Correct Answer:

HTTPS connection from internal network is correct. For the highest security, you should use a Hypertext Transfer Protocol Secure (HTTPS) connection from an internal network.

Incorrect Answers:

HTTP connection from external network and HTTPS connection from external network incorrect. Allowing connections from an external network, even via HTTPS, leaves your management console open to attacks.

HTTP connection from internal network is incorrect. HTTP sends communication in cleartext.

Correct Answer:

TOTP is correct. Time-based one-time passwords allow users to log in to a system with a username and password combination and then a one-time token, generally generated from a separate device.

Incorrect Answers:

PKI is incorrect. Public Key Infrastructure (PKI) manages public key encryption.

SSL is incorrect. Secure Sockets Layer (SSL) provides secure communications.

One-way hash is incorrect. A one-way hash is used to validate the integrity of a message.

Correct Answer:

RAM is correct. Random-access memory (RAM) is extremely volatile, meaning that if power is lost or removed from the memory, it loses its contents. This makes it incredibly important that, if at all possible, systems that are isolated after an event are not powered down.

Incorrect Answers:

Paper, disk, and firmware are incorrect. These are not as volatile as RAM.

Correct Answer:

Host-based firewall monitoring outgoing connections is correct. A host-based firewall monitors all inbound and outbound connections. After an incident, you can ensure your rules block applications trying to create an outbound connection inappropriately.

Incorrect Answers:

Caching proxy server is incorrect. A caching proxy server is used for saving web data locally for more efficient retrieval by clients.

Anti-malware scanning is incorrect. Many types of adware are not considered malware or spyware and thus won’t be flagged as malware by anti-malware scanning.

Web authentication is incorrect. Web browser authentication will not prevent adware from transmitting data from a computer that is already authenticated by a user.

Correct Answer:

Using MDM to enforce a lock after five minutes of inactivity is correct. By using mobile device management (MDM) to enforce automatic locking of users’ mobile devices after five minutes of inactivity, you ensure that users’ smartphones are not accessible if they are away from them for a lengthy period of time. The users must authenticate to their device to unlock it.

Incorrect Answers:

Password history and rotation is incorrect. Password history (ensuring the same password is not used too often) and rotation (ensuring passwords are changed regularly) will not stop someone from using a user’s logged-in device when the user is away from their desk.

Clean desk policy is incorrect. A clean desk policy is used to ensure that users do not leave important documentation and passwords on their desks while they are away.

Screen privacy guard is incorrect. A screen privacy guard is used to prevent shoulder surfing when a user is working at her workstation.

Correct Answer:

Security guards is correct. Security guards regularly patrolling the facility and monitoring CCTV can detect and respond immediately to security occurrences as they happen and prevent any equipment from leaving the building.

Security lighting and perimeter fencing are incorrect. Although security lighting and perimeter fencing are important physical security controls, they can be bypassed and cannot fully prevent theft.

Video surveillance is incorrect. Video surveillance can only record a theft; it cannot prevent theft or catch the perpetrator in the act.

Correct Answer:

Escape command characters is correct. Escaping is a technique used when processing input fields to process command characters inserted into the input as text data to prevent commands from being run.

Incorrect Answers:

Fuzz input is incorrect. Fuzzing is used to test input validation through the entry of random characters.

Disable cut-and-paste functionality is incorrect. Disabling cut-and-paste functionality on the input field will not prevent command injection.

Use SQL injection is incorrect. SQL injection is a similar type of command injection attack that is performed on SQL database servers.

Correct Answer:

Time restrictions is correct. You can disable system access after a certain time so that no users are logged in to their computers after hours.

Incorrect Answers:

Limitation on logon attempts, account expiry dates, and machine restrictions based on MAC address are incorrect. These options will not prevent after-hours use of the computers.

Correct Answer:

Playbook is correct. A playbook lists step-by-step actions that need to occur within the security orchestration, automation, and response (SOAR) process. The actions typically need to be performed by humans, so the playbook serves as the definitive guide to ensure that any documentation, required reporting, or other mandated actions that require human involvement and decision-making occur exactly when they should.

Incorrect Answers:

Runbook is incorrect. A runbook is a set of rules that can be largely automated and, while it can indeed include human elements, often is used to automate features such as threat response.

SIEM is incorrect. Security information and event management (SIEM) tools are used to gather and analyze multiple sources of data to enable cybersecurity analysts to understand trends better and make decisions.

Policy is incorrect. While policies might guide the rules within the runbook, they don’t orchestrate the activities within the SOAR platform.

Correct Answer:

Monitor traffic from that specific computer with a traffic capture and analysis tool is correct. A tool like Wireshark, a common protocol analyzer, can capture and allow analysis of network traffic. Each individual network packet can be analyzed to decode its header information (where the packet originated and its destination) and also the content of the packet.

Incorrect Answers:

Run a performance baseline test on the system, check the antivirus logs, and run a port scan on your firewall are incorrect. None of these options will help you track down the information transmitted between the Trojan horse program and the attacker.