B.3.4 Security+ SY0-601 Domain 4: Operations and Incident Response

Question 1

Which of the following tools can be used to view and modify DNS server information in Linux?

Answer 1

dig

Question 2

Which command should you use to scan for open TCP ports on your Linux system?

Answer 2

nmap -sT

Question 3

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram.
Which tool should you use?

Answer 3

Network mapper

Question 4

You need to enumerate the devices on your network and display the network’s configuration details.

Which of the following utilities should you use?

Answer 4

nmap

Question 5

You need to check network connectivity from your computer to a remote computer.

Which of the following tools would be the BEST option to use?

Answer 5

ping

Question 6

Which command should you use to display both listening and non-listening sockets on your Linux system?

Answer 6

netstat -a

Question 7

You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use?

Answer 7

Nessus

Question 8

Which of the following tools can be used to see if a target has any online IoT devices without proper security?

Answer 8

Shodan

Question 9

You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use?

Answer 9

grep

Question 10

Which of the following BEST describes PuTTy?

Answer 10

Open-source software that is developed and supported by a group of volunteers

Question 11

!= refers to Not Equal in which scripting language?

Answer 11

Python

Question 12

Which of the following BEST describes a constant?

Answer 12

Data or a value that does not change

Question 13

A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following?

Answer 13

If else statement

Question 14

You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack?

Answer 14

TCPReplay

Question 15

Which of the following are network-sniffing tools?

Answer 15

Cain and Abel, Ettercap, and TCPDump

Question 16

You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use?

Answer 16

Wireshark

Question 17

You are using a protocol analyzer to capture network traffic. You want to only capture the frames coming from a specific IP address.

Which of the following can you use to simplify this process?

Answer 17

Capture filters

Question 18

You want to check a server for user accounts that have weak passwords. Which tool should you use?

Answer 18

John the Ripper

Question 19

An attacker has gained access to the administrator’s login credentials. Which type of attack has most likely occurred?

Answer 19

Password cracking

Question 20

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?

Answer 20

Document what is on the screen

Question 21

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?

Answer 21

Disconnect the access point from the network

Question 22

After a security event that involves a breach of physical security, what is the term used for the new measures, incident review, and repairs meant to stop a future incident from occurring?

Answer 22

Recovery

Question 23

What is the best definition of a security incident?

Answer 23

Violation of a security policy

Question 24

What is the purpose of audit trails?

Answer 24

To detect security-violating events

Question 25

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?

Answer 25

Mitre Att@ck

Question 26

What is a Mitre Att@k?

Answer 26

A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations

Question 27

As a security analyst, you have discovered the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims? (Select two.)

Answer 27

Diamond Model of Intrusion Analysis Mitre Att@cks

Question 28

What is the primary goal of business continuity planning?

Answer 28

Maintain business operations with reduced or restricted infrastructure capabilities or resources

Question 29

When is a BCP or DRP design and development actually completed?

Answer 29

Never

Question 30

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?

Answer 30

Business continuity plan

Question 31

Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range?

Answer 31

Alerts

Question 32

Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred. Which log type should you check?

Answer 32

System

Question 33

You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use?

Answer 33

tail -n 15 /home/user/logfile

Question 34

You would like to add some entries into the system log file. Which command would you use?

Answer 34

logger

Question 35

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?

Answer 35

Application log

Question 36

Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is?

Answer 36

Web server logs

Question 37

You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?

Answer 37

DNS logs

Question 38

You suspect a bad video driver is causing a user's system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?

Answer 38

Dump files

Question 39

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?

Answer 39

Back up all logs and audits regarding the incident

Question 40

Which of the following is an important aspect of evidence-gathering?

Answer 40

Back up all log files and audit trails

Question 41

Which of the following is a standard for sending log messages to a central logging server?

Answer 41

Syslog

Question 42

You are worried about email spoofing. What can be put throughout an email's header that provides the originating email account or IP address and not a spoofed one?

Answer 42

X-headers

Question 43

You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all of the network traffic?

Answer 43

Configure the network interface to use promiscuous mode

Question 44

Which of the following accurately describes what a protocol analyzer is used for? (Select two.)

Answer 44

A passive device that is used to copy frames and allow you to view frame contents A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack)

Question 45

You want to identify traffic that is generated and sent through a network by a specific application running on a device. Which tool should you use?

