213.       C. A network device running SSH and a web server on TCP port 443 is a very typical dis- covery when running a vulnerability scan. Without any demonstrated issues, Carolyn should simply note that she saw those services. Telnet runs on port 21, an unencrypted web server will run on TCP 80 in most cases, and Windows fileshares use a variety of ports including TCP ports 135–139 and 445.

207.       B. The Security+ exam outline lists seven major impact categories, including data loss, data breaches, and data exfiltration. Data modification is not listed, but it is a concern as part of the integrity leg of the CIA triad.

204.       B. Trusting rather than validating user input is the root cause of improper input handling. All input should be considered potentially malicious and thus treated as untrusted. Appro- priate filtering, validation, and testing should be performed to ensure that only valid data input is accepted and processed.

195.       B. Use the following scenario for questions 193–195. Frank is the primary IT staff member for a small company and has migrated his company’s infrastructure from an on-site datacenter to a cloud-based infrastructure as a service (IaaS) provider. Recently he has been receiving reports that his website is slow to respond and that it is inaccessible at times. Frank believes that attackers may be conducting a denial-of- service attack against his organization.The most useful data is likely to come from an IPS, or intrusion prevention system. He will be able to determine if the attack is a denial-of-service (DoS) attack, and the IPS may be able to help him determine the source of the denial-of-service attack. A firewall might provide some useful information but would only show whether or not traffic was allowed and would not analyze the traffic for attack information. A vulnerability scanner would indicate if there was an issue with his application or the server, but it would not identify this type of attack. Antimalware software can help find malware on the system but isn’t effective against a DoS attack.

189.       C. The reconnaissance phase of a penetration test involves gathering information about the target, including domain information, system information, and details about employees like phone numbers, names, and email addresses.

175.       A. White teams act as judges and provide oversight of cybersecurity exercises and competi- tions. Options B and C may remind you of white- and gray-box tests, but they’re only there to confuse you. Cybersecurity teams are usually referred to with colors like red, blue, and purple as the most common colors, as well as the white teams that the Security+ exam out- line mentions. Defenders in an exercise are part of the blue team.

174.       B. Although engaging domain experts is often encouraged, requiring third-party review of proprietary algorithms is not. Many machine learning algorithms are sensitive since they are part of an organization’s competitive advantage. Ensuring that data is secure and of sufficient quality, ensuring a secure development environment, and requiring change control are all common artificial intelligence (AI)/machine learning (ML) security practices.

163.       A. Proprietary, or closed threat, intelligence is threat intelligence that is not openly avail- able. OSINT, or open source threat intelligence, is freely available. ELINT is a military term for electronic and signals intelligence. Corporate threat intelligence was made up for this question.

124.       D. In the on-path (man-in-the-middle) attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end. This does not describe any denial-of-service attack. A replay attack involves resending login information. Although an on-path attack can be used to perform eavesdropping, in this scenario the best answer is an on-path attack.

120.       C. Shoulder surfing involves literally looking over someone’s shoulder in a public place and gathering information, perhaps login passwords. ARP poisoning alters the Address Reso- lution Protocol tables in the switch. Phishing is an attempt to gather information, often via email, or to convince a user to click a link to, and/or download, an attachment. A Smurf attack is a historical form of denial-of-service attack.

100.       B. A Trojan horse pretends to be legitimate software, and may even include it, but also includes malicious software as well. Backdoors, RATs, and polymorphic viruses are all attacks, but they do not match what is described in the question scenario.

98.      C. DNS poisoning occurs when false DNS information is inserted into legitimate DNS servers, resulting in traffic being redirected to unwanted or malicious sites. A backdoor pro- vides access to the system by circumventing normal authentication. An APT is an advanced persistent threat. A Trojan horse ties a malicious program to a legitimate program.

90.      A. Pharming attempts to redirect traffic intended for a legitimate site to another malicious site. Attackers most often do this by changing the local hosts file or by exploiting a trusted DNS server.

89.      D. The fact that the website is defaced in a manner related to the company’s public indicates that the attackers were most likely engaging in hacktivism to make a political or belief-based point. Scripts, nation-state actors, and organized crime don’t account for the statements adverse to the company’s policies, which is why hacktivism is the real cause.

