51-100 Flashcards
Which of the following organizations sets frameworks and controls for optimal security configuration on systems?
a. ISO
b. GDPR
c. PCI DSS
d. NIST
d. NIST (National Institute of Standards and Technology)
Explanation:
NIST: NIST is a non-regulatory federal agency within the United States Department of Commerce. It develops and publishes standards, guidelines, and best practices for various areas, including cybersecurity and information security. Specifically, NIST Special Publication 800-53 provides a comprehensive set of security controls for federal information systems and organizations that need to adhere to federal regulations and guidelines.
Here’s a brief overview of the other options:
a. ISO (International Organization for Standardization): ISO publishes various standards, including those related to information security (e.g., ISO/IEC 27001), but it does not specifically focus on setting detailed frameworks and controls for optimal security configuration on systems.
b. GDPR (General Data Protection Regulation): GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It primarily focuses on personal data protection and privacy, not on security configuration standards for systems.
c. PCI DSS (Payment Card Industry Data Security Standard): PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. While it includes specific requirements for securing systems that handle payment card information, it does not cover all aspects of general security configuration for systems.
An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief Financial Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?
a. Logic bomb
b. Cryptomalware
c. Spyware
d. Remote access Trojan
a. Logic bomb
Explanation:
Logic bomb: A logic bomb is a type of malware that is typically set to execute or trigger upon a specific condition or event. In this case, it appears to trigger whenever the Chief Financial Officer logs in to the file server. The logic bomb could be programmed to delete specific files each time this event occurs, which explains why the files keep getting deleted even after they are restored from backup.
Here’s why the other options are less likely:
b. Cryptomalware: Cryptomalware (or ransomware) typically encrypts files to extort money from victims, rather than simply deleting them repeatedly. It doesn't usually target specific files repeatedly after restoration.
c. Spyware: Spyware is designed to gather information covertly and send it to an external entity. It is not typically associated with behavior where files are deleted upon a specific user's login.
d. Remote access Trojan (RAT): RATs provide unauthorized remote access to a computer system. While they can be used to perform various malicious actions, including file manipulation, the scenario described (specific files being deleted upon the CFO's login) aligns more closely with the characteristics of a logic bomb.
A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?
a. Review how the malware was introduced to the network.
b. Attempt to quarantine all infected hosts to limit further spread.
c. Create help desk tickets to get infected systems reimaged.
d. Update all endpoint antivirus solutions with the latest updates.
b. Attempt to quarantine all infected hosts to limit further spread.
Explanation:
Quarantine infected hosts: This step is crucial to prevent the malware from spreading further within the network. By isolating or quarantining infected hosts, the analyst can contain the impact and prevent the malware from infecting additional systems or accessing sensitive data.
Here’s why the other options are not the immediate next step:
a. Review how the malware was introduced to the network: While investigating the initial infection vector is important for understanding the attack's root cause and preventing future incidents, it is not the immediate action needed to mitigate the current spread of the malware.
c. Create help desk tickets to get infected systems reimaged: Reimaging infected systems is part of the remediation process, but it should follow containment efforts. Reimaging typically requires coordination and verification, which may take time and should not delay containment efforts.
d. Update all endpoint antivirus solutions with the latest updates: Updating antivirus solutions is important for improving detection and prevention capabilities against known threats. However, during an active malware outbreak, containing the spread takes priority over updating antivirus signatures.
During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network.
In which of the following stages of the Cyber Kill Chain is the adversary currently operating?
a. Reconnaissance
b. Command and control
c. Actions on objective
d. Exploitation
b. Command and control
Explanation:
Command and control (C2): In the Cyber Kill Chain, the command and control phase involves the adversary establishing communication channels and maintaining control over compromised systems within the network. Even though inbound traffic rules and server ACLs were implemented to defend against initial intrusion attempts (which would typically fall under exploitation), the fact that the adversary still maintains a presence suggests they have successfully established control mechanisms to communicate outbound from compromised systems back to their command infrastructure.
Here’s why the other options are not correct in this context:
a. Reconnaissance: Reconnaissance involves gathering information about the target network and identifying potential vulnerabilities or entry points. While reconnaissance precedes exploitation, the scenario describes a situation where the adversary has already breached the network and is actively maintaining control.
c. Actions on objective: Actions on objective involve the adversary achieving their goals, such as exfiltrating data or disrupting operations. While the adversary may eventually progress to this stage, the scenario indicates that they are currently focused on maintaining their presence through command and control.
d. Exploitation: Exploitation involves the initial compromise of systems or networks. While this may have occurred earlier in the attack lifecycle, the current focus is on the ongoing control and persistence within the network, which aligns more closely with the command and control phase.