Answer 45

Protocol analyzer

Question 46

You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use?

Answer 46

Packet sniffer

Question 47

You are concerned about attacks directed against the firewall on your network. You would like to examine the content of individual frames sent to the firewall. Which tool should you use?

Answer 47

Packet sniffer

Question 48

Your organization recently purchased 20 Android tablets for use by the organization's management team. To increase the security of these devices, you want to ensure that only specific apps can be installed. Which of the following would you implement?

Answer 48

App whitelisting

Question 49

Which of the following items would you secure in the Perimeter layer of the security model?

Answer 49

Firewalls

Question 50

You are configuring web threat protection on the network and want to prevent users from visiting www.videosite.org. Which of the following needs to be configured?

Answer 50

Website filtering

Question 51

You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?

Answer 51

Firewall rules

Question 52

You need to remotely wipe an android phone for one of your rogue users. Which endpoint tool would you use?

Answer 52

Mobile device management (MDM)

Question 53

You are implementing security at a local high school that is concerned with students accessing inappropriate material on the internet from the library's computers. The students use the computers to search the internet for research paper content. The school budget is limited. Which content filtering option would you choose?

Answer 53

Restrict content based on content categories

Question 54

You are investigating the use of website and URL content filtering to prevent users from visiting certain websites. Which benefits are the result of implementing this technology in your organization? (Choose two.)

Answer 54

Enforcement of the organization's internet usage policy An increase in bandwidth availability

Question 55

You are configuring web threat protection on the network and have identified a website that contains malicious content. Which of the following should you configure?

Answer 55

Web threat filtering

Question 56

Which of the following types of proxies can be used for web filtering?

Answer 56

Transparent

Question 57

You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?

Answer 57

Isolation

Question 58

You have detected and identified a security event. What's the first step you should complete?

Answer 58

Containment

Question 59

You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?

Answer 59

Segmentation

Question 60

Which of the following Security Orchestration, Automation, and Response (SOAR) system automation components is often used to document the processes and procedures that are to be used by a human during a manual intervention?

Answer 60

Playbook

Question 61

Which of the following roles would be MOST likely to use a protocol analyzer to identify frames that might cause errors?

Answer 61

Security operations team

Question 62

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?

Answer 62

SOAR

Question 63

You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)

Answer 63

Runbooks Playbooks

Question 64

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information?

Answer 64

Legal hold

Question 65

What is the most important element related to evidence in addition to the evidence itself?

Answer 65

Chain of custody document

Question 66

The chain of custody is used for which purpose?

Answer 66

Listing people coming into contact with the evidence

Question 67

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this?

Answer 67

Chain of custody

Question 68

What is a Chain of Custody?

Answer 68

A document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court

Question 69

By default, events received from the source computers in Event Subscription are saved in which log?

Answer 69

Forwarded Events log

Question 70

As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events?

Answer 70

Make sure all client computers have their time set accurately by a time server

Question 71

Prepare to Document means establishing the process you will use to document your network. Which of the following makes this documentation more useful?

Answer 71

Have a printed hard copy kept in a secure location

Question 72

Which area of focus helps to identify weak network architecture or design?

Answer 72

Documentation

Question 73

Documenting procedures and processes are part of which milestone in the NSA's Manageable Network Plan?

Answer 73

Document Your Network

Question 74

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?

Answer 74

Document what is on the screen

Question 75

A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data. Place the following items in the correct order of volatility in the gathering of potential evidence.

Answer 75

Random Access Memory (RAM) Swap/page file Hard drive Remote logs Archived data

Question 76

Your computer system is a participant in an asymmetric cryptography system. You've created a message to send to another user. Before transmission, you hash the message and encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. In this example, which protection does the hashing activity provide?

Answer 76

Integrity

Question 77

You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future?

Answer 77

Create a hash of each log

Question 78

What does the hashing of log files provide?

Answer 78

Proof that the files have not been altered

Question 79

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?

Answer 79

Create a checksum using a hashing algorithm

Question 80

You have downloaded a file from the internet. You generate a hash and check it against the original file's hash to ensure the file has not been changed. Which information security goal is this an example of?

Answer 80

Integrity