212-82 Certified Cybersecurity Technician Questions and Answers

Traceroute is the network troubleshooting utility employed by Steve in the above scenario. Traceroute is a utility that traces the route of packets from a source host to a destination host over a network. Traceroute sends ICMP echo request packets with increasing TTL (Time to Live) values and records the ICMP echo reply packets from each intermediate router or gateway along the path. Traceroute can help identify the network hops, latency, and packet loss between the source and destination hosts . Dnsenum is a utility that enumerates DNS information from a domain name or an IP address. Arp is a utility that displays and modifies the ARP (Address Resolution Protocol) cache of a host. Ipconfig is a utility that displays and configures the IP (Internet Protocol) settings of a host.

Prevention is the business continuity and disaster recovery activity performed by Jase in this scenario. Prevention is an activity that involves implementing a deterrent control strategy to minimize the occurrence of threats, protect critical business areas, and mitigate the impact of threats. Prevention can include measures such as backup systems, firewalls, antivirus software, or physical security1. References: Prevention Activity in BCDR

The correct answer is C, as it identifies the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS is a set of standards that aims to protect cardholder data and ensure secure payment transactions. PCI-DSS has 12 requirements that cover various aspects of security such as network configuration, data encryption, access control, vulnerability management, monitoring, and testing. PCI-DSS requirement no 5.1 states that “Protect all systems against malware and regularly update anti-virus software or programs”. In the above scenario, Myles followed this requirement by installing antivirus software on each laptop to detect and protect the machines from external malicious events over the Internet. Option A is incorrect, as it does not identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement no 1.3.2 states that “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet”. In the above scenario, Myles did not follow this requirement, as there was no mention of outbound traffic or cardholder data environment. Option B is incorrect, as it does not identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement no 1.3.5 states that “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment”. In the above scenario, Myles did not follow this requirement, as there was no mention of inbound or outbound traffic or cardholder data environment. Option D is incorrect, as it does not identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement no 1.3.1 states that “Implement a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data”. In the above scenario, Myles did not follow this requirement, as there was no mention of firewall configuration or publicly accessible servers or system components storing cardholder data.

References: Section 5.2

Wireless repeater is the network component employed by the administrator to extend signals in this scenario. A wireless network is a type of network that uses radio waves or infrared signals to transmit data between devices without using cables or wires. A wireless network can consist of various components, such as wireless access points (APs), wireless routers, wireless adapters, wireless bridges, wireless repeaters, etc. A wireless repeater is a network component that extends the range or coverage of a wireless signal by receiving it from an AP or another repeater and retransmitting it to another area . A wireless repeater can be used to support new devices connected to the network beyond the AP’s range . In the scenario, a startup firm contains various devices connected to a wireless network across the floor. An AP with internet connectivity is placed in a corner to allow wireless communication between devices. To support new devices connected to the network beyond the AP’s range, an administrator used a network component that extended the signals of the wireless AP and transmitted it to the uncovered area. This means that he used a wireless repeater for this purpose. A wireless bridge is a network component that connects two or more wired or wireless networks or segments together . A wireless bridge can be used to expand the network or share resources between networks . A wireless modem is a network component that modulates and demodulates wireless signals to enable data transmission over a network . A wireless modem can be used to provide internet access to devices via a cellular network or a satellite network . A wireless router is a network component that performs the functions of both a wireless AP and a router . A wireless router can be used to create a wireless network and connect it to another network, such as the internet

Risk avoidance is the risk treatment option suggested by the risk management team in this scenario. Risk avoidance is a risk treatment option that involves eliminating the identified risk by changing the scope, requirements, or objectives of the project or activity. Risk avoidance can be used when the risk cannot be prevented using security controls or when the risk outweighs the benefits2. References: Risk Avoidance

RAID Level 0 is the RAID level that was implemented by the administrator in the above scenario. RAID Level 0 is also known as striping, which breaks data into sections and stores them across multiple drives. RAID Level 0 provides high-speed data access and increases performance, but it does not provide any redundancy or fault tolerance. The storage capacity of RAID Level 0 is equal to the sum of disk capacities in the set3. References: RAID Level 0

Quantum cryptography is the encryption mechanism demonstrated in the above scenario. Quantum cryptography is a branch of cryptography that uses quantum physics to secure data transmission and communication. Quantum cryptography encrypts data by using a sequence of photons that have a spinning trait, called polarization, while traveling from one end to another. These photons keep changing their shapes, called states, during their course through filters: vertical, horizontal, forward slash, and backslash. Quantum cryptography ensures that any attempt to intercept or tamper with the data will alter the quantum states of the photons and be detected by the sender and receiver . Homomorphic encryption is a type of encryption that allows computations to be performed on encrypted data without decrypting it first. Rivest Shamir Adleman (RSA) encryption is a type of asymmetric encryption that uses two keys, public and private, to encrypt and decrypt data. Elliptic curve cryptography (ECC) is a type of asymmetric encryption that uses mathematical curves to generate keys and perform encryption and decryption.

