Permit 143.27.43.32 161.212.71.14 RDP 3389 is correct because it restricts Remote Desktop access to a single authorized external IP address while allowing connections only to the specific RDP server in the DMZ on TCP port 3389, preventing penetration testers or other attackers from the wider internet subnet from accessing the service. Permit 143.27.43.0/24 161.212.71.14 RDP 3389 is incorrect because it allows any system within the entire external subnet to connect to the RDP server, significantly increasing the attack surface. Permit 143.27.43.32 161.212.71.0/24 RDP 3389 is incorrect because it grants the CSO’s IP access to every system in the DMZ rather than limiting access to the specific RDP server. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 is incorrect because it permits RDP access from the entire internet subnet to all systems in the DMZ, making the environment highly vulnerable to unauthorized access attempts. OBJ. 1.5

OBJ 5.3: DNS tunneling is a method used to encode data within DNS queries and responses, creating a covert channel for data exfiltration. This technique exploits the DNS protocol, which is often overlooked by security monitoring systems, to move data out of a network unnoticed. The other options listed describe other methods of exfiltration or misuse of protocols that do not accurately reflect how DNS tunneling operates. OBJ. 5.3

Supported communication methods is correct because the tester is identifying which HTTP methods the server accepts and processes. Network reachability is incorrect because it relates to host discovery. System performance is incorrect because it measures resource usage. Authentication strength is incorrect because it focuses on login mechanisms rather than request handling. OBJ. 2.2

OBJ 1.5: First, you should change the username and default password since using default credentials is extremely insecure. Second, you should implement an allow list for any specific IP blocks with access to this application's administrative web frontend since it should only be a few system administrators and power users. Next, you should implement two-factor authentication to access the application since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application's default password. Since it is a default password, you can not change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization's IP space to identify other vulnerabilities, it will not positively affect remediating this identified vulnerability. OBJ. 1.5

OBJ 1.3: Before finalizing her report, Carol should verify the vulnerabilities she has identified by cross-referencing them with reputable sources such as vulnerability databases (e.g., CVE, NVD) or vendor advisories. This step ensures that her findings are accurate, credible, and backed by reliable information. It also helps to confirm that the identified issues are indeed vulnerabilities and not false positives, enhancing the reliability of the report. Deleting any logs or information would be highly unethical and counterproductive. Logs and evidence are crucial for validating the findings, supporting the report, and maintaining transparency with the client. Making additional configuration changes after the initial test without client approval could alter the environment and lead to inaccurate reporting. The purpose of the assessment is to identify vulnerabilities, not to further exploit them unless specified by the scope of work (SoW). Only reporting the vulnerabilities she was able to exploit would provide an incomplete picture of the network's security posture. It's important to report all identified vulnerabilities, not just those that were exploited, because unexploited vulnerabilities could still pose significant risks if left unaddressed. OBJ. 5.2

OBJ 1.5: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems. OBJ. 1.5

OBJ 3.3 - Michael is attempting to exploit social engineering through curiosity. By labeling the USB drives with enticing terms like “Confidential Payroll,” he aims to tempt employees into plugging in the device to see the contents, thus executing a malicious payload. OBJ. 3.3

NAC is correct because Network Access Control validates the security posture of a device before allowing it to connect to the internal network, checking for factors such as malware, patch levels, and endpoint security controls and quarantining non-compliant systems so a compromised workstation used by a penetration tester cannot pivot into the environment. MAC filtering is incorrect because MAC addresses can be easily spoofed by an attacker and operate only at Layer 2 without validating the health or security status of the connecting device. SPF is incorrect because Sender Policy Framework is used to validate email senders and prevent spoofed email domains and has no role in controlling VPN or endpoint network access. ACL is incorrect because an access control list filters traffic based on IP addresses, ports, or protocols but does not assess whether the connecting endpoint is infected or compliant with security policies. OBJ. 1.5

This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string of PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg== being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack. If you did have a base64 decoder, you would have found that the parameter being passed would translate to , which is a simple method to cause your web browser to create a popup that displays the text "I love Dion Training." If you attempt to load this URL in your browser, it may or may not function depending on your browser's security. OBJ. 4.5

Embedded data extraction is correct because the tester is retrieving hidden information stored within publicly accessible files, such as usernames and system details. Banner grabbing is incorrect because it retrieves service metadata from active systems. Protocol scanning is incorrect because it identifies supported protocols. Network sniffing is incorrect because it requires capturing live traffic. OBJ. 2.1