CAS-005 Practice Test Questions

103 Questions


A network engineer must ensure that always-on VPN access is enabled but restricted to company assets. Which of the following best describes what the engineer needs to do?


A. Generate device certificates using the specific template settings needed


B. Modify signing certificates in order to support IKE version 2


C. Create a wildcard certificate for connections from public networks


D. Add the VPN hostname as a SAN entry on the root certificate





A. Generate device certificates using the specific template settings needed

Explanation:

To ensure always-on VPN access is enabled and restricted to company assets, the network engineer needs to generate device certificates using the specific template settings required for the company's VPN solution. These certificates ensure that only authorized devices can establish a VPN connection.

Why Device Certificates are Necessary:

Authentication: Device certificates authenticate company assets, ensuring that only authorized devices can access the VPN.

Security: Certificates provide a higher level of security compared to username and password combinations, reducing the risk of unauthorized access.

Compliance: Certificates help in meeting security policies and compliance requirements by ensuring that only managed devices can connect to the corporate network.

Other options do not provide the same level of control and security for always-on VPN access:

B. Modify signing certificates for IKE version 2: While important for VPN protocols, it does not address device-specific authentication.

C. Create a wildcard certificate: This is not suitable for device-specific authentication and could introduce security risks.

D. Add the VPN hostname as a SAN entry: This is more related to certificate management and does not ensure device-specific authentication.

References:

CompTIA SecurityX Study Guide

"Device Certificates for VPN Access," Cisco Documentation

NIST Special Publication 800-77, "Guide to IPsec VPNs"

A security analyst received a notification from a cloud service provider regarding an attack detected on a web server. The cloud service provider shared the following information about the attack:

• The attack came from inside the network.

• The attacking source IP was from the internal vulnerability scanners.

• The scanner is not configured to target the cloud servers.

Which of the following actions should the security analyst take first?


A. Create an allow list for the vulnerability scanner IPs in order to avoid false positives


B. Configure the scan policy to avoid targeting an out-of-scope host


C. Set network behavior analysis rules


D. Quarantine the scanner sensor to perform a forensic analysis





D. Quarantine the scanner sensor to perform a forensic analysis

Explanation:

When a security analyst receives a notification about an attack that appears to originate from an internal vulnerability scanner, it suggests that the scanner itself might have been compromised. This situation is critical because a compromised scanner can potentially conduct unauthorized scans, leak sensitive information, or execute malicious actions within the network. The appropriate first action involves containing the threat to prevent further damage and allow for a thorough investigation.

Here’s why quarantining the scanner sensor is the best immediate action:

Containment and Isolation: Quarantining the scanner will immediately prevent it from continuing any malicious activity or scans. This containment is crucial to protect the rest of the network from potential harm.

Forensic Analysis: By isolating the scanner, a forensic analysis can be performed to understand how it was compromised, what actions it took, and what data or systems might have been affected. This analysis will provide valuable insights into the nature of the attack and help in taking appropriate remedial actions.

Preventing Further Attacks: If the scanner is allowed to continue operating, it might execute more unauthorized actions, leading to greater damage. Quarantine ensures that the threat is neutralized promptly.

Root Cause Identification: A forensic analysis can help identify vulnerabilities in the scanner’s configuration, software, or underlying system that allowed the compromise. This information is essential for preventing future incidents.

Other options, while potentially useful in the long term, are not appropriate as immediate actions in this scenario:

A. Create an allow list for the vulnerability scanner IPs to avoid false positives: This action addresses false positives but does not mitigate the immediate threat posed by the compromised scanner.

B. Configure the scan policy to avoid targeting an out-of-scope host: This step is preventive for future scans but does not deal with the current incident where the scanner is already compromised.

C. Set network behavior analysis rules: While useful for ongoing monitoring and detection, this does not address the immediate need to stop the compromised scanner’s activities.

In conclusion, the first and most crucial action is to quarantine the scanner sensor to halt any malicious activity and perform a forensic analysis to understand the scope and nature of the compromise. This step ensures that the threat is contained and provides a basis for further remediation efforts.

