CYSA Flashcards

exam

1
Q

Your company just launched a new invoicing website for use by your five largest vendors. You are the cyber security analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend be implemented to restore and maintain the availability of the new invoicing system?

A
• Intrusion Detection System
• Whitelisting (CORRECT)
• MAC filtering
• VPN
EXPLANATION
By whitelisting the IP addresses of the five largest vendors, they will be the only ones able to access the web server. This can be done by creating rules in the Access Control List (ACL) that deny ALL other users except these five vendors, thereby dropping the large number of requests coming from any other IP addresses, such as those from an attacker.
2
Q

Michelle is preparing to run an nmap scan of a targeted network. She wants to perform a quick scan but knows that a SYN scan isn’t possible because she doesn’t have raw socket privileges on the system she is going to conduct her scan from. What flag should she use to set her scan type?

A
• -sX
• -sT (CORRECT)
• -O
• -sS
EXPLANATION
Nmap's TCP scan function is enabled using the -sT flag and is a quick way to scan when you are unable to get raw socket access to the scanner system. Fast scans are more frequently conducted using the -sS (SYN) scan, but it requires raw socket access.
3
Q

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you receive the following warning:

“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”

You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:

Enter your username: <br></br>
<br></br>
Enter your Password: <br></br>
<br></br>

Based on your analysis, what do you recommend?

A
• You should implement a scanner exception to ensure you don’t receive this false positive again during your next scan
• You recommend that your company should update the browser’s GPO to solve this issue (CORRECT)
• You tell the system administrator to disable SSL and implement TLS
• You tell the developer to review their code and implement a bug/code fix
EXPLANATION
Since the passwords could be stored in the browser, updating the GPO for the company’s web browsers would be the best option.

4
Q

Alexander needs to search for files that may have been deleted by a user. What two locations are most likely to contain those files on a Windows system?

A
• Registry, the recycle bin
• Unallocated space, slack space
• Recycle bin, unallocated space
• Slack space, the recycle bin (CORRECT)
EXPLANATION
Files that users have deleted are most likely to be found in the recycle bin or in slack space, which is the space left after a file has been written to a cluster, which may contain remnant data from previous files. Unallocated space is space that has not been partitioned and, thus, would typically not have been written to. Finally, the registry will not store files that have been deleted.
5
Q

What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems?

A
• Impersonation
• Attrition (CORRECT)
• Loss or theft of equipment
• Improper usage
EXPLANATION
Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks or services.
6
Q

John discovers a service running on one of the ports known as a “well-known” port while running a port scanner. What range of ports could this service be running on?

A
• 1-65,534
• 1-128
• 1-1023 (CORRECT)
• 1-512
EXPLANATION
The well-known ports are numbered from 1-1023. Ports above this number are called ephemeral ports. While these ports are commonly associated with specific services, they can be used for any service. Users or applications just need to be made aware of what port to access the service on.
7
Q

In what type of attack does the attacker begin with a normal user account and then seek to gain additional access rights?

A
• Spearphishing
• Remote code exploitation
• Privilege escalation (CORRECT)
• Cross-site Scripting
EXPLANATION
Privilege escalation attacks seek to increase the level of access that an attacker has to a target system.
8
Q

What two techniques are commonly used by port and vulnerability scanners to perform service and system identification?

A
• Comparing response fingerprints and registry scanning
• Banner grabbing and comparing response fingerprints (CORRECT)
• Using the oslookup utility and UDP response timing
• Banner grabbing and UDP response timing
EXPLANATION
Service and version identification is often performed by grabbing service banners and checking responses for services to known fingerprints of those services. UDP response timing, along with other TCP/IP stack fingerprinting techniques, are used to identify operating systems, while oslookup is not an actual utility.

9
Q

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?

A
• Perform a scan for the specific vulnerability on all web servers (CORRECT)
• Perform an unauthenticated vulnerability scan on all servers in the environment
• Perform a web vulnerability scan on all servers in the environment
• Perform an authenticated scan on all web servers in the environment
EXPLANATION
Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers is chosen because Apache is a web server application.

10
Q

What role do the offensive participants perform in a table top exercise (TTX)?

A
• System administrators
• Blue team
• Red Team (CORRECT)
• Security analysts
EXPLANATION
The red team performs the role of the attacker during a table top exercise (TTX) to help the security team become better at defending the network. This red team action can be done as part of a table top exercise or as part of a larger on-network penetration test.
11
Q

What popular open source port scanning tool is commonly used for host discovery and service identification?

