213.       C. A network device running SSH and a web server on TCP port 443 is a very typical dis- covery when running a vulnerability scan. Without any demonstrated issues, Carolyn should simply note that she saw those services. Telnet runs on port 21, an unencrypted web server will run on TCP 80 in most cases, and Windows fileshares use a variety of ports including TCP ports 135–139 and 445.

210.       C. Although it may be tempting to immediately upgrade, reading and understanding the CVEs for a vulnerability is a good best practice. Once Charles understands the issue, he can then remediate it based on the recommendations for that specific problem. Disabling PHP or the web server would break the service, and in this case, only newer versions of PHP than 5.4 have the patch Charles needs.

199.       D. Predictive analysis tools use large volumes of data, including information about security trends and threats, large security datasets from various security tools and other sources, and behavior patterns, to predict and identify malicious and suspicious behavior.

192.       B. XML injection is often done by modifying HTTP queries sent to an XML-based web service. Reviewing web server logs to see what was sent and analyzing them for potential attacks will help Christina see if unexpected user input is visible in the logs. Syslog, authen- tication logs, and event logs are unlikely to contain information about web applications that would show evidence of an XML injection–based attack.

186.       B. Threat hunting can involve a variety of activities such as intelligence fusion, combining multiple data sources and threat feeds, and reviewing advisories and bulletins to remain aware of the threat environment for your organization or industry.

181.       C. A false negative occurs with a vulnerability scanning system when a scan is run and an issue that exists is not identified. This can be because of a configuration option, a firewall, or other security setting or because the vulnerability scanner is otherwise unable to detect the issue. A missing vulnerability update might be a concern if the problem did not specif- ically state that the definitions are fully up-to-date. Unless the vulnerability is so new that there is no definition, a missing update shouldn’t be the issue. Silent patching refers to a patching technique that does not show messages to users that a patch is occurring. A false positive would have caused a vulnerability to show that was not actually there. This some- times happens when a patch or fix is installed but the application does not change in a way that shows the change.

177.       A. Linux privileges can be set numerically, and 777 sets user, group, and world to all have read, write, and execute access to the entire /etc directory. Setting permissions like this is a common workaround when permissions aren’t working but can expose data or make binaries executable by users who should not have access to them. When you set permissions for a system, remember to set them according to the rule of least privilege: only the permis- sions that are required for the role or task should be configured.

165.       B. Script kiddies are the least resourced of the common threat actors listed above. In gen- eral, they flow from national state actors as the most highly resourced, to organized crime, to hacktivists, to inside actors, and then to script kiddies as the least capable and least resourced actors. As with any scale like this, there is room for some variability between specific actors, but for the exam, you should track them in that order.

163.       A. Proprietary, or closed threat, intelligence is threat intelligence that is not openly avail- able. OSINT, or open source threat intelligence, is freely available. ELINT is a military term for electronic and signals intelligence. Corporate threat intelligence was made up for this question.

136.       B. This is vishing, or using voice calls for phishing. Spear phishing is targeting a small, specific group. War dialing is dialing numbers hoping a computer modem answers. Robo- calling is used to place unsolicited telemarketing calls.

135.       B. The word you will need to know for the Security+ exam for phishing via SMS is “smishing,” a term that combines SMS and phishing. Bluejacking sends unsolicited messages to Bluetooth devices, and phonejacking and text whaling were made up for this question.

131.       C. Memory leaks can cause crashes, resulting in an outage. This targets the availability leg of the CIA (confidentiality, integrity, and availability) triad, making it a security issue. Memory leaks do not actually leak to other locations, nor do they allow code injection. Instead memory leaks cause memory exhaustion or other issues over time as memory is not properly reclaimed.

129.       D. You will need to be able to read and understand basic scripts and programs in multiple languages for the Security+ exam. In this example, you can recognize common Bash syntax and see that it is adding a key to the authorized keys file for root. If that’s not an expected script, you should be worried!