References:

CompTIA SecurityX Study Guide

NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide"

A company isolated its OT systems from other areas of the corporate network. These systems are required to report usage information over the internet to the vendor. Which of the following best reduces the risk of compromise or sabotage? (Select two).


A. Implementing allow lists


B. Monitoring network behavior


C. Encrypting data at rest


D. Performing boot integrity checks


E. Executing daily health checks


F. Implementing a site-to-site IPSec VPN





A. Implementing allow lists

F. Implementing a site-to-site IPSec VPN

Explanation:

A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted.

F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.

Other options:

B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage.

C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network communication risks.

D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications.

E. Executing daily health checks: Useful for maintaining system health but does not directly reduce the risk of network-based compromise or sabotage.

References:

CompTIA Security+ Study Guide

NIST SP 800-82, "Guide to Industrial Control Systems (ICS) Security"

"Industrial Network Security" by Eric D. Knapp and Joel Thomas Langill

Company A acquired Company B and needs to determine how the acquisition will impact the attack surface of the organization as a whole. Which of the following is the best way to achieve this goal? (Select two).

Implementing DLP controls preventing sensitive data from leaving Company B's network


A. Documenting third-party connections used by Company B


B. Reviewing the privacy policies currently adopted by Company B


C. Requiring data sensitivity labeling for all files shared with Company B


D. Forcing a password reset requiring more stringent passwords for users on Company B's network


E. Performing an architectural review of Company B's network





A. Documenting third-party connections used by Company B

B. Reviewing the privacy policies currently adopted by Company B

Explanation:

To determine how the acquisition of Company B will impact the attack surface, the following steps are crucial:

A. Documenting third-party connections used by Company B: Understanding all external connections is essential for assessing potential entry points for attackers and ensuring that these connections are secure.

E. Performing an architectural review of Company B's network: This review will identify vulnerabilities and assess the security posture of the acquired company's network, providing a comprehensive understanding of the new attack surface.

These actions will provide a clear picture of the security implications of the acquisition and help in developing a plan to mitigate any identified risks.

References:

CompTIA SecurityX Study Guide: Emphasizes the importance of understanding third-party connections and conducting architectural reviews during acquisitions.

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems": Recommends comprehensive reviews and documentation of third-party connections.

"Mergers, Acquisitions, and Other Restructuring Activities" by Donald DePamphilis: Discusses the importance of security assessments during acquisitions.

Users must accept the terms presented in a captive portal when connecting to a guest network. Recently, users have reported that they are unable to access the Internet after joining the network. A network engineer observes the following:

• Users should be redirected to the captive portal.

• The captive portal runs TLS 1.2.

• Newer browser versions encounter security errors that cannot be bypassed.

• Certain websites cause unexpected redirects.

Which of the following most likely explains this behavior?


A. The TLS ciphers supported by the captive portal are deprecated


B. Employment of the HSTS setting is proliferating rapidly.


C. Allowed traffic rules are causing the NIPS to drop legitimate traffic


D. An attacker is redirecting supplicants to an evil twin WLAN.





A. The TLS ciphers supported by the captive portal are deprecated

Explanation:

The most likely explanation for the issues encountered with the captive portal is that the TLS ciphers supported by the captive portal are deprecated. Here’s why:

TLS Cipher Suites: Modern browsers are continuously updated to support the latest security standards and often drop support for deprecated and insecure cipher suites. If the captive portal uses outdated TLS ciphers, newer browsers may refuse to connect, causing security errors.

HSTS and Browser Security: Browsers with HTTP Strict Transport Security (HSTS) enabled will not allow connections to sites with weak security configurations. Deprecated TLS ciphers would cause these browsers to block the connection.

By updating the TLS ciphers to modern, supported ones, the security engineer can ensure compatibility with newer browser versions and resolve the connectivity issues reported by users.

A security review revealed that not all of the client proxy traffic is being captured. Which of the following architectural changes best enables the capture of traffic for analysis?