A
• nmap (CORRECT)
• dd
• Windows Defender
• services.msc
EXPLANATION
Nmap is a popular open source port scanning utility.
12
Q

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

A
• Virtual hosts (CORRECT)
• Organizational governance
• Processor utilization
• Log disposition
EXPLANATION
Vulnerability reports should include not just physical hosts but also virtual hosts. A common mistake of new cyber security analysts is to only include physical hosts, thereby missing a large number of assets on the network.
13
Q

The service desk has been receiving a large number of complaints from external users that a web application is responding slowly to requests and that they frequently receive a “connection timed out” error when they attempt to submit information into the application. What software development best practice should have been implemented in order to have prevented this issue from occurring?

A
• fuzzing
• stress testing (CORRECT)
• input validation
• regression testing
EXPLANATION
Stress testing is a software testing activity that determines the robustness of software by testing beyond the limits of normal operation. Stress testing is particularly important for "mission critical" software, but is used for all types of software. This stress testing is an important component in the capacity management process of IT service management and is used to ensure adequate resources are available to support the needs of the end user once the service or application goes into the production environment.
14
Q

You are conducting an incident response and have traced the source of the attack to some compromised user credentials. After performing log analysis, you have discovered that the attacker successfully authenticated from an unauthorized foreign country. Your management is now asking you to implement a solution to help mitigate an attack using compromised credentials from occurring in the future. What should you implement?

A
• Self-service password reset
• Context-based authentication (CORRECT)
• Password complexity
• Single sign-on
EXPLANATION
Context-based authentication can take a number of factors into consideration before permitting access to a user, including their location (country, state, etc.), time of day, and other key factors, to minimize the threat of compromised credentials being utilized in an attack.
15
Q

You are a cyber security analyst and have been asked to review the following packet of information:

23:12:23.154234 IP 172.18.10.3:25 > 192.168.10.45:3389 Flags [P.],
Seq 1834:1245, ack 1, win 511, options [nop,nop],
TS val 263451334 ecr 482862734, length 125

After looking over the information on the packet, you discovered there is an unauthorized service running on the host.

What ACL should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on that host?

A
• DENY TCP ANY HOST 172.18.10.3 EQ 25
• DENY TCP ANY HOST 192.168.10.45 EQ 3389 (CORRECT)
• DENY IP HOST 192.168.10.45 ANY EQ 25
• DENY IP HOST 172.18.10.3 HOST 192.168.10.45 EQ 3389
EXPLANATION
Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 192.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over port 3389 (the Remote Desktop Protocol service, which is unauthorized).
16
Q

Your organization needs to institute an organizational vulnerability management program due to new regulations. The CIO assigns this new function to the information security team. What framework would BEST support the program?

A
• SANS
• SDLC
• OWASP
• NIST (CORRECT)
EXPLANATION
NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40).
17
Q

What regulation protects the privacy of student educational records?

A
• FERPA (CORRECT)
• GLBA
• HIPAA
• SOX
EXPLANATION
The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records.
18
Q

Based on some old SIEM alerts, you have been asked to perform some forensic analysis on a particular host. You have noticed that some SSL network connections are occurring over ports other than port 443. Additionally, the SIEM alerts state that copies of svchost.exe and cmd.exe have been found in the %TEMP% folder on the host, as well as showing that RDP connections have previously connected with an IP address that is external to the corporate intranet. What threat might you have uncovered during your analysis?

A
• APT (CORRECT)
• Ransomware
• DDoS
• Software vulnerability
EXPLANATION
The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months, and utilize secure communication to external IPs as well as Remote Desktop Protocol connections to provide the attackers with access to the infected host.
19
Q

If your DNS server allows __________ and is not properly secured, attackers may be able to get a full listing of your internal DNS information.

A
• Split horizon
• FQDN resolution
• Remediate the threat
• Zone transfers (CORRECT)
EXPLANATION
DNS zone transfers provide a full listing of DNS information. Improperly secured DNS servers may allow attackers to gather this data by performing a zone transfer.
20
Q

What port is most likely to be used in a web-based attack?

A
• 3389
• 389
• 443 (CORRECT)
• 21
EXPLANATION
Port 389 is used by LDAP, port 21 is used by FTP, and port 3389 is used by RDP. Web-based attacks would most likely appear on port 80 (HTTP) or port 443 (HTTPS).
21
Q

Cybersecurity risks result from the combination of a threat and a(n) _____________.

A
• Exploit
• Risk
• Malicious Actor
• Vulnerability (CORRECT)
EXPLANATION
Cybersecurity risks result from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat in the world of cybersecurity is an outside force that may exploit a vulnerability.
22
Q

Ellen is asked for a code that is sent to her via text (SMS) message during her login process. What concerns should she raise to the manager of her organization’s AAA services?