A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device?
a. SIEM correlation dashboards
b. Firewall syslog event logs
c. Network management solution login audit logs
d. Bandwidth monitors and interface sensors
a. SIEM correlation dashboards
Explanation:
SIEM (Security Information and Event Management) correlation dashboards: SIEM systems collect and correlate logs from various sources, including firewalls and network management solutions. They provide a centralized platform to analyze and correlate events across the network and security infrastructure. In the context of a security breach that exploited vulnerabilities in these devices, SIEM correlation dashboards can help identify suspicious activities, anomalies, or specific events that indicate the breach.
Here’s why the other options are less likely to be used for identifying when the breach occurred:
b. Firewall syslog event logs: Firewall syslog event logs are useful for monitoring and analyzing firewall activities, such as traffic allowed or denied, but they may not provide comprehensive visibility into broader network management vulnerabilities or correlated events across different devices.
c. Network management solution login audit logs: While login audit logs from the network management solution are important for tracking user access and activities within the management system, they may not directly correlate with the exploitation of vulnerabilities in the firewall or network devices themselves.
d. Bandwidth monitors and interface sensors: Bandwidth monitors and interface sensors primarily monitor network traffic and performance metrics, such as bandwidth utilization and interface status. They are useful for network performance monitoring but typically do not provide the detailed event data needed to identify specific software vulnerabilities being exploited.
Which of the following is the FIRST environment in which proper, secure coding should be practiced?
a. Stage
b. Development
c. Production
d. Test
b. Development
Explanation:
Development: Secure coding practices should be integrated into the development phase of software or application lifecycle. This ensures that security considerations are addressed from the beginning of the development process. Developers should follow secure coding guidelines and practices to minimize vulnerabilities and reduce the risk of introducing security flaws into the software.
Here’s why the other options are less suitable:
a. Stage: The stage environment typically comes after development and is used for testing the application in an environment that closely mirrors production. While security testing and validation should occur in stage environments, secure coding practices should ideally be implemented earlier during development.
c. Production: Production environments are where the live application or software is deployed and used by end-users. Secure coding practices should ideally prevent vulnerabilities from reaching production, as addressing security flaws at this stage can be more costly and risky.
d. Test: While testing is crucial for identifying and validating software functionality and security, including security testing (e.g., penetration testing, vulnerability scanning), secure coding should ideally be applied during development to prevent vulnerabilities from being introduced in the first place.
A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?
a. Public
b. Community
c. Hybrid
d. Private
c. Hybrid
Explanation:
Hybrid cloud: In a hybrid cloud environment, organizations integrate their on-premises infrastructure (local networks in this case) with cloud services, allowing them to extend their capabilities and leverage cloud resources while maintaining control over sensitive data or applications that need to remain on-premises. In this scenario, the organization is selectively choosing which applications may reach the cloud resources, in this case blocking the internal HR applications from doing so.
Here’s why the other options are not correct:
a. Public cloud: A public cloud model involves cloud services provided over the public internet, where resources are shared among multiple customers. It does not typically involve direct integration with on-premises networks or the ability to selectively block specific applications from accessing cloud resources.
b. Community cloud: A community cloud is a cloud infrastructure shared by several organizations with similar computing concerns (e.g., regulatory requirements). It does not inherently involve integration with existing on-premises networks as described in the scenario.
d. Private cloud: A private cloud is dedicated to a single organization and can be located on-premises or off-premises. While it offers more control and security, it does not typically involve the integration of existing local networks with external cloud resources as described in the scenario.
An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST?
a. Test
b. Staging
c. Development
d. Production
d. Production environment.
Explanation:
Production: The production environment is where the live application or software is accessed and used by end-users. Deploying patches directly to production without adequate testing in lower environments (such as test, staging, and development) can pose significant risks. These risks include introducing new issues, disrupting service availability, or causing downtime for users.
Here’s why the other options are not correct:
a. Test: The test environment is used to conduct functional testing, integration testing, and security testing of the application. Patches are typically deployed here first to verify that they do not introduce new issues or conflicts with existing functionality.
b. Staging: The staging environment closely mirrors the production environment and is used for final testing before deployment to production. Patches are deployed here to validate their effectiveness and ensure they do not cause issues when applied to the actual production environment.
c. Development: The development environment is where changes to the application are initially made and tested by developers. Patches may be developed and tested here first, but they should undergo thorough testing in higher environments (test, staging) before being deployed to production.
