What SCAP component provides a language for specifying checklists?


SCAP uses open specifications and each is known as a SCAP Component. I wanted to highlight the components and provide some reference material. In a follow-up article we will look at tools that utilize the SCAP content for Compliance and Assessments.

NIST (National Institute of Standards and Technology) produces the Technical Specification for the Security Content Automation Protocol (SCAP) in Special Publication 800-126 revision 2 for SCAP version 1.2. The publication defines the technical composition of SCAP version 1.2 in terms of its component specifications, their interrelationships and interoperation, and the requirements for SCAP content. SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. It is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.

SCAP has two major elements. First, it is a protocol—a suite of open specifications that standardize the format and nomenclature by which software communicates information about software flaws and security configurations. Each specification is also known as an SCAP component. Second, SCAP includes software flaw and security configuration standardized reference data, also known as SCAP content.  SCAP has several uses, including automating checks for known vulnerabilities, automating the verification of security configuration settings, and generating reports that link low-level settings to high-level requirements.

SCAP version 1.2 is comprised of eleven component specifications in five categories:

Languages

The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results. The SCAP language specifications are:

  •  Extensible Configuration Checklist Description Format (XCCDF) - an XML format specifying security checklists, benchmarks and configuration documentation. (http://scap.nist.gov/specifications/xccdf/index.html)

  • Open Vulnerability and Assessment Language (OVAL®) - an XML-based language that provides a standard for how to check for the presence of vulnerabilities and configuration issues on computer systems. (http://oval.mitre.org/)

  • Open Checklist Interactive Language (OCIL™) - defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. (http://scap.nist.gov/specifications/ocil/)

Reporting formats

The SCAP reporting formats provide the necessary constructs to express collected information in standardized formats. The SCAP reporting format specifications are:

  • Asset Reporting Format (ARF) -  a data model to express the transport format of information about assets, and the relationships between assets and reports.  (http://scap.nist.gov/specifications/arf/)

  • Asset Identification - provides the necessary constructs to uniquely identify assets based on known identifiers and/or known information about the assets. This specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a number of known use cases for asset identification.  (http://scap.nist.gov/specifications/ai/)

Although Asset Identification is not explicitly a reporting format, SCAP uses it as a key component in identifying the assets that reports relate to.

Enumerations

Each SCAP enumeration defines a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature. The SCAP enumeration specifications are:

  • Common Platform Enumeration (CPE™) - a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.   (http://scap.nist.gov/specifications/cpe/)

  • Common Configuration Enumeration (CCE™) - provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice. (https://nvd.nist.gov/cce)

  • Common Vulnerabilities and Exposures (CVE®) - a dictionary of publicly known information security vulnerabilities and exposures. (http://cve.mitre.org/)

Measurement and scoring systems

In SCAP this refers to evaluating specific characteristics of a security weakness (for example, software vulnerabilities and security configuration issues) and, based on those characteristics, generating a score that reflects their relative severity. The SCAP measurement and scoring system specifications are:

  • Common Vulnerability Scoring System (CVSS) - CVSS version 3 sets out to provide a robust and useful scoring system for IT vulnerabilities that is fit for the future. Its development has been overseen by the CVSS Special Interest Group (SIG) with input from representatives of a broad range of industry sectors, from banking and finance to technology and academia. (http://www.first.org/cvss)

  • Common Configuration Scoring System (CCSS) - Metrics are organized into three groups: base, temporal, and environmental. Base metrics describe the characteristics of a configuration issue that are constant over time and across user environments. Temporal metrics describe the characteristics of configuration issues that can change over time but remain constant across user environments. Environmental metrics are used to customize the base and temporal scores based on the characteristics of a specific user environment. (http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7502)

Integrity

An SCAP integrity specification helps to preserve the integrity of SCAP content and results. Trust Model for Security Automation Data (TMSAD) is the SCAP integrity specification. (http://scap.nist.gov/specifications/tmsad/)
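The following Python is an added, constructed example (not part of the original article or of any NIST data stream) showing how the components above fit together in a single XCCDF 1.2 benchmark: the benchmark names a CPE platform, each Rule carries a CCE ident and a check that references an OVAL definition, a Profile selects which rules apply, and OVAL results are mapped back onto rule pass/fail verdicts. The benchmark text, rule ids, CCE numbers and OVAL definition ids are placeholders; the namespace URIs are the real XCCDF, OVAL and CCE ones.

```python
"""Parse a minimal XCCDF 1.2 benchmark and map OVAL results onto its rules."""
import xml.etree.ElementTree as ET

# Real namespace/system identifiers used by XCCDF, OVAL and CCE.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_CHECK_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
CCE_SYSTEM = "http://cce.mitre.org"
NS = {"xccdf": XCCDF_NS}

# Constructed sample benchmark; all ids, CCE numbers and OVAL definition
# ids are placeholders, not values from any published checklist.
SAMPLE_BENCHMARK = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <status date="2020-01-01">draft</status>
  <title>Sample server hardening checklist</title>
  <platform idref="cpe:2.3:o:example:server_os:1.0:*:*:*:*:*:*:*"/>
  <version>0.1</version>
  <Profile id="xccdf_example_profile_baseline">
    <title>Baseline</title>
    <select idref="xccdf_example_rule_ssh_root_login" selected="true"/>
    <select idref="xccdf_example_rule_password_min_length" selected="false"/>
  </Profile>
  <Group id="xccdf_example_group_ssh">
    <title>SSH</title>
    <Rule id="xccdf_example_rule_ssh_root_login" severity="high">
      <title>Disable direct root login over SSH</title>
      <ident system="{CCE_SYSTEM}">CCE-00000-0</ident>
      <check system="{OVAL_CHECK_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
  </Group>
  <Rule id="xccdf_example_rule_password_min_length" severity="medium">
    <title>Minimum password length</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-1</ident>
    <check system="{OVAL_CHECK_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>
"""


def parse_benchmark(xml_text):
    """Return platforms (CPE names), profiles (selected rule ids) and rules
    (title, severity, CCE idents, OVAL definition references)."""
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall("xccdf:platform", NS)]

    profiles = {}
    for prof in root.findall("xccdf:Profile", NS):
        profiles[prof.get("id")] = [
            s.get("idref")
            for s in prof.findall("xccdf:select", NS)
            if s.get("selected") == "true"
        ]

    rules = {}
    # iter() walks the whole tree, so rules nested in Groups are found too.
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        cce = [i.text for i in rule.findall("xccdf:ident", NS)
               if i.get("system") == CCE_SYSTEM]
        oval_refs = []
        for chk in rule.findall("xccdf:check", NS):
            if chk.get("system") != OVAL_CHECK_SYSTEM:
                continue  # OCIL or other check systems are out of scope here
            for ref in chk.findall("xccdf:check-content-ref", NS):
                oval_refs.append((ref.get("href"), ref.get("name")))
        rules[rule.get("id")] = {
            "title": rule.findtext("xccdf:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            "cce": cce,
            "oval": oval_refs,
        }
    return {"platforms": platforms, "profiles": profiles, "rules": rules}


def evaluate_profile(benchmark, profile_id, oval_results):
    """Map OVAL definition results ({definition id: "true"/"false"}) onto the
    rules a profile selects. A rule passes only when every OVAL definition
    its check references evaluated true; a missing result is 'unknown'."""
    verdicts = {}
    for rule_id in benchmark["profiles"][profile_id]:
        results = [oval_results.get(name) for _, name in benchmark["rules"][rule_id]["oval"]]
        if not results or any(r is None for r in results):
            verdicts[rule_id] = "unknown"
        elif all(r == "true" for r in results):
            verdicts[rule_id] = "pass"
        else:
            verdicts[rule_id] = "fail"
    return verdicts


if __name__ == "__main__":
    bench = parse_benchmark(SAMPLE_BENCHMARK)
    # Constructed OVAL result: definition 1 evaluated false on the target.
    print(evaluate_profile(bench, "xccdf_example_profile_baseline",
                           {"oval:example:def:1": "false"}))
```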

References:

Some of the content is pulled from The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2.

  • http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf

  • http://csrc.nist.gov/publications/nistpubs/800-117/sp800-117.pdf


Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website showing pop-up messages asking for passwords. At the same time, there have been more compromised user accounts. What type of attack is most likely the cause of these events?

Options are :

  • SQL injection
  • Cross-site scripting
  • Cross-site request forgery
  • Rootkit

Answer : Cross-site scripting

Explanation The best answer is cross-site scripting. This scenario is textbook for a cross-site scripting attack. The HTML code doesn't perform input validation to remove scripts from that code, so the attacker can create a popup window that collects passwords and uses that information to compromise accounts.

When unable to implement a required control, administrators may choose to make up for the gap by implementing a ____________.

Options are :

  • Compensating control
  • Vulnerability
  • Remediation
  • Policy

Answer : Compensating control

Explanation Compensating controls seek to achieve the same objective as a control that the organization is unable to implement for some reason.

220-701 A+ Essentials Certification Practice Exam Set 11

Options are :

  • Added the system to the allowed hosts file
  • Routed traffic for the example.com domain to the local host
  • Routed local host traffic to example.com
  • Overwritten the host file and deleted all data except this entry

Answer : Routed traffic for the example.com domain to the local host

Explanation The best option is that he routed traffic for the example.com domain to his local host. This is typically done to prevent a system from communicating with a malicious host or domain as well as preventing a user who lacks technical abilities to visit specific sites or domains.

Of all options listed below, which of the following is not typically included in the rules of engagement for a penetration test?

Options are :

  • Timing
  • Authorization
  • Scope
  • Authorized tools

Answer : Authorized tools

Explanation The best answer listed here, for which item is NOT typically listed in the rules of engagement, is authorized tools. The rules of engagement typically list the timing, the authorization, and the scope of what can be used as well as what's not allowed. Some rules of engagement may list authorized tools, but that's not a common practice.

Jamie has completed the scoping document for a penetration test. The document includes the details of what tools, techniques, and targets are included in the test. What's the next step?

Options are :

  • Port scan the target.
  • Get sign-off on the document.
  • Begin passive fingerprinting.
  • Notify local law enforcement.

Answer : Get sign-off on the document.

Explanation The best answer is to get sign-off on the document. While she may want to start immediately, she needs to go through the proper channels and get sign-off on the scope, timing, and effort that the test requires.

CompTIA CTT+ Essentials Practice Test Certification Set 10

Options are :

  • It's being treated like a DDoS attack
  • It's scanning a CDN-hosted copy of the site
  • It will not return useful information
  • Nothing can be determined about this site with this information

Answer : It's scanning a CDN-hosted copy of the site

Explanation Cloudflare is a distributed CDN service. The site's content is served from the CDN, and not all of the information Amy is seeking is available from the CDN, so scanning a copy of the site won't produce all of the information she's seeking.

Rhonda is responsible for the design of data center and networks at her organization. She wants to establish a secure zone and a DMZ. If she wants to verify that user accounts and systems traffic in the DMZ can be logged while preventing negative impacts from infected workstations, which is the best design solution?

Options are :

  • Administrative virtual machines running on administrative workstations
  • Jump hosts
  • Bastion hosts
  • SSH/RDP from administrative workstations

Answer : Jump hosts

Explanation The best option is a jump host, often referred to as a jump box. If a jump box exists, it's easier to log administrative access, and the jump box also serves as an additional layer of protection. Bastion hosts are fully exposed to attacks; virtual machines can be useful, but they make some auditing, etc., more difficult; and direct SSH and RDP require auditing of all workstations and could allow a system that's been compromised to access the network.

When running an nmap scan, what is the default nmap scan type when nmap is not provided with a flag?

Options are :

  • A TCP FIN scan
  • A TCP connect scan
  • A TCP SYN scan
  • A UDP scan

Answer : A TCP SYN scan

Explanation By default, nmap uses TCP SYN for a scan. If the user doesn't have the correct privileges, it'll use a TCP connect scan.

CompTIA Security+ (SY0-501) Practice Exams with Simulations Set 8

Options are :

  • Zero-day attack
  • Known malware attack
  • Session hijack
  • Cookie stealing

Answer : Zero-day attack

Explanation Since the latest antivirus signatures were used and still found no signs of infection, it cannot be a known malware attack. Instead, this appears to be a zero-day attack because there is a clear sign of compromise (the web tunnel being established to a known malicious server) and the antivirus doesn't yet have a signature for this indicator of compromise.

What version of web encryption should be used currently in order to avoid the security vulnerabilities from earlier versions?

Options are :

Answer : TLS

Explanation No version of SSL should be used. Administrators should instead configure TLS.

What is NOT considered part of the Internet of Things?

Options are :

  • SCADA systems
  • ICS
  • Internet-connected television
  • A Windows 2016 server configured as a domain controller

Answer : A Windows 2016 server configured as a domain controller

Explanation Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) are examples of IoT implementations.

CompTIA A+ (220-1001) Practice Exams (Over 500 questions!) Set 26

Options are :

Answer : TRUE

Explanation Difficulty of remediation is one of the criteria that analysts should consider. They should also consider the criticality of the system and information, severity of the vulnerability, and exposure of the vulnerability.

What vulnerability involves leveraging access from a single virtual machine to other machines on the network?

Options are :

  • VM escape
  • VM migration
  • VM reuse
  • VM vulnerability

Answer : VM escape

Explanation Virtual machine escape vulnerabilities are the most serious issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to a different virtual machine.

CompTIA Cloud+ Certification Exam Prep CV002 - 2019 Set 2

Options are :

  • Reports show the scanner compliances plug-ins are not up-to-date
  • Any items labeled "low" are considered informational only
  • The scan result versions are different from the automated asset inventory
  • "HTTPS" entries indicate the web page is encrypted securely

Answer : Any items labeled "low" are considered informational only

Explanation When conducting a vulnerability assessment using a vulnerability scanner, it is common for the scanner to report some things as "low" priority or "for informational purposes only". These are most likely false positives and can be ignored by the analyst when starting their remediation efforts.

Gary is interpreting a vulnerability scan report and finds a vulnerability in a system that has a CVSS access vector rating of A. What statement is correct based upon this information?

Options are :

  • The attacker must have physical or logical access to the affected system.
  • Exploiting the vulnerability requires the existence of specialized conditions.
  • The attacker must have access to the local network that the system is connected to.
  • Exploiting the vulnerability does not require any specialized conditions.

Answer : The attacker must have access to the local network that the system is connected to.

Explanation The access vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent Network, and the attacker must have access to the local network to exploit the vulnerability.

What requires that government agencies and other organizations' operating systems on behalf of government agencies comply with security standards?

Options are :

Answer : FISMA

Explanation The Federal Information Security Management Act (FISMA) requires that government agencies and other organizations' operating systems on behalf of government agencies comply with security standards.

220-702 CompTIA A+ Practical Application Practice Exam Set 11

Options are :

Answer : TRUE

Explanation Discovery scans provide organizations with an automated way to identify hosts on a network and build an asset inventory.

Which of the following types of data is subject to regulations in the United States that specify a minimum frequency of vulnerability scanning?

Options are :

  • Driver's license numbers
  • Insurance records
  • Credit card data
  • Medical records

Answer : Credit card data

Explanation Credit card data has to follow PCI DSS rules which specify all parameters dealing with scanning, data storage, etc. The other data is regulated, but not micromanaged, as such.

There are several unpatched servers that have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures installed. The management team has directed the analysts to update their vulnerability scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome of the scan remains the same. What is the BEST logical control to address the current failure?

Options are :

  • Configure a script to automatically update the scanning tool every 24 hours
  • Have the analyst manually validate that the updates are being performed as directed
  • Test the vulnerability remediation in a sandbox before deploying
  • Configure vulnerability scans to run in credentialed mode

Answer : Configure a script to automatically update the scanning tool every 24 hours

Explanation Since the analysts appear to not be installing the latest vulnerability definitions per management's direction, it is best to automate the process by using a script. The script will ensure that the latest definitions are downloaded and installed every 24 hours without any analyst intervention.

CompTIA JK0-022 Security Cryptography Certification Exam Set 7

Options are :

  • Unauthenticated scan
  • Credentialed scan
  • External scan
  • Internal scan

Answer : Credentialed scan

Explanation Credentialed scans log into a system and retrieve configuration information. These are the most accurate results of all options listed. Unauthenticated scans rely on external resources for configuration settings, which can be altered or incorrect. The network location of the scanner doesn't have a direct impact on the ability to read the configuration information.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified that the installation was successful. The critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server from over the Internet. However, you just ran a vulnerability assessment scan of the network and found that all of the servers are still being reported as having the vulnerability. Why is the scan report still showing a vulnerability even though the patch was installed by the system administrators?

Options are :

  • Your vulnerability assessment scan is returning false positives
  • The critical patch did not remediate the vulnerability
  • You did not wait enough time after applying the patch before running the vulnerability assessment scan
  • You scanned the wrong IP range during your vulnerability assessment

Answer : The critical patch did not remediate the vulnerability

Explanation If the patch was installed properly (which the question states it was), then the only reasonable answer is that the critical patch was coded incorrectly and does not actually remediate the vulnerability. While most operating system vendors do test their patches prior to release, extremely critical patches are sometimes rushed out to customers; when such a patch doesn't actually remediate the vulnerability, a second patch will be required.

TRUE or FALSE: PCI DSS requires the use of an outside consultant to perform internal vulnerability scans.

Options are :

Answer : FALSE

Explanation PCI DSS only requires that internal scans be conducted by "qualified personnel", and internal employees may be used.

CompTIA Security+ Cert. (SY0-501) Practice Tests Set 1

Options are :

  • Script kiddies
  • Hacktivists
  • Advanced Persistent Threat
  • Ethical hacker

Answer : Advanced Persistent Threat

Explanation Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government.

TRUE or FALSE: When evaluating the functional impact of a security incident, an analyst should assign a rating of high in cases where the organization is not able to provide some critical services to any users.

Options are :

Answer : TRUE

Explanation High functional impact is defined as the organization is no longer able to provide some critical services to any users.

Caleb is designing a playbook for zero-day threats as part of his incident response program. Which of the following items should not be in his plan?

Options are :

  • Segmentation
  • Patching
  • Using threat intelligence
  • Whitelisting

Answer : Patching

Explanation The best answer would be patching. Patching is a great step to combat many things; however, it doesn't stop zero-day threats. If Caleb wants to specifically stop, or even thwart, zero-day threats, he will need to use segmentation, whitelisting, and threat intelligence as well. This can best be accomplished by building a plan in advance and working through the plan.

HT0-201 CEA- CompTIA DHTI+ Certification Practice Exam Set 6

Options are :

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity

Answer : Containment, eradication, and recovery

Explanation While incident responders are working on the incident, they also need to preserve forensic and incident information for future needs. Restoration is typically favored over analysis but taking time to create an image is more important for later in the investigation.

During the preparation phase of an organization's incident response process, Aaron gathered a laptop with useful software. The software included a sniffer, forensics tools, thumb drives and external hard drives, networking equipment, and a variety of cables. What type of equipment is this typically called?

Options are :

  • A grab bag
  • A jump kit
  • A crash cart
  • A first responder kit

Answer : A jump kit

Explanation This type of kit is typically called a jump kit. This kit contains tools to be used for an incident response. Crash carts are systems set up typically in data centers/server rooms, like a keyboard, mouse, and monitor to easily/quickly connect to a server to work on it. First-responder kits are usually first-aid kits for medical emergencies. Grab bags contain multiple unrelated items, typically.

Paula is working on a report that describes the common attack models used by APT actors. Which of the following is a typical characteristic of an APT attack?

Options are :

  • They involve sophisticated DDoS attacks
  • They quietly gather information from compromised systems
  • They rely on worms to spread
  • They use encryption to hold data hostage

Answer : They quietly gather information from compromised systems

Explanation APTs typically use emails to leverage the system and insert malware. These threats attempt to gain more access to the system with higher levels of privileges. They retrieve information and then use that while hiding their activities. DDoS, worms, and extortion are not typically a behavior of an APT.

220-802 CompTIA A+ Certification Practice Exam Set 4

Options are :

  • Clearing
  • Purging
  • Destruction
  • It isn�t a form of media sanitization

Answer : Purging

Explanation Degaussing is a form of purging. Degaussing uses magnets to remove data.

A cyber security technician has been running an intensive vulnerability scan to detect which ports might be open to exploitation. But, during the scan, one of the network services became disabled and this impacted the production server. What information source could be used to evaluate which network service was interrupted?

Options are :

  • Syslog
  • Network mapping
  • Firewall logs
  • NIDS

Answer : Syslog

Explanation The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.

What is NOT part of the security incident validation effort?

Options are :

  • Scanning
  • Sanitization
  • Patching
  • Permissions

Answer : Sanitization

Explanation Patching, permissions, scanning, and verifying logging are the components of the security incident validation effort. Sanitization is a component of the security incident eradication effort.

CompTIA CTT+ Essentials Practice Test Certification Set 9

Options are :

  • Data was modified
  • The source disk is encrypted
  • The destination disk has bad sectors
  • The data cannot be copied in RAW format

Answer : The destination disk has bad sectors

Explanation If he has verified that the source and the target media are both the same size, then a failure has probably happened because of bad media on the source drive or because of bad sectors on the target drive.

TRUE or FALSE: CSIRTs should sometimes include human resource team members.

Options are :

Answer : TRUE

Explanation CSIRTs include human resources team members when investigating incidents that may include employee malfeasance.

NIST describes four major phases in the incident response cycle. Which is not one of the four?

Options are :

  • Containment, eradication, and recovery
  • Notification and communication
  • Detection and analysis
  • Preparation

Answer : Notification and communication

Explanation NIST identifies the following: preparation; detection and analysis; containment, eradication and recovery; and activity that occurs after the incident.

CompTIA JK0-022 E2C Security+ Compliance & Operational Exam Set 8

Options are :

  • A log analysis tool
  • A behavior based analysis tool
  • A signature based detection tool
  • Manual analysis

Answer : A behavior based analysis tool

Explanation The best answer is behavior-based analysis tools. These can be used to capture and analyze normal behavior and then alert when an anomaly occurs. This requires more on the setup side but on the long-term side, it requires less work and less manual monitoring.

Several years ago, the Stuxnet attack relied on engineers that took malware with them, crossing the air gap between networks. What type of threat uses this method?

Options are :

  • Email
  • Web
  • Removable media
  • Attrition

Answer : Removable media

Explanation The best answer is removable media. Air gaps are design models that remove connections from one network to another network or other systems. The only way to cross an air gap is to have a physical device between these systems.

What is not a major category of security event indicator?

Options are :

  • Alerts
  • Logs
  • People
  • Databases

Answer : Databases

Explanation The four major categories of security event indicator are alerts, logs, publicly available information, and people.

CompTIA CySA+ Set 11

Options are :

  • Cyber security analysts
  • Chief Technology Officer
  • Public Relations Officer
  • Human Resources Officer

Answer : Public Relations Officer

Explanation Public relations staff should be included in incident response teams to coordinate communications with the general public and the media.

What provides the detailed, tactical information that CSIRT members need when responding to an incident?

Options are :

  • Procedures
  • Guidelines
  • Policies
  • Instructions

Answer : Procedures

Explanation Procedures provide detailed, tactical information to the CSIRT. They represent the collective wisdom of team members and subject-matter experts.

During what phase of the incident response process does an organization assemble an incident response toolkit?

Options are :

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity

Answer : Preparation

Explanation Developing an incident response toolkit is a step completed during the preparation phase of incident response.

CV0-001 CompTIA Cloud+ Certification Practice Exam Set 4

Options are :

  • Fmem
  • Volatility Framework
  • DumpIt
  • EnCase

Answer : Fmem

Explanation The Volatility framework, DumpIt, and EnCase all provide Windows memory capture for forensic use. Fmem and LiME are both Linux-only kernel modules that provide access to physical memory.

Richard's company processes credit cards and they are required to be compliant with PCI-DSS. If his company has a breach of card data, what type of disclosure will they have to provide?

Options are :

  • Notification to local law enforcement
  • Notification to their acquiring bank
  • Notification to federal law enforcement
  • Notification to Visa and Mastercard

Answer : Notification to their acquiring bank

Explanation Any organization that processes credit cards will be required to work with the banks that handle their card processing rather than with the card providers. Notification to the bank is part of the response effort. Typically, law enforcement doesn't have to be notified, and the question only specifies two major credit card vendors, which aren't directly related to the nature of the question, so the best option is notification to the acquiring bank.

Rhonda would like to build some scripts that detect malware beaconing behavior. Which one of the following isn't a typical means of identifying malware behavior on a network?

Options are :

  • Persistence of the beaconing
  • Beacon protocol
  • Beaconing interval
  • Removal of known traffic

Answer : Beacon protocol

Explanation The best option is beacon protocol. Unless she knows the protocol, filtering out beacons by protocol may cause Rhonda to miss the behavior. Attackers typically would like to avoid common analytical tools and use protocols that are less likely to attract attention, thus preventing them from being unmasked. Filtering network traffic and removing known network traffic are means of filtering traffic to identify beacons as well.

SY0-401 CompTIA Security+ Certification Practice Exam Set 8

Options are :

  • Patch management
  • GPO
  • HIPS
  • Anti-malware

Answer : GPO

Explanation Patch management, host intrusion prevention systems (HIPS), and antimalware software are all good host security controls, but only Group Policy Objects (GPOs) provide the ability to configure settings across multiple Windows devices.

Tyler needs to implement a security control designed to detect fraudulent cases that happen, regardless of the presence of other security controls. Which of the following is best suited to meet his needs?

Options are :

  • Separation of duties
  • Least privilege
  • Dual control
  • Mandatory vacations

Answer : Mandatory vacations

Explanation The best option is mandatory vacations. These are designed to make the individual take time away from the office to allow any fraudulent activity to be surfaced during their absence. The other options listed are designed to prevent fraud, not detect fraud.

The service desk has been receiving a large number of complaints from external users that a web application is responding slowly to requests and frequently returns a "connection timed out" error when they attempt to submit information into the application. What software development best practice should have been implemented in order to prevent this issue from occurring?

Options are :

  • stress testing
  • regression testing
  • input validation
  • fuzzing

Answer : stress testing

Explanation Stress testing is a software testing activity that determines the robustness of software by testing beyond the limits of normal operation. Stress testing is particularly important for "mission critical" software, but is used for all types of software. This stress testing is an important component in the capacity management process of IT service management and is used to ensure adequate resources are available to support the needs of the end user once the service or application goes into the production environment.

Options are :

Answer : Agile

Explanation The Agile Manifesto, the underlying document behind the Agile SDLC model, emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also calls out working software, customer collaboration, and responding to change as key elements of the Agile process.

Of all the items listed, which element is least likely to be found in a data retention policy?

Options are :

  • Minimum retention period
  • Maximum retention period
  • Description of information needing to be retained
  • Classification of information

Answer : Classification of information

Explanation Data retention policies highlight what information companies will maintain, the length of time they'll maintain it, and the categories of information. Data classification would not be covered in the retention policy but in a classification policy.

Which party in a federation provides services to members of the federation?

Options are :

Answer : RP

Explanation Relying parties (RPs) provide services to members of a federation. An IdP, or identity provider, provides identities, makes assertions about those identities, and releases information about the identity holders. AP and IP are both not types of parties in a federation.

Options are :

  • Risk assessment
  • User output validation
  • Error message management
  • User input validation

Answer : User input validation

Explanation User input validation is a critical control in secure coding efforts. It seeks to remove dangerous inputs and makes sure that applications only receive the inputs that they expect and can handle.

You have been called into the Chief Technology Officer's (CTO) office and been asked for a recommendation concerning network monitoring services for the company's intranet. The CTO requests that your solution have the capability to monitor all traffic to and from the network's gateway and have the ability to block certain types of content. What solution should you recommend?

Options are :

  • Setup of IP filtering on the internal and external interfaces of the gateway router
  • Installation of an IDS on the internal interface and a firewall on the external interface of the gateway router
  • Installation of a firewall on the internal interface and a NIDS on the external interface gateway router
  • Installation of an IPS on both the internal and external interfaces of the gateway router

Answer : Installation of a firewall on the internal interface and a NIDS on the external interface gateway router

Explanation In order to meet the requirement to monitor all traffic to and from the network's gateway, it is best to utilize a network intrusion detection system (NIDS) that monitors the external interface of the gateway router. In order to be able to block certain types of content, it is best to install a firewall on the internal interface, where ACLs can be established for those traffic types.

Which authentication protocol was designed by Cisco to provide authentication, authorization, and accounting services?

Options are :

  • RADIUS
  • CHAP
  • TACACS+
  • Kerberos

Answer : TACACS+

Explanation Cisco's TACACS+ is an extension to TACACS, the Terminal Access Controller Access Control System. RADIUS and Kerberos are both authentication protocols but were not designed by Cisco. CHAP is the Challenge-Handshake Authentication Protocol.

Options are :

  • ping
  • netstat
  • tracert
  • ipconfig

Answer : tracert

Explanation Tracert traces a route that a packet of data takes and helps with troubleshooting points of concern.

Your organization wants to update its Acceptable User Policy (AUP) to incorporate its newly implemented password standard that requires the sponsored authentication of guest wireless devices. What should be added to the AUP to support this new requirement?

Options are :

  • Sponsored guest passwords must be at least 14 characters in length, contain uppercase and lowercase letters, and contain at least 2 symbols
  • Wireless infrastructure should use open authentication standards
  • Guests using the wireless network should provide valid identification when registering their wireless devices
  • Network authentication of all guest users should occur using 802.1x backed by a RADIUS server

Answer : Guests using the wireless network should provide valid identification when registering their wireless devices

Explanation Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless devices and an employee to validate their need for access (thereby "sponsoring" the guest).

An organization uses Acunetix for software testing. Which of the issues is Acunetix most likely to detect?

Options are :

  • Cross-site scripting
  • Lexical scoping errors
  • Buffer overflows
  • Insecure data storage

Answer : Cross-site scripting

Explanation Acunetix is a vulnerability scanner and of all the flaws listed, cross-site scripting would be detected by the scanner.

Options are :

Answer : ASLR

Explanation ASLR (address space layout randomization) rearranges the memory locations into a random order to prevent attacks that rely on specific memory locations. DEP prevents the execution of malware that's loaded into the data space of memory.

A cyber security analyst needs to pick a tool in order to be able to identify open ports and services on a host along with the version of the application that is associated with the ports and services. They have decided to choose a command line tool. What tool should they choose?

Options are :

Answer : nmap

Explanation Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. In addition, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command line tool for use on Linux, Windows, and OS X systems.

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?

Options are :

  • Development
  • Training and Transition
  • Operations and Maintenance
  • Disposition

Answer : Training and Transition

Explanation The Training and Transition phase ensures that end users are trained on the software and that the software has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase.

Options are :

  • PIN
  • Security questions
  • Smartcard
  • Password complexity

Answer : Smartcard

Explanation The best option would be a smartcard. Passwords are something you know as is a PIN. The goal is multifactor, so using something you have along with something you know creates a multifactor environment. You know a password and you have a smartcard.

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

Options are :

  • Processor utilization
  • Virtual hosts
  • Organizational governance
  • Log disposition

Answer : Virtual hosts

Rhett notices that code inside a malware sample appears to be obfuscated. Which of the following methods is typically used to prevent code from being easily read by simply opening the file?

Options are :

  • QR coding
  • Base64
  • Base128
  • XINT

Answer : Base64

Explanation The best option is base64. Malware usually uses base64 encoding and there are multiple formats, but online decoders can perform a rapid check to see if the code has any encoding other than base64. Other tools may support multiple methods, but it takes longer to figure it out.

A salesperson began having issues with their laptop becoming unresponsive after attempting to open a PDF in their email. They called the cyber security analyst, who checked the IDS and antivirus software for any unusual behavior or alerts, but the analyst found nothing suspicious. What term BEST describes this threat?

Options are :

  • Packet of death
  • Zero-day malware
  • PII exfiltration
  • Known virus

Answer : Zero-day malware

Explanation This threat is a zero-day malware. Since it is a new piece of malware, a signature has not been created for the antivirus or IDS definitions file. This type of malware cannot be combatted with traditional signature-based methods, such as anti-virus or an IDS.

Options are :

  • Encryption and physical accessibility
  • Network access control and encryption
  • Port security and physical accessibility
  • Authentication and encryption

Answer : Encryption and physical accessibility

Explanation The best choice is encryption and physical accessibility. Most wired networks do not use end-to-end encryption and wireless networks are usually more accessible. However, without more information, it cannot be determined if authentication is required for both networks or not. Port security is only used on wired connections.

Michelle is preparing to run an nmap scan of a targeted network. She wants to perform a quick scan but knows that a SYN scan isn't possible because she doesn't have raw socket privileges on the system she is going to conduct her scan from. What flag should she use to set her scan type?

Options are :

Answer : -sT

Explanation Nmap's TCP connect scan is enabled using the -sT flag and is a quick way to scan when you are unable to get raw socket access on the scanner system. Fast scans are more frequently conducted using the -sS (SYN) scan, but it requires raw socket access.

What type of scans are useful for probing firewall rules?

Options are :

  • TCP SYN
  • TCP ACK
  • TCP RST
  • XMAS TREE

Answer : TCP ACK

Explanation TCP ACK scans can help to determine what services are allowed through a firewall.

Options are :

Answer : XCCDF

Explanation XCCDF (Extensible Configuration Checklist Description Format) is a language that's used to specify checklists and report their results. CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), and CVE (Common Vulnerabilities and Exposures) are all naming standards for security-related items, not checklist languages. Your best option is XCCDF.

Josh performed a system scan recently and noticed that it was running services on ports 139 and 445. What operating system is this system likely running?

Options are :

Answer : Windows

Explanation Ports 139 and 445 are associated with Windows file and printer sharing.

Latonya is making plans to patch a production system in an effort to correct a vulnerability that was detected during a recent scan. What process should she follow to minimize the risk of system failure while correcting the vulnerability?

Options are :

  • Deploy the patch immediately on the production system
  • Wait 60 days to deploy the patch - to determine whether or not bugs are reported
  • Deploy the patch in a sandbox environment to test it prior to production
  • Contact the vendor to determine a safe time frame for deploying the patch in production

Answer : Deploy the patch in a sandbox environment to test it prior to production

Explanation Out of all options listed, a sandbox environment is the best place to deploy a patch, because testing could be very thorough prior to release. This also reduces some of the risks you place on your network when you consider deploying a patch to a live environment. Asking the vendor to wait 60 days seems a little unreasonable.

Options are :

  • Operating system
  • Web application
  • Database server
  • Firewall

Answer : Web application

Explanation SQL injections target the data stored in enterprise databases, by exploiting flaws in client-facing applications. These are typically found in web applications.

The presence of _________________ triggers specific vulnerability scanning requirements based upon law or regulation.

Options are :

  • Credit card information
  • Protected health information
  • Personally identifiable information
  • Trade secret information

Answer : Credit card information

Explanation All of these types of information could be subject to regulation. However, the only one that currently carries a specific scanning requirement is credit card information: the Payment Card Industry Data Security Standard (PCI DSS) has detailed requirements for vulnerability scanning.

Jesus is creating a remediation procedure for vulnerabilities discovered in his organization. He would like to make sure that any vendor patches are tested prior to deploying them in production. What type of environment should be included to best address this issue?

Options are :

  • Sandbox
  • Honeypot
  • Honeynet
  • Production

Answer : Sandbox

Explanation Deploying changes in a sandbox environment gives a safe, isolated place for testing changes without interfering with production systems. Honeypots/honeynets are not testing environments; they're intended to attract attackers. Vendor patches shouldn't be tested in production because doing so could negatively impact business operations.

Options are :

Answer : SCADA

Explanation A SCADA (supervisory control and data acquisition) network is a type of network built on an ICS (industrial control system) and is used to monitor sensors and control systems over large geographic areas.

Timothy's company is starting a BYOD (bring your own device) policy for all mobile devices. Which of the following allows you to secure the sensitive information on personally owned devices, including administrators' devices, and provides the ability to remotely wipe corporate information without affecting personal data?

Options are :

  • Remote wipe
  • Strong passwords
  • Biometric authentication
  • Containerization

Answer : Containerization

Explanation All of the options listed here could help secure mobile devices, but containerization is the only option that will allow you to isolate work data from personal data. This technology essentially creates a secured vault where your corporate information resides.

Patrick is the manager of his organization's vulnerability scanning program. He's experiencing some issues with scans aborting because the previous day's scans are still running when the scanner attempts to start the current scans. Which of the following solutions is least likely to resolve the issue?

Options are :

  • Add a new scanner
  • Reduce the scope of scans
  • Reduce the sensitivity of scans
  • Reduce the frequency of scans

Answer : Reduce the sensitivity of scans

Explanation The best way to help Patrick is to lessen the number of systems in the scan or to add additional scanners to help balance the load. Changing the sensitivity level may not give accurate results.

Options are :

  • The CEO
  • System names
  • IP addresses
  • Asset inventory

Answer : Asset inventory

Explanation The best resource to use is the asset inventory. If this resource has been designed and implemented properly, and is maintained correctly, it should have most of the information in it. The CEO knows some of this but typically doesn't have time to review it. System names and IP addresses could contain some of the information but aren't as good a resource as an inventory would be.

TRUE or FALSE: Organizations may decide not to remediate vulnerabilities because of conflicting business requirements.

Options are :

Answer : TRUE

Explanation Organizations may make risk-based decisions not to remediate vulnerabilities. In those cases, they should create a documented exception.

Which of the following vulnerabilities would you consider the greatest threat to information confidentiality?

Options are :

  • HTTP TRACE/TRACK methods enabled
  • SSL Server with SSLv3 enabled vulnerability
  • phpinfo information disclosure vulnerability
  • Web application SQL injection vulnerability

Answer : Web application SQL injection vulnerability

Explanation Each vulnerability mentioned poses a significant risk. The greatest threat comes from the SQL injection, because it allows an attacker to retrieve information from the backend database; with that access, the attacker could even alter the information and write it back without anyone noticing what had been changed. The HTTP TRACE/TRACK methods would not directly disclose information, and SSLv3 is no longer considered secure.

Options are :

  • Ensure all stakeholders are informed of planned outage
  • Document the change in the change management system
  • Identify any potential risks associated with the change
  • All supplied choices

Answer : All supplied choices

Explanation Ample time is provided for Barrett to send out some communication and change management before making the change. Even though this is considered to be an urgent issue, communication is very important. A risk assessment should be conducted and the change management process should be started. These can be short forms of each, but they still need to be completed.

What SCAP component provides a language for specifying checklists?

Options are :

Answer : XCCDF

Explanation The Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying checklists and reporting checklist results.

Matt is prioritizing vulnerability scans and has interest in basing the frequency of scanning on the information asset value. Which of the following items would be the most appropriate for him to use in this analysis?

Options are :

  • Cost of hardware acquisition
  • Cost of hardware replacement
  • Types of information processed
  • Depreciated hardware cost

Answer : Types of information processed

Explanation Information asset value is a number that an organization places on data stored, processed, and transmitted by an asset. The types of data involved (regulated data, intellectual property, personally identifiable information, etc.) help determine the value of the asset. The cost of hardware acquisition, cost of hardware replacement, and depreciated cost refer to the financial value of the hardware, which is different from information value.

Options are :

  • httpd_log
  • apache_log
  • access_log
  • http_log

Answer : access_log

Explanation On Apache web servers, the logs are stored in a file named access_log. By default, the file may be found at /var/log/httpd/access_log.

Nicole is investigating a security incident at a government agency and discovers that attackers obtained PII. What is the information impact of this incident?

Options are :

  • None
  • Privacy breach
  • Proprietary breach
  • Integrity breach

Answer : Privacy breach

Explanation In a privacy breach, sensitive personally identifiable information (PII) was accessed or exfiltrated.

Options are :

  • Forensic analysis report
  • Chain of custody report
  • Trends analysis report
  • Lessons learned report

Answer : Lessons learned report

Explanation The lessons learned report provides you with the details of the incident, its severity, the remediation method, and most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details.

Choose the set of Linux permissions set up from least permissive to most permissive?

Options are :

  • 777, 444, 111
  • 544, 444, 545
  • 711, 717, 117
  • 111, 734, 747

Answer : 111, 734, 747

Explanation Linux permissions are read "owner, group, other". They also have numbers, which are 4 (read), 2 (write), and 1 (execute). Therefore, the best option here begins with 777 because that gives the broadest set of permissions, while 000 gives the least set of permissions.

You have been tasked to conduct a review of the firewall logs. During your review, you notice that an IP address from within your company's server subnet had been transmitting between 125 and 375 megabytes of data to a foreign IP address during nighttime hours. Looking over the logs, you have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. What is MOST likely to increase the impact assessment of the incident?

Options are :

  • PII of company employees and customers was exfiltrated
  • Raw financial information about the company was accessed
  • Forensic review of the server required fallback on a less efficient service
  • IP addresses and other network-related configurations were exfiltrated

Answer : PII of company employees and customers was exfiltrated

Explanation If the PII (Personally Identifiable Information) of the company's employees or customers was exfiltrated or stolen during the compromise, this would increase the impact assessment of the incident. Loss of PII is a large issue for corporations and one that might garner media attention as well.

Options are :

  • Analyzing the hibernation file
  • Analyzing the memory dump file
  • Retrieving the key from the MBR
  • Performing a FireWire attack on mounted drives

Answer : Retrieving the key from the MBR

Explanation The best option is to retrieve the key from the MBR (master boot record). BitLocker keys can be retrieved via hibernation files or memory dumps. BitLocker information isn't stored in an MBR.

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cyber security analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyber attacks against the company network had gone unnoticed by the company's information security team. What would this be an example of?

Options are :

  • advanced persistent threat (APT)
  • spear phishing
  • malicious insider threat
  • privilege escalation

Answer : advanced persistent threat (APT)

Explanation An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APTs often work either in or for a foreign country.

TRUE or FALSE: Organizations should always involve law enforcement if they suspect a crime was committed.

Options are :

Answer : FALSE

Explanation The organization should consult with management and legal counsel to decide whether to involve law enforcement.

Options are :

  • File size and file creation date
  • MD5 hash
  • Private key and cryptographic hash
  • Public key and cryptographic hash

Answer : MD5 hash

Explanation The best answer is MD5 hash. This file needs to be a verifiable MD5 hash file in order to validate the other files. With this being the case, he can verify that the downloaded file matches the hash of the file from the vendor. This is an important step when security is critical in an organization.

You are a cyber security analyst and your company has just enabled key-based authentication on its SSH server. You have been asked to review the following log file and determine what action should be performed to secure the server. 

BEGIN LOG
Sep 09 13:15:24 cramtopass sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2
Sep 09 15:43:15 cramtopass sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2
Sep 09 15:43:24 cramtopass sshd[3544]: Failed password for nobody from 192.168.2.24 port 43589 ssh2
Sep 09 15:43:31 cramtopass sshd[3546]: Failed password for invalid user from 192.168.2.24 port 43619 ssh2
Sep 09 15:43:31 cramtopass sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2
Sep 09 15:43:37 cramtopass sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2
END LOG

Options are :

  • Disable anonymous SSH logon
  • Disable password authentication for SSH
  • Disable SSHv1
  • Disable remote root SSH logons

Answer : Disable password authentication for SSH

Explanation The SSH daemon is continually logging failed password logins for a range of accounts. It would be prudent to disable password authentication for remote SSH logins, while simultaneously relying on key-based (PKI) authentication instead.

Stacy is in charge of Windows workstations in her domain and wants to protect them from buffer overflow attacks. What should be recommended to the domain administrators at her company?

Options are :

  • Install an anti-malware tool
  • Install an antivirus tool
  • Enable DEP in Windows
  • Set VirtualAllocProtection to 1 in the registry

Answer : Enable DEP in Windows

Explanation Windows comes with DEP, which is a built-in memory protection feature. It prevents code from being run in pages that are marked as non-executable. By default, DEP only protects Windows programs and services classified as "essential", but it can be enabled for all programs and services, or for all programs and services except those on an exception list.

Options are :

Answer : Clear

Explanation Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple noninvasive data recovery techniques. Degaussing, destruction, and purging all may involve physical techniques.

Sarah is attempting to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can she find a list of the wireless networks the system already knows about?

Options are :

  • The registry
  • The user profile directory
  • The wireless adapter cache
  • Wireless network lists are not stored after use.

Answer : The registry

Explanation The best choice is the registry. The Windows registry keeps a list of wireless networks the system has previously connected to. The registry keys can be found under HKLM\Software\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This is stored under Local Machine because it keeps all profiles, not just those for specific users.

Steven is performing a forensic analysis of an iPhone backup and has discovered that only some of the information is there, not all of it. Which scenario best explains why the backup contains only partial information?

Options are :

  • The backup was interrupted
  • The backup is encrypted
  • The backup is a differential backup
  • The backup is stored in iCloud.

Answer : The backup is a differential backup

Explanation iPhone backups can be full backups, or they can be differential backups. In the given scenario, chances are great that he's found a differential backup, which contains only the information that has changed since the last full backup. If the backup was encrypted, he would need additional tools/resources to access it, and if it had been interrupted, the file wouldn't be in a usable state. iCloud backups require access to someone's computer account and aren't as likely to be used in an investigation.

Options are :

Answer : FERPA

Explanation The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records.

Of the systems listed below, which is not considered a component of the identity management infrastructure?

Options are :

  • HR system
  • LDAP
  • Provisioning engine
  • Auditing system

Answer : HR system

Explanation LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. The HR system is a data source for identity management, but not part of the infrastructure itself. Your best option is HR system.

Matt has been offered and accepted a position as a cybersecurity analyst for a bank which is privately owned. Which of the following regulations will have the greatest impact on his cybersecurity program?

Options are :

Answer : GLBA

Explanation The GLBA (Gramm Leach Bliley Act) is the only one listed that covers cybersecurity at financial institutions. HIPAA is for medical facilities/patients, FERPA is for educational situations, and SOX is for publicly traded companies.

Options are :

  • AlienVault
  • QRadar
  • ArcSight
  • OSSIM

Answer : OSSIM

Explanation OSSIM is the best option listed. OSSIM is an open source SIEM made by AlienVault and is capable of pulling information together from a wide variety of sources. The other options listed are all examples of commercial SIEM solutions.

Which policy contains (or should contain) requirements for removing user access when the user is terminated?

Options are :

  • Data ownership policy
  • Data classification policy
  • Data retention policy
  • Account management policy

Answer : Account management policy

Explanation An account management policy is the best option for this question. It describes the account life cycle from creation through use and decommissioning. Data ownership policies state the ownership of information created or used, data classification policies describe the classification structure, and retention policies outline what information will be maintained and how long it will be maintained.

A cyber security professional visited an e-commerce website by typing in its URL and found that the administrative web frontend for its backend e-commerce application is accessible over the Internet and is only being protected by the default password. What three things should the analyst recommend to the website owner in order to MOST securely remediate this discovered vulnerability?

Options are :

  • Rename the URL to a more obscure name, whitelist all corporate IP blocks, and require two-factor authentication
  • Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication for access
  • Change the default password, whitelist all specific IP blocks, and require two-factor authentication
  • Red Team all corporate IP blocks, require an alphanumeric passphrase for the default password, and require two-factor authentication

Answer : Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication for access

Explanation Since the application was only protected by the default password, the username and password should be changed immediately to increase the security of the application. Since this is an administrative frontend, only a few machines should require access and they should specifically have their IP addresses added to the whitelist and deny all other machines from accessing the administrative frontend. Finally, since this is an administrative frontend, it is a best practice to utilize two-factor authentication in order to most effectively secure the application from attack.


Options are :

Answer : 3DES

Explanation 3DES is an older encryption method and is no longer considered secure. Public Key Infrastructure (PKI) relies on X.509 and its associated secure technologies, such as AES, PKCS, and SSL/TLS, in order to perform secure functions.

In which tier of the NIST cybersecurity framework does an organization understand its dependencies and partners?

Options are :

  • Partial
  • Risk informed
  • Repeatable
  • Adaptive

Answer : Repeatable

Explanation In the repeatable tier (Tier 3) of the NIST CSF, the organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Ashley is looking for a physical security control for her organization that will help protect against attacks where an individual could drive a vehicle through the glass doors in the front of the building. Which of the following would be the most effective way to protect against such an attack?

Options are :

  • Mantraps
  • Security guards
  • Bollards
  • Intrusion alarm

Answer : Bollards

Explanation The best option is bollards. These are physical barriers designed to prevent vehicles from crossing into an area. Mantraps prevent tailgating by individuals, while security guards and intrusion alarms detect people but do not stop a moving vehicle.


Options are :

  • Partial, Risk Informed, Repeatable, Adaptive
  • Partial, Repeatable, Risk Informed, Adaptive
  • Partial, Risk Informed, Managed, Adaptive
  • Partial, Managed, Risk Informed, Adaptive

Answer : Partial, Risk Informed, Repeatable, Adaptive

Explanation The NIST Cybersecurity Framework implementation tiers, in order from Tier 1 to Tier 4, are Partial, Risk Informed, Repeatable, and Adaptive.

Liberty Beverages allows its visiting business partners from SodaCorp to use an available Ethernet port in the Liberty Beverage conference rooms when they are in the building. This access is provided to allow employees of SodaCorp to have the ability to establish a VPN connection back to the SodaCorp network. You have been tasked to ensure that SodaCorp employees can gain direct Internet access from the Ethernet port in the conference room only. But, if a Liberty Beverage employee uses the same Ethernet port, they should be able to access Liberty's internal network as well. What should you use to ensure this capability?

Options are :

Answer : NAC

Explanation NAC should be used, so that the laptop being connected can be scanned to determine if it meets the normal baseline for a Liberty Beverage laptop. If it does, it can be given access to the company's internal network. If not, it can be placed in a different subnet and given access only to the Internet.

Tony's manager requires him to receive and inventory the items that his co-worker Barbara orders. This is an example of what kind of personnel control?

Options are :

  • Separation of duties
  • Background checks
  • Dual control
  • Mandatory vacation

Answer : Separation of duties

Explanation Tony's manager is using separation of duties to ensure that neither Barbara nor Tony can exploit the organization's ordering processes. Dual control, the most likely other answer, requires two employees to perform an action together.


Options are :

  • Fuzzer
  • Static code analyzer
  • Web application assessor
  • Fault injector

Answer : Static code analyzer

Explanation Vulnerability reports should include not just physical hosts but also virtual hosts. A common mistake of new cybersecurity analysts is to include only physical hosts, thereby missing a large number of assets on the network.