A
• SMS is secure, and she should not raise a concern.
• SMS messages may be accessible to attackers via VoIP or other systems. (CORRECT)
• SMS should be encrypted to be secure.
• SMS should be paired with a third factor.
EXPLANATION
NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS cannot be encrypted (at least without adding additional applications to phones), and a third factor is typically not a user-friendly recommendation.

23
Q

William is evaluating the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact?

A
• Low (CORRECT)
• Moderate
• High
• Medium
EXPLANATION
FIPS 199 classifies any risk where “the unauthorized disclosure of information could be expected to have a limited adverse effect” as a low impact confidentiality risk.
24
Q

What security control provides Windows administrators with an efficient way to manage system configuration settings across a large number of devices?

A
• HIPS
• Anti-malware
• GPO (CORRECT)
• Patch management
EXPLANATION
Patch management, host intrusion prevention systems (HIPS), and antimalware software are all good host security controls, but only Group Policy Objects (GPOs) provide the ability to configure settings across multiple Windows devices.
25
Q

Which of the following is NOT a part of the vulnerability management lifecycle?

A
• Detection
• Remediation
• Testing
• Investigating (CORRECT)
EXPLANATION
The three phases of the vulnerability management lifecycle are detection, remediation, and testing.
26
Q

Which language would require the use of a decompiler during reverse engineering?

A
• Ruby
• Objective-C (CORRECT)
• Python
• Javascript
EXPLANATION
Ruby, Python, and Javascript are interpreted languages and do not require the use of a decompiler to view the source code.
27
Q

Barbie would like to implement a control that prevents unauthorized users from connecting to her company’s wireless network. What security control best meets this requirement?

A
• Segmentation
• IPS
• Firewall
• NAC (CORRECT)
EXPLANATION
Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection.
28
Q

Chris needs to ensure that accessing a drive to analyze it does not change the contents of the drive. What tools should he use?

A
• Hardware write blocker (CORRECT)
• Forensic drive duplicator
• Software write monitor
• Degausser
EXPLANATION
Hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. Forensic drive duplicators copy drives and validate that they match the original, software write monitors are not used for forensic use like this, and a degausser is used to wipe magnetic media.
29
Q

What is NOT considered part of the Internet of Things?

A
• A Windows 2016 server configured as a domain controller (CORRECT)
• Internet-connected television
• ICS
• SCADA systems
EXPLANATION
Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) are examples of IoT implementations.
30
Q

You are working as a cyber security analyst and you just received a report that many of your servers are experiencing slow response times as a result of what appears to be a DDoS attack. What action do you recommend to solve this issue?

A
• Inform management of the issue being experienced (CORRECT)
• Take no action, but continue to monitor the critical systems
• Shutdown all of the interfaces on the affected servers
• Inform users regarding the affected systems
EXPLANATION
During an incident response, the cyber security analyst should ensure management understands the current status of an incident and recommend the best way ahead. It is up to management to choose the plan of remediation based on a weighing of numerous factors, such as cost, risk, resourcing, threat, etc.

31
Q

A triple-homed firewall normally connects the Internet, a private network, and a _________ network.

A
• GPO
• Subnetted
• NIDS
• DMZ (CORRECT)
EXPLANATION
Demilitarized zone (DMZ) networks are used to host systems that require access from external hosts.
32
Q

Nicole is investigating a security incident at a government agency and discovers that attackers obtained PII. What is the information impact of this incident?

A
• Privacy breach (CORRECT)
• None
• Integrity breach
• Proprietary breach
EXPLANATION
In a privacy breach, sensitive personally identifiable information (PII) was accessed or exfiltrated.
33
Q

You have been asked to recommend a few technologies that are PKI X.509 compliant for use in some secure functions in the organization. What technology would NOT meet the compatibility requirement?

A
• 3DES (CORRECT)
• AES
• PKCS
• SSL/TLS
EXPLANATION
3DES is an older encryption method and is no longer considered secure. Public Key Infrastructure (PKI) relies on X.509 and its associated secure technologies, such as AES, PKCS, and SSL/TLS, in order to perform secure functions.
34
Q

In which tier of the NIST cybersecurity framework does an organization understand its dependencies and partners?

A
• Adaptive
• Repeatable (CORRECT)
• Risk informed
• Partial
EXPLANATION
In the repeatable tier (Tier 3) of the NIST CSF, the organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.
35
Q

TRUE or FALSE: CSIRTs should sometimes include human resource team members.