The number of files in the “Sensitive Corporate Documents” folder is 4. This can be verified by initiating a remote connection to the target machine from the “Attacker Machine-1” using Theef client. Theef is a Remote Access Trojan (RAT) that allows an attacker to remotely control a victim’s machine and perform various malicious activities. To connect to the target machine using Theef client, one can follow these steps:

Launch Theef client from Z:\CCT-Tools\CCT Module 01 Information Security Threats and Vulnerabilities\Remote Access Trojans (RAT)\Theef on the “Attacker Machine-1”.

Enter the IP address of the target machine (20.20.10.26) and click on Connect.

Wait for a few seconds until a connection is established and a message box appears saying “Connection Successful”.

Click on OK to close the message box and access the remote desktop of the target machine.

Navigate to the Documents directory and locate the “Sensitive Corporate Documents” folder.

Open the folder and count the number of files in it. The screenshot below shows an example of performing these steps: References: [Theef Client Tutorial], [Screenshot of Theef client showing remote desktop and folder]

/var/log/wtmp is the Linux log file accessed by Gideon in this scenario. /var/log/wtmp is a log file that records information related to user login/logout, such as username, terminal, IP address, and login time. /var/log/wtmp can be used to determine the current login state of users in a Linux system. /var/log/wtmp can be viewed using commands such as last, lastb, or utmpdump1.

References: Linux Log Files

The correct answer is A, as it identifies the type of Internet access policy implemented by Ashton in the above scenario. An Internet access policy is a set of rules and guidelines that defines how an organization’s employees or members can use the Internet and what types of websites or services they can access. There are different types of Internet access policies, such as:

• Paranoid policy: This type of policy forbids everything and imposes strict restrictions on all company computers, whether it is system or network usage. This policy is suitable for organizations that deal with highly sensitive or classified information and have a high level of security and compliance requirements.
• Prudent policy: This type of policy allows some things and blocks others and imposes moderate restrictions on company computers, depending on the role and responsibility of the user. This policy is suitable for organizations that deal with confidential or proprietary information and have a medium level of security and compliance requirements.
• Permissive policy: This type of policy allows most things and blocks few and imposes minimal restrictions on company computers, as long as the user does not violate any laws or regulations. This policy is suitable for organizations that deal with public or general information and have a low level of security and compliance requirements.
• Promiscuous policy: This type of policy allows everything and blocks nothing and imposes no restrictions on company computers, regardless of the user’s role or responsibility. This policy is suitable for organizations that have no security or compliance requirements and trust their employees or members to use the Internet responsibly.

In the above scenario, Ashton implemented a paranoid policy that forbids everything and imposes strict restrictions on all company computers, whether it is system or network usage. Option B is incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the above scenario. A prudent policy allows some things and blocks others and imposes moderate restrictions on company computers, depending on the role and responsibility of the user. In the above scenario, Ashton did not implement a prudent policy, but a paranoid policy. Option C is incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the above scenario. A permissive policy allows most things and blocks few and imposes minimal restrictions on company computers, as long as the user does not violate any laws or regulations. In the above scenario, Ashton did not implement a permissive policy, but a paranoid policy. Option D is incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the above scenario. A promiscuous policy allows everything and blocks nothing and imposes no restrictions on company computers, regardless of the user’s role or responsibility. In the above scenario, Ashton did not implement a promiscuous policy, but a paranoid policy.