85.      D. In a DLL injection, the malware attempts to inject code into the process of some library. This is a rather advanced attack. Option A is incorrect. A logic bomb executes its misdeed when some condition is met. Option B is incorrect. Session hijacking is taking over an authenticated session. Option C is incorrect. Buffer overflows are done by sending more data to a variable than it can hold.

74.      B. A logic bomb performs malicious actions when a specific condition or conditions are met. A boot sector virus infects the boot sector of the hard drive. A buffer overflow occurs when the attacker attempts to put more data in a variable than it can hold. A sparse infector virus performs its malicious activity intermittently to make it harder to detect.

67.      C. A race condition can occur when multiple threads in an application are using the same variable and the situation is not properly handled. Option A is incorrect. A buffer overflow is attempting to put more data in a buffer than it is designed to hold. Option B is incorrect. A logic bomb is malware that performs its misdeed when some logical condition is met. Option D is incorrect. As the name suggests, improper error handling is the lack of adequate or appropriate error handling mechanisms within software.

64.      A. The term for attempting to gain any privileges beyond what you have is privilege escala- tion. Session hijacking is taking over an authenticated session. Root grabbing and climbing are not terms used in the industry.

39.      B. A Trojan horse attaches a malicious program to a legitimate program. When the user downloads and installs the legitimate program, they get the malware. A logic bomb is mal- ware that does its misdeeds when some condition is met. A rootkit is malware that gets administrative, or root, access. A macro virus is a virus that is embedded in a document as a macro.

34.      A. Shimming is when the attacker places some malware between an application and some other file and intercepts the communication to that file (usually to a library or system API). In many cases, this is done with a driver for a hardware component. A Trojan horse might be used to get the shim onto the system, but that is not described in this scenario. A backdoor is a means to circumvent system authorization and get direct access to the system. Refactoring is the process of changing names of variables, functions, and so forth in a program.

25.      D. The term for low-skilled hackers is script kiddie. Script kiddies typically use prebuilt tools and do not have the expertise to make or modify their own tools. Nothing indicates this is being done for ideological reasons, and thus that a hacktivist is involved. Although “Amateur” may be an appropriate description, the correct term is script kiddie. Finally, nothing in this scenario indicates an insider threat.

24.      C. Domain hijacking, or domain theft, occurs when the registration or other information for the domain is changed without the original registrant’s permission. This may occur because of a compromised account or due to a breach of the domain registrar’s security. A common issue is a lapsed domain being purchased by a third party, and this can look like a hijacked domain, but it is a legitimate occurrence if the domain is not renewed! DNS hijacking inserts false information into a DNS server, on-path (man-in-the-middle) attacks capture or modify traffic by causing the traffic to pass through a compromised midpoint, and zero-day attacks are attacks that use an unknown until used vulnerability.

21.      C. Username complexity has no impact in credential harvesting. Multifactor authentication can help prevent successful credential harvesting by ensuring that even capture of username and password is not enough to compromise the account. Awareness training helps to reduce the likelihood of credential exposure, and limiting or preventing use of third-party web scripts makes websites less likely to have credentials stolen through the use of those scripts, plug-ins, or modules.

12.      C. There are many indicators of compromise (IoCs), including unusual outbound network traffic, geographical irregularities like logins from a country where the person normally does not work, or increases in database read volumes beyond normal traffic patterns. Predictive analysis is analysis work done using datasets to attempt to determine trends and likely attack vectors so that analysts can focus their efforts where they will be most needed and effective. OSINT is open source intelligence, and threat maps are often real-time or near real-time visu- alizations of where threats are coming from and where they are headed to. Use the following scenario for questions 13–15. Chris has recently deployed a security information and event management (SIEM) device and wants to use it effectively in his organization. He knows that SIEM systems have a broad range of capabilities and wants to use the features to solve problems that he knows his orga- nization faces. In each of the following questions, identify the most appropriate SIEM capa- bility or technique to accomplish what Chris needs to do for his organization.

11.      C. The machines in her network are being used as bots, and the users are not aware that they are part of a distributed denial-of-service (DDoS) attack. Social engineering is when someone tries to manipulate you into giving information. Techniques involved in social engineering attacks include consensus, scarcity, and familiarity. There is a slight chance that all computers could have a backdoor, but that is very unlikely, and attackers normally don’t manually log into each machine to do a DDoS—it would be automated, as through a bot.