A
• TRUE (CORRECT)
• FALSE
EXPLANATION
CSIRTs include human resources team members when investigating incidents that may include employee malfeasance.
36
Q

TRUE or FALSE: Organizations may decide not to remediate vulnerabilities because of conflicting business requirements.

A
• TRUE (CORRECT)
• FALSE
EXPLANATION
Organizations may make risk-based decisions not to remediate vulnerabilities. In those cases, they should create a documented exception.
37
Q

Your company is hiring a penetration tester to conduct an assessment, but wants to exclude social engineering from the list of authorized activities. What document given to the penetration testers should include this requirement?

A
• Rules of Engagement (CORRECT)
• Memorandum of Understanding
• Acceptable Use Policy
• Service Level Agreement
EXPLANATION
While the network scope given in the contract documents defines what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc.
38
Q

Jacob discovers a service running on one of the ports known as a registered port while running a port scanner. What does this tell him about the service?

A
• The service’s name
• It is running on a port between 1024 and 49151 (CORRECT)
• The vulnerability status of the service
• It is running on a well-known port (0-1023)
EXPLANATION
John knows that the ports known as “registered ports” exist between 1024 and 49151 and are assigned by the Internet Assigned Numbers Authority, but that using one of those ports is not a guarantee that the service matches what is typically run on it. Discovering a service using a port scanner doesn't necessarily identify the service correctly, and ports between 0 and 1023 are known as the “well-known” or “system” ports.

39
Q

A cyber security analyst has noticed some unusual network traffic occurring from a certain host. This host has been communicating with a known malicious server over an encrypted web tunnel on port 443. The analyst runs a full antivirus scan of the host with an updated antivirus signature file, but the antivirus doesn’t find any sign of an infection. What has MOST likely occurred to the host?

A
• Known malware attack
• Zero-day attack (CORRECT)
• Cookie stealing
• Session hijack
EXPLANATION
Since the latest antivirus signatures were used and still found no signs of infection, it cannot be a known malware attack. Instead, this appears to be a zero-day attack because there is a clear sign of compromise (the web tunnel being established to a known malicious server) and the antivirus doesn't yet have a signature for this indicator of compromise.
40
Q

A software assurance laboratory is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. In what phase of the SDLC does fuzzing occur?

A
• Planning phase
• Static code analysis
• Requirements phase
• Prototyping phase (CORRECT)
EXPLANATION
During the prototyping phase, security testers can implement fuzzing techniques to find vulnerabilities by conducting a dynamic assessment on a given application.
41
Q

Edward’s IDS reports that ports 1 to 1024 received SYN packets from a remote host. What has likely happened to cause this traffic?

A
• UDP probe
• Remote host cannot find the right service port
• Port scan (CORRECT)
• SYN flood
EXPLANATION
A SYN scan may connect to each possible open port on a remote system, triggering an IDS. While scanners support more stealthy scans, default scans may connect to each port in turn. Remote hosts will typically connect to only a single port associated with a service, a SYN flood normally sends many SYNs to a single system but doesn't send them to unused ports, and a UDP probe will not send SYN packets.
42
Q

A network tap is typically associated with which type of monitoring?

A
• Active
• SNMP
• Passive (CORRECT)
• Router-based
EXPLANATION
Network taps are devices that allow a copy of network traffic to be captured for analysis. They are often used for passive network monitoring where they can provide visibility without interfering with the network traffic itself.
43
Q

A cyber security technician has been running an intensive vulnerability scan to detect which ports might be open to exploitation. But, during the scan, one of the network services became disabled and this impacted the production server. What information source could be used to evaluate which network service was interrupted?

A
• Syslog (CORRECT)
• NIDS
• Firewall logs
• Network mapping
EXPLANATION
The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.
44
Q

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever technically possible. What should you do?

A
• Change all devices and servers that support it to port 636, as encrypted services run by default on port 636. (CORRECT)
• Change all devices and servers that support it to port 636, as port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks.
• Correct the audit; this finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636.
• Correct the audit; this finding is a well-known false positive; the services that typically run on 389 and 636 are identical.
EXPLANATION
LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP, but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.

45
Q

Which tool would allow you to conduct operating system fingerprinting, which typically relies on responses to TCP/IP stack fingerprinting techniques?

A
• scanf
• msconfig
• dd
• nmap (CORRECT)
EXPLANATION
OS identification relies on differences in how operating systems and even operating system versions respond, what TCP options they support, what order they send packets in, and other details that, when combined, can provide a reasonably unique fingerprint for a TCP stack.
46
Q

You are a cyber security analyst who has been given the output from a system administrator’s Linux terminal.
Based on the output provided, which of the following statements is TRUE?