126.       B. Uniform resource locator (URL) redirection is frequently used in web applications to direct users to another service or portion of the site. If this redirection is not properly secured, it can be used to redirect to an arbitrary untrusted or malicious site. This issue, known as Open Redirect vulnerabilities, remains quite common. The code shown does not contain SQL or LDAP code, and there is no mention of changing DNS information on the server, thus making the other options incorrect.

123.       A. A partially known (gray-box) test involves the tester being given partial information about the network. A known environment (white-box) test involves the tester being given full or nearly full information about the target network, and unknown (black-box) envi- ronments don’t provide information about the target environment. Masked is not a testing term.

121.       A. Invoice scams typically either send legitimate appearing invoices to trick an organization into paying the fake invoice, or they focus on tricking employees into logging into a fake site to allow the acquisition of credentials. They typically do not focus on delivery of mal- ware or stealing cryptocurrency.

118.       A. In a known environment (white-box) test, the tester is given extensive knowledge of the target network. Full disclosure is not a term used to describe testing. Unknown environment (black-box) testing involves only very minimal information being given to the tester. A red team test simulates a particular type of attacker, such as a nation-state attacker, an insider, or other type of attacker.

72.      C. A buffer overflow is possible when boundaries are not checked and the attacker tries to put in more data than the variable can hold. Cross-site scripting (XSS) is a web page attack. Cross-site request forgery (CSRF) is a web page attack. A logic bomb is malware that per- forms its misdeed when some condition is met.

70.      A. Annie has moved laterally. Lateral movement moves to systems at the same trust level. This can provide access to new data or different views of the network depending on how the sys- tems and security are configured. Privilege escalation involves gaining additional privileges, often those of an administrative user. Vertical movement is sometimes referenced when gain- ing access to systems or accounts with a higher security or trust level. Privilege retention was made up for this question.

37.      B. His machines are part of a distributed denial-of-service (DDoS) attack. This scenario describes a generic DDoS, not a specific one like SYN flood, which would involve many SYN packets being sent without a full three-way TCP handshake. These machines could be part of a botnet or they may just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack. Finally, a backdoor gives an attacker access to the target system.

35.      C. SOAR is a relatively new category as defined by Gartner. Security orchestration, automa- tion, and response includes threat and vulnerability management, security incident response, and security operations automation, but not automated malware analysis.

21.      C. Username complexity has no impact in credential harvesting. Multifactor authentication can help prevent successful credential harvesting by ensuring that even capture of username and password is not enough to compromise the account. Awareness training helps to reduce the likelihood of credential exposure, and limiting or preventing use of third-party web scripts makes websites less likely to have credentials stolen through the use of those scripts, plug-ins, or modules.

17.      A. The simplest way to ensure that APIs are only used by legitimate users is to require the use of authentication. API keys are one of the most frequently used methods for this. If an API key is lost or stolen, the key can be invalidated and reissued, and since API keys can be matched to usage, Cynthia’s company can also bill customers based on their usage patterns if they want to. A firewall or IP restrictions may be able to help, but they can be fragile; customer IP addresses may change. An intrusion prevention system (IPS) can detect and pre- vent attacks, but legitimate usage would be hard to tell from those who are not customers using an IPS.

15.      A. Using log aggregation to pull together logs from multiple sources, and performing collection and initial analysis on log collectors can help centralize and handle large log volumes. Capturing packets is useful for network traffic analysis to identify issues or secu- rity concerns. Security monitoring is an overall function for security information and event management (SIEM) and doesn’t specifically help with this need. Both sentiment analysis and user behavior analysis are aimed at users and groups rather than at how data is collected and managed.

8.          D. Retaining the actual password is not a best practice, and thus encrypting password plain text is not a common technique to make passwords harder to crack. Since the application would need the cryptographic key to read the passwords, anybody who had access to that key could decrypt the passwords. Using a salt, a pepper, and a cryptographic hashing algorithm designed for passwords are all common best practices to prevent offline brute- force attacks.