The application’s broken access controls are an example of what?
- A security control
- A threat
- An exploit
- A vulnerability
Q: What security strategy uses a layered approach to prevent attackers
from gaining access to sensitive data?
- Defense in depth
- Kerckhoffs's principle
- Caesar’s cipher
- Triple DES (3DES)
Q: What is the difference between the application and data layers of the
defense in depth model?
- The data layer includes controls like encryption and hashing to secure data at rest. The application layer protects individual devices that are connected to a network.
- The data layer only allows employees to access information. The application layer secures information with controls that are programmed into the application itself.
- The application layer secures information with controls that are programmed into the application itself. The data layer maintains the integrity of information with controls like encryption and hashing.
- The application layer maintains the integrity of information with controls like encryption and hashing. The data layer blocks network traffic from untrusted websites.
Q: What is the main purpose of the CVE® list?
- To provide organizations with a framework for managing cybersecurity risk
- To share a standard way of identifying and categorizing known vulnerabilities and exposures
- To create a dictionary of threats to organizational assets that must be addressed
- To keep a record of the coding mistakes of major software developers
Q: What is the purpose of vulnerability management? Select three
answers.
- To review an organization’s internal security systems
- To identify exposures to internal and external threats
- To track assets and the risks that affect them
- To uncover vulnerabilities and reduce their exploitation
Q: What is the main goal of performing a vulnerability assessment?
- To catalog assets that need to be protected
- To practice ethical hacking techniques
- To pass remediation responsibilities over to the IT department
- To identify weaknesses and prevent attacks
Q: Fill in the blank: All the potential vulnerabilities that a threat
actor could exploit are called an attack _____.
- vector
- network
- surface
- database
Q: Fill in the blank: An attack _____ refers to the pathways attackers
use to penetrate security defenses.
- vector
- landscape
- vulnerability
- surface
Q: What are ways to protect an organization from common attack vectors?
Select three answers.
- By keeping software and systems updated
- By not practicing an attacker mindset
- By educating employees about security vulnerabilities
- By implementing effective password policies
Q: Consider the following scenario:
A cloud service provider has misconfigured a cloud drive. They’ve
forgotten to change the default sharing permissions. This allows all of their
customers to access any data that is stored on the drive.
This misconfigured cloud drive is an example of what?
- An exploit
- A security control
- A vulnerability
- A threat
Q: Why do organizations use the defense in depth model to protect
information? Select two answers.
- Security teams can easily determine the “who, what, when, and how” of an attack.
- Each layer uses unique technologies that communicate with each other.
- Threats that penetrate one level can be contained in another.
- Layered defenses reduce risk by addressing multiple vulnerabilities.
Q: An organization’s firewall is configured to allow traffic only from
authorized IP addresses. Which layer of the defense in depth model is the
firewall associated with?
- Endpoint
- Network
- Data
- Application
Q: Which of the following are criteria that a vulnerability must meet
to qualify for a CVE® ID? Select all that apply.
- It must be independent of other issues. (CORRECT)
- It must pose a financial risk.
- It must be submitted with supporting evidence.
- It must be recognized as a potential security risk.
- It can only affect one codebase.
Q: A security team is preparing new workstations that will be installed
in an office.
Which vulnerability management steps should they take to prepare these
workstations? Select three answers.
- Consider who will be using each computer.
- Configure the company firewall to allow network access.
- Download the latest patches and updates for each system.
- Install a suite of collaboration tools on each workstation.
Q: What are the two types of attack surfaces that security
professionals defend? Select two answers.
- Intellectual property
- Brand reputation
- Digital
- Physical
Q: An online newspaper suffered a data breach. The attackers exploited
a vulnerability in the login form of their website. The attackers were able to
access the newspaper’s user database, which did not encrypt personally
identifiable information (PII).
What attack vectors did the malicious hackers use to steal user information? Select two answers.
- The online login form
- The user database
- The newspaper’s website
- The unencrypted PII
Q: A security team is performing a vulnerability assessment on a
banking app that is about to be released. Their objective is to identify the
tools and methods that an attacker might use.
Which steps of an attacker mindset should the team perform to figure this out? Select three answers.
- Determine how the target can be accessed.
- Evaluate attack vectors that can be exploited.
- Identify a target.
- Consider potential threat actors.
Q: Consider the following scenario:
You are working as a security professional for a school district. An
application developer with the school district created an app that connects
students to educational resources. You’ve been assigned to evaluate the
security of the app.
Using an attacker mindset, which of the following steps would you take
to evaluate the application? Select two answers.
- Evaluate how the app handles user data.
- Identify the types of users who will interact with the app.
- Ensure the app’s login form works.
- Integrate the app with existing educational resources.
Q: What phase comes after identifying a target when practicing an
attacker mindset?
- Evaluate the target’s attack vectors.
- Determine how the target can be accessed. (CORRECT)
- Find the tools and methods of attack.
- Prepare defenses against threats.
Q: A hotel chain has outdated WiFi routers in their guest rooms. An
attacker hacked into the devices and stole sensitive information from several
guests.
The outdated WiFi router is an example of what?
- A threat
- An exploit
- A vulnerability
- An access control
Q: Fill in the blank: According to the CVE® list, a vulnerability with
a score of _____ or above is considered to be a critical risk to company assets
that should be addressed right away.
- 11
- 1
- 4
- 9