References: , Section 6.2

Permissive policy is the type of Internet access policy implemented by George in this scenario. An Internet access policy is a policy that defines the rules and guidelines for accessing the Internet from a system or network. An Internet access policy can be based on various factors, such as security, productivity, bandwidth, etc. An Internet access policy can have different types based on its level of restriction or control. A permissive policy is a type of Internet access policy that allows users to access any site, download any application, and access any computer or network without any restrictions. A permissive policy can be used to provide maximum flexibility and freedom to users, but it can also pose significant security risks and challenges. In the scenario, George implemented an Internet access policy that allowed employees working from a remote location to access any site, download any application, and access any computer or network without any restrictions. This means that he implemented a permissive policy for those employees. A paranoid policy is a type of Internet access policy that blocks or denies all Internet access by default and only allows specific sites, applications, or computers that are explicitly authorized. A prudent policy is a type of Internet access policy that allows most Internet access but blocks or restricts some sites, applications, or computers that are deemed inappropriate, malicious, or unnecessary. A promiscuous policy is not a type of Internet access policy, but a term that describes a network mode that allows a network interface card (NIC) to capture all packets on a network segment, regardless of their destination address. 

A low-interaction honeypot is a type of honeypot that simulates a real OS as well as the applications and services of a target network, but only responds to pre-configured commands. It is designed to capture basic information about the attacker, such as their IP address, tools, and techniques. A low-interaction honeypot is easier to deploy and maintain than a high-interaction honeypot, which fully emulates a real system and allows the attacker to interact with it. A pure honeypot is a real system that is intentionally vulnerable and exposed to attackers. A medium-interaction honeypot is a type of honeypot that offers more functionality and interactivity than a low-interaction honeypot, but less than a high-interaction honeypot.

Data in transit is the state of data when it is being processed between the ecommerce website and the payment gateway in the above scenario. Data in transit is data that is moving from one location to another over a network, such as the internet, a LAN, or a WAN. Data in transit can be vulnerable to interception, modification, or theft by unauthorized parties, so it needs to be protected by encryption, authentication, and other security measures . Data at rest is data that is stored on a device or a media, such as a hard drive, a flash drive, or a cloud storage. Data in active is data that is currently being accessed or modified by an application or a user. Data in use is data that is loaded into the memory of a device or a system for processing or computation. 

TCP/UDP is the protocol that has been used to apply the rule to block the web application www.abchacker.com in the above scenario. pfSense is a firewall and router software that can be installed on a computer or a device to protect a network from various threats and attacks. pfSense can be configured to block or allow traffic based on various criteria, such as source, destination, port, protocol, etc. pfSense rules are applied to traffic in the order they appear in the firewall configuration . To perform an analysis on the rules set by the admin, one has to follow these steps:

• Open a web browser and type 20.20.10.26
• Press Enter key to access the pfSense web interface.
• Enter admin as username and admin@l23 as password.
• Click on Login button.
• Click on Firewall menu and select Rules option.
• Click on LAN tab and observe the rules applied to LAN interface.

The rules applied to LAN interface are:

The first rule blocks any traffic from LAN interface to www.abchacker.com website using TCP/UDP protocol. The second rule allows any traffic from LAN interface to any destination using any protocol. Since the first rule appears before the second rule, it has higher priority and will be applied first. Therefore, TCP/UDP is the protocol that has been used to apply the rule to block the web application www.abchacker.com. POP3 (Post Office Protocol 3) is a protocol that allows downloading emails from a mail server to a client device. FTP (File Transfer Protocol) is a protocol that allows transferring files between a client and a server over a network. ARP (Address Resolution Protocol) is a protocol that resolves IP addresses to MAC (Media Access Control) addresses on a network. 

The testing tier of a secure application development lifecycle involves checking the performance of the application on the client’s network to determine whether end users are facing any issues in accessing the application. Testing is a crucial phase of software development that ensures the quality, functionality, reliability, and security of the application. Testing can be done manually or automatically using various tools and techniques, such as unit testing, integration testing, system testing, regression testing, performance testing, usability testing, security testing, and acceptance testing

Fire extinguisher is the firefighting system that Calvin used in this scenario. A firefighting system is a system that detects and suppresses fire in a physical location or environment. A firefighting system can consist of various components, such as sensors, alarms, sprinklers, extinguishers, etc. A firefighting system can use various agents or substances to suppress fire, such as water, foam, gas, powder, etc. A fire extinguisher is a portable device that contains an agent or substance that can be sprayed or discharged onto a fire to extinguish it . A fire extinguisher can be used to curb fire in the initial stage and prevent it from spreading over a large area . In the scenario, Calvin spotted blazing flames originating from a physical file storage location in his organization because of a short circuit. In response to the incident, he used a fire suppression system that helped curb the incident in the initial stage and prevented it from spreading over a large area. This means that he used a fire extinguisher for this purpose. A fire detection system is a system that detects the presence of fire by sensing its characteristics, such as smoke, heat, flame, etc., and alerts the occupants or authorities about it . A sprinkler system is a system that consists of pipes and sprinkler heads that release water onto a fire when activated by heat or smoke. A smoke detector is a device that senses smoke and emits an audible or visual signal to warn about fire.