An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of the following should the systems engineer consider?
a. Purchasing hardware from different vendors
b. Migrating workloads to public cloud infrastructure
c. Implementing a robust patch management solution
d. Designing new detective security controls
a. Purchasing hardware from different vendors
Here’s why:
Avoiding Single Points of Failure: By purchasing hardware from different vendors, the organization reduces the risk that the same vulnerabilities will affect both the existing and new server rooms. Different vendors may use different hardware and software components, which can diversify the risk landscape.
Vendor-Specific Vulnerabilities: Different hardware vendors have unique design and implementation processes. This means that a vulnerability found in one vendor's product may not exist in another vendor's product, reducing the likelihood of a common vulnerability across all server rooms.
While the other options are also important aspects of a comprehensive security strategy, they do not directly address the CISO’s requirement of ensuring that the new hardware is not susceptible to the same vulnerabilities as the existing hardware:
b. Migrating workloads to public cloud infrastructure: This is a strategic decision but does not directly address hardware vulnerabilities in server rooms.
c. Implementing a robust patch management solution: This is crucial for maintaining security but does not address the inherent vulnerabilities in the hardware itself.
d. Designing new detective security controls: While important, this focuses on detecting issues rather than preventing the same vulnerabilities in hardware.
Therefore, purchasing hardware from different vendors is the best choice to meet the requirement specified by the CISO.
A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected.
Which of the following is the security analyst MOST likely implementing?
a. Vulnerability scans
b. User behavior analysis
c. Security orchestration, automation, and response
d. Threat hunting
b. User behavior analysis
Explanation:
User behavior analysis: This involves monitoring and analyzing patterns of user activity across the network to detect deviations from normal behavior. The goal is to identify potential security incidents or insider threats based on unusual actions or access patterns.
Here’s why the other options are less likely:
a. Vulnerability scans: Vulnerability scans are automated processes to identify weaknesses in systems, applications, or networks. They focus on identifying known vulnerabilities rather than detecting abnormal behavior in real-time.
c. Security orchestration, automation, and response (SOAR): SOAR platforms integrate security tools and automate incident response workflows. While SOAR can include monitoring capabilities, it primarily focuses on automation and orchestration of response activities rather than detecting abnormal behavior.
d. Threat hunting: Threat hunting involves proactive and iterative searching for threats within an environment based on indicators of compromise (IoCs) and knowledge of attacker tactics, techniques, and procedures (TTPs). It is more focused on actively seeking out threats rather than monitoring for abnormal behavior passively.
Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web-server logs have been deleted, but analysts have determined that the system configuration notes were stored in the database administrator’s folder on the web server. Which of the following attacks explains what occurred? (Choose two.)
a. Pass-the-hash
b. Directory traversal
c. SQL injection
d. Privilege escalation
e. Cross-site scripting
f. Request forgery
b. Directory traversal
d. Privilege escalation
Here’s the reasoning:
Directory Traversal: This attack involves navigating through directories in a file system to access files and directories that are outside the web root directory. In this case, it explains how the attacker could access the database administrator's folder on the web server, which should not have been directly accessible through the web server.
Privilege Escalation: This attack involves gaining elevated access to resources that are normally protected from an application or user. In this scenario, the attacker may have used privilege escalation to gain the necessary permissions to access or download the system configuration notes from the database administrator's folder.
The other options are less likely to explain this specific incident:
Pass-the-hash: This is a network attack where an attacker captures a password hash and reuses it to authenticate as the user. It doesn't directly explain accessing specific files on a web server.
SQL injection: While this could be used to manipulate a database, it doesn't directly explain accessing files stored in a directory structure on the web server.
Cross-site scripting (XSS): This is a client-side attack that targets users of a web application, not the server's file system.
Request forgery: This involves tricking a user into making unwanted requests. It doesn't directly explain how the attacker accessed specific files on the web server.
A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users’ interaction. The SIEM has multiple login entries with the following text:
suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh
suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
Which of the following is the MOST likely attack conducted on the environment?
a. Malicious script
b. Privilege escalation
c. Domain hijacking
d. DNS poisoning
a. Malicious script
Explanation:
The events indicate that a user named scheduledtasks successfully authenticated on Active Directory (AD) at abnormal times, which suggests unauthorized access or misuse of credentials associated with a scheduled task. There are failed attempts to execute scripts (amazing-3rdparty-domain-assessment.py and secureyourAD-3rdparty-compliance.sh) from a directory (c:\weekly_checkups\), indicating attempts to run potentially malicious scripts on the system. Finally, there is a successful execution of the amazing-3rdparty-domain-assessment.py script by the scheduledtasks user, which implies that a malicious script was successfully executed on the system.