BEGIN OUTPUT
# nmap win2k12.local
Nmap scan report for win2k12 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

# nc win2k12.local 80
220 win2k12.local BeverageCorp SMTP Server (Postfix/2.4.1)
# nc win2k12.local 22
SSH-2.0-OpenSSH_7.2 Debian-2

END OUTPUT

A
• Your web server has been compromised
• Your email server is running on a non-standard port (CORRECT)
• Your email server has been compromised
• Your organization has a vulnerable version of the SSH server software installed
EXPLANATION
As shown in the output of the nmap scans, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner that is provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) is running on a non-standard port.

47
Q

What provides the detailed, tactical information that CSIRT members need when responding to an incident?

A
• Procedures (CORRECT)
• Instructions
• Guidelines
• Policies
EXPLANATION
Procedures provide detailed, tactical information to the CSIRT. They represent the collective wisdom of team members and subject-matter experts.
48
Q

TRUE or FALSE: PCI DSS requires the use of an outside consultant to perform internal vulnerability scans.

A
• TRUE
• FALSE (CORRECT)
EXPLANATION
PCI DSS only requires that internal scans be conducted by “qualified personnel”, and internal employees may be used.
49
Q

What secure coding practice helps to ensure characters like , /, and ? are not accepted from the data provided by users?

A
• User input validation (CORRECT)
• Error message management
• Risk assessment
• User output validation
EXPLANATION
User input validation is a critical control in secure coding efforts. It seeks to remove dangerous inputs and to make sure that applications only receive the inputs that they expect and can handle.
50
Q

What technology is not PKI x.509 compliant and CANNOT be used in a variety of secure functions?

A
• PKCS
• SSL/TLS
• AES
• IDEA (CORRECT)
EXPLANATION
AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes.
51
Q

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?

A
• Technical architecture (CORRECT)
• Data architecture
• Applications architecture
• Business architecture
EXPLANATION
TOGAF divides architecture into four domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to business processes. Data architecture provides the organization's approach to storing and managing information assets. Technical architecture describes the infrastructure needed to support the other architectural domains.
52
Q

Vulnerability scans must be conducted on a continuous basis in order to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cyber security analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. What should the analyst do next?

A
• The analyst should wait to perform any additional scanning until the current list of vulnerabilities has been remediated fully.
• The analyst should place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities.
• The analyst should filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first. (CORRECT)
• The analyst should attempt to identify all the false positives and exceptions, then resolve all the remaining items.
EXPLANATION
PHI is an abbreviation for Personal Health Information. When attempting to remediate a large number of vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, the regulatory requirement is to ensure the security of the PHI data, so those assets that are critical to that operation, or machines that are of the highest risk, should be prioritized to receive remediation first.

53
Q

A cyber security professional visited an e-commerce website by typing in its URL and found that the administrative web frontend for its backend e-commerce application is accessible over the Internet and is only being protected by the default password. What three things should the analyst recommend to the website owner in order to MOST securely remediate this discovered vulnerability?

A

Change the default password, whitelist all specific IP blocks, and require two-factor authentication

Red Team all corporate IP blocks, require an alphanumeric passphrase for the default password, and require two-factor authentication

Rename the URL to a more obscure name, whitelist all corporate IP blocks, and require two-factor authentication

Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication for access
(CORRECT)
EXPLANATION
Since the application was only protected by the default password, the username and password should be changed immediately to increase the security of the application. Since this is an administrative frontend, only a few machines should require access; their IP addresses should be specifically added to the whitelist, with all other machines denied access to the administrative frontend. Finally, since this is an administrative frontend, it is a best practice to utilize two-factor authentication in order to most effectively secure the application from attack.

54
Q

What provides a standard nomenclature for describing security-related software flaws?

A
Patch
•	 
SOX
•	 
CVE
(CORRECT)
•	 
Vulnerability
EXPLANATION
Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws.
55
Q

What is NOT a means of improving data validation and trust?

A
Using MD5 checksums for files
•	 
Implementing Tripwire
•	 
Decrypting data at rest
(CORRECT)
•	 
Encrypting data in transit
EXPLANATION
While encrypting data, hashing files using MD5 to check against known valid checksums, and implementing a file integrity monitor are all methods of improving data validation and trust, decrypting data at rest does not improve your ability to trust it!
56
Q

Your organization wants to update its Acceptable User Policy (AUP) to incorporate its newly implemented password standard that requires the sponsored authentication of guest wireless devices. What should be added to the AUP to support this new requirement?

