A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?

1. A. A control that demonstrates that all systems authenticate using the approved authentication method
2. B. A control that demonstrates that access to a system is only allowed by using SSH
3. C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment
4. D. A control that demonstrates that the network security policy is reviewed and updated yearly

Correct Answer: C
A valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques is a control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment. This control can help ensure that the firewall rules are configured correctly and securely, and that they do not allow unnecessary or unauthorized access to the perimeter network. The other options are not compensating controls or do not address the risk of active reconnaissance. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14;
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/compensating-controls

A company uses an FTP server to support its critical business functions The FTP server is configured as follows:
• The FTP service is running with (he data duectory configured in /opt/ftp/data.
• The FTP server hosts employees' home aVectories in /home
• Employees may store sensitive information in their home directories
An loC revealed that an FTP director/ traversal attack resulted in sensitive data loss Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?

1. A. Implement file-level encryption of sensitive files
2. B. Reconfigure the FTP server to support FTPS
3. C. Run the FTP server n a chroot environment
4. D. Upgrade the FTP server to the latest version

Correct Answer: C
This would limit the FTP server’s access to a specific directory tree and prevent directory traversal attacks that could access files outside of that tree. Implementing file-level encryption, supporting FTPS, or upgrading the FTP server would not prevent directory traversal attacks.

The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile.
Which of the following BEST describes what the CIS wants to purchase?

1. A. Asset tagging
2. B. SIEM
3. C. File integrity monitor
4. D. DLP

Correct Answer: D
DLP (Data Loss Prevention) is what the CISO wants to purchase. DLP is a solution that prevents unauthorized or accidental disclosure of sensitive data by monitoring, detecting, and blocking data transfers or downloads that violate predefined policies or rules3. DLP can also track and classify data assets based on various criteria, such as name, type, content, or data profile4. DLP can help protect data from insider threats, external attackers, or human errors.

An organization has a strict policy that if elevated permissions are needed, users should always run commands under their own account, with temporary administrator privileges if necessary. A security analyst is reviewing syslog entries and sees the following:

Which of the following entries should cause the analyst the MOST concern?

1. A. <100>2 2020-01-10T19:33:41.002z webserver su 201 32001 = BOM ' su vi httpd.conf' failed for joe
2. B. <100>2 2020-01-10T20:36:36.0010z financeserver su 201 32001 = BOM ' sudo vi users.txt success
3. C. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi syslog.conf failed for jos
4. D. <100> 2020-01-10T19:34..002z financeserver su 201 32001 = BOM ' su vi success
5. E. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi httpd.conf' success

Correct Answer: D
The syslog entries show the attempts of users to run commands with elevated permissions on two servers: webserver and financeserver. The entries include the date and time, the server name, the command used (su or sudo), the user name, and the outcome (success or failed). The policy of the organization states that users should always run commands under their own account, with temporary administrator privileges if necessary. This means that users should use sudo to run commands as another user (usually root), rather than su to switch to another user’s account. Therefore, the entry that should cause the analyst the most concern is D. <100> 2020-01-10T19:34…002z financeserver su 201 32001 = BOM ’ su vi success. This entry shows that someone used su to switch to another user’s account on the financeserver and successfully edited a file with vi. This could indicate an unauthorized access or a compromised account.

A security technician configured a NIDS to monitor network traffic. Which of the following is a condition in which harmless traffic is classified as a potential network attack?

1. A. True positive
2. B. True negative
3. C. False positive
4. D. False negative

Correct Answer: C
A false positive is a condition in which harmless traffic is classified as a potential network attack by a NIDS. A NIDS is a network intrusion detection system that monitors network traffic for any signs of malicious or anomalous activity. A false positive can result in unnecessary alerts or actions by the NIDS, such as blocking legitimate traffic or generating false alarms. False positives can be caused by various factors, such as misconfigured rules, outdated signatures, noisy network traffic or benign anomalies3 .