The correct answer is C, as it identifies the designation of Zion. A guard is a person who is responsible for implementing and managing the physical security equipment installed around the facility. A guard typically performs tasks such as:

• Checking the functionality of equipment related to physical security
• Monitoring the surveillance cameras and alarms
• Controlling the access to restricted areas
• Responding to emergencies or incidents

In the above scenario, Zion belongs to this category of employees who are responsible for implementing and managing the physical security equipment installed around the facility. Option A is incorrect, as it does not identify the designation of Zion. A supervisor is a person who is responsible for overseeing and directing the work of other employees. A supervisor typically performs tasks such as:

• Assigning tasks and responsibilities to employees
• Evaluating the performance and productivity of employees
• Providing feedback and guidance to employees
• Resolving conflicts or issues among employees

In the above scenario, Zion does not belong to this category of employees who are responsible for overseeing and directing the work of other employees. Option B is incorrect, as it does not identify the designation of Zion. A chief information security officer (CISO) is a person who is responsible for establishing and maintaining the security vision, strategy, and program for an organization. A CISO typically performs tasks such as:

• Developing and implementing security policies and standards
• Managing security risks and compliance
• Leading security teams and projects
• Communicating with senior management and stakeholders

In the above scenario, Zion does not belong to this category of employees who are responsible for establishing and maintaining the security vision, strategy, and program for an organization. Option D is incorrect, as it does not identify the designation of Zion. A safety officer is a person who is responsible for ensuring that health and safety regulations are followed in an organization. A safety officer typically performs tasks such as:

• Conducting safety inspections and audits
• Identifying and eliminating hazards and risks
• Providing safety training and awareness
• Reporting and investigating accidents or incidents

In the above scenario, Zion does not belong to this category of employees who are responsible for ensuring that health and safety regulations are followed in an organization. References: Section 7.1

Quid pro quo is the social engineering technique that Johnson employed in the above scenario. Social engineering is a technique that involves manipulating or deceiving people into performing actions or revealing information that can be used for malicious purposes. Social engineering can be performed through various methods, such as phone calls, emails, websites, etc. Quid pro quo is a social engineering method that involves offering a service or a benefit in exchange for information or access. Quid pro quo can be used to trick victims into believing that they are receiving help or assistance from a legitimate source, while in fact they are compromising their security or privacy . In the scenario, Johnson performed quid pro quo by claiming himself to represent a technical support team from a vendor and offering to help sibertech.org with a server issue, while in fact he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical information to Johnson’s machine. Diversion theft is a social engineering method that involves diverting the delivery or shipment of goods or assets to a different location or destination. Elicitation is a social engineering method that involves extracting information from a target by engaging them in a conversation or an interaction. Phishing is a social engineering method that involves sending fraudulent emails or messages that appear to come from a trusted source, such as a bank, a company, or a person, and asking the recipient to click on a link, open an attachment, or provide personal or financial information.

Managing and maintaining is the phase of firewall implementation and deployment in which Elliott monitored the firewall logs in the above scenario. A firewall is a system or device that controls and filters the incoming and outgoing traffic between different networks or systems based on predefined rules or policies. A firewall can be used to protect a network or system from unauthorized access, use, disclosure, modification, or destruction . Firewall implementation and deployment is a process that involves planning, installing, configuring, testing, managing, and maintaining firewalls in a network or system . Managing and maintaining is the phase of firewall implementation and deployment that involves monitoring and reviewing the performance and effectiveness of firewalls over time . Managing and maintaining can include tasks such as updating firewall rules or policies, analyzing firewall logs , detecting evolving threats or attacks , ensuring firewall security , addressing network issues , etc. In the scenario, Elliott was tasked with implementing and deploying firewalls in the corporate network of an organization. After planning and deploying firewalls in the network, Elliott monitored the firewall logs to detect evolving threats and attacks; this helped in ensuring firewall security and addressing network issues beforehand. This means that he performed managing and maintaining phase for this purpose. Deploying is the phase of firewall implementation and deployment that involves installing and activating firewalls in the network or system according to the plan. Testing is the phase of firewall implementation and deployment that involves verifying and validating the functionality and security of firewalls before putting them into operation. Configuring is the phase of firewall implementation and deployment that involves setting up and customizing firewalls according to the requirements and specifications.