A

Network authentication of all guest users should occur using 802.1x backed by a RADIUS server

Guests using the wireless network should provide valid identification when registering their wireless devices
(CORRECT)

Sponsored guest passwords must be at least 14 characters in length, contain uppercase and lowercase letters, and contain at least 2 symbols

Wireless infrastructure should use open authentication standards
EXPLANATION
Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless devices and an employee to validate their need for access (thereby “sponsoring” the guest).

57
Q

An incident responder is reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data in memory. What type of threat did the incident responder MOST likely uncover?

A
Ransomware
•	 
Rootkit
•	 
Key logger
•	 
POS malware
(CORRECT)
EXPLANATION
POS malware focuses on retail terminals like cash registers and other Point of Sale systems.
58
Q

A cybersecurity analyst has received an alert that well-known “call home” messages are continuously observed by network sensors at the network boundary. The good news is that the proxy firewall was properly configured to successfully drop the messages prior to them leaving the network. These “call home” messages have been determined to be a true positive. What is MOST likely the cause?

A

Attackers are running reconnaissance on company resources

An infected system is running a command that is attempting to reach a botnet’s command and control server
(CORRECT)

Malware is running on a company workstation or server

A malicious insider is trying to exfiltrate information to a remote network
EXPLANATION
The “call home” message is indicative of beaconing. This usually occurs after a stage 1 malware has been implanted on a company’s workstation or server, but the more CORRECT answer is that this infected system is running a command that is attempting to reach a botnet’s command and control server. This beaconing will continue until the infected host (workstation or server) is found and cleared of the malware, or until the botnet gives the infected host further instructions (such as to attack).

59
Q

What is the term for the company’s willingness to tolerate risk in their computing environment?

A
risk avoidance
•	 
risk acceptance
•	 
risk appetite
(CORRECT)
•	 
risk mitigation
EXPLANATION
An organization's willingness to tolerate risk in their computing environment is known as the organization's risk appetite.
60
Q

Which authentication protocol was designed by Cisco to provide authentication, authorization, and accounting services?

A
CHAP
•	 
RADIUS
•	 
TACACS+
(CORRECT)
•	 
Kerberos
EXPLANATION
Cisco's TACACS+ is an extension to TACACS, the Terminal Access Controller Access Control System. RADIUS and Kerberos are both authentication protocols but were not designed by Cisco. CHAP is the Challenge-Handshake Authentication Protocol.
61
Q

What protocol is commonly used to collect information about CPU utilization and memory usage from network devices?

A
SNMP
(CORRECT)
•	 
Netflow
•	 
MIB
•	 
SMTP
EXPLANATION
Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status including CPU and memory utilization as well as many other useful details about the device. Netflow provides information about network traffic, MIB is a management information block, and SMTP is the Simple Mail Transfer Protocol.
62
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public internet-facing IP addresses. In order to reduce the risk of a breach, what vulnerability should be prioritized for remediation first?

A

An HTTP response that reveals an internal IP address

A cryptographically weak encryption cipher

A buffer overflow that is known to allow remote code execution
(CORRECT)

A website utilizing a self-signed SSL certificate
EXPLANATION
The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow is known to allow remote code execution, it must be mitigated first to most effectively prevent a security breach.

63
Q

Lynne’s company recently suffered an attack where an employee made an unauthorized modification to payroll records. What tenet or objective of cybersecurity did this attack violate?

A
Availability
•	 
Confidentiality
•	 
Authentication
•	 
Integrity
(CORRECT)
EXPLANATION
Integrity ensures that no unauthorized modifications are made to information. The attack described here violates the integrity of payroll information.
64
Q

Johnny wants to make sure he receives logs for his Cisco devices that indicate when they shut down due to failure. What log level should Johnny configure his devices to use in order to receive these types of messages?

A
7
•	 
2
•	 
0
(CORRECT)
•	 
5
EXPLANATION
Cisco log levels range from 0 for emergencies to 7 for debugging.
65
Q

Joe and Mary work together to review Joe’s code, with Joe explaining the code he wrote as Mary reviews it. What code review technique are Joe and Mary using?

A
Tool assisted review
•	 
Pair programming
•	 
Dual control
•	 
Over-the-shoulder
(CORRECT)
EXPLANATION
Over-the-shoulder code reviews rely on a programmer explaining their code to a peer, providing a chance for review and better understanding for both coders. Pair programming alternates between programmers, with one strategizing and reviewing it while the other writes code. Dual control is a personnel security process, and tool-assisted reviews are conducted using a software tool.
66
Q

What is NOT a vulnerability scanning tool?