A. Adding an additional proxy server to each segmented VLAN


B. Setting up a reverse proxy for client logging at the gateway


C. Configuring a span port on the perimeter firewall to ingest logs


D. Enabling client device logging and system event auditing





C. Configuring a span port on the perimeter firewall to ingest logs

Explanation:

Configuring a span port on the perimeter firewall to ingest logs is the best architectural change to ensure that all client proxy traffic is captured for analysis. Here’s why:

Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter firewall can capture all inbound and outbound traffic, including traffic that might bypass the proxy. This ensures that all network traffic is available for analysis.

Centralized Logging: By capturing logs at the perimeter firewall, the organization can centralize logging and analysis, making it easier to detect and investigate anomalies.

Minimal Disruption: Implementing a span port is a non-intrusive method that does not require significant changes to the network architecture, thus minimizing disruption to existing services.

The identity and access management team is sending logs to the SIEM for continuous monitoring. The deployed log collector is forwarding logs to the SIEM. However, only false positive alerts are being generated. Which of the following is the most likely reason for the inaccurate alerts?


A. The compute resources are insufficient to support the SIEM


B. The SIEM indexes are too large


C. The data is not being properly parsed


D. The retention policy is not properly configured





C. The data is not being properly parsed

Explanation:

Proper parsing of data is crucial for the SIEM to accurately interpret and analyze the logs being forwarded by the log collector. If the data is not parsed correctly, the SIEM may misinterpret the logs, leading to false positives and inaccurate alerts. Ensuring that the log data is correctly parsed allows the SIEM to correlate and analyze the logs effectively, which is essential for accurate alerting and monitoring.

An organization wants to implement a platform to better identify which specific assets are affected by a given vulnerability. Which of the following components provides the best foundation to achieve this goal?


A. SASE


B. CMDB


C. SBoM


D. SLM





B. CMDB

Explanation:

A Configuration Management Database (CMDB) provides the best foundation for identifying which specific assets are affected by a given vulnerability. A CMDB maintains detailed information about the IT environment, including hardware, software, configurations, and relationships between assets. This comprehensive view allows organizations to quickly identify and address vulnerabilities affecting specific assets.

References:

CompTIA SecurityX Study Guide: Discusses the role of CMDBs in asset management and vulnerability identification.

ITIL (Information Technology Infrastructure Library) Framework: Recommends the use of CMDBs for effective configuration and asset management.

"Configuration Management Best Practices" by Bob Aiello and Leslie Sachs: Covers the importance of CMDBs in managing IT assets and addressing vulnerabilities.

Which of the following best explains the importance of determining organization risk appetite when operating with a constrained budget?


A. Risk appetite directly impacts acceptance of high-impact low-likelihood events


B. Organizational risk appetite varies from organization to organization


C. Budgetary pressure drives risk mitigation planning in all companies


D. Risk appetite directly influences which breaches are disclosed publicly





A. Risk appetite directly impacts acceptance of high-impact low-likelihood events

Explanation:

Risk appetite is the amount of risk an organization is willing to accept to achieve its objectives. When operating with a constrained budget, understanding the organization's risk appetite is crucial because:

It helps prioritize security investments based on the level of risk the organization is willing to tolerate.

High-impact, low-likelihood events may be deemed acceptable if they fall within the organization's risk appetite, allowing for budget allocation to other critical areas.

Properly understanding and defining risk appetite ensures that limited resources are used effectively to manage risks that align with the organization's strategic goals.

References:

CompTIA Security+ Study Guide

NIST Risk Management Framework (RMF) guidelines

ISO 31000, "Risk Management – Guidelines"

Configure a scheduled task nightly to save the logs


A. Configure a scheduled task nightly to save the logs


B. Configure event-based triggers to export the logs at a threshold.


C. Configure the SIEM to aggregate the logs


D. Configure a Python script to move the logs into a SQL database.





C. Configure the SIEM to aggregate the logs

Explanation:

To ensure that logs from a legacy platform are properly retained beyond the default retention period, configuring the SIEM to aggregate the logs is the best approach. SIEM solutions are designed to collect, aggregate, and store logs from various sources, providing centralized log management and retention. This setup ensures that logs are retained according to policy and can be easily accessed for analysis and compliance purposes.

