Exam (elaborations)

CompTIA Security+ (SY0-601) DION PRACTICE Exam WITH QUESTIONS AND ANSWERS

Pages: 45
Grade: A+
Uploaded on: 17-05-2024
Written in: 2023/2024

Preview of the content

Which protocol relies on mutual authentication of the client and the server for its
security?

CHAP

LDAPS

Two-factor authentication

RADIUS

LDAPS

Explanation

OBJ-3.1: Secure LDAP (LDAPS) is the Lightweight Directory Access Protocol carried
over TLS. LDAP itself uses a client-server model in which the client binds
(authenticates) to a directory of resources (workstations, users, information, etc.).
TLS can authenticate both ends of the connection: the server always presents a
certificate, and when the server is configured to request a client certificate (mutual
TLS), the client proves its own identity before the LDAP bind takes place. Because
LDAPS runs over TLS, it is the option that can provide mutual authentication of client
and server. Note the practical caveat: a default LDAPS deployment often authenticates
only the server, so mutual authentication requires the client-certificate requirement
to be switched on. CHAP authenticates only the client to the server, RADIUS
authenticates a user to a network access server, and two-factor authentication is a
policy on authentication factors rather than a protocol.

You have just completed identifying, analyzing, and containing an incident. You
have verified that the company uses self-encrypting drives as part of its default
configuration. As you begin the eradication and recovery phase, you must
sanitize the storage devices' data before restoring the data from known-good
backups. Which of the following methods would be the most efficient to use to
sanitize the affected hard drives?

Incinerate and replace the storage devices

Perform a cryptographic erase (CE) on the storage devices

Conduct zero-fill on the storage devices

Use a secure erase (SE) utility on the storage devices

Perform a cryptographic erase (CE) on the storage devices

Explanation

OBJ-2.7: Sanitizing a hard drive can be done using cryptographic erase (CE), secure
erase (SE), zero-fill, or physical destruction. In this case the drives are
self-encrypting, so every sector already holds only ciphertext under the drive's media
encryption key. Therefore the most efficient method is CE: the drive destroys (or
replaces) the media encryption key, which renders all existing ciphertext
unrecoverable in a single key-sized operation, after which the drive can be reimaged.
Two checks belong with that choice: CE covers only data that was written while
encryption was active, and the result should be verified afterwards (for example by
sampling sectors), as NIST SP 800-88 recommends for any sanitization method. A
secure erase (SE) utility is used to sanitize flash-based devices (such as SSDs or
USB devices) when cryptographic erase is not available. The zero-fill method
overwrites a storage device by setting all bits to the value of zero (0), but this is
unreliable on SSDs or hybrid drives because wear-leveling and over-provisioned
blocks are not reachable by host writes, and it takes much longer than CE because
every sector must be written. The final option is physical destruction, but since the
scenario implies that the storage devices will be reused (data is restored onto them
from backup), this is not a valid technique. Physical destruction occurs by
mechanical shredding, incineration, or degaussing of magnetic hard drives.
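The following toy model is an added example, not part of the practice exam, showing why CE is a key-sized operation while zero-fill scales with capacity. It assumes a drive whose controller encrypts every sector with a media encryption key (MEK); HMAC-SHA256 in counter mode stands in for the AES-XTS a real self-encrypting drive uses, the 16-byte sector size and the sample record are constructed, and `SelfEncryptingDrive`, `demo` and the other names are hypothetical.

```python
import hashlib
import hmac
import os

SECTOR_SIZE = 16  # bytes per sector in this toy model (real drives: 512 or 4096)


def keystream(mek: bytes, sector_no: int, length: int) -> bytes:
    """Counter-mode keystream derived from the MEK for one sector.

    HMAC-SHA256 is a stand-in for the drive's AES-XTS; the property that
    matters is that every sector's ciphertext depends on the MEK.
    """
    out = b""
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(mek, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Toy SED: the controller encrypts on write and decrypts on read with the MEK."""

    def __init__(self, sectors: int = 8):
        self.mek = os.urandom(32)
        self.media = [bytes(SECTOR_SIZE) for _ in range(sectors)]
        self.media_writes = 0  # sector writes the controller has performed

    def write(self, sector_no: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR_SIZE
        self.media[sector_no] = xor(plaintext, keystream(self.mek, sector_no, SECTOR_SIZE))
        self.media_writes += 1

    def read(self, sector_no: int) -> bytes:
        return xor(self.media[sector_no], keystream(self.mek, sector_no, SECTOR_SIZE))

    def cryptographic_erase(self) -> None:
        # CE: discard the MEK and generate a fresh one. No sector is written.
        self.mek = os.urandom(32)

    def zero_fill(self) -> None:
        # Overwrite every sector through the normal write path; cost grows with capacity.
        for n in range(len(self.media)):
            self.write(n, bytes(SECTOR_SIZE))


def demo() -> dict:
    secret = b"payroll-2024-Q1!"  # constructed 16-byte sample record
    drive = SelfEncryptingDrive(sectors=8)
    drive.write(3, secret)
    readable_before = drive.read(3) == secret
    media_snapshot = list(drive.media)
    writes_before = drive.media_writes

    drive.cryptographic_erase()
    readable_after_ce = drive.read(3) == secret

    other = SelfEncryptingDrive(sectors=8)
    other.write(3, secret)
    writes_before_zf = other.media_writes
    other.zero_fill()

    return {
        "readable_before": readable_before,
        "readable_after_ce": readable_after_ce,
        "ce_media_writes": drive.media_writes - writes_before,
        "ce_left_ciphertext_in_place": drive.media == media_snapshot,
        "zero_fill_media_writes": other.media_writes - writes_before_zf,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ciphertext stays on the media after CE; it is only unreadable because the key is gone. That is why the method depends on the drive genuinely discarding the old MEK and on every sector having been written under it, and why a post-sanitization read of sample sectors is a worthwhile verification step.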

Which of the following types of data breaches would require that the US
Department of Health and Human Services and the media be notified if more
than 500 individuals are affected by a data breach?

Personally identifiable information

Trade secret information

Protected health information

Credit card information

Protected health information

Explanation

OBJ-4.5: Protected health information (PHI) is defined as any information that
identifies someone as the subject of medical and insurance records, plus their
associated hospital and laboratory test results. This type of data is protected by the
Health Insurance Portability and Accountability Act (HIPAA). It requires notification
of the individual, the Secretary of the US Department of Health and Human Services
(HHS), and the media (if more than 500 individuals are affected) in the case of a data
breach. Personally identifiable information (PII) is any data that can be used to
identify, contact, or impersonate an individual. Credit card information is protected
under the PCI DSS information security standard. Trade secret information is
protected by the organization that owns those secrets.

A user has reported that their workstation is running very slowly. A technician
begins to investigate the issue and notices a lot of unknown processes running in
the background. The technician determines that the user has recently
downloaded a new application from the internet and may have become infected
with malware. Which of the following types of infections does the workstation
MOST likely have?

Ransomware

Rootkit

Keylogger

Trojan

Trojan

Explanation

OBJ-1.2: A trojan is a type of malware that looks legitimate (here, the newly
downloaded application) but can take control of your computer. A trojan is designed
to damage, disrupt, steal, or in general inflict some other harmful action on your
data or network. The most common form of a trojan is a Remote Access Trojan (RAT),
which allows an attacker to control a workstation or steal information remotely. A
trojan typically spawns additional processes that run in the background of the
system, which matches the unknown processes and slow performance the technician
observed. Ransomware is a type of malware designed to deny access to a computer
system or data until a ransom is paid. Ransomware typically spreads through phishing
emails or by unknowingly visiting an infected website. Once infected, a system or its
files are encrypted, and the decryption key is withheld from the victim unless payment
is received. A rootkit is a clandestine computer program designed to provide continued
privileged access to a computer while actively hiding its presence. A rootkit is
generally a collection of tools that enable administrator-level access to a computer
or network. They can often hide from the operating system and anti-malware solutions;
because concealment is a rootkit's defining trait, plainly visible unknown processes
argue against it here. If a rootkit is suspected on a machine, it is best to reformat
and reimage the system. A keylogger actively attempts to steal confidential
information by capturing data as the user enters it into the computer. This is done
by recording keystrokes entered into a web browser or other application. A software
keylogger can run in the background on a victim's computer. A hardware keylogger may
be placed between the USB port and the wired keyboard.

A cybersecurity analyst has deployed a custom DLP signature to alert on any
files that contain numbers in the format of a social security number (xxx-xx-
xxxx). Which of the following concepts within DLP is being utilized?

Document matching

Classification

Exact data match

Statistical matching

Exact data match

Explanation

OBJ-3.2: An exact data match (EDM) is a pattern-matching technique that checks
content against a structured database of known string values. For example, a company
might have a list of the actual social security numbers of its customers. Since it is
not appropriate to load those numbers into a DLP filter in the clear, EDM loads
hashed fingerprints of the values instead, and the DLP looks for structured fields in
the SSN format (xxx-xx-xxxx) whose fingerprint matches an entry in that index. A bare
regular expression on the format alone would also flag any nine-digit string laid out
that way (invoice numbers, test data), which is why the exact-match index is what makes
the alert precise. Document matching attempts to match a whole document or a partial
document against a signature stored in the DLP. Statistical matching is a further
refinement of partial document matching that applies machine-learning analysis to
the data sources instead of relying on fixed signatures. Classification techniques
use a rule based on a confidentiality classification tag or label attached to the
data. For example, the military might use a classification-based DLP to search for any
files labeled as secret or top secret.
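The block below is an added example (not part of the practice exam) that runs the two techniques side by side over a constructed text: a format-only SSN pattern, and an EDM-style index of salted hashes built from a constructed list of "customer" SSNs. The `scan`, `fingerprint` and `EDM_SALT` names, the sample SSNs and the sample text are all assumptions made for the example.

```python
import hashlib
import re

# Format-only pattern for a US SSN (xxx-xx-xxxx). The lookaheads exclude
# area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed list of "real" customer SSNs. A production EDM never holds these
# in the filter; only the hashed fingerprints below are loaded.
_KNOWN_SSNS = ["123-45-6789", "234-56-7890"]
EDM_SALT = b"constructed-edm-salt"  # per-deployment secret; keeps the index from being a rainbow table


def fingerprint(value: str) -> str:
    """Normalise to digits only, then hash with the deployment salt."""
    digits = re.sub(r"\D", "", value)
    return hashlib.sha256(EDM_SALT + digits.encode()).hexdigest()


EDM_INDEX = frozenset(fingerprint(s) for s in _KNOWN_SSNS)


def scan(text: str) -> dict:
    """Return what a format-only rule flags versus what an EDM rule flags."""
    pattern_hits = SSN_PATTERN.findall(text)
    edm_hits = [h for h in pattern_hits if fingerprint(h) in EDM_INDEX]
    return {"pattern": pattern_hits, "edm": edm_hits}


# Constructed sample: one real customer SSN, one SSN-shaped invoice number,
# one phone number, one impossible SSN (area 000).
SAMPLE_TEXT = (
    "Employee record SSN 123-45-6789 attached. "
    "Invoice 555-12-3456 is overdue; call 555-1234. "
    "Test fixture uses 000-12-3456."
)

if __name__ == "__main__":
    result = scan(SAMPLE_TEXT)
    print("format-only hits:", result["pattern"])
    print("EDM hits:        ", result["edm"])
```

The format-only rule fires on both the real SSN and the invoice number; the EDM rule fires only on the value whose fingerprint is in the index. Normalising before hashing matters: the same SSN written without hyphens must produce the same fingerprint, or the index will miss it.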

Which of the following proprietary tools is used to create forensic disk images
without making changes to the original evidence?

FTK Imager

Autopsy

Memdump

dd

FTK Imager

Explanation

OBJ-4.1: FTK Imager is proprietary (free to use, but closed-source) and can create
bit-for-bit copies, or forensic images, of computer data without making changes to
the original evidence; it also computes hash values of the image so the copy can be
verified against the source. The forensic image is identical in every way to the
original, including the slack, unallocated, and free space on a given drive. The dd
tool can also create forensic images, but it is not a proprietary tool since it is
open-source (part of GNU coreutils). Memdump is used to collect the contents of RAM
on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

You have been hired to investigate a possible insider threat from a user named
Terri. Which command would you use to review all sudo commands ever issued
by Terri (whose login account is terri and UID=1003) on a Linux system? (Select
the MOST efficient command)

journalctl _UID=1003 | grep sudo

journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep sudo

Explanation

OBJ-4.3: journalctl is a command for viewing logs collected by systemd. The
systemd-journald service is responsible for systemd’s log collection, and it retrieves
messages from the kernel, systemd services, and other sources. These logs are
gathered in a central location, which makes them easy to review. If you specify the
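The block below is an added example, not part of the practice exam, that processes constructed journal entries in the shape of `journalctl -o json` output. It shows why the trusted `_UID` field alone selects Terri's entries, and how `grep sudo` over the rendered lines differs from matching the `SYSLOG_IDENTIFIER` field (which is what `journalctl _UID=1003 SYSLOG_IDENTIFIER=sudo` does, since matches on different fields are ANDed). The entries, timestamps, user names, commands and the `parse_journal`, `grep_style` and `sudo_commands` names are all constructed for the example.

```python
import json
import re

# Constructed entries, one JSON object per line as `journalctl -o json` prints them.
# journald fills the trusted _UID field from the sender's credentials; sudo's own
# message names the invoking user and the COMMAND. The "bash" line is constructed
# noise that merely mentions sudo in its text.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1715940000000000","_UID":"1003","SYSLOG_IDENTIFIER":"sudo","MESSAGE":"   terri : TTY=pts/0 ; PWD=/home/terri ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow"}
{"__REALTIME_TIMESTAMP":"1715940001000000","_UID":"1003","SYSLOG_IDENTIFIER":"bash","MESSAGE":"terri: reminder, ask for sudo rights on the HR share"}
{"__REALTIME_TIMESTAMP":"1715940002000000","_UID":"1000","SYSLOG_IDENTIFIER":"sudo","MESSAGE":"   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd"}
{"__REALTIME_TIMESTAMP":"1715940003000000","_UID":"1003","SYSLOG_IDENTIFIER":"sudo","MESSAGE":"   terri : TTY=pts/0 ; PWD=/home/terri ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/hr.tgz /srv/hr"}
"""

COMMAND_RE = re.compile(r"COMMAND=(.*)$")


def parse_journal(text: str) -> list:
    """Load one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rendered(entry: dict) -> str:
    """Approximate the default `journalctl` short output: 'identifier: message'."""
    return f"{entry.get('SYSLOG_IDENTIFIER', '?')}: {entry['MESSAGE']}"


def grep_style(entries: list, uid: str) -> list:
    """`journalctl _UID=<uid> | grep sudo`: field match on UID, then a substring match."""
    return [rendered(e) for e in entries if e.get("_UID") == uid and "sudo" in rendered(e)]


def sudo_commands(entries: list, uid: str) -> list:
    """`journalctl _UID=<uid> SYSLOG_IDENTIFIER=sudo`: both field matches must hold.

    Returns (timestamp, command) pairs parsed from sudo's own log line.
    """
    hits = []
    for e in entries:
        if e.get("_UID") != uid or e.get("SYSLOG_IDENTIFIER") != "sudo":
            continue
        m = COMMAND_RE.search(e["MESSAGE"])
        if m:
            hits.append((e["__REALTIME_TIMESTAMP"], m.group(1)))
    return hits


if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    print("grep-style lines:", len(grep_style(entries, "1003")))
    for ts, cmd in sudo_commands(entries, "1003"):
        print(ts, cmd)
```

Grepping the rendered lines for "sudo" also returns the bash entry that only talks about sudo, so filtering on `SYSLOG_IDENTIFIER=sudo` is the tighter query. Two practical caveats: `_UID` is already a journal field match, so piping through a second grep for the name or UID adds nothing, and "ever issued" really means "within the retained journal" (entries survive reboots only when journald uses persistent storage, such as when /var/log/journal exists).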