Hardware-assisted virtualization is a virtualization approach in which the guest OS will not be aware that it is running in a virtualized environment. The virtual machine manager (VMM) will directly interact with the computer hardware, translate commands to binary instructions, and forward them to the host OS. Hardware-assisted virtualization relies on special hardware features in the CPU and chipset to create and manage virtual machines efficiently and securely34. Full virtualization is a virtualization approach in which the guest OS will not be aware that it is running in a virtualized environment, but the VMM will run in software and emulate all the hardware resources for each virtual machine5. Hybrid virtualization is a virtualization approach that combines hardware-assisted and full virtualization techniques to optimize performance and compatibility6. OS-assisted virtualization is a virtualization approach in which the guest OS will be modified to run in a virtualized environment and cooperate with the VMM to access the hardware resources

Riley’s public key is the key that Louis used to verify the digital signature in the above scenario. A digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document. A digital signature is created by applying a hash function to the message or document and then encrypting the hash value with the sender’s private key. A digital signature can be verified by decrypting the hash value with the sender’s public key and comparing it with the hash value of the original message or document . Riley’s public key is the key that corresponds to Riley’s private key, which he used to sign the message. Louis’s public key is the key that corresponds to Louis’s private key, which he may use to encrypt or decrypt messages with Riley. Louis’s private key is the key that only Louis knows and can use to sign or decrypt messages. Riley’s private key is the key that only Riley knows and can use to sign or encrypt messages.

 hat@red is the FTP credential that was stolen using Cain and Abel in the above scenario. FTP (File Transfer Protocol) is a protocol that allows transferring files between a client and a server over a network. FTP requires a username and a password to authenticate the client and grant access to the server . Cain and Abel is a tool that can perform various network attacks, such as ARP poisoning, password cracking, sniffing, etc. Cain and Abel can poison the machine and fetch the FTP credentials used by the admin by intercepting and analyzing the network traffic . To validate the credentials that were stolen using Cain and Abel and read the file flag.txt, one has to follow these steps:

• Navigate to the Documents folder of Attacker-1 machine.
• Double-click on Cain.exe file to launch Cain and Abel tool.
• Click on Sniffer tab.
• Click on Start/Stop Sniffer icon.
• Click on Configure icon.
• Select the network adapter and click on OK button.
• Click on + icon to add hosts to scan.
• Select All hosts in my subnet option and click on OK button.
• Wait for the hosts to appear in the list.
• Right-click on 20.20.10.26 (FTP server) and select Resolve Host Name option.
• Note down the host name as ftpserver.movieabc.com
• Click on Passwords tab.
• Click on + icon to add items to list.
• Select Network Passwords option.
• Select FTP option from Protocol drop-down list.
• Click on OK button.
• Wait for the FTP credentials to appear in the list.
• Note down the username as hat and the password as red
• Open a web browser and type ftp://hat:red@ftpserver.movieabc.com
• Press Enter key to access the FTP server using the stolen credentials.
• Navigate to flag.txt file and open it.
• Read the file content.

TCP Timestamps is the vulnerability with a severity score of 8.0. This can be verified by performing a vulnerability assessment of the web server located at IP address 20.20.10.26 using the OpenVAS vulnerability scanner, available with the Parrot Security machine, with credentials admin/password. To perform the vulnerability assessment, one can follow these steps:

Launch the Parrot Security machine and open a terminal.

Enter the command sudo openvas-start to start the OpenVAS service and wait for a few minutes until it is ready.

Open a web browser and navigate to https://127.0.0.1:9392 to access the OpenVAS web interface.

Enter the credentials admin/password to log in to OpenVAS.

Click on Scans -> Tasks from the left menu and then click on the blue icon with a star to create a new task.

Enter a name and a comment for the task, such as “Web Server Scan”.

Select “Full and fast” as the scan config from the drop-down menu.

Click on the icon with a star next to Target to create a new target.

Enter a name and a comment for the target, such as “Web Server”.

Enter 20.20.10.26 as the host in the text box and click on Save.

Select “Web Server” as the target from the drop-down menu and click on Save.

Click on the green icon with a play button next to the task name to start the scan and wait for it to finish.

Click on the task name to view the scan report and click on Results from the left menu to see the list of vulnerabilities found.