A
Zap
(CORRECT)
•	 
Nessus
•	 
Nexpose
•	 
QualysGuard
EXPLANATION
Zap is an application proxy. Nessus, QualysGuard, and Nexpose are all vulnerability scanners.
67
Q

You have been asked to remediate a vulnerability in a server. Once you have located a patch for the vulnerability, what should you do NEXT?

A

Establish continuous monitoring

Rescan the server to ensure the vulnerability still exists

Submit a Request for Change to begin the change management process
(CORRECT)

Start the incident response process
EXPLANATION
Before any change to a baseline occurs, a Request for Change must be submitted, which in turn starts the change management process. Once approved, the patch should be installed on the server, and then the server should be rescanned to ensure the vulnerability no longer exists.

68
Q

A software assurance laboratory is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. What software assessment capability was the lab performing?

A
Static code analysis
•	 
Known bad data
•	 
Sequential data sets
•	 
Fuzzing
(CORRECT)
EXPLANATION
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.
69
Q

Betsy has been asked to perform an architectural review and uses a view that focuses on the technologies, settings, and configurations used in the architecture. What view is she using?

A
Technical view
(CORRECT)
•	 
Logical view
•	 
Operational view
•	 
Acquisition view
EXPLANATION
Technical views focus on technologies, settings, and configurations. Operational views look at how a function is performed or what it accomplishes, while a logical view describes how systems interconnect. Acquisition views focus on the procurement process.
70
Q

You are a cyber security analyst and just received the following results from a scan:

A

173.12.15.23 might be infected with a trojan

192.168.3.145 might be infected with a trojan

This appears to be normal network traffic
(CORRECT)

192.168.3.145 might be infected with a worm
EXPLANATION
This appears to be normal network traffic. First, a DNS lookup was performed for a website, then a connection was made to the website. The final two entries appear to be inbound requests to port 443 and port 8080, both of which were sent a RST by the host's firewall since it isn't running those services.

71
Q

Which type of attacker is sophisticated, highly organized, and typically sponsored by a nation-state?

A
Ethical hacker
•	 
Advanced Persistent Threat
(CORRECT)
•	 
Script kiddies
•	 
Hacktivists
EXPLANATION
Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government.
72
Q

What version of web encryption should be used currently in order to avoid the security vulnerabilities from earlier versions?

A
SSLv1
•	 
SSLv3
•	 
SSLv2
•	 
TLS
(CORRECT)
EXPLANATION
No version of SSL should be used. Administrators should instead configure TLS.
73
Q

Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. The critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server from over the Internet. However, you just ran a vulnerability assessment scan of the network and found that all of the servers are still being reported as having the vulnerability. Why is the scan report still showing a vulnerability even though the patch was installed by the system administrators?

A

You scanned the wrong IP range during your vulnerability assessment

You did not wait enough time after applying the patch before running the vulnerability assessment scan

Your vulnerability assessment scan is returning false positives

The critical patch did not remediate the vulnerability
(CORRECT)
EXPLANATION
If the patch was installed properly (which the question states it was), then the only reasonable answer is that the critical patch was coded incorrectly and does not actually remediate the vulnerability. While most operating system vendors do test their patches prior to release, extremely critical patches are sometimes rushed out to customers; when such a patch doesn’t actually remediate the vulnerability, a second patch will be required.

74
Q

A cyber security analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW for an upcoming assessment of a client’s network. What information is traditionally found in the SOW?

A
Timing of the scan
•	 
Maintenance windows
•	 
Excluded hosts
(CORRECT)
•	 
Contents of the executive summary report
EXPLANATION
It is routine and normal that the Scope of Work (SOW) contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside the scope of the assessment.
75
Q

Liberty Beverages allows its visiting business partners from SodaCorp to use an available Ethernet port in the Liberty Beverage conference rooms when they are in the building. This access is provided to allow employees of SodaCorp to have the ability to establish a VPN connection back to the SodaCorp network. You have been tasked to ensure that SodaCorp employees can gain direct Internet access from the Ethernet port in the conference room only. But, if a Liberty Beverage employee uses the same Ethernet port, they should be able to access Liberty’s internal network, as well. What should you use to ensure this capability?

