Assessment 2 Flashcards

1
Q

Which of the following Linux commands will show you how much disk space is in use?
A. top
B. df
C. lsof
D. ps

A

B. The df command will show you a system’s current disk utilization. Both the top command and the ps command will show you information about processes, CPU, and memory utilization, whereas lsof is a multifunction tool for listing open files.

2
Q

What Windows tool provides detailed information, including information about USB host controllers, memory usage, and disk transfers?
A. Statmon
B. Resmon
C. Perfmon
D. Winmon

A

C. Perfmon, or Performance Monitor, provides the ability to gather detailed usage statistics for many items in Windows. Resmon, or Resource Monitor, monitors CPU, memory, and disk usage but does not provide information about things like USB host controllers and other detailed instrumentation. Statmon and winmon are not Windows built-in tools.

3
Q

What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems?
A. Syslog data
B. WMI data
C. Resmon data
D. Flow data

A

D. Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, WMI, and resmon data are all system log information and would not provide this information.

4
Q

Which of the following technologies is best suited to prevent wired rogue devices from connecting to a network?
A. NAC
B. PRTG
C. Port security
D. NTP

A

A. Network access control (NAC) can be set up to require authentication. Port security is limited to recognizing MAC addresses, making it less suited to preventing rogue devices. PRTG is a monitoring tool, and NTP is the Network Time Protocol.

5
Q

As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called?
A. A monitoring threshold
B. A preset notification level
C. Page monitoring
D. Perfmon calibration

A

A. A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.

6
Q

Chris is reviewing a file that is part of an exploit package. He notes that there is a file that has content with curly brackets ({}) around statements. What file type from the following list is he most likely reviewing?
A. Plain text
B. JSON
C. XML
D. HTML

A

B. Chris is most likely reviewing a JSON file. HTML and XML typically use angle brackets (< and >) rather than curly brackets. Plain text does not use or require either.

7
Q

What term describes a system sending heartbeat traffic to a botnet command-and-control server?
A. Beaconing
B. Zombie ping
C. CNCstatus
D. CNClog

A

A. Beaconing activity (sometimes called heartbeat traffic) occurs when traffic is sent to a botnet command-and-control system. The other terms are

8
Q

Cameron wants to check if a file matches a known-good original. What technique can he use to do so?
A. Decrypt both the file and the original to compare them.
B. Use strings to compare the file content.
C. Hash both the file and the original and compare the hashes.
D. Check the file size and creation date.

A

C. Cameron should compare the hashes of the known-good original and the new file to see if they match. The files are not described as encrypted, so decrypting them won’t help. Strings can show text in binary files but won’t compare the files. File size and creation date are not guarantees of a file being the same.

9
Q

What can the MAC address of a rogue device tell you?
A. Its operating system version
B. The TTL of the device
C. What type of rogue it is
D. The manufacturer of the device

A

D. Hardware vendor ID codes are part of MAC addresses and can be checked for devices that have not had their MAC address changed. It is possible to change MAC addresses, so relying on only the MAC address is not recommended, but it can be useful to help identify what a rogue device might be.

10
Q

How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building?
A. Nmap
B. Signal strength and triangulation
C. Connecting to the rogue AP
D. NAC

A

B. Locating a rogue AP is often best done by performing a physical survey and triangulating the likely location of the device by checking its signal strength. If the AP is plugged into the organization’s network, nmap may be able to find it, but connecting to it is unlikely to provide its location (or be safe!). NAC would help prevent the rogue device from connecting to an organizational network but won’t help locate it.

11
Q

Which of the following tools does not provide real-time drive capacity monitoring for Windows?
A. Microsoft Configuration Manager
B. Resmon
C. SCOM
D. Perfmon

A

A. Microsoft Configuration Manager provides non-real-time reporting for disk space. Resmon, perfmon, and SCOM can all provide real-time reporting, which can help identify problems before they take a system down.

12
Q

One of the business managers in Geeta’s organization reports that she received an email with a link that appeared to be a link to the organization’s HR website, and that the website it went to when she clicked on it was very similar to the organization’s website. Fortunately, the manager noticed that the URL was different than usual. What technique best describes a link that is disguised to appear legitimate?
A. An obfuscated link
B. A symbolic link
C. A phishing link
D. A decoy link

A

A. Obfuscated links take advantage of tricks, including using alternate encodings, typos, and long URLs that contain legitimate links wrapped in longer malicious links. Symbolic links are a pointer used by Linux operating systems to point to an actual file using a filename and link. Phishing links and decoy links are not common terms.

13
Q

Angela wants to review the syslog on a Linux system. What directory should she check to find it on most Linux distributions?
A. /home/log
B. /var/log
C. /log
D. /var/syslog

A

B. The syslog file is found in /var/log on most Linux hosts.

14
Q

Laura wants to review headers in an email that one of her staff is suspicious of. What should she not have that person do if she wants to preserve the headers?
A. She shouldn’t have them print the email.
B. She shouldn’t have them reply to the email.
C. She shouldn’t have them forward the email to her.
D. She shouldn’t have them download the email.

A

C. Forwarding an email will remove the headers and replace them with new headers on the forwarded email—but not the original. Laura should use a “view headers” or “view original email” option if it exists to view and analyze the headers. Printing, replying, or downloading
an email will not impact the headers.

15
Q

Which of the following is a key differentiator between a SIEM and a SOAR?
A. A SIEM does not provide a dashboard.
B. A SOAR provides automated response capabilities.
C. A SOAR does not provide log aggregation.
D. A SIEM provides log analysis.

A

B. SOAR tools focus on orchestration and response. SIEM tools typically do not focus on automated response. Both leverage log analysis and aggregation and will provide dashboards and reporting.

16
Q

Which of the following options is not a valid way to check the status of a service in Windows?
A. Use sc at the command line.
B. Use service --status at the command line.
C. Use services.msc.
D. Query service status using PowerShell.

A

B. The service --status command is a Linux command. Windows service status can be queried using sc, the Services snap-in for the Microsoft Management Console (MMC), or via a PowerShell query.

17
Q

Avik has been asked to identify unexpected traffic on her organization’s network. Which of the following is not a technique she should use?
A. Protocol analysis
B. Heuristics
C. Baselining
D. Beaconing

A

D. Protocol analysis, using heuristic (behavior)-based detection capabilities, and building a network traffic baseline are all common techniques used to identify unexpected network traffic. Beaconing occurs when a system contacts a botnet command-and-control (C&C) system, and it is likely to be a source of unexpected traffic.

18
Q

Sofia suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to help verify her suspicions?
A. Flows
B. A protocol analyzer
C. SNMP
D. An IDS or IPS

A

C. SNMP will not typically provide specific information about a system’s network traffic that would allow you to identify outbound connections. Flows, sniffers (protocol analyzers), and an IDS or IPS can all provide a view that would allow the suspect traffic to be captured.

19
Q

Susan wants to use an email security protocol to determine the authenticity of an email. Which of the following options will ensure that her organization’s email server can determine if it should accept email from a sender?
A. DMARC
B. SPF
C. DKIM
D. POP3

A

A. DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is a protocol that combines SPF and DKIM to prove that a sender is who they claim to be. DKIM validates that a domain is associated with a message, whereas SPF lists the servers that are authorized to send from your domain. POP3 is an email protocol but does not perform the function described.

20
Q

Juan wants to see a list of processes along with their CPU utilization in an interactive format. What built-in Linux tool should he use?
A. df
B. top
C. tail
D. cpugrep

A

B. The top command in Linux provides an interactive interface to view CPU utilization, memory usage, and other details for running processes. df shows disk usage, tail displays the end of a file, and cpugrep is a made-up command.

21
Q

Which of the following measures is not commonly used to assess threat intelligence?
A. Timeliness
B. Detail
C. Accuracy
D. Relevance

A

B. While higher levels of detail can be useful, it isn’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

22
Q

Nandita has encountered an attacker who appears to be using a commonly available exploit package to attack her organization. The package seems to have been run with default configurations against her entire public-facing Internet presence from a single system. What type of threat actor is she most likely facing?
A. An APT
B. A hacktivist
C. A script kiddie
D. A nation-state actor

A

C. The lack of complexity and nuance most likely indicates that she has discovered an attack by an unskilled attacker, sometimes called a “script kiddie.”

23
Q

Which of the following activities follows threat data analysis in the threat intelligence cycle?
A. Gathering feedback
B. Threat data collection
C. Threat data review
D. Threat intelligence dissemination

A

D. Threat intelligence dissemination or sharing typically follows threat data analysis. The goal is to get the threat data into the hands of the organizations and individuals who need it.

24
Q

Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?
A. Review of security breaches or compromises your organization has faced
B. Review of current vulnerability scans
C. Review of current data handling standards
D. Review of threat intelligence feeds for new threats

A

A. Understanding what your organization needs is important for the requirements gathering phase of the intelligence cycle. Reviewing recent breaches and compromises can help to define what threats you are currently facing. Current vulnerability scans can identify where you may be vulnerable but are less useful for threat identification. Data handling standards do not provide threat information, and intelligence feed reviews list new threats, but those are useful only if you know what type of threats you’re likely to face so that you can determine which ones you should target.

25
Q

What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
A. DHS
B. SANS
C. CERTs
D. ISACs

A

D. The U.S. government created the information sharing and analysis centers (ISACs). ISACs help infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.

26
Q

Which of the following threat actors typically has the greatest access to resources?
A. Nation-state actors
B. Organized crime
C. Hacktivists
D. Insider threats

A

A. Nation-state actors are government sponsored and typically have the greatest access to resources, including tools, money, and talent.

27
Q

Organizations like Anonymous, which target governments and businesses for political reasons, are examples of what type of threat actor?
A. Hacktivists
B. Military assets
C. Nation-state actors
D. Organized crime

A

A. Hacktivists execute attacks for political reasons, including those against governments and businesses. The key element in this question is the political reasons behind the attack.

28
Q

Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?
A. His organization’s attack surface
B. A possible attack vector
C. An example of adversary capability
D. A probability assessment

A

B. Attack vectors, or the means by which an attacker can gain access to their target, can include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability here doesn’t mean what they can do but their ability to do so. The attack surface might include the organization’s parking lot in this example, but this is not an example of an attack surface, and there was no probability assessment included in this problem.

29
Q

What type of assessment is particularly useful for identifying insider threats?
A. Behavioral
B. Instinctual
C. Habitual
D. IOCs

A

A. Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed, such as after-hours logins, misuse of credentials, and logins from abnormal locations or in abnormal patterns, and other behavioral indicators are often used.

30
Q

Felix wants to gather threat intelligence about an organized crime threat actor. Where is he most likely to find information published by the threat actor?
A. Social media
B. Blogs
C. Government bulletins
D. The dark web

A

D. Threat actors like criminal organizations frequently operate via the dark web. Forums operate as clearinghouses for information, resources, and access via TOR-hosted sites. While social media, blogs, or government bulletins may provide information about a criminal organization, the organization itself is more likely to publish information on the dark web.

31
Q

Which of the following is not a common indicator of compromise?
A. Administrative account logins
B. Unexpected modifications of configuration files
C. Login activity from atypical countries or locations
D. Large outbound data transfers from administrative systems

A

A. Administrative logins themselves are not IOCs, but unexpected behavior associated with them or other atypical behavior is an indicator of compromise. Unexpected modifications of configuration files, login activity from atypical countries or locations, and large file transfers from administrative systems are all common indicators of compromise.

32
Q

Nick wants to analyze attacker tactics and techniques. What type of tool can he deploy to most effectively capture actual attack data for analysis?
A. A firewall
B. A honeypot
C. A web application firewall
D. A SIEM

A

B. Nick should deploy a honeypot to capture attack tools and techniques for further analysis. Firewalls block traffic. A web application firewall is a firewall designed to protect web applications, and while it may capture useful information it is not as well suited to this purpose. A SIEM, or security information and event management tool, may also capture relevant attack data but it’s not specifically designed for the purpose l

33
Q

Which of the following is not a common focus area for threat hunting activities?
A. Policies
B. Misconfigurations
C. Isolated networks
D. Business-critical assets

A

A. Threat hunters are less likely to look at policies. Instead, configurations and misconfigurations, isolated networks, and business-critical assets are all common focuses of threat hunters.

34
Q

What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?
A. Threat quality level
B. STIX level
C. Confidence level
D. Assurance level

A

C. The confidence level of your threat information is how certain you are of the information. A high confidence threat assessment will typically be confirmed either by multiple independent and reliable sources or via direct verification.

35
Q

What drove the creation of ISACs in the United States?
A. Threat information sharing for infrastructure owners
B. The Cybersecurity Act of 1994
C. Threat information collection network providers
D. The 1998 ISAC Act

A

A. ISACs were introduced in 1998 as part of a presidential directive, and they focus on threat information sharing and analysis for critical infrastructure owners.

36
Q

How is threat intelligence sharing most frequently used for vulnerability management?
A. To identify zero-day threats before they are released
B. As part of vulnerability feeds for scanning systems
C. As part of patch management processes to determine which patches are not installed
D. To perform quantitative risk assessment

A

B. Threat intelligence feeds often provide information about what vulnerabilities are being actively exploited as well as about new exploits. This can influence patching priorities and vulnerability management efforts. Zero-day threats aren’t known until they are released. Vulnerability management efforts help to determine what patches aren’t installed, but threat intelligence doesn’t determine that. Threat intelligence isn’t directly leveraged for quantitative risk assessment as part of vulnerability management efforts in typical organizations.

37
Q

OpenIOC uses a base set of indicators of compromise originally created and provided by which security company?
A. Mandiant
B. McAfee
C. CrowdStrike
D. Cisco

A

A. The threat indicators built into OpenIOC are based on Mandiant’s indicator list. You can extend and include additional indicators of compromise beyond the 500 built-in definitions.

38
Q

Advanced persistent threats are most commonly associated with which type of threat actor?
A. Insider threats
B. Nation-state actors
C. Organized crime
D. Hacktivists

A

B. Advanced persistent threats (APTs) are most commonly associated with nation-state actors. The complexity of their operations and the advanced tools that they bring typically require significant resources to leverage fully.

39
Q

What are the two types of insider threats?
A. Attack and defense
B. Approved and prohibited
C. Real and imagined
D. Intentional and unintentional

A

D. Insider threats may be intentional or unintentional.

40
Q

Forensic data is most often used for what type of threat assessment data?
A. STIX
B. Behavioral
C. IOCs
D. TAXII

A

C. Forensic data is very helpful when defining indicators of compromise (IOCs). Behavioral threat assessments can also be partially defined by forensic data, but the key here is where the data is most frequently used.

41
Q

Megan wants to use the Metasploit Framework to conduct a web application vulnerability scan. What module from the following list is best suited to her needs?
A. smb_login
B. Angry IP
C. nmap
D. wmap

A

D. The wmap scanner is a web application scanner module for the Metasploit Framework that can scan for vulnerable web applications. The smb_login tool looks for SMB shares, not web applications. Angry IP Scanner is not integrated with Metasploit, and nmap is a port scanner, not a full web application vulnerability scanner.

42
Q

What flag does nmap use to enable operating system identification?
A. -os
B. -id
C. -O
D. -osscan

A

C. Nmap’s operating system identification flag is -O, and it enables OS detection. -A also enables OS identification and other features. --osscan-limit and --osscan-guess set specific OS identification features. -os and -id are not nmap flags.

43
Q

What command-line tool can be used to determine the path that traffic takes to a remote system?
A. Whois
B. traceroute
C. nslookup
D. routeview

A

B. Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.

44
Q

Valerie wants to use a graphical interface to control nmap and wants to display her scans as a visual map to help her understand her target networks. What tool from the following list should she use?
A. Angry IP Scanner
B. wmap
C. Zenmap
D. nmap-gs

A

C. Zenmap is a graphical user interface for nmap that also supports graphical output, including visual maps of networks. Valerie can use Zenmap to control nmap and create the output she wants. Angry IP Scanner is a separate scanner and does not generate a visual map of networks—instead, it provides lists. Wmap is a plug-in for the Metasploit Framework and a stand-alone tool that is a web application and service vulnerability testing tool, and nmap-gs was made up for this question.

45
Q

Susan runs an nmap scan using the following command:
nmap -O -Pn 192.168.1.0/255
What information will she see about the hosts she scans?
A. The hostname and service ports
B. The hostname, service ports, and operating system
C. The hostname and operating system
D. The hostname, uptime, and logged-in user

A

B. Along with the time to run the scan and time to live of packets sent, Susan will see the hostname, service ports, and operating system using the scan flags above. The -O flag attempts to identify the operating system, while the -Pn flag skips pinging and scans all hosts in the network on their typically scanned ports.

46
Q

Tuan wants to gather additional information about a domain that he has entered in Maltego.
What functionality is used to perform server-based actions in Maltego?
A. A worker
B. A query
C. A transform
D. A scan

A

C. Maltego calls its server-based functions for information gathering “transforms.”

47
Q

Laura wants to conduct a search for hosts using Recon-ng but wants to leverage a search engine with API access to acquire existing data. What module should she use?
A. recon/companies-multi/whois_miner
B. import/nmap
C. recon/domains-hosts/shodan_hostname
D. import/list

A

C. While you may not know the full list of Recon-ng plug-ins, Shodan is a well-known search engine. Laura could leverage API access to Shodan to gather information from previously performed searches. Both the import utilities will require her to have data she has already gathered, and the Whois miner can be assumed to use Whois information rather than an existing search engine dataset.

48
Q

After running an nmap scan, Geoff sees ports 80 and 443 open on a system he scanned. What reasonable guess can he make about the system based on this result?
A. The system is a Windows system.
B. The system is running a database server.
C. The system is a Linux system.
D. The system is running a web server.

A

D. Ports 80 and 443 are commonly associated with unencrypted (port 80) and TLS encrypted (port 443) web servers. There is not enough information to determine if this might be a Windows or Linux system, and these are not typical ports for a database server.

49
Q

What information is used to identify network segments and topology when conducting an nmap scan?
A. IP addresses
B. Hostnames
C. Time to live
D. Port numbers

A

C. The time to live (TTL) provided as part of responses is used to evaluate the number of hops in a network, and thus to derive a best guess at network topology. While IP addresses can sometimes be related to network topology, they’re less likely to be directly associated with it. Hostnames and port numbers have no correlation to topology.

50
Q

Murali wants to scan a network using nmap and has run a scan without any flags without discovering all of the hosts that he thinks should show. What scan flag can he use to scan without performing host discovery that will also determine if services are open on the systems?
A. -sn
B. -PS
C. -Pn
D. -sL

A

C. The -Pn, or “no ping”, flag skips host discovery and performs a port scan. The -sn flag skips the port scan after discovery, -sL lists hosts by performing DNS lookups, and -PS performs probes using a TCP SYN.

51
Q

Jaime is using the Angry IP Scanner and notices that it supports multiple types of pings to identify hosts. Why might she choose to use a specific type of ping over others?
A. To bypass firewalls
B. To allow better vulnerability detection
C. To prevent the scan from being flagged by DDoS protection tools
D. To leverage the faster speed of TCP pings over UDP pings

A

A. Some firewalls block ICMP ping but allow UDP or TCP pings. Jaime knows that choosing her ping protocol can help to bypass some firewalls. Angry IP Scanner is not a vulnerability scanner, and UDP pings are faster than TCP pings.

52
Q

Hue wants to perform network footprinting as part of a reconnaissance effort. Which of the following tools is best suited to passive footprinting given a domain name as the starting point for her efforts?
A. Traceroute
B. Maltego
C. Nmap
D. Angry IP Scanner

A

B. Hue knows that Maltego provides transforms that can identify hosts and IP addresses related to a domain and that it can then gather additional information using other OSINT transforms. Nmap and Angry IP Scanner are both active scanning tools, and traceroute won’t provide useful footprinting information given just a domain name.

53
Q

Jack wants to scan a system using the Angry IP Scanner. What information does he need to run the scan?
A. The system’s IP address
B. The system’s Whois data
C. The system’s MAC address
D. The system administrator’s username and password

A

A. To conduct a port scan, all Jack needs is an IP address, hostname, or IP range.

54
Q

Which of the following is not a reason that security professionals often perform packet capture while conducting port and vulnerability scanning?
A. Work process documentation
B. To capture additional data for analysis
C. To prevent external attacks
D. To provide a timeline

A

C. A packet capture can’t prevent external attacks, although it might capture evidence of one. Packet capture is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.

55
Q

What process uses information such as the way that a system’s TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?
A. Service identification
B. Fuzzing
C. Application scanning
D. OS detection

A

D. Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

56
Q

Li wants to use Recon-ng to gather data from systems. Which of the following is not a common use for Recon-ng?
A. Conducting vulnerability scans of services
B. Looking for sensitive files
C. Conducting OSINT gathering of Whois, DNS, and similar data
D. Finding target IP addresses

A

A. Recon-ng is not a vulnerability scanner. It does help with OSINT activities like looking for sensitive files, conducting OSINT information gathering, and finding target IP addresses. Li knows that Recon-ng is an OSINT-focused tool and that vulnerability scanning is an active, rather than passive, information-gathering effort. While Recon-ng supports port scanning, it does not have a vulnerability scanner function.

57
Q

Jason wants to conduct a port scan using the Metasploit Framework. What tool can he use from the framework to do this?
A. Angry IP Scanner
B. Recon-ng
C. Maltego
D. Nmap

A

D. Nmap support is built into MSF, allowing easy port scanning by simply calling nmap as you would normally from the command line. Angry IP Scanner is not built in, and both Recon-ng and Maltego are separate tools with OSINT and information management capabilities.

58
Q

Sally wants to use operating system identification using nmap to determine what OS a device is running. Which of the following is not a datapoint used by nmap to identify operating systems?
A. TCP sequences
B. TCP timestamps
C. TCP OS header
D. TCP options

A

C. Operating system fingerprinting relies in many cases on knowing what the TCP stack for a given operating system does when it sends responses. You can read more detail about the many ways nmap tests for and filters the data at https://nmap.org/book/osdetect-methods.html#osdetect-probes. Sally knows that banners are provided at interactive logins or by services and that nmap uses network protocol data for OS detection.

59
Q

Chris wants to perform network-based asset discovery. What limitation will he encounter if he relies on a port scanner to perform his discovery?
A. Port scanners cannot detect vulnerabilities.
B. Port scanners cannot determine what services are running on a given port.
C. Firewalls can prevent port scanners from detecting systems.
D. A port scanner can create a denial-of-service condition for many modern systems.

A

C. Firewalls can prevent responses to port scanners, making systems essentially invisible to the scanner. A port scanner alone is not sufficient for asset discovery in many networks. Port scanners often have some limited vulnerability detection built in, often relying on version information or fingerprinting, but not detecting vulnerabilities does not prevent discovery. Port scanners make a best guess at services on a port based on information provided by the service. Port scanners do not typically cause problems for most modern applications and services but can under some circumstances. This shouldn’t stop a discovery port scan, though.

60
Q

Emily wants to gather open source intelligence and centralize it using an open source tool. Which of the following tools is best suited to managing the collection of data for her OSINT efforts?
A. The Metasploit Framework
B. Recon-ng
C. nmap
D. Angry IP Scanner

A

B. Recon-ng is a Python-based open source framework for open source intelligence gathering and web-based reconnaissance. The Metasploit Framework is a penetration testing and compromise tool with a multitude of other features, but it is not as well suited to information gathering as a core purpose. Nmap and the Angry IP Scanner are both port scanners.

61
Q

Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What technology is likely in use on this network that resulted in this vulnerability?
A. TLS
B. NAT
C. SSH
D. VPN

A

B. Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.

62
Q

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
A. AV
B. C
C. PR
D. AC

A

C. The privileges required (PR) metric indicates the type of account access the attacker must have.

63
Q

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
A. High
B. Medium
C. Low
D. Severe

A

C. An attack complexity of “low” indicates that exploiting the vulnerability does not require any specialized conditions.

64
Q

Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
A. N
B. L
C. M
D. H

A

D. A value of High (H) for an impact metric indicates the potential for complete loss of confidentiality, integrity, and/or a

65
Q

What is the most recent version of CVSS that is currently available?
A. 2.0
B. 2.5
C. 3.1
D. 3.2

A

C. CVSS 3.1 is the most recent version of the standard as of the time this book was published in 2023.

66
Q

Which one of the following metrics is not included in the calculation of the CVSS exploitability score?
A. Attack vector
B. Vulnerability age
C. Attack complexity
D. Privileges required

A

B. The CVSS exploitability score is computed using the attack vector (AV), attack complexity (AC), privileges required (PR), and user interaction (UI) metrics. Vulnerability age is not an included metric.

67
Q

Kevin recently identified a new software vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?
A. Low
B. Medium
C. High
D. Critical

A

B. Vulnerabilities with CVSS base scores between 4.0 and 6.9 fit into the medium risk category.

68
Q

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
A. False positive
B. False negative
C. True positive
D. True negative

A

A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

69
Q

Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
A. Logs
B. Database tables
C. SIEM
D. Configuration management system

A

B. It is unlikely that a database table would contain information relevant to assessing a vulnerability scan report. Logs, SIEM reports, and configuration management systems are much more likely to contain relevant information.

70
Q

Which one of the following operating systems should be avoided on production networks?
A. Windows Server 2008 R2
B. Red Hat Enterprise Linux 9
C. Debian Linux 11
D. Ubuntu 22

A

A. Microsoft discontinued support for Windows Server 2008 R2 in 2020, and it is highly likely that the operating system contains unpatchable vulnerabilities.

71
Q

In what type of attack does the attacker place more information in a memory location than is allocated for that use?
A. SQL injection
B. LDAP injection
C. Cross-site scripting
D. Buffer overflow

A

D. Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program’s use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

72
Q

The Dirty COW attack is an example of what type of vulnerability?
A. Malicious code
B. Privilege escalation
C. Buffer overflow
D. LDAP injection

A

B. In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with administrative control of affected systems.

73
Q

Which one of the following protocols should never be used on a public network?
A. SSH
B. HTTPS
C. SFTP
D. Telnet

A

D. Telnet is an insecure protocol that does not make use of encryption. The other protocols mentioned are all considered secure.

74
Q

Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice?
A. SSL 2.0
B. SSL 3.0
C. TLS 1.0
D. TLS 1.3

A

D. TLS 1.3 is a secure transport protocol that supports web traffic. The other protocols listed all have flaws that render them insecure and unsuitable for use.

75
Q

Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
A. Use of an untrusted CA
B. Inclusion of a public encryption key
C. Expiration of the certificate
D. Mismatch in certificate name

A

B. Digital certificates are intended to provide public encryption keys, and this would not cause an error. The other circumstances are all causes for concern and would trigger an alert during a vulnerability scan.

76
Q

What type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser?
A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. File inclusion

A

C. XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.

77
Q

Bonnie discovers entries in a web server log indicating that penetration testers attempted to access the following URL:
www.mycompany.com/sortusers.php?file=C:\uploads\attack.exe
What type of attack did they most likely attempt?
A. Reflected XSS
B. Persistent XSS
C. Local file inclusion
D. Remote file inclusion

A

C. This URL contains the address of a local file passed to a web application as an argument. It is most likely a local file inclusion (LFI) exploit, attempting to execute a malicious file that the testers previously uploaded to the server.

78
Q

Which one of the following terms is not typically used to describe the connection of physical devices to a network?
A. IoT
B. IDS
C. SCADA
D. ICS

A

B. Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICSs) are all associated with connecting physical world objects to a network.

79
Q

Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
A. SQL injection
B. Malware injection
C. LDAP injection
D. Cross-site scripting

A

D. In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.

80
Q

Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
A. SQL injection
B. LDAP injection
C. Cross-site scripting
D. Buffer overflow

A

A. In a SQL injection attack, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and apostrophes are characteristic of these attacks.

81
Q

What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies?
A. HIPAA
B. GLBA
C. FISMA
D. FERPA

A

C. The Federal Information Security Management Act (FISMA) requires that federal agencies implement vulnerability management programs for federal information systems. The Health Insurance Portability and Accountability Act (HIPAA) regulates the ways that healthcare providers, insurance companies, and their business associates handle protected health information (PHI). Similarly, the Gramm–Leach–Bliley Act (GLBA) governs how financial institutions handle customer financial records. The Family Educational Rights and Privacy Act (FERPA), which is not covered in this chapter or on the CySA+ exam, allows parents to access their children’s educational records.

82
Q

Which one of the following industry standards describes a standard approach for setting up an information security management system?
A. OWASP
B. CIS
C. ISO 27002
D. ISO 27001

A

D. ISO 27001 describes a standard approach for setting up an information security management system, while ISO 27002 goes into more detail on the specifics of information security controls. The Open Web Application Security Project (OWASP) provides advice and tools focused on web application security. The Center for Internet Security (CIS) produces a set of configuration benchmarks used to securely configure operating systems, applications, and devices.

83
Q

What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans?
A. Asset inventory
B. Web application assessment
C. Router
D. DLP

A

A. An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans.

84
Q

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
A. Daily
B. Weekly
C. Monthly
D. Quarterly

A

D. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

85
Q

Which one of the following is not an example of a vulnerability scanning tool?
A. Nikto
B. Snort
C. Nessus
D. OpenVAS

A

B. Nessus and OpenVAS are network vulnerability scanning tools, while Nikto is a web application vulnerability scanner. Snort is an intrusion detection system.

86
Q

Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan?
A. Immediately.
B. June.
C. December.
D. No scans are required.

A

A. PCI DSS requires that organizations conduct vulnerability scans quarterly, which would have Bethany’s next regularly scheduled scan scheduled for June. However, the standard also requires scanning after any significant change in the payment card environment. This would include an upgrade to the point-of-sale system, so Bethany must complete a new compliance scan immediately.

87
Q

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
A. Domain administrator
B. Local administrator
C. Root
D. Read-only

A

D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

88
Q

Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
A. CVSS
B. CVE
C. CPE
D. OVAL

A

C. Common Platform Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

89
Q

Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
A. Any employee of the organization
B. An approved scanning vendor
C. A PCI DSS service provider
D. Any qualified individual

A

D. Internal scans completed for PCI DSS compliance purposes may be conducted by any qualified individual.

90
Q

Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?
A. Bank
B. Hospital
C. Government agency
D. Doctor’s office

A

C. The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors’ offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions. Banks may be required to conduct scans under PCI DSS, but this is a contractual obligation and not a statutory requirement.

91
Q

Which one of the following organizations focuses on providing tools and advice for secure web application development?
A. OWASP
B. CIS
C. NIST
D. Microsoft

A

A. All of these organizations provide security tools and advice. However, only the Open Web Application Security Project (OWASP) has a dedicated focus on the development of secure web applications.

92
Q

What term describes an organization’s willingness to tolerate risk in their computing environment?
A. Risk landscape
B. Risk appetite
C. Risk level
D. Risk adaptation

A

B. The organization’s risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk-averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.

93
Q

Which one of the following factors is least likely to impact vulnerability scanning schedules?
A. Regulatory requirements
B. Technical constraints
C. Business constraints
D. Staff availability

A

D. Scan schedules are most often determined by the organization’s risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.

94
Q

Barry placed all of his organization’s credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan?
A. Customer systems
B. Systems on the isolated network
C. Systems on the general enterprise network
D. Both B and C

A

B. If Barry is able to limit the scope of his PCI DSS compliance efforts to the isolated network, then that is the only network that must be scanned for PCI DSS compliance purposes.

95
Q

Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?
A. Run the scan against production systems to achieve the most realistic results possible.
B. Run the scan during business hours.
C. Run the scan in a test environment.
D. Do not run the scan to avoid disrupting the business.

A

C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

96
Q

Which one of the following activities is not part of the vulnerability management life cycle?
A. Detection
B. Remediation
C. Reporting
D. Testing

A

C. Although reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life-cycle phases are detection, remediation, and testing.

97
Q

What approach to vulnerability scanning incorporates information from agents running on the target servers?
A. Continuous monitoring
B. Ongoing scanning
C. On-demand scanning
D. Alerting

A

A. Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.

98
Q

Kolin would like to use an automated web application vulnerability scanner to identify any potential security issues in an application that is about to be deployed in his environment. Which one of the following tools is least likely to meet his needs?
A. ZAP
B. Nikto
C. Arachni
D. Burp Suite

A

A. The Zed Attack Proxy (ZAP) is a proxy server that may be used in web application penetration tests, but it is not itself an automated vulnerability scanning tool. Nikto and Arachni are examples of dedicated web application vulnerability scanners. Burp Suite is a web proxy used in penetration testing.

99
Q

Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
A. CVSS
B. CVE
C. CPE
D. XCCDF

A

A. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.

100
Q

Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
A. Any employee of the organization
B. An approved scanning vendor
C. A PCI DSS service provider
D. Any qualified individual

A

B. While any qualified individual may conduct internal compliance scans, PCI DSS requires the use of a scanning vendor approved by the PCI SSC for external compliance scans.

101
Q

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability

A

C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

102
Q

You notice a high number of SQL injection attacks against a web application run by your organization and you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
A. Reduced the magnitude
B. Eliminated the vulnerability
C. Reduced the probability
D. Eliminated the threat

A

C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

103
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.
What is the asset value (AV)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000

A

C. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

104
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.
What is the exposure factor (EF)?
A. 5%
B. 20%
C. 50%
D. 100%

A

D. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100%.

105
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.
What is the single loss expectancy (SLE)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000

A

C. We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

106
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.
What is the annualized rate of occurrence (ARO)?
A. 0.05
B. 0.20
C. 2.00
D. 5.00

A

A. Aziz’s threat intelligence research determined that the threat has a 5% likelihood of occurrence each year. This is an ARO of 0.0

107
Q

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.
What is the annualized loss expectancy (ALE)?
A. $5,000
B. $25,000
C. $100,000
D. $500,000

A

B. We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

108
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

C. Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitud

109
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Business leaders are considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

B. Changing business processes or activities to eliminate a risk is an example of risk avoidance.

110
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. The business decided to install the web application firewall and continue doing business. They still were worried about other risks to the information that were not addressed by the firewall and consider purchasing an insurance policy to cover those risks. What strategy does this use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

D. Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.

111
Q

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. In the end, risk managers found that the insurance policy was too expensive and opted not to purchase it. They are taking no additional action. What risk management strategy is being used in this situation?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

A. When an organization decides to take no further action to address remaining risk, they are choosing a strategy of risk acceptance.

112
Q

Which of the following is a formal process that allows organizations to open their systems to inspection by security researchers in a controlled environment?
A. Edge discovery
B. Passive discovery
C. Security controls testing
D. Bug bounty

A

D. Bug bounty programs provide a formal process that allows organizations to open their systems to inspection by security researchers in a controlled environment that encourages attackers to report vulnerabilities in a responsible fashion. Edge discovery scanning identifies any systems or devices with public exposure by scanning IP addresses belonging to the organization. Passive discovery techniques monitor inbound and outbound traffic to detect devices that did not appear during other discovery scans. Security controls testing verifies that the organization’s array of security controls are functioning properly.

113
Q

Which of the following is often used to assist with the prevention of XSS and SQL injection attacks?
A. Secure session management
B. Input validation
C. SLOs
D. Maintenance windows

A

B. Input validation helps prevent a wide range of problems, from cross-site scripting (XSS) to SQL injection attacks. Secure session management ensures that attackers cannot hijack user sessions or that session issues don’t cause confusion among users. Organizations that offer technology services to customers may define service level objectives (SLOs) that set formal expectations for service availability, data preservation, and other key requirements. Many organizations choose to consolidate many changes in a single period of time known as a maintenance window. Maintenance windows typically occur on evenings and weekends or during other periods of time where business activity is low.

114
Q

Which of the following is designed specifically to support penetration testing and the reverse engineering of malware?
A. Immunity debugger
B. GDB
C. SDLC
D. Parameterized queries

A

A. The Immunity debugger is designed specifically to support penetration testing and the reverse engineering of malware. GNU debugger (GDB) is a widely used open source debugger for Linux that works with a variety of programming languages. The software development life cycle (SDLC) describes the steps in a model for software development throughout its life.
Parameterized queries prevent SQL injection attacks by precompiling SQL queries so that new code may not be inserted when the query is executed.
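The two answers above (input validation for card 113, parameterized queries for card 114) are easier to remember when you have seen the failure and the fix side by side. The following is an added example, not code from the original flashcards: a constructed in-memory SQLite table with a login check written two ways, plus an allow-list username check and HTML output encoding for the XSS side of card 113. The table contents, usernames and passwords are invented sample data, and a real application would store password hashes rather than plaintext.

```python
import html
import re
import sqlite3

# Allow-list validation: a username may only contain these characters and lengths.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: user input is parsed as part of the SQL statement."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the statement is compiled first; the inputs are bound as values."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def valid_username(username: str) -> bool:
    """Allow-list input validation: reject anything that is not a plausible username."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(username: str) -> str:
    """Output encoding for an HTML context: the browser renders text, not markup."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"
```

Feeding `alice' --` as the username, or `' OR '1'='1` as the password, logs in through `login_vulnerable` because the quote characters end the string literal and the rest becomes SQL; the same strings fail against `login_parameterized` because they are compared as data. Validation and parameterization are complementary: the allow-list rejects obviously hostile input early and keeps garbage out of logs and error messages, while the parameterized query is what actually removes the injection path.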

115
Q

Jason gathers threat intelligence that notes that an adversary that his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?
A. His organization’s attack surface
B. A possible attack vector
C. An example of adversary capability
D. A probability assessment

A

B. Attack vectors, or the means by which an attacker can gain access to their target, can
include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability describes what the adversary is able to do, not the specific route they take to do it. The attack surface might include the organization’s parking lot in this example, but the USB drop itself is not an attack surface, and no probability assessment is included in this
problem.

116
Q

What type of assessment is particularly useful for identifying insider threats?
A. Behavioral
B. Instinctual
C. Habitual
D. IOCs

A

A. Behavioral assessments are very useful when you are attempting to identify insider
threats. Since insider threat activity is often hard to distinguish from normal behavior, the context of the actions performed, such as after-hours logins, misuse of credentials, logins from abnormal locations or in abnormal patterns, and other behavioral indicators, is
often used.

117
Q

STRIDE, PASTA, and LINDDUN are all examples of what?
A. Zero-day rating systems
B. Vulnerability assessment tools
C. Adversary analysis tools
D. Threat classification tools

A

D. STRIDE, PASTA, and LINDDUN are all examples of threat classification tools. LINDDUN focuses on threats to privacy; STRIDE was developed at Microsoft and classifies threats as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege; and PASTA is an attacker-centric
threat modeling methodology.

118
Q

What type of software testing tool executes the code as it is being tested?
A. Static analysis
B. Dynamic analysis
C. Compilation
D. Decompilation

A

B. Dynamic analysis techniques actually execute the code during the testing process. Static code analysis tools and techniques analyze the structure and content of code without executing the code itself. Compilation is the process of transforming source code into an executable, and decompilation attempts to reverse that process. Neither compilation nor
decompilation executes the code.

119
Q

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
A. Mutation testing
B. Static code analysis
C. Dynamic code analysis
D. Fuzzing

A

B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

120
Q

During testing, Tiffany slowly increases the number of connections to an application until it fails. What is she doing?
A. Regression testing
B. Unit testing
C. Stress testing
D. Fagan testing

A

C. Tiffany is stress-testing the application. Stress testing intentionally goes beyond the application’s normal limits to see how it responds to extreme loads or other abnormal conditions beyond its normal capacity. Unit testing tests individual components of an application, while
regression testing is done to ensure that new versions don’t reintroduce old bugs or break existing functionality. Fagan testing
is a formal method of code inspection.

121
Q

Which one of the following is an example of a computer security incident?
A. User accesses a secure file
B. Administrator changes a file’s permission settings
C. Intruder breaks into a building
D. Former employee crashes a server

A

D. A former employee crashing a server is an example of a computer security incident
because it is an actual violation of the availability of that system. A user accessing a secure file and an administrator changing file permission settings are examples of security events but are not security incidents. An intruder breaking into a building may be a security event, but it is not necessarily a computer security event unless they perform some action affecting a computer.

122
Q

During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

A

A. Organizations should build solid, defense-in-depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve
to reduce the likelihood and impact of future incidents.

123
Q

Alan is responsible for developing his organization’s detection and analysis capabilities. He would like to purchase a system that can combine log records from multiple sources to detect potential security incidents. What type of system is best suited to meet Alan’s security
objective?
A. IPS
B. IDS
C. SIEM
D. Firewall

A

C. A security information and event management (SIEM) system correlates log entries from multiple sources and attempts to identify potential security incidents.

124
Q

Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization’s staff. How should Ben classify the functional impact of this incident according to the NIST scale?
A. None
B. Low
C. Medium
D. High

A

C. The definition of a medium functional impact is that the organization has lost the ability to provide a critical service to a subset of system users. That accurately describes the situation that Ben finds himself in. Assigning a low functional impact is only done when the organization can still provide all critical services to all users at diminished efficiency. Assigning a high
functional impact is only done if the organization can no longer provide a critical service to any users.

125
Q

What phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

A

C. The containment activities in the containment, eradication, and recovery
phase are designed to limit the damage caused by an ongoing security incident.

126
Q

What common criticism is leveled at the Cyber Kill Chain?
A. Not all threats are aimed at a kill.
B. It is too detailed.
C. It includes actions outside the defended network.
D. It focuses too much on insider threats.

A

C. The Kill Chain includes actions outside the defended network, which many defenders cannot act on, and this is one of the common criticisms of the model. Other criticisms include its focus on a traditional perimeter and on antimalware-based techniques, as well as its lack of focus on insider threats.

127
Q

Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss?
A. None
B. Privacy breach
C. Proprietary breach
D. Integrity loss

A

C. In a proprietary breach, unclassified proprietary information is accessed or exfiltrated.
Protected critical infrastructure information (PCII) is an example of unclassified proprietary
information.

128
Q

Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks
throughout the enterprise?
A. NTP
B. FTP
C. ARP
D. SSH

A

A. The Network Time Protocol (NTP) provides a common source of time information that
allows the synchronizing of clocks throughout an enterprise.

129
Q

Which one of the following document types would outline the authority of a CSIRT responding to a security incident?
A. Policy
B. Procedure
C. Playbook
D. Baseline

A

A. An organization’s incident response policy should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.

130
Q

A cross-site scripting attack is an example of what type of threat vector?
A. Impersonation
B. Email
C. Attrition
D. Web

A

D. A web attack is an attack executed from a website or web-based application—for
example, a cross-site scripting attack used to steal credentials or redirect to a site that
exploits a browser vulnerability and installs malware.

131
Q

What phase of the Cyber Kill Chain includes creation of persistent backdoor access for
attackers?
A. Delivery
B. Exploitation
C. Installation
D. C2

A

C. The installation phase of the Cyber Kill Chain focuses on providing persistent backdoor access for attackers. Delivery occurs when the tool is put into action either directly or indirectly, whereas exploitation occurs when a vulnerability is exploited. Command-and-Control
(C2) uses two-way communications to provide continued remote control.

132
Q

Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
A. CEO
B. Director of security
C. CIO
D. CSIRT leader

A

A. The incident response policy provides the CSIRT with the authority needed to do their
job. Therefore, it should be approved by the highest possible level of authority within the
organization, preferably the CEO.

133
Q

Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
A. Detect an incident in progress.
B. Implement a containment strategy.
C. Identify the attackers.
D. Eradicate the effects of the incident.

A

A. Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed are all objectives of the containment, eradication,
and recovery phase.

134
Q

Renee is responding to a security incident that resulted in the unavailability of a website critical to her company’s operations. She is unsure of the amount of time and effort that it will
take to recover the website. How should Renee classify the recoverability effort?
A. Regular
B. Supplemented
C. Extended
D. Not recoverable

A

C. Extended recoverability effort occurs when the time to recovery is unpredictable. In those
cases, additional resources and outside help are typically needed.

135
Q

Which one of the following is an example of an attrition attack?
A. SQL injection
B. Theft of a laptop
C. User installs file sharing software
D. Brute-force password attack

A

D. An attrition attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS attack intended to impair or deny access
to a service or application, or a brute-force attack against an authentication mechanism.

136
Q

Who is the best facilitator for a post-incident lessons learned session?
A. CEO
B. CSIRT leader
C. Independent facilitator
D. First responder

A

C. Lessons learned sessions are most effective when facilitated by an independent party who
was not involved in the incident response effort.

137
Q

Which one of the following elements is not normally found in an incident response policy?
A. Performance measures for the CSIRT
B. Definition of cybersecurity incidents
C. Definition of roles, responsibilities, and levels of authority
D. Procedures for rebuilding systems

A

D. Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an incident response policy.

138
Q

An on-path attack is an example of what type of threat vector?
A. Attrition
B. Impersonation
C. Web
D. Email

A

B. An impersonation attack involves the replacement of something benign with something malicious—for example, spoofing, on-path (man-in-the-middle) attacks, rogue wireless access
points, and SQL injection attacks all involve impersonation.

139
Q

Tommy is the CSIRT team leader for his organization and is responding to a newly discovered security incident. What document is most likely to contain step-by-step instructions that he might follow in the early hours of the response effort?
A. Policy
B. Baseline
C. Playbook
D. Textbook

A

C. Incident response playbooks contain detailed, step-by-step instructions that guide the early response to a cybersecurity incident. Organizations typically have playbooks prepared for high-severity and frequently occurring incident types.

140
Q

Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company’s employees. How should Hank classify the information impact of this security event?
A. None
B. Privacy breach
C. Proprietary breach
D. Integrity loss

A

A. The event described in this scenario would not qualify as a security incident with measurable information impact. Although the laptop did contain information that might cause a privacy breach, that breach was avoided by the use of encryption to protect the contents of
the laptop.

141
Q

Susan needs to track evidence that has been obtained throughout its life cycle. What documentation does she need to create and maintain if she expects the evidence to be used in a legal case?
A. Forensic hashes
B. Legal hold
C. Chain of custody
D. IoC ratings

A

C. Susan needs to maintain a proper chain of custody for the evidence, documenting who held it, when, and what was done with it. This is especially important when dealing with data that may become part of legal proceedings. Forensic hashes are typically generated as part of forensic processes to ensure that the original and copies of forensic data match, but a hash
alone does not provide chain-of-custody tracking. Legal holds require organizations to preserve data but don’t track chain of custody, and IoC ratings are unrelated to this question.

142
Q

Hui wants to comply with a legal hold but knows that her organization has a regular process that purges logs after 45 days due to space limitations. What should she do if the logs are covered by the legal hold?
A. Notify counsel that the logs will be deleted automatically in 45 days.
B. Delete the logs now to allow longer before space is filled up.
C. Identify a preservation method to comply with the hold.
D. Make no changes; holds allow ongoing processes to continue as normal.

A

C. Hui knows that she needs to preserve the logs per the legal hold notice and will need to identify a method to preserve the logs while maintaining operations for her organization. Failing to do so can have significant legal repercussions.

143
Q

Juan wants to validate the integrity of a drive that he has forensically imaged as part of an incident response process. Which of the options should he select?
A. Compare a hash of the original drive to the drive image.
B. Compare the file size on disk of the original drive to the space taken up by the
drive image.
C. Compare the vendor’s drive size listing to the space taken up by the drive image.
D. Use PGP to encrypt the drive and image and make sure that both encrypted versions match.

A

A. Hashes are used to validate drive images and other forensic artifacts. Comparing a hash of the original and the image is commonly used to ensure that they match. None of the other options will validate a drive image, and encrypting a drive will modify it, spoiling the
evidence.
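Card 143 says to compare hashes rather than sizes; the following added example (not code from the original flashcards) shows why, and how to do it without reading a large image into memory. It constructs a fake "drive" file, a bit-for-bit copy, and a copy with a single byte flipped, then verifies each against the source. The file names and content are invented for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a multi-terabyte image never has to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(original: str, image: str, algorithm: str = "sha256") -> dict:
    """Compare hashes of the source and the image; size equality is reported only as a sanity check."""
    src, dst = hash_file(original, algorithm), hash_file(image, algorithm)
    return {
        "algorithm": algorithm,
        "original": src,
        "image": dst,
        "size_match": os.path.getsize(original) == os.path.getsize(image),
        "verified": src == dst,
    }


def demo() -> tuple:
    """Constructed demo: a fake 'drive', a bit-for-bit copy, and a copy with one byte flipped."""
    data = bytes(range(256)) * 4096  # 1 MiB of constructed content standing in for a disk
    tampered = data[:4096] + bytes([data[4096] ^ 0x01]) + data[4097:]
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "sda.raw")
        good = os.path.join(workdir, "sda.good.dd")
        bad = os.path.join(workdir, "sda.bad.dd")
        for path, blob in ((drive, data), (good, data), (bad, tampered)):
            with open(path, "wb") as fh:
                fh.write(blob)
        ok = verify_image(drive, good)
        ko = verify_image(drive, bad)
    # (good copy verified, tampered copy verified, tampered copy same size as source)
    return ok["verified"], ko["verified"], ko["size_match"]
```

The tampered copy is exactly the same size as the source and would pass option B from the card; only the hash comparison catches the flipped byte. Record the algorithm and both digests in the case notes at acquisition time, since the hash is what later ties the working copy back to the original.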

144
Q

Kathleen wants to determine if the traffic she is seeing is unusual for her network. Which of the following options would be most useful to determine if traffic levels are not typical for this time of day in a normal week?
A. Heuristics
B. Baselines
C. Protocol analysis
D. Network flow logs

A

B. A baseline for traffic patterns and levels would allow Kathleen to determine if the traffic was typical or if something unusual was going on. Heuristics focus on behaviors, and Kathleen wants to see if traffic levels are different, not behaviors. Protocol analysis looks at whether there is an unusual protocol or data, and network flow logs are useful for determining which systems are sending traffic to where and via what protocol.

145
Q

Renee wants to adopt an open IoC feed. What issue is Renee most likely to need to address when adopting it?
A. The cost of the IoC feed
B. The quality of the feed
C. The update frequency of the feed
D. The level of detail in the feed

A

B. Open feed data can vary in quality and reliability. That means Renee will have to put processes in place to assess the quality and reliability of the IoC information she is receiving. An open feed implies that it is free. Open feeds are generally active, and IoC detail levels vary as IoCs are created and updated, regardless of the type of feed.

146
Q

Chris wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate?
A. Collecting NetFlow data
B. Using a protocol analyzer
C. Pinging remote systems
D. Enabling SNMP

A

C. Active monitoring is focused on reaching out to gather data using tools like ping and
iPerf. Passive monitoring with protocol analyzers collects network traffic, while router-based
monitoring using SNMP and flow collection gather data by receiving or collecting logged information.

147
Q

Which of the following is not information commonly found in an IoC?
A. IP addresses
B. Domain names
C. System images
D. Behavior-based information

A

C. System images are not typically part of an IoC. Hashes of malicious software may be,
as well as IP addresses, hostnames, domains, and behavior-based information, among other
common details.

148
Q

Cameron wants to be able to detect a denial-of-service attack against his web server. Which of the following tools should he avoid?
A. Log analysis
B. Flow monitoring
C. iPerf
D. IPS

A

C. Log analysis, flow monitoring, and deploying an IPS are all appropriate solutions to help detect denial-of-service attacks. iPerf is a performance testing tool used to establish the maximum bandwidth available on a network connection.

149
Q

Sameer finds log information that indicates that a process that he believes is malicious starts at the same time every day on a Linux system. Where should he start looking for an issue like this?
A. He should review the system log.
B. He should check the Task Scheduler.
C. He should check cron jobs.
D. He should check user directories.

A

C. While there could be other issues, a recurring scheduled task is most likely to be set as a cron job, and Sameer should start his search there. The Task Scheduler is a Windows tool, system logs may or may not contain information about the process, and searching user directories would not provide indications of what process was starting a

150
Q

Jim uses an IoC feed to help detect new attacks against his organization. What should he do
first if his security monitoring system flags a match for an IoC?
A. Shut down the system that caused the alert
B. Review the alert to determine why it occurred
C. Check network logs to identify the remote attacker
D. Run a port scan to determine if the system is compromised

A

B. Reviewing why the alert occurred is Jim’s first step. IoCs in isolation may not indicate
a compromise or attack, so validating the alert is an important first step. Shutting down
a system due to an alert could cause an outage or prevent forensic investigation. There is
nothing in the question to indicate that this is a network-based attack that will have been logged,
and port scans are also not indicated by the question.

151
Q

While monitoring network traffic to his web server cluster, Mark notices a significant
increase in traffic. He checks the source addresses for inbound traffic and finds that the traffic is coming from many different systems all over the world. What should Mark identify this as if he believes that it may be an attack?
A. A denial-of-service attack
B. A distributed network scan
C. A DNS-based attack
D. A distributed denial-of-service attack

A

D. The behavior described with a significant increase in traffic from many systems all
over the world is most likely a distributed denial-of-service attack if it is malicious. Mark’s challenge will be in determining if it is an attack or if some other event has occurred that is driving traffic to his website—a post that goes viral can be difficult to differentiate from an attack in some cases!

152
Q

Valentine wants to check for unauthorized access to a system. What two log types are most likely to contain this information?
A. Authentication logs and user creation logs
B. System logs and application logs
C. Authentication logs and application logs
D. System logs and authentication logs

A

A. Valentine knows that unauthorized access often involves the creation of unauthorized user
accounts and authentication events that allowed access to the system. System logs contain system events, but not authentication or user creation information. Application logs track application events and also typically won’t show this type of information.

153
Q

Sayed notices that a remote system has attempted to log into a system he is responsible for
multiple times using the same administrator’s user ID but different passwords. What has
Sayed most likely discovered?
A. A user who forgot their password
B. A broken application
C. A brute-force attack
D. A misconfigured service

A

C. A series of attempted logins from the remote system with the same username but different
passwords is a common indicator of a brute-force attack. While more sophisticated attackers will use multiple remote systems and will spread attempts over time, a simple brute-force
attack will appear exactly like this. Sayed can verify this by checking in with the administrator whose username is being used.

154
Q

While Susan is monitoring a router via network flows, she sees a sudden drop in network traffic levels to zero, and the traffic chart shows a flat line. What has likely happened?
A. The sampling rate is set incorrectly.
B. The router is using SNMP.
C. The monitored link failed.
D. A DDoS attack is occurring

A

C. The most likely answer is that the link has failed. Incorrectly set sampling rates will not
provide a good view of traffic, and a DDoS attack is more likely to show large amounts of traffic. SNMP is a monitoring protocol and would not result in flow data changing.

155
Q

Leo wants to monitor his application for common issues. Which of the following is not a typical method of monitoring for application issues?
A. Up/down logging
B. System logging
C. Performance logging
D. Transactional logging

A

B. System logging is typically handled separately from application logging. Up/down, performance, transactional, and service logging are all common forms of monitoring used to ensure applications are performing correctly.

156
Q

Greg notices that a user account on a Linux server he is responsible for has connected to 10 machines via SSH within seconds. What type of IoC best matches this type of behavior?
A. Bot-like behavior
B. Port scanning
C. Denial of service
D. Escalation of privileges

A

A. Actions performed more quickly than a typical user would perform them can be an
indicator of bot-like behavior. If the user performing the actions does not typically run scripts or connect to multiple machines, Greg may want to investigate more deeply, including checking logs on the remote systems to see what authentication was attempted. SSH connections alone are not indicators of port scanning, escalation of privilege, or denial-of-service
attacks.
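Cards 153 and 156 describe two patterns that fall out of the same authentication log: one username failing repeatedly from one source (the log shows the failures, not the different passwords), and one account reaching many hosts faster than a person could type. The following added example (not code from the original flashcards) runs both rules over a constructed set of login events; the addresses, usernames and hostnames are invented sample data, and the thresholds are starting points to tune, not standards.

```python
from collections import defaultdict

# Constructed authentication events (sample data only):
# (time HH:MM:SS, source IP, username, destination host, result)
EVENTS = (
    # six failed logins for "admin" from one source inside six seconds
    [("09:00:%02d" % s, "203.0.113.7", "admin", "web01", "FAIL") for s in range(1, 7)]
    # one account reaching ten different hosts in ten seconds
    + [("10:15:%02d" % s, "10.0.0.5", "svc_backup", "app%02d" % s, "OK") for s in range(10)]
    # an ordinary user: one typo, then success
    + [("11:00:00", "10.0.0.9", "alice", "web01", "FAIL"),
       ("11:00:03", "10.0.0.9", "alice", "web01", "OK")]
)


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def max_in_window(times, window: int) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, threshold: int = 5, window: int = 60) -> list:
    """(source, user) pairs with at least `threshold` failures within `window` seconds."""
    failures = defaultdict(list)
    for t, src, user, _host, result in events:
        if result == "FAIL":
            failures[(src, user)].append(to_seconds(t))
    return sorted(k for k, ts in failures.items() if max_in_window(ts, window) >= threshold)


def detect_bot_like(events, threshold: int = 10, window: int = 10) -> list:
    """(source, user) pairs that reached at least `threshold` distinct hosts within `window` seconds."""
    sessions = defaultdict(list)
    for t, src, user, host, result in events:
        if result == "OK":
            sessions[(src, user)].append((to_seconds(t), host))
    flagged = []
    for key, conns in sessions.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            hosts = {h for t, h in conns[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)
```

Both rules key on the (source, user) pair, so a password spray from many sources or a slow attack spread over hours will not trip them, which is exactly the limitation the card notes for "more sophisticated attackers"; those need a longer window and a per-user view across sources.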

157
Q

Arun wants to monitor for unusual database usage. Which of the following is most likely to
be indicative of a malicious actor?
A. Increases in cached hits to the database
B. Decreases in network traffic to the database
C. Increases in disk reads for the database
D. Decreases in database size

A

C. An attacker is likely to attempt to gather information from the entire database, meaning that cached hits will not make up the full volume of queries. Thus, disk reads from a database may be a more important indicator of compromise than an increase in cached hits, which may simply reflect more typical usage.

158
Q

Valerie is concerned that an attacker may have gained access to a system in her datacenter. Which of the following behaviors is not a common network-based IoC that she should monitor for?
A. Traffic to unexpected destinations
B. Unusual volumes of outbound traffic
C. Increases in system memory consumption
D. Outbound traffic at unusual times

A

C. Valerie is specifically looking for network-related IoCs, and system memory consumption is a host- or system-related IoC, not a network-related IoC.

159
Q

Alex has noticed that the primary disk for his Windows server is quickly filling up. What should he do to determine what is filling up the drive?
A. Check the filesystem logs.
B. Check the security logs.
C. Search for large files and directories.
D. Search for file changes.

A

C. The first step in Alex’s process should be to identify where the files that are filling the
drive are located and what they are. A simple search sorted by directory and file size can help with this. Windows does not keep a filesystem log that records what is consuming space, and security logs are focused on security events, not filesystem information. Searching for recently changed files shows recent activity but not which files or directories are taking up the
space.

160
Q

Joseph wants to be notified if user behaviors vary from normal on systems he maintains. He uses a tool to capture and analyze a week of user behavior and uses that to determine if unusual behavior occurs. What is this practice called?
A. Pattern matching
B. Baselining
C. Fingerprinting
D. User modeling

A

B. Joseph has created a user behavior baseline, which will allow him to see if there are exceptions to the normal behaviors and commands that users run. Pattern matching, fingerprinting, and user modeling are not terms used to describe this process.
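Cards 116, 144 and 160 all come back to the same idea: capture what normal looks like over a baseline period, then score new activity against it. The following added example (not code from the original flashcards) builds Joseph's per-user baseline from a constructed week of logins and returns the reasons a new login deviates, which are the after-hours and abnormal-location indicators card 116 lists. The user, dates and location labels are invented sample data; the same per-bucket approach, keyed on hour of the week instead of user, gives Kathleen's traffic baseline from card 144.

```python
from collections import defaultdict
from datetime import datetime


def baseline_week() -> list:
    """Constructed baseline (sample data): alice logs in hourly 08:00-17:00 on weekdays from the office."""
    events = []
    for day in range(4, 9):  # 2024-03-04 through 2024-03-08, a Monday-to-Friday week
        for hour in range(8, 18):
            events.append(("2024-03-%02dT%02d:00:00" % (day, hour), "alice", "office-nyc"))
    return events


def build_baseline(events) -> dict:
    """Per user: the set of login hours and the set of source locations seen during the baseline period."""
    hours, places = defaultdict(set), defaultdict(set)
    for ts, user, place in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        places[user].add(place)
    return {u: {"hours": hours[u], "places": places[u]} for u in hours}


def _near(hour: int, seen, slack: int) -> bool:
    """True if `hour` is within `slack` hours of any baseline hour, wrapping around midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in seen)


def score_login(baseline: dict, ts: str, user: str, place: str, slack: int = 1) -> list:
    """Reasons a login deviates from the user's baseline; an empty list means it looks normal."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user " + user]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not _near(hour, profile["hours"], slack):
        reasons.append("login at %02d:00 is outside baseline hours" % hour)
    if place not in profile["places"]:
        reasons.append("login from new location " + place)
    return reasons
```

A week is the minimum that makes sense for hour-of-day patterns, and an account with no baseline (a new hire, a freshly created service account) is itself worth a look, which is why the function reports that case instead of silently treating everything as normal.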

161
Q

After running an nmap scan of a system, you receive scan data that indicates the following
three ports are open:
22/TCP
443/TCP
1521/TCP
What services commonly run on these ports?
A. SMTP, NetBIOS, MS-SQL
B. SSH, LDAPS, LDAP
C. SSH, HTTPS, Oracle
D. FTP, HTTPS, MS-SQL

A

C. These three TCP ports are associated with SSH (22), HTTPS (443), and Oracle databases
(1521). Other ports mentioned in the potential answers are SMTP (25), NetBIOS (137–139),
LDAP (389), LDAPS (636) and MS-SQL (1433/1434). To learn more on this topic, see
Chapter 1.

162
Q

What type of system allows attackers to believe they have succeeded with their attack, thus
providing defenders with information about their attack methods and tools?
A. A honeypot
B. A sinkhole
C. A crackpot
D. A darknet

A

A. Honeypots are systems that are designed to look like attractive targets. When they
are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to
malicious software, redirecting queries about command-and-control (C&C) systems to allow remediation. Darknets are segments of unused network space that are monitored to detect traffic—since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic. Crackpots are eccentric people—not a system
you’ll run into on a network. To learn more on this topic, see Chapter 4.

163
Q

What cybersecurity objective could be achieved by running your organization’s web servers
in redundant, geographically separate datacenters?
A. Confidentiality
B. Integrity
C. Immutability
D. Availability

A

D. Redundant systems, particularly when run in multiple locations and with other protections to ensure uptime, can help provide availability. To learn more on this topic, see
Chapter 1.

164
Q

Which of the following vulnerability scanning methods will provide the most accurate detail
during a scan?
A. Black box/unknown environment
B. Authenticated
C. Internal view
D. External view

A

B. An authenticated, or credentialed, scan provides the most detailed view of the system.
Black-box assessments presume no knowledge of a system and would not have credentials
or an agent to work with on the system. Internal views typically provide more detail than
external views, but neither provides the same level of detail that credentials can allow.
To learn more on this topic, see Chapter 6.

165
Q

Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in
Microsoft’s Edge browser that could allow remote code execution or denial of service via a specially crafted website. The CVSS 3.1 score for this vulnerability reads:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
What is the attack vector and the impact to integrity based on this rating?
A. System, 9, 8
B. Browser, High
C. Network, High
D. None, High

A

C. When reading the CVSS score, AV is the attack vector. Here, N means network. Confidentiality (C), integrity (I), and availability (A) are listed at the end of the listing, and all three are
rated as High in this CVSS rating. To learn more on this topic, see Chapter 7

166
Q

Alice is a security engineer tasked with performing vulnerability scans for her organization.
She encounters a false positive error in one of her scans. What should she do about this?
A. Verify that it is a false positive, and then document the exception.
B. Implement a workaround.
C. Update the vulnerability scanner.
D. Use an authenticated scan, and then document the vulnerability.

A

A. When Alice encounters a false positive error in her scans, her first action should be to
verify it. This may involve running a more in-depth scan like an authenticated scan, but it
could also involve getting assistance from system administrators, checking documentation,
or other validation actions. Once she is done, she should document the exception so that it
is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an
authenticated scan might help but does not cover all the possibilities for validation she may
need to use. To learn more on this topic, see Chapter 7.

167
Q

Which phase of the incident response process is most likely to include gathering additional
evidence such as information that would support legal action?
A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-incident Activity and Reporting

A

C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit
damage and document what occurred, including potentially identifying the attacker and tools
used for the attack. This means that information useful to legal actions is most likely to be
gathered during this phase. To learn more on this topic, see Chapter 9.

168
Q

Which of the following descriptions explains an integrity loss?
A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.

A

B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches. To learn more on this topic, see Cha

169
Q

Hui’s incident response program uses metrics to determine if their subscription to and use of IoC feeds is meeting the organization’s requirements. Which of the following incident response metrics is most useful if Hui wants to assess their use of IoC feeds?
A. Alert volume metrics
B. Mean time to respond metrics
C. Mean time to detect metrics
D. Mean time to remediate metrics

A

C. IoCs are used to improve detection, and Hui knows that gathering mean time to detect metrics will help the organization determine if their use of IoC feeds is improving detection speed. Alert volume is driven by configuration and maintenance of alerts, and it would not determine if the IoC usage was appropriate. Response time and remediation time are better used to measure the organization’s processes and procedures. To learn more on this topic, see Chapter 12.

170
Q

Abdul’s monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing

A

D. Regular traffic from compromised systems to command-and-control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made-up term, and probing is part of scanning behavior in some cases. To learn more on this topic, see Chapter 4.

171
Q

What term is used to describe the retention of data and information related to pending or active litigation?
A. Preservation
B. Legal hold
C. Criminal hold
D. Forensic archiving

A

B. The term legal hold is used to describe the retention of data and information related to a pending or active legal investigation. Preservation is a broader term used to describe retention of data for any of a variety of reasons including business requirements. Criminal hold and forensic archiving were made up for this question. To learn more on this topic, see Chapter 13.

172
Q

What industry standard is used to describe risk scores?
A. CRS
B. CVE
C. RSS
D. CVSS

A

D. The Common Vulnerability Scoring System, or CVSS, is used to rate and describe risks. CVE, Common Vulnerabilities and Exposures, classifies vulnerabilities. RSS, or Really Simple Syndication, is used to create feeds of websites. CRS was made up for this question. To learn more on this topic, see Chapter 12.

173
Q

During a forensic investigation Maria discovers evidence that a crime has been committed. What do organizations typically do to ensure that law enforcement can use data to prosecute a crime?
A. Securely wipe drives to prevent further issues
B. Document a chain of custody for the forensic data
C. Only perform forensic investigation on the original storage media
D. Immediately implement a legal hold

A

B. Documenting a proper chain of custody will allow law enforcement to be more likely to use forensic data successfully in court. Wiping drives will cause data loss, forensic examination is done on copies, not original drives, and legal holds are done to preserve data when litigation is occurring or may occur.

174
Q

Oscar’s manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar’s best course of action?
A. Use an antivirus tool to remove any associated malware.
B. Use an antimalware tool to completely scan and clean the system.
C. Wipe and rebuild the system.
D. Restore a recent backup.

A

C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software. To learn more on this topic, see Chapter 11.

175
Q

A firewall is an example of what type of control?
A. Preventive
B. Detective
C. Responsive
D. Corrective

A

A. The main purpose of a firewall is to block malicious traffic before it enters a network, therefore preventing a security incident from occurring. For this reason, it is best classified as a preventive control. To learn more on this topic, see Chapter 8.

176
Q

Cathy wants to collect network-based indicators of compromise as part of her security monitoring practice. Which of the following is not a common network-related IoC?
A. Bandwidth consumption
B. Rogue devices on the network
C. Scheduled updates
D. Activity on unexpected ports

A

C. Scheduled updates are a normal activity on network-connected devices. Common indicators of potentially malicious activity include bandwidth consumption, beaconing, irregular peer-to-peer communication, rogue devices, scans, unusual traffic spikes, and activity on unexpected ports. To learn more on this topic, see Chapter 3.

176
Q

Which of the following actions is not a common activity during the recovery phase of an incident response process?
A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems

A

A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase. To learn more on this topic, see Chapter 11.

177
Q

A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?
A. Policies
B. Standards
C. Procedures
D. Guidelines

A

B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation. To learn more on this topic, see Chapter 8.

178
Q

Nick wants to analyze a potentially malicious software package using an open source, locally hosted tool. Which of the following tools is best suited to his need if he wants to run the tool as part of the process?
A. Strings
B. A SIEM
C. VirusTotal
D. Cuckoo Sandbox

A

D. Cuckoo Sandbox is the only item from the list of potential answers that is a locally installed and run sandbox that analyzes potential malware by running it in a safe sandbox environment. To learn more on this topic, see Chapter 3.

179
Q

Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
A. Waterfall
B. Agile
C. RAD
D. Spiral

A

D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation. To learn more on this topic, see Chapter 8.