Sort the list by Severity in descending order and look for the vulnerability with a severity score of 8.0. The screenshot below shows an example of performing these steps: The vulnerability with a severity score of 8.0 is TCP Timestamps, which is an option in TCP packets that can be used to measure round-trip time and improve performance, but it can also reveal information about the system’s uptime, clock skew, or TCP sequence numbers, which can be used by attackers to launch various attacks, such as idle scanning, OS fingerprinting, or TCP hijacking1. The vulnerability report provides more details about this vulnerability, such as its description, impact, solution, references, and CVSS score2. References: Screenshot of OpenVAS showing TCP Timestamps vulnerability, TCP Timestamps Vulnerability, Vulnerability Report

Geofencing is a technique that uses GPS features to determine the proximity of a user’s mobile device to an exact location. Geofencing can be used to create a virtual barrier positioned at a static location to interact with mobile users crossing the barrier. Geofencing can be used for marketing, security, and tracking purposes2.

References: What is Geofencing?

 FTP Unencrypted Cleartext Login is the vulnerability that may affect the website according to the severity factor in the above scenario. A vulnerability is a weakness or flaw in a system or network that can be exploited by an attacker to compromise its security or functionality. A vulnerability assessment is a process that involves identifying, analyzing, and evaluating vulnerabilities in a system or network using various tools and techniques. Greenbone is a tool that can perform vulnerability assessment on various targets using various tests and scans. To perform a vulnerability assessment on the given IP address 20.20.10.26, one has to follow these steps:

• Open a web browser and type 20.20.10.26:9392
• Press Enter key to access the Greenbone web interface.
• Enter admin as username and password as password.
• Click on Login button.
• Click on Scans menu and select Tasks option.
• Click on Start Scan icon next to IP Address Scan task.
• Wait for the scan to complete and click on Report icon next to IP Address Scan task.
• Observe the vulnerabilities found by the scan.

The vulnerabilities found by the scan are:

The vulnerability that may affect the website according to the severity factor is FTP Unencrypted Cleartext Login, which has a medium severity level. FTP Unencrypted Cleartext Login is a vulnerability that allows an attacker to intercept or sniff FTP login credentials that are sent in cleartext over an unencrypted connection. An attacker can use these credentials to access or modify files or data on the FTP server. TCP timestamps and UDP timestamps are vulnerabilities that allow an attacker to estimate the uptime of a system or network by analyzing the timestamp values in TCP or UDP packets. Anonymous FTP Login Reporting is a vulnerability that allows an attacker to access an FTP server anonymously without providing any username or password.

 The correct answer is B, as it identifies the type of attack performed by Thomas in the above scenario. Eavesdropping is a type of attack that involves intercepting and listening to the communication between two parties without their knowledge or consent. Thomas performed eavesdropping by sniffing communication between the administrator and an application server to retrieve the admin credentials. Option A is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Vishing is a type of attack that involves using voice calls to trick people into revealing sensitive information or performing malicious actions. Thomas did not use voice calls but sniffed network traffic. Option C is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Phishing is a type of attack that involves sending fraudulent emails or messages that appear to be from legitimate sources to lure people into revealing sensitive information or performing malicious actions. Thomas did not send any emails or messages but sniffed network traffic. Option D is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Dumpster diving is a type of attack that involves searching through trash or discarded items to find valuable information or resources. Thomas did not search through trash or discarded items but sniffed network traffic.

References: Section 2.2

Dashboard is the SIEM function that allowed Camden to view suspicious behavior and make correct decisions during a security incident. SIEM (Security Information and Event Management) is a system or software that collects, analyzes, and correlates security data from various sources, such as logs, alerts, events, etc., and provides a centralized view and management of the security posture of a network or system. SIEM can be used to detect, prevent, or respond to security incidents or threats. SIEM consists of various functions or components that perform different tasks or roles. Dashboard is a SIEM function that provides a graphical user interface (GUI) that displays various security metrics, indicators, alerts, reports, etc., in an organized and interactive manner. Dashboard can be used to view suspicious behavior and make correct decisions during a security incident. In the scenario, Camden monitored the behavior of the organizational network using SIEM from a control room. The SIEM detected suspicious activity and sent an alert to Camden. Based on the severity of the incident displayed on the screen, Camden made the correct decision and immediately launched defensive actions to prevent further exploitation by attackers. This means that he used the dashboard function of SIEM for this purpose. Application log monitoring is a SIEM function that collects and analyzes application logs, which are records of events or activities that occur within an application or software. Log retention is an SIEM function that stores and preserves logs for a certain period of time or indefinitely for future reference or analysis. Data aggregation is an SIEM function that combines and normalizes data from different sources into a common format or structure.