Based on these indicators, the events point towards an attack where an unauthorized user or process (scheduledtasks) gained access to the system, likely through compromised credentials or a vulnerability, and executed malicious scripts (amazing-3rdparty-domain-assessment.py) as part of their attack.
A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?
a. Vishing
b. Whaling
c. Phishing
d. Smishing
d. Smishing
Explanation:
Smishing (SMS phishing) is a type of phishing attack where attackers use SMS (text messages) to deceive victims into providing sensitive information or clicking on malicious links. In this case, the text message containing an unrecognized invoice number and a link to click for more details is an attempt to trick the recipient into visiting a malicious website or downloading malware onto their device.
Phishing typically refers to email-based attacks that aim to deceive users into disclosing personal information, clicking on malicious links, or downloading attachments that contain malware.
Vishing (Voice phishing) involves attackers using voice communication (phone calls) to deceive individuals into revealing sensitive information.
Whaling targets high-profile individuals or executives within an organization, attempting to trick them into revealing sensitive information or authorizing fraudulent transactions.
Which of the following actions would be recommended to improve an incident response process?
a. Train the team to identify the difference between events and incidents.
b. Modify access so the IT team has full access to the compromised assets.
c. Contact the authorities if a cybercrime is suspected.
d. Restrict communication surrounding the response to the IT team.
a. Train the team to identify the difference between events and incidents.
Explanation:
Incident response effectiveness often hinges on the ability of the team to quickly identify and prioritize incidents from normal events. Training team members to distinguish between events (which are regular occurrences in IT operations) and incidents (which are security breaches or potential security breaches) is crucial. This training helps in promptly identifying incidents that require immediate action, thereby reducing response times and minimizing potential damage from security breaches.
Option b, modifying access for the IT team to have full access to compromised assets, could potentially be necessary during incident response but is not a broad recommendation for improving the entire process.
Option c, contacting authorities if cybercrime is suspected, is a specific step that may be part of incident response but doesn’t encompass the whole process.
Option d, restricting communication surrounding the response to the IT team, goes against best practices of incident response, which often involve cross-functional teams and communication with various stakeholders.
A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Choose two.)
a. HIDS
b. NIPS
c. HSM
d. WAF
e. NAC
f. NIDS
b. NIPS (Network-based Intrusion Prevention System)
d. WAF (Web Application Firewall)
Here’s why:
NIPS (Network-based Intrusion Prevention System): A NIPS can analyze network traffic and block malicious activities at various layers, including Layer 7. It can detect and prevent attacks such as SQL injection, cross-site scripting (XSS), and other web application attacks.
WAF (Web Application Firewall): A WAF specifically focuses on monitoring, filtering, and blocking HTTP/HTTPS traffic to and from a web application. It operates at Layer 7 and is designed to protect web applications by detecting and blocking attacks like SQL injection, XSS, and other web-based threats.
The other options do not operate at Layer 7 in a manner that allows them to block attacks:
HIDS (Host-based Intrusion Detection System): Detects suspicious activity on a specific host but does not block Layer 7 attacks.
HSM (Hardware Security Module): Manages digital keys and performs cryptographic operations, not related to blocking Layer 7 attacks.
NAC (Network Access Control): Controls access to the network but does not specifically block Layer 7 attacks.
NIDS (Network-based Intrusion Detection System): Monitors network traffic for suspicious activity but does not block attacks, and its focus is not specifically on Layer 7.
A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the manager’s concerns?
a. Implement a full system upgrade.
b. Perform a physical-to-virtual migration.
c. Install uninterruptible power supplies.
d. Purchase cybersecurity insurance.
b. Perform a physical-to-virtual migration.
Here’s why:
Cost-Effective: Physical-to-virtual (P2V) migration allows the business to continue using the existing system by running it as a virtual machine (VM) on more reliable hardware, often without the need to purchase new physical hardware immediately.
Business Continuity: Virtual machines can be easily backed up, replicated, and moved to different hosts, ensuring business operations can continue seamlessly even if there is a hardware failure.
Scalability and Flexibility: Virtual environments can be adjusted more easily to changing business needs compared to physical hardware.
The other options are less suitable for this specific concern:
Implement a full system upgrade: This could be costly and might not be necessary if the main concern is the hardware reliability of a single PC.
Install uninterruptible power supplies (UPS): This addresses power-related issues, not hardware failures.