References:

CompTIA SecurityX Study Guide: Discusses the role of SIEM in log management and retention.

NIST Special Publication 800-92, "Guide to Computer Security Log Management": Recommends the use of centralized log management solutions, such as SIEM, for effective log retention and analysis.

"Security Information and Event Management (SIEM) Implementation" by David Miller: Covers best practices for configuring SIEM systems to aggregate and retain logs from various sources.

An organization is required to:

* Respond to internal and external inquiries in a timely manner.
* Provide transparency.
* Comply with regulatory requirements.

The organization has not experienced any reportable breaches but wants to be prepared if a breach occurs in the future. Which of the following is the best way for the organization to prepare?


A. Outsourcing the handling of necessary regulatory filing to an external consultant


B. Integrating automated response mechanisms into the data subject access request process


C. Developing communication templates that have been vetted by internal and external counsel


D. Conducting lessons-learned activities and integrating observations into the crisis management plan





C. Developing communication templates that have been vetted by internal and external counsel

Explanation:

Preparing communication templates that have been vetted by both internal and external counsel ensures that the organization can respond quickly and effectively to internal and external inquiries, comply with regulatory requirements, and provide transparency in the event of a breach.

Why Communication Templates?

Timely Response: Pre-prepared templates ensure that responses are ready to be deployed quickly, reducing response time.

Regulatory Compliance: Templates vetted by counsel ensure that all communications meet legal and regulatory requirements.

Consistent Messaging: Ensures that all responses are consistent, clear, and accurate, maintaining the organization’s credibility.

Crisis Management: Pre-prepared templates are a critical component of a broader crisis management plan, ensuring that all stakeholders are informed appropriately.

Other options, while useful, do not provide the same level of preparedness and compliance:

A. Outsourcing to an external consultant: This may delay response times and lose internal control over the communication.

B. Integrating automated response mechanisms: Useful for efficiency but not for ensuring compliant and vetted responses.

D. Conducting lessons-learned activities: Important for improving processes but does not provide immediate preparedness for communication.

References:

CompTIA SecurityX Study Guide

NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide"

ISO/IEC 27002:2013, "Information technology — Security techniques — Code of practice for information security controls"

An organization that performs real-time financial processing is implementing a new backup solution. Given the following business requirements:

* The backup solution must reduce the risk for potential backup compromise.
* The backup solution must be resilient to a ransomware attack.
* The time to restore from backups is less important than the backup data integrity.
* Multiple copies of production data must be maintained.

Which of the following backup strategies best meets these requirements?


A. Creating a secondary, immutable storage array and updating it with live data on a continuous basis


B. Utilizing two connected storage arrays and ensuring the arrays constantly sync


C. Enabling remote journaling on the databases to ensure real-time transactions are mirrored


D. Setting up anti-tampering on the databases to ensure data cannot be changed unintentionally





A. Creating a secondary, immutable storage array and updating it with live data on a continuous basis

Explanation:

A. Creating a secondary, immutable storage array and updating it with live data on a continuous basis: An immutable storage array ensures that data, once written, cannot be altered or deleted. This greatly reduces the risk of backup compromise and provides resilience against ransomware attacks, as the ransomware cannot modify or delete the backup data. Maintaining multiple copies of production data with an immutable storage solution ensures data integrity and compliance with the requirement for multiple copies.

Other options:

B. Utilizing two connected storage arrays and ensuring the arrays constantly sync: While this ensures data redundancy, it does not provide protection against ransomware attacks, as both arrays could be compromised simultaneously.

C. Enabling remote journaling on the databases: This ensures real-time transaction mirroring but does not address the requirement for reducing the risk of backup compromise or resilience to ransomware.

D. Setting up anti-tampering on the databases: While this helps ensure data integrity, it does not provide a comprehensive backup solution that meets all the specified requirements.

References:

CompTIA Security+ Study Guide

NIST SP 800-209, "Security Guidelines for Storage Infrastructure"

"Immutable Backup Architecture" by Veeam