A
MAC
•	 
ACL
•	 
NAC
(CORRECT)
•	 
SIEM
EXPLANATION
NAC should be used, so that a connecting laptop can be scanned to determine whether it meets the normal baseline for a Liberty Beverage laptop. If it does, it can be given access to the company's internal network. If not, it can be placed in a different subnet and given access only to the Internet.
76
Q

You have been asked by the Security Operations Center Manager to look over a recent network utilization report because he fears that something may be wrong. The report is as follows:

IP Address   Server Name   Server Uptime     Historical   Current

168.20.2     web01         7D 12H 32M 06S    42.6 GB      44.1 GB
168.20.3     webdev02      4D 07H 12M 45S    1.95 GB      2.13 GB
168.20.4     dbsvr01       12D 02H 46M 14S   3.15 GB      24.6 GB
168.20.5     marketing01   2D 17H 18M 41S    5.2 GB       4.9 GB

Based on the report provided, what server do you think your cyber security analysts need to investigate further?

A
webdev02
•	 
web01
•	 
marketing01
•	 
dbsvr01
(CORRECT)
EXPLANATION
You should consider investigating the dbsvr01 due to the very large increase in network utilization. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This is indicative of a possible data breach and data exfiltration.
77
Q

TRUE or FALSE: Discovery scans provide organizations with an automated way to identify hosts on a network and build an asset inventory.

A
FALSE
•	 
TRUE
(CORRECT)
EXPLANATION
Discovery scans provide organizations with an automated way to identify hosts on a network and build an asset inventory.
78
Q

What technique is a penetration tester using if they are reviewing data and publicly available information to gather intelligence about a target organization without scanning or other technical information gathering activities?

A
Vulnerability scanning
•	 
Patch management
•	 
Active footprinting
•	 
Passive footprinting
(CORRECT)
EXPLANATION
Passive footprinting combines publicly available data from a variety of sources about an organization and does not use active scanning or data gathering methods.
79
Q

What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker?

A
DNS registration
•	 
DNSSEC
•	 
Zone transfers
(CORRECT)
•	 
AXR
EXPLANATION
Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but they could also be used by an attacker for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers. (AXR was a made-up term to confuse you with AXFR, which is the command used to conduct a zone transfer.)
80
Q

Timmy, a cyber security analyst, has just received some unusual alerts on his SIEM dashboard. He wants to collect the payloads that the hackers are sending toward the target systems without impacting his company’s business operation. What should he implement to most effectively collect these payloads?

A
Sandboxing
•	 
Jump box
•	 
Honeypot
(CORRECT)
•	 
Virtualization
EXPLANATION
A honeypot is a system intentionally designed to appear vulnerable. It acts as a type of bait for hackers to go after and allows security analysts to observe the hacker's methods, techniques, and payloads.
81
Q

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?

A
Disposition
•	 
Development
•	 
Training and Transition
(CORRECT)
•	 
Operations and Maintenance
EXPLANATION
The Training and Transition phase ensures that end users are trained on the software and that the software has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase.
82
Q

What containment technique is the strongest possible response to an incident?

A
Removal
(CORRECT)
•	 
Isolating the attacker
•	 
Segmentation
•	 
Isolating affected systems
EXPLANATION
Removal of a compromised system is the strongest available containment technique. The affected system is completely disconnected from other networks.
83
Q

John is a cybersecurity analyst who has been asked to review several SIEM event logs for APT activity. He was given several pieces of information, including lists of indicators for domain names and some IP addresses. What is the BEST action for John to take in order to analyze the possible APT activity?

A

Analyze the trends of the events while manually reviewing them to see if any indicators match
(CORRECT)

Use the IP addresses to search through the event logs

Scan for vulnerabilities with exploits known to previously have been used by an APT

Create an advanced query that includes all of the indicators and review any matches
EXPLANATION
While all of the answers could provide some insight into the APT's actions, only “Analyze the trends of the events while manually reviewing them to see if any indicators match” will effectively answer this question. If you only use the IP addresses to search the event logs, you would miss any events that correlated only to the domain names. If you create an advanced query with ALL of the indicators, your search of the event logs will find nothing, because no single event will include ALL of these IPs and domain names. Finally, while scanning for vulnerabilities known to have been used by the APTs is a good practice, it would only be effective in determining how to stop future attacks from occurring, not for piecing together whether or not an attack has already occurred.

84
Q

Mary Beth is preparing her organization for the required quarterly PCI DSS external vulnerability scan. Who can perform this scan?

A
Anyone
•	 
Only an approved scanning vendor
(CORRECT)
•	 
Only employees of the company
•	 
Any qualified individual
EXPLANATION
The required quarterly external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV).
85
Q

What is NOT a good source of information to validate scan results?

A
An analyst's "gut feeling"
(CORRECT)
•	 
SIEM systems
•	 
Log files
•	 
Configuration Management Systems
EXPLANATION
Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources including logs, SIEM systems, and configuration management systems.