Purchase cybersecurity insurance: This would help mitigate financial losses due to cyber incidents but does not address the concern of hardware failure directly.
An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the infection vector?
a. Prevent connections over TFTP from the internal network.
b. Create a firewall rule that blocks port 22 from the internet to the server.
c. Disable file sharing over port 445 to the server.
d. Block port 3389 inbound from untrusted networks.
d. Block port 3389 inbound from untrusted networks.
The SMB protocol (in all its versions) doesn’t provide functionality to execute files on remote systems. Its main objective is to support the sharing of file and print resources between machines.
The only feasible option left is logging in through RDP and manually executing the file.
Which of the following uses SAML for authentication?
a. TOTP
b. Federation
c. Kerberos
d. HOTP
b. Federation
Explanation: Federation often uses Security Assertion Markup Language (SAML) for authentication. SAML is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider, which is a key aspect of federated identity management.
The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve. This type of incident has become more common in recent weeks and is consuming large amounts of the analysts’ time due to manual tasks being performed. Which of the following solutions should the SOC consider to BEST improve its response time?
a. Configure a NIDS appliance using a Switched Port Analyzer.
b. Collect OSINT and catalog the artifacts in a central repository.
c. Implement a SOAR with customizable playbooks.
d. Install a SIEM with community-driven threat intelligence.
c. Implement a SOAR with customizable playbooks.
Here’s why SOAR (Security Orchestration, Automation, and Response) with customizable playbooks is the most appropriate choice:
Automation: SOAR platforms enable automation of repetitive tasks and workflows in incident response. This can significantly reduce the time analysts spend on manual tasks such as data enrichment, response coordination, and remediation actions.
Customizable Playbooks: SOAR platforms allow organizations to create and customize playbooks tailored to their specific incident response processes and workflows. Analysts can define automated actions based on predefined conditions and responses, ensuring consistent and efficient handling of incidents.
Integration: SOAR platforms integrate with various security tools, allowing seamless communication and automated response across the security infrastructure. This integration further enhances the efficiency of incident response operations.
In contrast, let’s briefly review why the other options are less suitable:
a. Configure a NIDS appliance using a Switched Port Analyzer: While network intrusion detection systems (NIDS) are important for detecting network-based attacks, configuring them using a Switched Port Analyzer (SPAN) focuses on monitoring network traffic. This does not directly address the need for automation and response orchestration.
b. Collect OSINT and catalog the artifacts in a central repository: Open Source Intelligence (OSINT) gathering and artifact cataloging are valuable for threat intelligence and analysis, but they do not directly improve incident response time, especially in terms of automation and process efficiency.
d. Install a SIEM with community-driven threat intelligence: SIEM (Security Information and Event Management) systems are crucial for centralized logging and correlation of security events. While they provide insights into security incidents, they do not inherently automate incident response processes like a SOAR platform does.
Business partners are working on a security mechanism to validate transactions securely. The requirement is for one company to be responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files. Which of the following is the BEST solution to adopt?
a. PKI
b. Blockchain
c. SAML
d. OAuth
a. PKI (Public Key Infrastructure)
Here’s why PKI is the best choice:
Secure Transaction Signing: PKI provides a robust framework for managing digital certificates and keys, which are essential for securely signing, encrypting, and decrypting transaction files.
Certificate Authority (CA): PKI involves a hierarchical system where a trusted Certificate Authority (CA) issues digital certificates that validate the identity of entities (such as business partners) and bind their public keys to their identities. This ensures the authenticity and integrity of transactions.
Encryption and Decryption: PKI supports asymmetric encryption, where entities have a public-private key pair. This allows for secure encryption of transaction data using the recipient's public key and decryption using their private key, ensuring confidentiality.
Non-repudiation: PKI enables digital signatures, which provide non-repudiation by linking the identity of the signer to the signed data, preventing the signer from later denying involvement.
In contrast, let’s briefly discuss why the other options are less suitable:
b. Blockchain: While blockchain technology provides decentralized and tamper-resistant transaction records, it is more commonly used for distributed ledger purposes rather than issuing digital certificates and managing keys for encryption.
c. SAML (Security Assertion Markup Language): SAML is primarily used for exchanging authentication and authorization data between parties, typically in web-based single sign-on (SSO) scenarios. It is not designed for managing keys or issuing certificates for transaction signing.
d. OAuth (Open Authorization): OAuth is an authorization framework that allows third-party applications to access resources without sharing credentials. It is used for access delegation rather than transaction signing and encryption.