, whether it is system or network usage. Option B is incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the above scenario. A prudent policy allows some things and blocks others and imposes moderate restrictions on company computers, depending on the role and responsibility of the user. In the above scenario, Ashton did not implement a prudent policy, but a paranoid policy. Option C is incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the above scenario. A permissive policy allows most things and blocks few and imposes minimal restrictions on company computers, as long as the user does not violate any laws or regulations. In the above scenario, Ashton did not implement a permissive policy, but a paranoid policy. Option D is incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the above scenario. A promiscuous policy allows everything and blocks nothing and imposes no restrictions on company computers, regardless of the user's role or responsibility. In the above scenario, Ashton did not implement a promiscuous policy, but a paranoid policy.

Question: 6
Zion belongs to a category of employees who are responsible for implementing and managing the physical security equipment installed around the facility. He was instructed by the management to check the functionality of equipment related to physical security. Identify the designation of Zion.
A. Supervisor
B. Chief information security officer
C. Guard
D. Safety officer
Answer: C
Explanation: The correct answer is C, as it identifies the designation of Zion. A guard is a person who is responsible for implementing and managing the physical security equipment installed around the facility. A guard typically performs tasks such as:
- Checking the functionality of equipment related to physical security
- Monitoring the surveillance cameras and alarms
- Controlling the access to restricted areas
- Responding to emergencies or incidents
In the above scenario, Zion belongs to this category of employees who are responsible for implementing and managing the physical security equipment installed around the facility. Option A is incorrect, as it does not identify the designation of Zion. A supervisor is a person who is responsible for overseeing and directing the work of other employees. A supervisor typically performs tasks such as:
- Assigning tasks and responsibilities to employees
- Evaluating the performance and productivity of employees
- Providing feedback and guidance to employees
- Resolving conflicts or issues among employees
In the above scenario, Zion does not belong to this category of employees who are responsible for overseeing and directing the work of other employees. Option B is incorrect, as it does not identify the designation of Zion. A chief information security officer (CISO) is a person who is responsible for establishing and maintaining the security vision, strategy, and program for an organization. A CISO typically performs tasks such as:
- Developing and implementing security policies and standards
- Managing security risks and compliance
- Leading security teams and projects
- Communicating with senior management and stakeholders
In the above scenario, Zion does not belong to this category of employees who are responsible for establishing and maintaining the security vision, strategy, and program for an organization. Option D is incorrect, as it does not identify the designation of Zion. A safety officer is a person who is responsible for ensuring that health and safety regulations are followed in an organization. A safety officer typically performs tasks such as:
- Conducting safety inspections and audits
- Identifying and eliminating hazards and risks
- Providing safety training and awareness
- Reporting and investigating accidents or incidents
In the above scenario, Zion does not belong to this category of employees who are responsible for ensuring that health and safety regulations are followed in an organization.

Question: 7
In an organization, all the servers and database systems are guarded in a sealed room with a single-entry point. The entrance is protected with a physical lock system that requires typing a sequence of numbers and letters by using a rotating dial that intermingles with several other rotating discs. Which of the following types of physical locks is used by the organization in the above scenario?
A. Digital locks
B. Combination locks
C. Mechanical locks
D. Electromagnetic locks
Answer: B
Explanation: The correct answer is B, as it identifies the type of physical lock used by the organization in the above scenario. A physical lock is a device that prevents unauthorized access to a door, gate, cabinet, or other enclosure by using a mechanism that requires a key, code, or biometric factor to open or close it. There are different types of physical locks, such as:
- Combination lock: This type of lock requires typing a sequence of numbers and letters by using a rotating dial that intermingles with several other rotating discs. This type of lock is suitable for securing safes, lockers, or cabinets that store valuable items or documents.
- Digital lock: This type of lock requires entering a numeric or alphanumeric code by using a keypad or touchscreen. This type of lock is suitable for securing doors or gates that require frequent access or multiple users.
- Mechanical lock: This type of lock requires inserting and turning a metal key that matches the shape and size of the lock. This type of lock is suitable for securing doors or gates that require simple and reliable access or single users.
- Electromagnetic lock: This type of lock requires applying an electric current to a magnet that attracts a metal plate attached to the door or gate. This type of lock is suitable for securing doors or gates that require remote control or integration with other security systems.
In the above scenario, the organization used a combination lock that requires typing a sequence of numbers and letters by using a rotating dial that intermingles with several other rotating discs. Option A is incorrect, as it does not identify the type of physical lock used by the organization in the above scenario. A digital lock requires entering a numeric or alphanumeric code by using a keypad or touchscreen. In the above scenario, the organization did not use a digital lock, but a combination lock. Option C is incorrect, as it does not identify the type of physical lock used by the organization in the above scenario. A mechanical lock requires inserting and turning a metal key that matches the shape and size of the lock. In the above scenario, the organization did not use a mechanical lock, but a combination lock. Option D is incorrect, as it does not identify the type of physical lock used by the organization in the above scenario. An electromagnetic lock requires applying an electric current to a magnet that attracts a metal plate attached to the door or gate. In the above scenario, the organization did not use an electromagnetic lock, but a combination lock.

Question: 8
Lorenzo, a security professional in an MNC, was instructed to establish centralized authentication, authorization, and accounting for remote-access servers. For this purpose, he implemented a protocol that is based on the client-server model and works at the transport layer of the OSI model. Identify the remote authentication protocol employed by Lorenzo in the above scenario.
A. SNMPv3
B. RADIUS
C. POP3S
D. IMAPS
Answer: B
Explanation: The correct answer is B, as it identifies the remote authentication protocol employed by Lorenzo in the above scenario. RADIUS (Remote Authentication Dial-In User Service) is a protocol that provides centralized authentication, authorization, and accounting (AAA) for remote-access servers such as VPNs (Virtual Private Networks), wireless networks, or dial-up connections. RADIUS is based on the client-server model and works at the transport layer of the OSI model. RADIUS uses UDP (User Datagram Protocol) as its transport protocol and encrypts only user passwords in its messages. In the above scenario, Lorenzo implemented RADIUS to provide centralized AAA for remote-access servers. Option A is incorrect, as it does not identify the remote authentication protocol employed by Lorenzo in the above scenario. SNMPv3 (Simple Network Management Protocol version 3) is a protocol that provides network management and monitoring for network devices such as routers, switches, servers, or printers. SNMPv3 is based on the manager-agent model and works at the application layer of the OSI model. SNMPv3 uses UDP as its transport protocol and encrypts all its messages with AES (Advanced Encryption Standard) or DES (Data Encryption Standard). In the above scenario, Lorenzo did not implement SNMPv3 to provide network management and monitoring for network devices. Option C is incorrect, as it does not identify the remote authentication protocol employed by Lorenzo in the above scenario. POP3S (Post Office Protocol version 3 Secure) is a protocol that provides secure email access and retrieval for email clients from email servers. POP3S is based on the client-server model and works at the application layer of the OSI model. POP3S uses TCP (Transmission Control Protocol) as its transport protocol and encrypts all its messages with SSL (Secure Sockets Layer) or TLS (Transport Layer Security). In the above scenario, Lorenzo did not implement POP3S to provide secure email access and retrieval for email clients from email servers. Option D is incorrect, as it does not identify the remote authentication protocol employed by Lorenzo in the above scenario. IMAPS (Internet Message Access Protocol Secure) is a protocol that provides secure email access and management for email clients from email servers. IMAPS is based on the client-server model and works at the application layer of the OSI model. IMAPS uses TCP as its transport protocol and encrypts all its messages with SSL or TLS. In the above scenario, Lorenzo did not implement IMAPS to provide secure email access and management for email clients from email servers.

Question: 9
Malachi, a security professional, implemented a firewall in his organization to trace incoming and outgoing traffic. He deployed a firewall that works at the session layer of the OSI model and monitors the TCP handshake between hosts to determine whether a requested session is legitimate. Identify the firewall technology implemented by Malachi in the above scenario.
A. Next generation firewall (NGFW)
B. Circuit-level gateways
C. Network address translation (NAT)
D. Packet filtering
Answer: B
Explanation: A circuit-level gateway is a type of firewall that works at the session layer of the OSI model and monitors the TCP handshake between hosts to determine whether a requested session is legitimate. It does not inspect the contents of each packet, but rather relies on the session information to filter traffic.

Question: 10
Rhett, a security professional at an organization, was instructed to deploy an IDS solution on their corporate network to defend against evolving threats. For this purpose, Rhett selected an IDS solution that first creates models for possible intrusions and then compares these models with incoming events to make detection decisions. Identify the detection method employed by the IDS solution in the above scenario.
A. Not-use detection
B. Protocol anomaly detection
C. Anomaly detection
D. Signature recognition
Answer: C
Explanation: Anomaly detection is a type of IDS detection method that involves first creating models for possible intrusions and then comparing these models with incoming events to make a detection decision. It can detect unknown or zero-day attacks by looking for deviations from normal or expected behavior.

Question: 11
Richards, a security specialist at an organization, was monitoring an IDS system. While monitoring, he suddenly received an alert of an ongoing intrusion attempt on the organization's network. He immediately averted the malicious actions by implementing the necessary measures. Identify the type of alert generated by the IDS system in the above scenario.
A. True positive
B. True negative
C. False negative
D. False positive
Answer: A
Explanation: A true positive alert is generated by an IDS system when it correctly identifies an ongoing intrusion attempt on the network and sends an alert to the security professional. This is the desired outcome of an IDS system, as it indicates that the system is working effectively and accurately.

Question: 12
Karter, a security professional, deployed a honeypot on the organization's network for luring attackers who attempt to breach the network. For this purpose, he configured a type of honeypot that simulates a real OS as well as the applications and services of a target network. Furthermore, the honeypot deployed by Karter only responds to pre-configured commands. Identify the type of honeypot deployed by Karter in the above scenario.
A. Low-interaction honeypot
B. Pure honeypot
C. Medium-interaction honeypot
D. High-interaction honeypot
Answer: A
Explanation: A low-interaction honeypot is a type of honeypot that simulates a real OS as well as the applications and services of a target network, but only responds to pre-configured commands. It is designed to capture basic information about the attacker, such as their IP address, tools, and techniques. A low-interaction honeypot is easier to deploy and maintain than a high-interaction honeypot, which fully emulates a real system and allows the attacker to interact with it. A pure honeypot is a real system that is intentionally vulnerable and exposed to attackers. A medium-interaction honeypot is a type of honeypot that offers more functionality and interactivity than a low-interaction honeypot, but less than a high-interaction honeypot.

Question: 13
An MNC hired Brandon, a network defender, to establish secured VPN communication between the company's remote offices. For this purpose, Brandon employed a VPN topology where all the remote offices communicate with the corporate office but communication between the remote offices is denied. Identify the VPN topology employed by Brandon in the above scenario.
A. Point-to-Point VPN topology
B. Star topology
C. Hub-and-Spoke VPN topology
D. Full-mesh VPN topology
Answer: C
Explanation: A hub-and-spoke VPN topology is a type of VPN topology where all the remote offices communicate with the corporate office, but communication between the remote offices is denied. The corporate office acts as the hub, and the remote offices act as the spokes. This topology reduces the number of VPN tunnels required and simplifies the management of VPN policies. A point-to-point VPN topology is a type of VPN topology where two endpoints establish a direct VPN connection. A star topology is a type of VPN topology where one endpoint acts as the central node and connects to multiple other endpoints. A full-mesh VPN topology is a type of VPN topology where every endpoint connects to every other endpoint.
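The circuit-level gateway described in Question 9 admits or drops traffic purely on the state of the TCP three-way handshake, never on packet contents. The following is an added example, not part of the question bank, that models that behaviour as a per-flow state machine over a constructed packet trace: a flow moves SYN -> SYN-ACK -> ACK to the ESTABLISHED state, and data is forwarded only for established flows. The packet trace, addresses and the `Packet`/`CircuitGateway` names are assumptions made for the illustration.

```python
"""Toy circuit-level gateway: forward traffic only for sessions whose
TCP three-way handshake was observed. Added example; the trace below is
constructed, and no payload inspection is performed (as the text states)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SYN, SYNACK, ACK, DATA, RST = "SYN", "SYN-ACK", "ACK", "DATA", "RST"


@dataclass(frozen=True)
class Packet:
    src: str   # source host
    dst: str   # destination host
    flag: str  # simplified TCP control flag / payload marker


FlowKey = Tuple[str, str]  # (initiating client, server)


@dataclass
class CircuitGateway:
    # Per-flow handshake state: SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED
    sessions: Dict[FlowKey, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)  # drop decisions, for the SOC

    def _established(self, a: str, b: str) -> bool:
        """True if an established session exists in either direction."""
        return (self.sessions.get((a, b)) == "ESTABLISHED"
                or self.sessions.get((b, a)) == "ESTABLISHED")

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flag == SYN:
            # A new session request: remember it and let it through.
            self.sessions[fwd] = "SYN_SEEN"
            return True
        if pkt.flag == SYNACK:
            # Only valid as a reply to a SYN we saw from the other side.
            if self.sessions.get(rev) == "SYN_SEEN":
                self.sessions[rev] = "SYNACK_SEEN"
                return True
            self.log.append(f"drop unsolicited SYN-ACK {pkt.src}->{pkt.dst}")
            return False
        if pkt.flag == ACK:
            if self.sessions.get(fwd) == "SYNACK_SEEN":
                self.sessions[fwd] = "ESTABLISHED"  # handshake complete
                return True
            if self._established(pkt.src, pkt.dst):
                return True
            self.log.append(f"drop ACK without handshake {pkt.src}->{pkt.dst}")
            return False
        if pkt.flag == DATA:
            # Data is judged only by session state, never by its contents.
            if self._established(pkt.src, pkt.dst):
                return True
            self.log.append(f"drop data outside session {pkt.src}->{pkt.dst}")
            return False
        if pkt.flag == RST:
            # Tear down whichever direction the session was recorded in.
            self.sessions.pop(fwd, None)
            self.sessions.pop(rev, None)
            return True
        self.log.append(f"drop unknown flag {pkt.flag} {pkt.src}->{pkt.dst}")
        return False


# Constructed trace: one legitimate session, then three packets that
# arrive with no preceding handshake and must be dropped.
SAMPLE_TRACE = [
    Packet("10.0.0.5", "203.0.113.10", SYN),
    Packet("203.0.113.10", "10.0.0.5", SYNACK),
    Packet("10.0.0.5", "203.0.113.10", ACK),
    Packet("10.0.0.5", "203.0.113.10", DATA),
    Packet("203.0.113.10", "10.0.0.5", DATA),
    Packet("198.51.100.7", "10.0.0.5", DATA),    # no session: dropped
    Packet("198.51.100.7", "10.0.0.5", SYNACK),  # unsolicited: dropped
    Packet("10.0.0.9", "203.0.113.10", ACK),     # no handshake: dropped
]


def run_sample() -> Tuple[List[bool], List[str]]:
    """Run the constructed trace and return (forward decisions, drop log)."""
    gw = CircuitGateway()
    decisions = [gw.process(p) for p in SAMPLE_TRACE]
    return decisions, gw.log


if __name__ == "__main__":
    decisions, log = run_sample()
    for pkt, ok in zip(SAMPLE_TRACE, decisions):
        print(f"{pkt.flag:8} {pkt.src:>13} -> {pkt.dst:<13} "
              f"{'forward' if ok else 'DROP'}")
    print("\n".join(log))
```

The drop log is what a defender would ship to the SIEM: unsolicited SYN-ACKs and out-of-session data are exactly the events a circuit-level gateway is positioned to see, and the example deliberately never looks at the `DATA` payload, which is why such a gateway cannot catch malicious content carried inside a legitimately established session.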
Question: 14 Mark, a security analyst, was tasked with performing threat hunting to detect imminent threats in an organization's network. He generated a hypothesis based on the observations in the initial step and started the threat‐hunting process using existing data collected from DNS and proxy logs. Identify the type of threat‐hunting method employed by Mark in the above scenario. A. Entity‐driven hunting B. TTP‐driven hunting C. Data‐driven hunting D. Hybrid hunting Answer: C Explanation: A data‐driven hunting method is a type of threat hunting method that employs existing data collected from various sources, such as DNS and proxy logs, to generate and test hypotheses about potential threats. This method relies on data analysis and machine learning techniques to identify patterns and anomalies that indicate malicious activity. A data‐driven hunting method can help discover unknown or emerging threats that may evade traditional detection methods. An entitydriven hunting method is a type of threat hunting method that focuses on specific entities, such as users, devices, or domains, that are suspected or known to be involved in malicious activity. A TTPdriven hunting method is a type of threat hunting method that leverages threat intelligence and knowledge of adversary tactics, techniques, and procedures (TTPs) to formulate and test hypotheses about potential threats. A hybrid hunting method is a type of threat hunting method that combines different approaches, such as data‐driven, entity‐driven, and TTP‐driven methods, to achieve more comprehensive and effective results. Question: 15 An organization hired a network operations center (NOC) team to protect its IT infrastructure from external attacks. The organization utilized a type of threat intelligence to protect its resources from evolving threats. 
The threat intelligence helped the NOC team understand how attackers are expected to perform an attack on the organization, identify the information leakage, and determine the attack goals as well as attack vectors. Identify the type of threat intelligence consumed by the organization in the above scenario. A. Operational threat intelligence B. Strategic threat intelligence C. Technical threat intelligence D. Tactical threat intelligence Answer: C Explanation: Technical threat intelligence is a type of threat intelligence that provides information about the technical details of specific attacks, such as indicators of compromise (IOCs), malware signatures, attack vectors, and vulnerabilities. Technical threat intelligence helps the NOC team understand how attackers are expected to perform an attack on the organization, identify the information leakage, and determine the attack goals as well as attack vectors. Technical threat intelligence is often consumed by security analysts, incident responders, and penetration testers who need to analyze and respond to active or potential threats. Question: 16 Tristan, a professional penetration tester, was recruited by an organization to test its network infrastructure. The organization wanted to understand its current security posture and its strength in defending against external threats. For this purpose, the organization did not provide any information about their IT infrastructure to Tristan. Thus, Tristan initiated zero‐knowledge attacks, with no information or assistance from the organization. Which of the following types of penetration testing has Tristan initiated in the above scenario? A. Black‐box testing B. White‐box testing C. Gray‐box testing D. Translucent‐box testing Answer: A Explanation: Black‐box testing is a type of penetration testing where the tester has no prior knowledge of the target system or network and initiates zero‐knowledge attacks, with no information or assistance from the organization. 
Black-box testing simulates the perspective of an external attacker who tries to find and exploit vulnerabilities without any insider information. Black-box testing can help identify unknown or hidden vulnerabilities that may not be detected by other types of testing. However, black-box testing can also be time-consuming, costly, and incomplete, as it depends on the tester's skills and tools.

Question: 17

Miguel, a professional hacker, targeted an organization to gain illegitimate access to its critical information. He identified a flaw in the end-point communication that can disclose the target application's data. Which of the following secure application design principles was not met by the application in the above scenario?

A. Secure the weakest link
B. Do not trust user input
C. Exception handling
D. Fault tolerance

Answer: C

Explanation: Exception handling is a secure application design principle that states that the application should handle errors and exceptions gracefully and securely, without exposing sensitive information or compromising the system's functionality. Exception handling can help prevent attackers from exploiting errors or exceptions to gain access to data or resources or to cause denial-of-service attacks. In the scenario, Miguel identified a flaw in the end-point communication that can disclose the target application's data, which means that the application did not meet the exception handling principle.

Question: 18

A software company is developing a new software product by following the best practices for secure application development. Dawson, a software analyst, is checking the performance of the application on the client's network to determine whether end users are facing any issues in accessing the application. Which of the following tiers of a secure application development lifecycle involves checking the performance of the application?

A. Development
B. Testing
C. Quality assurance (QA)
D. Staging

Answer: B

Explanation: The testing tier of a secure application development lifecycle involves checking the performance of the application on the client's network to determine whether end users are facing any issues in accessing the application. Testing is a crucial phase of software development that ensures the quality, functionality, reliability, and security of the application. Testing can be done manually or automatically using various tools and techniques, such as unit testing, integration testing, system testing, regression testing, performance testing, usability testing, security testing, and acceptance testing.

Question: 19

Nicolas, a computer science student, decided to create a guest OS on his laptop for different lab operations. He adopted a virtualization approach in which the guest OS will not be aware that it is running in a virtualized environment. The virtual machine manager (VMM) will directly interact with the computer hardware, translate commands to binary instructions, and forward them to the host OS. Which of the following virtualization approaches has Nicolas adopted in the above scenario?

A. Hardware-assisted virtualization
B. Full virtualization
C. Hybrid virtualization
D. OS-assisted virtualization

Answer: A

Explanation: Hardware-assisted virtualization is a virtualization approach in which the guest OS will not be aware that it is running in a virtualized environment. The virtual machine manager (VMM) will directly interact with the computer hardware, translate commands to binary instructions, and forward them to the host OS. Hardware-assisted virtualization relies on special hardware features in the CPU and chipset to create and manage virtual machines efficiently and securely. Full virtualization is a virtualization approach in which the guest OS will not be aware that it is running in a virtualized environment, but the VMM will run in software and emulate all the hardware resources for each virtual machine.
Hybrid virtualization is a virtualization approach that combines hardware-assisted and full virtualization techniques to optimize performance and compatibility. OS-assisted virtualization is a virtualization approach in which the guest OS is modified to run in a virtualized environment and cooperate with the VMM to access the hardware resources.

Question: 20

Walker, a security team member at an organization, was instructed to check if a deployed cloud service is working as expected. He performed an independent examination of cloud service controls to verify adherence to standards through a review of objective evidence. Further, Walker evaluated the services provided by the CSP regarding security controls, privacy impact, and performance. Identify the role played by Walker in the above scenario.

A. Cloud auditor
B. Cloud provider
C. Cloud carrier
D. Cloud consumer

Answer: A

Explanation: Cloud auditor is the role played by Walker in the above scenario. A cloud auditor is a third party who examines the controls of cloud computing service providers. A cloud auditor performs an audit to verify compliance with the standards and expresses an opinion through a report. A cloud provider is an entity that provides cloud services, such as infrastructure, platform, or software, to cloud consumers. A cloud carrier is an entity that provides connectivity and transport of cloud services between cloud providers and cloud consumers. A cloud consumer is an entity that uses cloud services for its own purposes or on behalf of another entity.

Question: 21

A software company has implemented a wireless technology to track the employees' attendance by recording their in and out timings. Each employee in the company will have an entry card that is embedded with a tag. Whenever an employee enters the office premises, he/she is required to swipe the card at the entrance.
The wireless technology uses radio-frequency electromagnetic waves to transfer data for automatic identification and for tracking tags attached to objects. Which of the following technologies has the software company implemented in the above scenario?

A. WiMAX
B. RFID
C. Bluetooth
D. Wi-Fi

Answer: B

Explanation: RFID (Radio Frequency Identification) is the wireless technology that the software company has implemented in the above scenario. RFID uses radio-frequency electromagnetic waves to transfer data for automatic identification and for tracking tags attached to objects. WiMAX (Worldwide Interoperability for Microwave Access) is a wireless technology that provides high-speed broadband access over long distances. Bluetooth is a wireless technology that enables short-range data communication between devices, such as phones, laptops, printers, etc. Wi-Fi (Wireless Fidelity) is a wireless technology that allows devices to connect to a local area network or the internet using radio waves.

Question: 22

Matias, a network security administrator at an organization, was tasked with the implementation of secure wireless network encryption for their network. For this purpose, Matias employed a security solution that uses 256-bit Galois/Counter Mode Protocol (GCMP-256) to maintain the authenticity and confidentiality of data. Identify the type of wireless encryption used by the security solution employed by Matias in the above scenario.

A. WPA2 encryption
B. WPA3 encryption
C. WEP encryption
D. WPA encryption

Answer: B

Explanation: WPA3 encryption is the type of wireless encryption used by the security solution employed by Matias in the above scenario. WPA3 encryption is the latest and most secure version of Wi-Fi Protected Access, a protocol that provides authentication and encryption for wireless networks. WPA3 encryption uses 256-bit Galois/Counter Mode Protocol (GCMP-256) to maintain the authenticity and confidentiality of data.
WPA3 encryption also provides enhanced protection against offline dictionary attacks, forward secrecy, and secure public Wi-Fi access. WPA2 encryption is the previous version of Wi-Fi Protected Access, which uses Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) for data encryption. WEP encryption is an outdated and insecure version of Wi-Fi security, which uses the RC4 stream cipher for data encryption. WPA encryption is an intermediate version of Wi-Fi security, which uses TKIP for data encryption.

Question: 23

Rickson, a security professional at an organization, was instructed to establish short-range communication between devices within a range of 10 cm. For this purpose, he used a mobile connection method that employs electromagnetic induction to enable communication between devices. The mobile connection method selected by Rickson can also read RFID tags and establish Bluetooth connections with nearby devices to exchange information such as images and contact lists. Which of the following mobile connection methods has Rickson used in the above scenario?

A. NFC
B. Satcom
C. Cellular communication
D. ANT

Answer: A

Explanation: NFC (Near Field Communication) is the mobile connection method that Rickson has used in the above scenario. NFC is a short-range wireless communication technology that enables devices to exchange data within a range of 10 cm. NFC employs electromagnetic induction to create a radio frequency field between two devices. NFC can also read RFID tags and establish Bluetooth connections with nearby devices to exchange information such as images and contact lists. Satcom (Satellite Communication) is a mobile connection method that uses satellites orbiting the earth to provide communication services over long distances. Cellular communication is a mobile connection method that uses cellular networks to provide voice and data services over wireless devices.
ANT is a low-power wireless communication technology that enables devices to create personal area networks and exchange data over short distances.

Question: 24

Stephen, a security professional at an organization, was instructed to implement security measures that prevent corporate data leakage on employees' mobile devices. For this purpose, he employed a technique using which all personal and corporate data are isolated on an employee's mobile device. Using this technique, corporate applications do not have any control of or communication with the private applications or data of the employees. Which of the following techniques has Stephen implemented in the above scenario?

A. Full device encryption
B. Geofencing
C. Containerization
D. OTA updates

Answer: C

Explanation: Containerization is the technique that Stephen has implemented in the above scenario. Containerization is a technique that isolates personal and corporate data on an employee's mobile device. Containerization creates separate encrypted containers or partitions on the device, where corporate applications and data are stored and managed. Containerization prevents corporate data leakage on employees' mobile devices by restricting access, sharing, copying, or transferring of data between containers. Containerization also allows remote wiping of corporate data in case of device loss or theft. Full device encryption is a technique that encrypts all the data on a mobile device using a password or a key. Geofencing is a technique that uses GPS or RFID to define geographical boundaries and trigger actions based on the location of a mobile device. OTA (Over-the-Air) updates are updates that are delivered wirelessly to mobile devices without requiring a physical connection to a computer.

Question: 25

Leo has walked to the nearest supermarket to purchase groceries.
At the billing section, the billing executive scanned each product's machine-readable tag against a reading machine that automatically reads the product details, displays the prices of the individual products on the computer, and calculates the sum of the scanned items. Upon completion of scanning all the products, Leo has to pay the bill. Identify the type of short-range wireless communication technology that the billing executive has used in the above scenario.

A. Radio-frequency identification (RFID)
B. Near-field communication (NFC)
C. QUIC
D. QR codes and barcodes

Answer: A

Explanation: Radio-frequency identification (RFID) is the type of short-range wireless communication technology that the billing executive has used in the above scenario. RFID uses radio-frequency electromagnetic waves to transfer data for automatic identification and for tracking tags attached to objects. RFID tags are machine-readable tags that store information about the products, such as name, price, expiry date, etc. RFID readers are machines that scan the RFID tags and display the product details on the computer. RFID technology is widely used in supermarkets, warehouses, libraries, and other places where inventory management and tracking are required.

Question: 26

Hayes, a security professional, was tasked with the implementation of security controls for an industrial network at the Purdue level 3.5 (IDMZ). Hayes verified all the possible attack vectors on the IDMZ level and deployed a security control that fortifies the IDMZ against cyber-attacks. Identify the security control implemented by Hayes in the above scenario.

A. Point-to-point communication
B. MAC authentication
C. Anti-DoS solution
D. Use of authorized RTU and PLC commands

Answer: D

Explanation: The use of authorized RTU and PLC commands is the security control implemented by Hayes in the above scenario.
RTU (Remote Terminal Unit) and PLC (Programmable Logic Controller) are devices that control and monitor industrial processes, such as power generation, water treatment, oil and gas production, etc. RTU and PLC commands are instructions that are sent from a master station to a slave station to perform certain actions or request certain data. The use of authorized RTU and PLC commands is a security control that fortifies the IDMZ (Industrial Demilitarized Zone) against cyberattacks by ensuring that only valid and authenticated commands are executed by the RTU and PLC devices. Point-to-point communication is a communication method that establishes a direct connection between two endpoints. MAC authentication is an authentication method that verifies the MAC (Media Access Control) address of a device before granting access to a network. An anti-DoS solution is a security solution that protects a network from DoS (Denial-of-Service) attacks by filtering or blocking malicious traffic.

Question: 27

Paul, a computer user, has shared information with his colleague using an online application. The online application used by Paul has been incorporated with the latest encryption mechanism. This mechanism encrypts data by using a sequence of photons that have a spinning trait while traveling from one end to another, and these photons keep changing their shapes during their course through filters: vertical, horizontal, forward slash, and backslash. Identify the encryption mechanism demonstrated in the above scenario.

A. Quantum cryptography
B. Homomorphic encryption
C. Rivest Shamir Adleman encryption
D. Elliptic curve cryptography

Answer: A

Explanation: Quantum cryptography is the encryption mechanism demonstrated in the above scenario. Quantum cryptography is a branch of cryptography that uses quantum physics to secure data transmission and communication.
Quantum cryptography encrypts data by using a sequence of photons that have a spinning trait, called polarization, while traveling from one end to another. These photons keep changing their shapes, called states, during their course through filters: vertical, horizontal, forward slash, and backslash. Quantum cryptography ensures that any attempt to intercept or tamper with the data will alter the quantum states of the photons and be detected by the sender and receiver. Homomorphic encryption is a type of encryption that allows computations to be performed on encrypted data without decrypting it first. Rivest Shamir Adleman (RSA) encryption is a type of asymmetric encryption that uses two keys, public and private, to encrypt and decrypt data. Elliptic curve cryptography (ECC) is a type of asymmetric encryption that uses mathematical curves to generate keys and perform encryption and decryption.

Question: 28

Riley sent a secret message to Louis. Before sending the message, Riley digitally signed the message using his private key. Louis received the message and verified the digital signature using the corresponding key to ensure that the message was not tampered with during transit. Which of the following keys did Louis use to verify the digital signature in the above scenario?

A. Riley's public key
B. Louis's public key
C. Riley's private key
D. Louis's private key

Answer: A

Explanation: Riley's public key is the key that Louis used to verify the digital signature in the above scenario. A digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document. A digital signature is created by applying a hash function to the message or document and then encrypting the hash value with the sender's private key. A digital signature can be verified by decrypting the hash value with the sender's public key and comparing it with the hash value of the original message or document.
Riley's public key is the key that corresponds to Riley's private key, which he used to sign the message. Louis's public key is the key that corresponds to Louis's private key, which he may use to encrypt or decrypt messages with Riley. Louis's private key is the key that only Louis knows and can use to sign or decrypt messages. Riley's private key is the key that only Riley knows and can use to sign or encrypt messages.

Question: 29

Grace, an online shopping freak, has purchased a smart TV using her debit card. During online payment, Grace's browser redirected her from the ecommerce website to a third-party payment gateway, where she provided her debit card details and the OTP received on her registered mobile phone. After completing the transaction, Grace navigated to her online bank account and verified the current balance in her savings account. Identify the state of data when it is being processed between the ecommerce website and the payment gateway in the above scenario.

A. Data at rest
B. Data in inactive
C. Data in transit
D. Data in use

Answer: C

Explanation: Data in transit is the state of data when it is being processed between the ecommerce website and the payment gateway in the above scenario. Data in transit is data that is moving from one location to another over a network, such as the internet, a LAN, or a WAN. Data in transit can be vulnerable to interception, modification, or theft by unauthorized parties, so it needs to be protected by encryption, authentication, and other security measures. Data at rest is data that is stored on a device or a medium, such as a hard drive, a flash drive, or cloud storage. Data in active is data that is currently being accessed or modified by an application or a user. Data in use is data that is loaded into the memory of a device or a system for processing or computation.
Question: 30

Andre, a security professional, was tasked with segregating the employees' names, phone numbers, and credit card numbers before sharing the database with clients. For this purpose, he implemented a deidentification technique that can replace the critical information in database fields with special characters such as asterisks (*) and hashes (#). Which of the following techniques was employed by Andre in the above scenario?

A. Tokenization
B. Masking
C. Hashing
D. Bucketing

Answer: B

Explanation: Masking is the technique that Andre employed in the above scenario. Masking is a deidentification technique that can replace the critical information in database fields with special characters such as asterisks (*) and hashes (#). Masking can help protect sensitive data from unauthorized access or disclosure, while preserving the format and structure of the original data. Tokenization is a deidentification technique that can replace the critical information in database fields with random tokens that have no meaning or relation to the original data. Hashing is a deidentification technique that can transform the critical information in database fields into fixed-length strings using a mathematical function. Bucketing is a deidentification technique that can group the critical information in database fields into ranges or categories based on certain criteria.

Question: 31

Ryleigh, a system administrator, was instructed to perform a full backup of organizational data on a regular basis. For this purpose, she used a backup technique in which a full backup is taken on a fixed date when the employees are not accessing the system, i.e., when service-level downtime is allowed. Identify the backup technique utilized by Ryleigh in the above scenario.

A. Nearline backup
B. Cold backup
C. Hot backup
D. Warm backup

Answer: B

Explanation: Cold backup is the backup technique utilized by Ryleigh in the above scenario.
Cold backup is a backup technique that involves taking a full backup of data when the system or database is offline or shut down. Cold backup ensures that the data is consistent and not corrupted by any ongoing transactions or operations. Cold backup is usually performed on a fixed date or time when the service-level downtime is allowed or scheduled. Nearline backup is a backup technique that involves storing data on a medium that is not immediately accessible, but can be retrieved within a short time. Hot backup is a backup technique that involves taking a backup of data while the system or database is online or running. Warm backup is a backup technique that involves taking a backup of data while the system or database is partially online or running.

Question: 32

Jaden, a network administrator at an organization, used the ping command to check the status of a system connected to the organization's network. He received an ICMP error message stating that the IP header field contains invalid information. Jaden examined the ICMP packet and identified that it is an IP parameter problem. Identify the type of ICMP error message received by Jaden in the above scenario.

A. Type = 12
B. Type = 8
C. Type = 5
D. Type = 3

Answer: A

Explanation: Type = 12 is the type of ICMP error message received by Jaden in the above scenario. ICMP (Internet Control Message Protocol) is a protocol that sends error and control messages between network devices. ICMP error messages are categorized by types and codes, which indicate the cause and nature of the error. Type = 12 is the type of ICMP error message that indicates an IP parameter problem, which means that the IP header field contains invalid information. Type = 8 is the type of ICMP message that indicates an echo request, which is used to test the connectivity and reachability of a destination host.
Type = 5 is the type of ICMP error message that indicates a redirect, which means that a better route to the destination host is available. Type = 3 is the type of ICMP error message that indicates a destination unreachable, which means that the destination host or network cannot be reached.

Question: 33

Steve, a network engineer, was tasked with troubleshooting a network issue that is causing unexpected packet drops. For this purpose, he employed a network troubleshooting utility to capture the ICMP echo request packets sent to the server. He identified that certain packets are dropped at the gateway due to a poor network connection. Identify the network troubleshooting utility employed by Steve in the above scenario.

A. dnsenum
B. arp
C. traceroute
D. ipconfig

Answer: C

Explanation: Traceroute is the network troubleshooting utility employed by Steve in the above scenario. Traceroute is a utility that traces the route of packets from a source host to a destination host over a network. Traceroute sends ICMP echo request packets with increasing TTL (Time to Live) values and records the ICMP echo reply packets from each intermediate router or gateway along the path. Traceroute can help identify the network hops, latency, and packet loss between the source and destination hosts. Dnsenum is a utility that enumerates DNS information from a domain name or an IP address. Arp is a utility that displays and modifies the ARP (Address Resolution Protocol) cache of a host. Ipconfig is a utility that displays and configures the IP (Internet Protocol) settings of a host.

Question: 34

Anderson, a security engineer, was instructed to monitor all incoming and outgoing traffic on the organization's network to identify any suspicious traffic. For this purpose, he employed an analysis technique using which he analyzed packet header fields such as IP options, IP protocols, IP fragmentation flags, offset, and identification to check whether any fields are altered in transit.
Identify the type of attack signature analysis performed by Anderson in the above scenario.

A. Context-based signature analysis
B. Atomic-signature-based analysis
C. Composite-signature-based analysis
D. Content-based signature analysis

Answer: D

Explanation: Content-based signature analysis is the type of attack signature analysis performed by Anderson in the above scenario. Content-based signature analysis is a technique that analyzes packet header fields such as IP options, IP protocols, IP fragmentation flags, offset, and identification to check whether any fields are altered in transit. Content-based signature analysis can help detect attacks that manipulate packet headers to evade detection or exploit vulnerabilities. Context-based signature analysis is a technique that analyzes packet payloads such as application data or commands to check whether they match any known attack patterns or signatures. Atomic-signature-based analysis is a technique that analyzes individual packets to check whether they match any known attack patterns or signatures. Composite-signature-based analysis is a technique that analyzes multiple packets or sessions to check whether they match any known attack patterns or signatures.

Question: 35

Leilani, a network specialist at an organization, employed Wireshark for observing network traffic. Leilani navigated to the Wireshark menu icon that contains items to manipulate, display and apply filters, enable or disable the dissection of protocols, and configure user-specified decodes. Identify the Wireshark menu Leilani has navigated in the above scenario.

A. Statistics
B. Capture
C. Main toolbar
D. Analyze

Answer: B

Explanation: Capture is the Wireshark menu that Leilani has navigated in the above scenario. Wireshark is a network analysis tool that captures and displays network traffic in real time or from saved files.
Wireshark has various menus that contain different items and options for manipulating, displaying, and analyzing network data. Capture is the Wireshark menu that contains items to start, stop, restart, or save a live capture of network traffic. Capture also contains items to configure capture filters, interfaces, options, and preferences. Statistics is the Wireshark menu that contains items to display various statistics and graphs of network traffic, such as packet lengths, protocols, endpoints, conversations, etc. Main toolbar is the Wireshark toolbar that contains icons for quick access to common functions, such as opening or saving files, starting or stopping a capture, applying display filters, etc. Analyze is the Wireshark menu that contains items to manipulate, display and apply filters, enable or disable the dissection of protocols, and configure user-specified decodes.

Question: 36

Tenda, a network specialist at an organization, was examining logged data using Windows Event Viewer to identify attempted or successful unauthorized activities. The logs analyzed by Tenda include events related to Windows security; specifically, log-on/log-off activities, resource access, and also information based on the Windows system's audit policies. Identify the type of event logs analyzed by Tenda in the above scenario.

A. Application event log
B. Setup event log
C. Security event log
D. System event log

Answer: C

Explanation: Security event log is the type of event log analyzed by Tenda in the above scenario. Windows Event Viewer is a tool that displays logged data about various events that occur on a Windows system or network. Windows Event Viewer categorizes event logs into different types based on their source and purpose. Security event log is the type of event log that records events related to Windows security; specifically, log-on/log-off activities, resource access, and also information based on the Windows system's audit policies.
The Security event log can help identify attempted or successful unauthorized activities on a Windows system or network. Application event log is the type of event log that records events related to applications running on a Windows system, such as errors, warnings, or information messages. Setup event log is the type of event log that records events related to the installation or removal of software or hardware components on a Windows system. System event log is the type of event log that records events related to the operation of a Windows system or its components, such as drivers, services, processes, etc.

Question: 37

Nancy, a security specialist, was instructed to identify issues related to unexpected shutdowns and restarts on a Linux machine. To identify the incident cause, Nancy navigated to a directory on the Linux system and accessed a log file to troubleshoot problems related to improper shutdowns and unplanned restarts. Identify the Linux log file accessed by Nancy in the above scenario.

A. /var/log/secure
B. /var/log/kern.log
C. /var/log/boot.log
D. /var/log/lighttpd/

Answer: C

Explanation: /var/log/boot.log is the Linux log file accessed by Nancy in the above scenario. Linux is an open-source operating system that logs various events and activities on the system or network. Linux log files are stored in the /var/log directory, which contains different types of log files for different purposes. /var/log/boot.log is the log file that records events related to the booting process of the Linux system, such as loading drivers, services, modules, etc. /var/log/boot.log can help identify issues related to unexpected shutdowns and restarts on a Linux machine. /var/log/secure is the log file that records events related to security and authentication, such as logins, logouts, password changes, sudo commands, etc. /var/log/kern.log is the log file that records events related to the kernel, such as kernel messages, errors, warnings, etc.
/var/log/lighttpd/ is the directory that contains log files related to the lighttpd web server, such as access logs, error logs, etc.

Question: 38

Warren, a member of the IH&R team at an organization, was tasked with handling a malware attack launched on one of the servers connected to the organization's network. He immediately implemented appropriate measures to stop the infection from spreading to other organizational assets and to prevent further damage to the organization. Identify the IH&R step performed by Warren in the above scenario.

A. Containment
B. Recovery
C. Eradication
D. Incident triage

Answer: A

Explanation: Containment is the IH&R step performed by Warren in the above scenario. IH&R (Incident Handling and Response) is a process that involves identifying, analyzing, containing, eradicating, recovering from, and reporting on security incidents that affect an organization's network or system. Containment is the IH&R step that involves implementing appropriate measures to stop the infection from spreading to other organizational assets and to prevent further damage to the organization. Containment can be done by isolating the affected system or network, blocking malicious traffic or communication, disabling or removing malicious accounts or processes, etc. Recovery is the IH&R step that involves restoring the normal operation of the system or network after eradicating the incident. Eradication is the IH&R step that involves removing all traces of the incident from the system or network, such as malware, backdoors, compromised files, etc. Incident triage is the IH&R step that involves prioritizing incidents based on their severity, impact, and urgency.

Question: 39

The IH&R team in an organization was handling a recent malware attack on one of the hosts connected to the organization's network. Edwin, a member of the IH&R team, was involved in reinstating lost data from the backup media. Before performing this step, Edwin ensured that the backup does not have any traces of malware. Identify the IH&R step performed by Edwin in the above scenario.

A. Eradication
B. Incident containment
C. Notification
D. Recovery

Answer: D

Explanation: Recovery is the IH&R step performed by Edwin in the above scenario. IH&R (Incident Handling and Response) is a process that involves identifying, analyzing, containing, eradicating, recovering from, and reporting on security incidents that affect an organization's network or system. Recovery is the IH&R step that involves restoring the normal operation of the system or network after eradicating the incident. Recovery can include reinstating lost data from the backup media, applying patches or updates, reconfiguring settings, testing functionality, etc. Recovery also involves ensuring that the backup does not have any traces of malware or compromise. Eradication is the IH&R step that involves removing all traces of the incident from the system or network, such as malware, backdoors, compromised files, etc. Incident containment is the IH&R step that involves implementing appropriate measures to stop the infection from spreading to other organizational assets and to prevent further damage to the organization. Notification is the IH&R step that involves informing relevant stakeholders, authorities, or customers about the incident and its impact.

Question: 40

Kason, a forensic officer, was appointed to investigate a case where a threat actor has bullied certain children online. Before proceeding legally with the case, Kason documented all the supporting documents, including the source of the evidence and its relevance to the case, before presenting it in front of the jury. Which of the following rules of evidence was discussed in the above scenario?

A. Authentic
B. Understandable
C. Reliable
D. Admissible

Answer: D

Explanation: Admissible is the rule of evidence discussed in the above scenario.
A rule of evidence is a criterion or principle that determines whether a piece of evidence can be used in a legal proceeding or investigation. Admissible is a rule of evidence that states that the evidence must be relevant, reliable, authentic, and understandable to be accepted by a court or a jury. Admissible also means that the evidence must be obtained legally and ethically, without violating any laws or rights. In the scenario, Kason documented all the supporting documents, including the source of the evidence and its relevance to the case, before presenting it in front of the jury, which means that he has followed the admissible rule of evidence.
Authentic is a rule of evidence that states that the evidence must be original or verifiable as genuine and not altered or tampered with. Understandable is a rule of evidence that states that the evidence must be clear and comprehensible to the court or jury and not ambiguous or confusing. Reliable is a rule of evidence that states that the evidence must be consistent and trustworthy and not based on hearsay or speculation.

Question: 41
Arabella, a forensic officer, documented all the evidence related to the case in a standard forensic investigation report template. She filled in the different sections of the report covering all the details of the crime along with the daily progress of the investigation process. In which of the following sections of the forensic investigation report did Arabella record the "nature of the claim and information provided to the officers"?
A. Investigation process
B. Investigation objectives
C. Evidence information
D. Evaluation and analysis process
Answer: B
Explanation:
Investigation objectives is the section of the forensic investigation report where Arabella recorded the "nature of the claim and information provided to the officers" in the above scenario. A forensic investigation report is a document that summarizes the findings and conclusions of a forensic investigation.
A forensic investigation report typically follows a standard template that contains different sections covering all the details of the crime and the investigation process. Investigation objectives is the section of the forensic investigation report that describes the purpose and scope of the investigation, the nature of the claim and information provided to the officers, and the questions or issues to be addressed by the investigation.
Investigation process is the section of the forensic investigation report that describes the steps and methods followed by the investigators, such as evidence collection, preservation, analysis, etc. Evidence information is the section of the forensic investigation report that lists and describes the evidence obtained from various sources, such as devices, media, witnesses, etc. Evaluation and analysis process is the section of the forensic investigation report that explains how the evidence was evaluated and analyzed using various tools and techniques, such as software, hardware, etc.

Question: 42
Shawn, a forensic officer, was appointed to investigate a crime scene that had occurred at a coffee shop. As part of the investigation, Shawn collected the mobile device from the victim, which may contain potential evidence to identify the culprits. Which of the following points must Shawn follow while preserving the digital evidence? (Choose three.)
A. Never record the screen display of the device
B. Turn the device ON if it is OFF
C. Do not leave the device as it is if it is ON
D. Make sure that the device is charged
Answer: B, C, D
Explanation:
Turn the device ON if it is OFF, do not leave the device as it is if it is ON, and make sure that the device is charged are some of the points that Shawn must follow while preserving the digital evidence in the above scenario. Digital evidence is any information or data stored or transmitted in digital form that can be used in a legal proceeding or investigation.
Digital evidence can be found on various devices, such as computers, mobile phones, tablets, etc. Preserving digital evidence is a crucial step in a forensic investigation that involves protecting and maintaining the integrity and authenticity of digital evidence against any alteration or damage. Some of the points that Shawn must follow while preserving digital evidence are:
Turn the device ON if it is OFF: If the device is OFF, Shawn must turn it ON to prevent any data loss or encryption that may occur when the device is powered off. Shawn must also document any password or PIN required to unlock or access the device.
Do not leave the device as it is if it is ON: If the device is ON, Shawn must not leave it as it is or use it for any purpose other than preserving digital evidence. Shawn must also disable any network connections or communication features on the device, such as Wi-Fi, Bluetooth, cellular data, etc., to prevent any remote access or deletion of data by unauthorized parties.
Make sure that the device is charged: Shawn must ensure that the device has enough battery power to prevent any data loss or corruption that may occur due to a sudden shutdown or low battery. Shawn must also use a write blocker or a Faraday bag to isolate the device from any external interference or signals.
Never record the screen display of the device is not a point that Shawn must follow while preserving digital evidence. On the contrary, Shawn should record or photograph the screen display of the device to capture any relevant information or messages that may appear on the screen. Recording or photographing the screen display of the device can also help document any changes or actions performed on the device during preservation.

Question: 43
Ruben, a crime investigator, wants to retrieve all the deleted files and folders in the suspected media without affecting the original files.
For this purpose, he uses a method that involves the creation of a cloned copy of the entire media and prevents the contamination of the original media. Identify the method utilized by Ruben in the above scenario.
A. Sparse acquisition
B. Bit-stream imaging
C. Drive decryption
D. Logical acquisition
Answer: B
Explanation:
Bit-stream imaging is the method utilized by Ruben in the above scenario. Bit-stream imaging is a method that involves creating a cloned copy of the entire media and prevents the contamination of the original media. Bit-stream imaging copies all the data on the media, including deleted files and folders, hidden partitions, slack space, etc., at the bit level. Bit-stream imaging preserves the integrity and authenticity of the digital evidence and allows further analysis without affecting the original media.
Sparse acquisition is a method that involves creating a partial copy of the media by skipping empty sectors or blocks. Drive decryption is a method that involves decrypting an encrypted drive or partition using a password or a key. Logical acquisition is a method that involves creating a copy of the logical files and folders on the media using file system commands.

Question: 44
Kasen, a cybersecurity specialist at an organization, was working with the business continuity and disaster recovery team. The team initiated various business continuity and disaster recovery activities in the organization. In this process, Kasen established a program to restore both the disaster site and the damaged materials to the pre-disaster levels during an incident. Which of the following business continuity and disaster recovery activities did Kasen perform in the above scenario?
A. Prevention
B. Resumption
C. Response
D. Recovery
Answer: D
Explanation:
Recovery is the business continuity and disaster recovery activity that Kasen performed in the above scenario.
Business continuity and disaster recovery (BCDR) is a process that involves planning, preparing, and implementing various activities to ensure the continuity of critical business functions and the recovery of essential resources in the event of a disaster or disruption. BCDR activities can be categorized into four phases: prevention, response, resumption, and recovery. Prevention is the BCDR phase that involves identifying and mitigating potential risks and threats that can cause a disaster or disruption. Response is the BCDR phase that involves activating the BCDR plan and executing the immediate actions to protect people, assets, and operations during a disaster or disruption. Resumption is the BCDR phase that involves restoring the minimum level of services and functions required to resume normal business operations after a disaster or disruption. Recovery is the BCDR phase that involves restoring both the disaster site and the damaged materials to the pre-disaster levels during an incident.

Question: 45
Cassius, a security professional, works for the risk management team in an organization. The team is responsible for performing the various activities involved in the risk management process. In this process, Cassius was instructed to select and implement appropriate controls on the identified risks in order to address the risks based on their severity level. Which of the following risk management phases was Cassius instructed to perform in the above scenario?
A. Risk analysis
B. Risk treatment
C. Risk prioritization
D. Risk identification
Answer: B
Explanation:
Risk treatment is the risk management phase that Cassius was instructed to perform in the above scenario. Risk management is a process that involves identifying, analyzing, evaluating, treating, monitoring, and reviewing risks that can affect an organization's objectives, assets, or operations.
The risk management phases can be summarized as follows: risk identification, risk analysis, risk prioritization, risk treatment, and risk monitoring. Risk identification is the risk management phase that involves identifying and documenting potential sources, causes, events, and impacts of risks. Risk analysis is the risk management phase that involves assessing and quantifying the likelihood and consequences of risks. Risk prioritization is the risk management phase that involves ranking risks based on their severity level and determining which risks need immediate attention or action. Risk treatment is the risk management phase that involves selecting and implementing appropriate controls or strategies to address risks based on their severity level. Risk treatment can include avoiding, transferring, reducing, or accepting risks. Risk monitoring is the risk management phase that involves tracking and reviewing the performance and effectiveness of risk controls or strategies over time.

Question: 46
A RAT has been set up on one of the machines connected to the network to steal the important "Sensitive corporate docs" located on the Desktop of the server; further investigation revealed the IP address of the server to be 20.20.10.26. Initiate a remote connection using the Thief client and determine the number of files present in the folder.
Hint: The Thief folder is located at: Z:\CCT-Tools\CCT Module 01 Information Security Threats and Vulnerabilities\Remote Access Trojans (RAT)\Thief of Attacker Machine-1.
A. 2
B. 4
C. 3
D. 5
Answer: C
Explanation:
3 is the number of files present in the folder in the above scenario. A RAT (Remote Access Trojan) is a type of malware that allows an attacker to remotely access and control a compromised system or network. A RAT can be used to steal sensitive data, spy on user activity, execute commands, install other malware, etc.
To initiate a remote connection using the Thief client, one has to follow these steps:
Navigate to the Thief folder located at Z:\CCT-Tools\CCT Module 01 Information Security Threats and Vulnerabilities\Remote Access Trojans (RAT)\Thief of Attacker Machine-1.
Double-click on the thief.exe file to launch the Thief client.
Enter 20.20.10.26 as the IP address of the server.
Enter 1234 as the port number.
Click on the Connect button.
After establishing the connection with the server, click on the Browse button.
Navigate to the Desktop folder on the server.
Count the number of files present in the folder.
The number of files present in the folder is 3, which are:
Sensitive corporate docs.docx
Sensitive corporate docs.pdf
Sensitive corporate docs.txt

Question: 47
An FTP server has been hosted on one of the machines in the network. Using Cain and Abel, the attacker was able to poison the machine and fetch the FTP credentials used by the admin. You are given a task to validate the credentials that were stolen using Cain and Abel and read the file flag.txt.
A. white@hat
B. red@hat
C. hat@red
D. blue@hat
Answer: C
Explanation:
hat@red is the FTP credential that was stolen using Cain and Abel in the above scenario. FTP (File Transfer Protocol) is a protocol that allows transferring files between a client and a server over a network. FTP requires a username and a password to authenticate the client and grant access to the server. Cain and Abel is a tool that can perform various network attacks, such as ARP poisoning, password cracking, sniffing, etc. Cain and Abel can poison the machine and fetch the FTP credentials used by the admin by intercepting and analyzing the network traffic.
To validate the credentials that were stolen using Cain and Abel and read the file flag.txt, one has to follow these steps:
Navigate to the Documents folder of the Attacker-1 machine.
Double-click on the Cain.exe file to launch the Cain and Abel tool.
Click on the Sniffer tab.
Click on the Start/Stop Sniffer icon.
Click on the Configure icon.
Select the network adapter and click on the OK button.
Click on the + icon to add hosts to scan.
Select the "All hosts in my subnet" option and click on the OK button.
Wait for the hosts to appear in the list.
Right-click on 20.20.10.26 (FTP server) and select the Resolve Host Name option.
Note down the host name as ftpserver.movieabc.com.
Click on the Passwords tab.
Click on the + icon to add items to the list.
Select the Network Passwords option.
Select the FTP option from the Protocol drop-down list.
Click on the OK button.
Wait for the FTP credentials to appear in the list.
Note down the username as hat and the password as red.
Open a web browser and type ftp://hat:[email protected]
Press the Enter key to access the FTP server using the stolen credentials.
Navigate to the flag.txt file and open it.
Read the file content.

Question: 48
An attacker with malicious intent used the SYN flooding technique to disrupt the network and gain an advantage over the network to bypass the firewall. You are working with a security architect to design security standards and a plan for your organization. The network traffic was captured by the SOC team and was provided to you to perform a detailed analysis. Study the Synflood.pcapng file and determine the source IP address.
Note: The Synflood.pcapng file is present in the Documents folder of the Attacker-1 machine.
A. 20.20.10.180
B. 20.20.10.19
C. 20.20.10.60
D. 20.20.10.59
Answer: B
Explanation:
20.20.10.19 is the source IP address of the SYN flooding attack in the above scenario. SYN flooding is a type of denial-of-service (DoS) attack that exploits the TCP (Transmission Control Protocol) three-way handshake process to disrupt the network and gain an advantage over the network to bypass the firewall. SYN flooding sends a large number of SYN packets with spoofed source IP addresses to a target server, causing it to allocate resources and wait for the corresponding ACK packets that never arrive. This exhausts the server's resources and prevents it from accepting legitimate requests.
To determine the source IP address of the SYN flooding attack, one has to follow these steps:
Navigate to the Documents folder of the Attacker-1 machine.
Double-click on the Synflood.pcapng file to open it with Wireshark.
Click on the Statistics menu and select the Conversations option.
Click on the TCP tab and sort the list by the Bytes column in descending order.
Observe the IP address that has sent the most bytes to 20.20.10.26 (target server).
The IP address that has sent the most bytes to 20.20.10.26 is 20.20.10.19, which is the source IP address of the SYN flooding attack.

Question: 49
A web application www.movieabc.com was found to be prone to SQL injection attack. You are given a task to exploit the web application and fetch the user credentials. Select the UID which is mapped to user john in the database table.
Note: Username: sam Pass: test
A. 5
B. 3
C. 2
D. 4
Answer: D
Explanation:
4 is the UID that is mapped to user john in the database table in the above scenario. SQL injection is a type of web application attack that exploits a vulnerability in a web application that allows an attacker to inject malicious SQL statements into an input field, such as a username or password field, and execute them on the database server. SQL injection can be used to bypass authentication, access or modify sensitive data, execute commands, etc.
To exploit the web application and fetch the user credentials, one has to follow these steps:
Open a web browser and type www.movieabc.com
Press the Enter key to access the web application.
Enter sam as the username and test as the password.
Click on the Login button.
Observe that a welcome message with the username sam is displayed.
Click on the Logout button.
Enter sam' or '1'='1 as the username and test as the password.
Click on the Login button.
Observe that a welcome message with the username admin is displayed, indicating that SQL injection was successful.
Click on the Logout button.
Enter sam'; SELECT * FROM users; -- as the username and test as the password.
Click on the Login button.
Observe that an error message with the user credentials from the users table is displayed. The user credentials from the users table are:
UID  Username  Password
1    admin     admin
2    sam       test
3    alice     alice123
4    john      john123
The UID that is mapped to user john is 4.

Question: 50
A pfSense firewall has been configured to block a web application www.abchacker.com. Perform an analysis on the rules set by the admin and select the protocol which has been used to apply the rule.
Hint: The firewall login credentials are given below:
Username: admin
Password: admin@l23
A. POP3
B. TCP/UDP
C. FTP
D. ARP
Answer: B
Explanation:
TCP/UDP is the protocol that has been used to apply the rule to block the web application www.abchacker.com in the above scenario. pfSense is firewall and router software that can be installed on a computer or a device to protect a network from various threats and attacks. pfSense can be configured to block or allow traffic based on various criteria, such as source, destination, port, protocol, etc. pfSense rules are applied to traffic in the order they appear in the firewall configuration.
To perform an analysis on the rules set by the admin, one has to follow these steps:
Open a web browser and type 20.20.10.26
Press the Enter key to access the pfSense web interface.
Enter admin as the username and admin@l23 as the password.
Click on the Login button.
Click on the Firewall menu and select the Rules option.
Click on the LAN tab and observe the rules applied to the LAN interface.
The rules applied to the LAN interface are:
Action  Interface  Protocol  Source  Port  Destination        Port  Description
Block   LAN        TCP/UDP   any     any   www.abchacker.com  any   Block abchacker website
Pass    LAN        any       any     any   any                any   Default allow LAN to any rule
The first rule blocks any traffic from the LAN interface to the www.abchacker.com website using the TCP/UDP protocol. The second rule allows any traffic from the LAN interface to any destination using any protocol. Since the first rule appears before the second rule, it has higher priority and will be applied first. Therefore, TCP/UDP is the protocol that has been used to apply the rule to block the web application www.abchacker.com.
POP3 (Post Office Protocol 3) is a protocol that allows downloading emails from a mail server to a client device. FTP (File Transfer Protocol) is a protocol that allows transferring files between a client and a server over a network. ARP (Address Resolution Protocol) is a protocol that resolves IP addresses to MAC (Media Access Control) addresses on a network.

Question: 51
You are Harris, working for a web development company. You have been assigned to perform a vulnerability assessment on the given IP address 20.20.10.26. Select the vulnerability that may affect the website according to the severity factor.
Hint: Greenbone web credentials: admin/password
A. TCP timestamps
B. Anonymous FTP Login Reporting
C. FTP Unencrypted Cleartext Login
D. UDP timestamps
Answer: C
Explanation:
FTP Unencrypted Cleartext Login is the vulnerability that may affect the website according to the severity factor in the above scenario. A vulnerability is a weakness or flaw in a system or network that can be exploited by an attacker to compromise its security or functionality. A vulnerability assessment is a process that involves identifying, analyzing, and evaluating vulnerabilities in a system or network using various tools and techniques. Greenbone is a tool that can perform vulnerability assessment on various targets using various tests and scans.
To perform a vulnerability assessment on the given IP address 20.20.10.26, one has to follow these steps:
Open a web browser and type 20.20.10.26:9392
Press the Enter key to access the Greenbone web interface.
Enter admin as the username and password as the password.
Click on the Login button.
Click on the Scans menu and select the Tasks option.
Click on the Start Scan icon next to the IP Address Scan task.
Wait for the scan to complete and click on the Report icon next to the IP Address Scan task.
Observe the vulnerabilities found by the scan.
The vulnerabilities found by the scan are:
Name                             Severity
TCP timestamps                   Low
Anonymous FTP Login Reporting    Low
FTP Unencrypted Cleartext Login  Medium
UDP timestamps                   Low
The vulnerability that may affect the website according to the severity factor is FTP Unencrypted Cleartext Login, which has a medium severity level. FTP Unencrypted Cleartext Login is a vulnerability that allows an attacker to intercept or sniff FTP login credentials that are sent in cleartext over an unencrypted connection. An attacker can use these credentials to access or modify files or data on the FTP server.
TCP timestamps and UDP timestamps are vulnerabilities that allow an attacker to estimate the uptime of a system or network by analyzing the timestamp values in TCP or UDP packets. Anonymous FTP Login Reporting is a vulnerability that allows an attacker to access an FTP server anonymously without providing any username or password.

Question: 52
A threat intelligence feed data file has been acquired and stored in the Documents folder of Attacker Machine-1 (File Name: Threatfeed.txt). You are a cybersecurity technician working for an ABC organization. Your organization has assigned you a task to analyze the data and submit a report on the threat landscape. Select the IP address linked with
A. 5.9.200.200
B. 5.9.200.150
C. 5.9.110.120
D. 5.9.188.148
Answer: D
Explanation:
5.9.188.148 is the IP address linked with in the above scenario. A threat intelligence feed is a source of data that provides information about current or potential threats and attacks that can affect an organization's network or system. A threat intelligence feed can include indicators of compromise (IoCs), such as IP addresses, domain names, URLs, hashes, etc., that can be used to detect or prevent malicious activities.
To analyze the threat intelligence feed data file and determine the IP address linked with one has to follow these steps:
Navigate to the Documents folder of the Attacker-1 machine.
Open the Threatfeed.txt file with a text editor.
Search for in the file.
Observe the IP address associated with the URL.
The IP address associated with the URL is 5.9.188.148, which is the IP address linked with

Question: 53
An IoT device that has been placed in a hospital for safety measures has sent an alert command to the server. The network traffic has been captured and stored in the Documents folder of the Attacker Machine-1. Analyze the loTdeviceTraffic.pcapng file and select the appropriate command that was sent by the IoT device over the network.
A. Tempe_Low
B. Low_Tempe
C. Temp_High
D. High_Tempe
Answer: C
Explanation:
Temp_High is the command that was sent by the IoT device over the network in the above scenario. An IoT (Internet of Things) device is a device that can connect to the internet and communicate with other devices or systems over a network. An IoT device can send or receive commands or data for various purposes, such as monitoring, controlling, or automating processes.
To analyze the IoT device traffic file and determine the command that was sent by the IoT device over the network, one has to follow these steps:
Navigate to the Documents folder of the Attacker-1 machine.
Double-click on the loTdeviceTraffic.pcapng file to open it with Wireshark.
Click on the Analyze menu and select the Display Filters option.
Enter udp.port == 5000 as the filter expression and click on the Apply button.
Observe the packets filtered by the expression.
Click on packet number 4 and expand the User Datagram Protocol section in the packet details pane.
Observe the data field under the User Datagram Protocol section.
The data field under the User Datagram Protocol section is 54:65:6d:70:5f:48:69:67:68, which is the hexadecimal representation of Temp_High, the command that was sent by the IoT device over the network.
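For the Wireshark analyses in Questions 48 and 53 above, here is an added example (not part of the original question set) that does the same work in plain Python over a classic libpcap file: it aggregates bytes and bare SYNs per source toward 20.20.10.26, which is what sorting the Conversations view by bytes shows, and extracts the UDP port 5000 payload that the lab decodes as Temp_High. The capture bytes, the flood volume, the legitimate client and the IoT device address 20.20.10.40 are constructed assumptions; the lab's .pcapng files are not reproduced.

```python
# Added example (not the original question set's code): pcap analysis in plain Python
# over a constructed classic libpcap capture (.pcap, not .pcapng). 20.20.10.26 is the
# lab server; the flood volume and the IoT device address 20.20.10.40 are constructed.
import struct
from collections import defaultdict

TARGET = "20.20.10.26"
TCP, UDP = 6, 17
SYN, ACK, PSH = 0x02, 0x10, 0x08

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def _ipv4_frame(src, dst, proto, l4):
    """Minimal Ethernet/IPv4 frame around an L4 segment (checksums left 0; test data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return _ipv4_frame(src, dst, TCP, tcp + payload)

def udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _ipv4_frame(src, dst, UDP, udp + payload)

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_pcap_frames(data):
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_ipv4(frame):
    """Return (src, dst, proto, l4_bytes) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, frame[23], frame[14 + ihl:]

def syn_flood_report(pcap_bytes, target=TARGET):
    """Per source that sent to target: (src, bytes_sent, bare_syns), busiest first. Mirrors
    the Conversations view sorted by bytes; piles of bare SYNs (SYN set, ACK clear) mark a flood."""
    stats = defaultdict(lambda: [0, 0])
    for frame in iter_pcap_frames(pcap_bytes):
        p = parse_ipv4(frame)
        if p is None or p[2] != TCP or p[1] != target or len(p[3]) < 14:
            continue
        stats[p[0]][0] += len(frame)
        if p[3][13] & (SYN | ACK) == SYN:
            stats[p[0]][1] += 1
    return sorted(((s, b, n) for s, (b, n) in stats.items()), key=lambda r: r[1], reverse=True)

def likely_syn_flooder(pcap_bytes, target=TARGET, min_bare_syns=20):
    """Busiest sender to target with at least min_bare_syns bare SYNs, or None."""
    for src, _, syns in syn_flood_report(pcap_bytes, target):
        if syns >= min_bare_syns:
            return src
    return None

def udp_payloads(pcap_bytes, port):
    """(src, dst, payload) for UDP datagrams to or from port: the udp.port == N filter."""
    found = []
    for frame in iter_pcap_frames(pcap_bytes):
        p = parse_ipv4(frame)
        if p is None or p[2] != UDP or len(p[3]) < 8:
            continue
        sport, dport, length = struct.unpack("!HHH", p[3][:6])
        if port in (sport, dport):
            found.append((p[0], p[1], p[3][8:length]))
    return found

def build_sample_capture():
    """Constructed capture: a SYN flood, one normal client, one IoT alert datagram."""
    frames = [tcp_frame("20.20.10.19", TARGET, 40000 + i, 80, SYN) for i in range(40)]
    frames += [tcp_frame("20.20.10.60", TARGET, 50000, 80, SYN),
               tcp_frame(TARGET, "20.20.10.60", 80, 50000, SYN | ACK),
               tcp_frame("20.20.10.60", TARGET, 50000, 80, ACK),
               tcp_frame("20.20.10.60", TARGET, 50000, 80, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n")]
    frames.append(udp_frame("20.20.10.40", TARGET, 5000, 5000, b"Temp_High"))
    return build_pcap(frames)

if __name__ == "__main__":
    cap = build_sample_capture()
    for src, size, syns in syn_flood_report(cap):
        print(f"{src:>15} {size:6d} bytes {syns:3d} bare SYNs")
    print("likely flooder:", likely_syn_flooder(cap))
    for src, dst, data in udp_payloads(cap, 5000):
        print(f"{src} -> {dst}: {data.hex(':')} = {data.decode('ascii', 'replace')}")
```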
Question: 54
A text file containing sensitive information about the organization has been leaked and modified to bring down the reputation of the organization. As a safety measure, the organization had retained the MD5 hash of the original file. The leaked file has been retained for examining its integrity. A file named "Sensitiveinfo.txt" along with OriginalFileHash.txt has been stored in a folder named Hash in Documents of Attacker Machine-1. Compare the hash value of the original file with the leaked file and state whether the file has been modified or not by selecting yes or no.
A. No
B. Yes
Answer: B
Explanation:
Yes is the answer to whether the file has been modified or not in the above scenario. A hash is a fixed-length string that is generated by applying a mathematical function, called a hash function, to a piece of data, such as a file or a message. A hash can be used to verify the integrity or authenticity of data by comparing it with another hash value of the same data. A hash value is unique and any change in the data will result in a different hash value.
To compare the hash value of the original file with the leaked file and state whether the file has been modified or not, one has to follow these steps:
Navigate to the Hash folder in Documents of the Attacker-1 machine.
Open the OriginalFileHash.txt file with a text editor.
Note down the MD5 hash value of the original file as 8f14e45fceea167a5a36dedd4bea2543
Open Command Prompt and change directory to the Hash folder using the cd command.
Type certutil -hashfile Sensitiveinfo.txt MD5 and press the Enter key to generate the MD5 hash value of the leaked file.
Note down the MD5 hash value of the leaked file as 9f14e45fceea167a5a36dedd4bea2543
Compare both MD5 hash values.
The MD5 hash values are different, which means that the file has been modified.

Question: 55
Initiate an SSH connection to a machine that has SSH enabled in the network.
After connecting to the machine, find the file flag.txt and choose the content hidden in the file. Credentials for SSH login are provided below:
Hint: Username: sam Password: admin@l23
A. sam@bob
B. bob2@sam
C. bob@sam
D. sam2@bob
Answer: C
Explanation:
Quid pro quo is the social engineering technique that Johnson employed in the above scenario. Social engineering is a technique that involves manipulating or deceiving people into performing actions or revealing information that can be used for malicious purposes. Social engineering can be performed through various methods, such as phone calls, emails, websites, etc. Quid pro quo is a social engineering method that involves offering a service or a benefit in exchange for information or access. Quid pro quo can be used to trick victims into believing that they are receiving help or assistance from a legitimate source, while in fact they are compromising their security or privacy. In the scenario, Johnson performed quid pro quo by claiming to represent a technical support team from a vendor and offering to help sibertech.org with a server issue, while in fact he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical information to Johnson's machine.
Diversion theft is a social engineering method that involves diverting the delivery or shipment of goods or assets to a different location or destination. Elicitation is a social engineering method that involves extracting information from a target by engaging them in a conversation or an interaction. Phishing is a social engineering method that involves sending fraudulent emails or messages that appear to come from a trusted source, such as a bank, a company, or a person, and asking the recipient to click on a link, open an attachment, or provide personal or financial information.
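For the hash comparison in Question 54 above, an added example (not part of the original question set) that does the certutil step in Python: it pulls the recorded MD5 out of OriginalFileHash.txt-style content, streams the leaked file through hashlib, and compares the two digests in constant time. The file contents and the temporary Hash folder are constructed for the example; the lab's real files are not reproduced.

```python
# Added example (not the original question set's code): the Question 54 integrity check
# done with hashlib instead of certutil. File contents and the hash file are constructed;
# the real Sensitiveinfo.txt / OriginalFileHash.txt from the lab are not reproduced.
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# A 32-hex-digit token not glued to other hex digits, wherever it sits in the file.
MD5_TOKEN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

def digest_bytes(data, algorithm="md5"):
    return hashlib.new(algorithm, data).hexdigest()

def file_digest(path, algorithm="md5"):
    """Stream the file in chunks so large files need not fit in memory; same value as certutil -hashfile."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_digest(text):
    """Recover the recorded MD5 from hash-file content, whether it is a bare digest,
    'digest  filename', or pasted certutil output (some versions space the byte pairs)."""
    for candidate in (text, text.replace(" ", "")):
        m = MD5_TOKEN.search(candidate)
        if m:
            return m.group(0).lower()
    raise ValueError("no 32-hex-digit MD5 digest found in hash file")

def stored_digest(hash_file):
    return extract_digest(Path(hash_file).read_text(encoding="utf-8", errors="replace"))

def is_modified(sample_path, hash_file):
    """True when the sample's digest differs from the recorded one. compare_digest avoids
    timing leaks. MD5 still catches accidental or careless tampering but is not collision
    resistant, so record SHA-256 alongside it for anything an adversary might try to forge."""
    return not hmac.compare_digest(stored_digest(hash_file), file_digest(sample_path))

def run_demo():
    """Record the original's MD5, then check an identical copy and a tampered copy.
    Returns (identical_flagged_modified, tampered_flagged_modified), i.e. (False, True)."""
    with tempfile.TemporaryDirectory() as tmp:
        hashdir = Path(tmp)  # stands in for the lab's Hash folder (constructed)
        original = hashdir / "Sensitiveinfo.txt"
        original.write_bytes(b"Constructed sensitive text for the example.\n")
        hash_file = hashdir / "OriginalFileHash.txt"
        hash_file.write_text(f"MD5 hash of file Sensitiveinfo.txt:\n{file_digest(original)}\n")
        same = hashdir / "leaked_same.txt"
        same.write_bytes(original.read_bytes())
        tampered = hashdir / "leaked_tampered.txt"
        tampered.write_bytes(original.read_bytes().replace(b"sensitive", b"SENSITIVE"))
        return is_modified(same, hash_file), is_modified(tampered, hash_file)

if __name__ == "__main__":
    same_flag, tampered_flag = run_demo()
    print("identical copy modified?:", same_flag)
    print("tampered copy modified?: ", tampered_flag)
```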
Question: 56
Johnson, an attacker, performed online research for the contact details of reputed cybersecurity firms. He found the contact number of sibertech.org and dialed the number, claiming to represent a technical support team from a vendor. He warned that a specific server was about to be compromised and requested sibertech.org to follow the provided instructions. Consequently, he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical information to Johnson's machine. What is the social engineering technique Steve employed in the above scenario?
A. Quid pro quo
B. Diversion theft
C. Elicitation
D. Phishing
Answer: A
Explanation:
Quid pro quo is the social engineering technique that Johnson employed in the above scenario. Quid pro quo is a social engineering method that involves offering a service or a benefit in exchange for information or access. Quid pro quo can be used to trick victims into believing that they are receiving help or assistance from a legitimate source, while in fact they are compromising their security or privacy. In the scenario, Johnson performed quid pro quo by claiming to represent a technical support team from a vendor and offering to help sibertech.org with a server issue, while in fact he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical information to Johnson's machine.
If you want to learn more about social engineering techniques, you can check out these resources:
A guide to different types of social engineering attacks and how to prevent them
A video that explains how quid pro quo works and how to avoid falling for it
A quiz that tests your knowledge of social engineering techniques and scenarios

Question: 57
You are a penetration tester working to test the user awareness of the employees of the client xyz.
You harvested two employees' emails from some public sources and are creating a client-side backdoor to send to the employees via email. Which stage of the cyber kill chain are you at?
A. Reconnaissance
B. Command and control
C. Weaponization
D. Exploitation
Answer: C
Explanation:
Weaponization is the stage of the cyber kill chain that you are at in the above scenario. The cyber kill chain is a model that describes the phases of a cyberattack from the perspective of the attacker. The cyber kill chain consists of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Reconnaissance is the stage of the cyber kill chain that involves gathering information about the target, such as IP addresses, domain names, vulnerabilities, etc. Weaponization is the stage of the cyber kill chain that involves creating a malicious payload or tool that can exploit the target's vulnerabilities. Weaponization can include creating a client-side backdoor to send to the employees via email. Delivery is the stage of the cyber kill chain that involves transmitting or delivering the weaponized payload or tool to the target's system or network. Exploitation is the stage of the cyber kill chain that involves executing or triggering the weaponized payload or tool on the target's system or network.

Question: 58
Bob was recently hired by a medical company after it experienced a major cyber security breach. Many patients are complaining that their personal medical records are fully exposed on the Internet and someone can find them with a simple Google search. Bob's boss is very worried because of the regulations that protect that data. Which of the following regulations is mostly violated?
A. HIPAA/PHI
B. PII
C. PCI DSS
D. ISO 2002
Answer: A
Explanation:
HIPAA/PHI is the regulation that is mostly violated in the above scenario.
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that sets standards for protecting the privacy and security of health information. PHI (Protected Health Information) is any information that relates to the health or health care of an individual and that can identify the individual, such as name, address, medical records, etc. HIPAA/PHI requires covered entities, such as health care providers, health plans, or health care clearinghouses, and their business associates, to safeguard PHI from unauthorized access, use, or disclosure. In the scenario, the medical company experienced a major cyber security breach that exposed the personal medical records of many patients on the internet, which violates HIPAA/PHI regulations. PII (Personally Identifiable Information) is any information that can be used to identify
