Exam 1 Flashcards

1
Q

You identified a critical vulnerability in one of your organization’s databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening’s change? (SELECT ALL THAT APPLY)

a. Validate the installation of the patch in a staging environment.
b. Document the change in the change management system
c. Take the opportunity to install a new feature pack that has been requested.
d. Ensure all stakeholders are informed of the planned outage.
e. Identify any potential risks associated with installing the patch.
f. Take the server offline at 10 PM in preparation for the change.

A

Validate the installation of the patch in a staging environment.

Document the change in the change management system

Ensure all stakeholders are informed of the planned outage.

Identify any potential risks associated with installing the patch.

2
Q

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?

a. Credit card information
b. Protected health information
c. Personally identifiable information
d. Trade secret information

A

Protected health information

3
Q

You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list?

a. Obscure web interface locations
b. Implement identity and authentication controls
c. Leverage security frameworks and libraries
d. Implement appropriate access controls

A

Obscure web interface locations

4
Q

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:

Based on the output, what type of password cracking method does Jason’s new tool utilize?

a. Hybrid attack
b. Rainbow attack
c. Dictionary attack
d. Brute force attack

A

Hybrid attack

5
Q

A new security appliance was installed on the network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern about the appliance updates?

a. Vulnerability scanning
b. Configuration management
c. Scan and patch the device
d. Automatic updates

A

Vulnerability scanning

6
Q

Which type of threat will patches NOT effectively combat as a security control?

a. Malware with defined indicators of compromise
b. Discovered software bugs
c. Zero-day attacks
d. Known vulnerabilities

A

Zero-day attacks

7
Q

Which of the following options places the correct phases of the Software Development Lifecycle’s waterfall method in the correct order?

a. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance
b. Requirements analysis, planning, design, implementation, testing, deployment, maintenance
c. Planning, requirements analysis, design, implementation, deployment, testing, maintenance
d. Requirements analysis, planning, design, implementation, deployment, testing, maintenance

A

Requirements analysis, planning, design, implementation, testing, deployment, maintenance

8
Q

Which of the following is typically used to secure the CAN bus in a vehicular network?

a. Airgap
b. Endpoint protection
c. UEBA
d. Anti-virus

A

Airgap

9
Q

You have tried to email yourself a file named “passwords.xlsx” from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred?

a. Blocking
b. Alert only
c. Quarantine
d. Tombstone

A

Tombstone

Tombstone remediation quarantines the original file and replaces it with one describing the policy violation.

10
Q

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24-hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?

a. Conduct full backups daily to tape
b. Create a daily incremental backup to tape
c. Create disk-to-disk snapshots of the server every hour
d. Configure replication of the data to a set of servers located at a hot site

A

Create a daily incremental backup to tape

11
Q

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

a. Processor utilization
b. Organizational governance
c. Log disposition
d. Virtual hosts

A

Virtual hosts

12
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

a. Data owner
b. Privacy officer
c. Data custodian
d. Data steward

A

Data owner

13
Q

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?

a. Integrity breach
b. Financial breach
c. Proprietary breach
d. Privacy breach

A

Privacy breach

14
Q

You just received a notification that your company’s email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

a. The full email header from one of the spam messages
b. The SMTP audit log from your company’s email server
c. Firewall logs showing the SMTP connections
d. Network flows for the DMZ containing the email servers

A

The full email header from one of the spam messages

15
Q

You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement?

a. Single sign-on
b. Password complexity
c. Context-based authentication
d. Self-service password reset

A

Context-based authentication

16
Q

Which of the following vulnerability scans would provide the best results if you want to determine if the target’s configuration settings are correct?

a. Internal scan
b. Credentialed scan
c. External scan
d. Non-credentialed scan

A

Credentialed scan

17
Q

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

a. Anomaly
b. Trend
c. Heuristic
d. Behavior

A

Behavior

18
Q

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud?

a. Span multiple virtual disks to fragment data
b. Use full-disk encryption
c. Zero-wipe drives before moving systems
d. Use data masking

A

Use full-disk encryption

19
Q

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?

a. True positive
b. True negative
c. False negative
d. False positive

A

False positive

20
Q

You are analyzing the following network utilization report because you suspect one of the servers has been compromised.

Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?

a. marketing01
b. dbsvr01
c. web01
d. webdev02

A

dbsvr01

21
Q

Which of the following functions is not provided by a TPM?

a. Secure generation of cryptographic keys
b. Sealing
c. Binding
d. Random number generation
e. Remote attestation
f. User authentication

A

User authentication

22
Q

A company’s NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?

a. Enable NetFlow compression
b. Enable full packet capture
c. Enable QoS
d. Enable sampling of the data

A

Enable sampling of the data

23
Q

Which of the following types of encryption would ensure the best security of a website?

a. SSLv1
b. SSLv3
c. TLS
d. SSLv2

A

TLS

OBJ-2.1: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, which developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Sockets Layer has three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.

24
Q

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?

a. Exact data match
b. Document matching
c. Classification
d. Statistical matching

A

Exact data match

OBJ-3.2: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers’ fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses artificial intelligence or machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

25
Q

Which of the following tools is useful for capturing Windows memory data for forensic analysis?

a. Nessus
b. dd
c. Wireshark
d. Memdump

A

Memdump

OBJ-4.4: Memdump, the Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use. The dd tool is used to create forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.

26
Q

Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate?

a. Unpatched operating systems on the server
b. SQL injections
c. Cross-site scripting
d. An endpoint security failure

A

An endpoint security failure

OBJ-3.1: In a SaaS model, the consumer has to ensure that the endpoints being used to access the cloud are secure. Since the consumer owns the endpoint (laptop, desktop, tablet, smartphone, etc.), they are responsible for securing it. The entire concept behind using a SaaS product is that the service provider will patch the servers’ underlying operating systems, create secure software that isn’t vulnerable to SQL injection or cross-site scripting attacks, and ensure proper operations and maintenance of the backend systems.

27
Q

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?

a. Social engineering
b. Phishing
c. Privilege escalation
d. Session hijacking

A

Privilege escalation

OBJ-4.3: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

28
Q

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne’s existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:

https://www.whamiedyne.com/app/accountInfo?acct=12345

You change the URL to end with 12346 and notice that a different user’s account information is displayed. Which of the following types of vulnerabilities or threats have you discovered?

a. XML injection
b. SQL injection
c. Race condition
d. Insecure direct object reference

A

Insecure direct object reference

OBJ-2.2: This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. In a SQL injection attack, an attacker adds code to some input within the web app, causing it to execute the attacker’s own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability where the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the developer’s intended order and timing, which is not the case in this scenario.

29
Q

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter?

a. NTFS
b. exFAT
c. FAT32
d. HFS+

A

HFS+

OBJ-4.4: The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by the macOS system. NTFS is not supported by macOS without additional drivers and software tools.

30
Q

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

a. DLP
b. SSL
c. MDM
d. UTM

A

DLP

31
Q

A SOC analyst has detected the repeated usage of a compromised user credential on the company’s email server. The analyst sends you an email asking you to check the server for indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase?

a. Develop a communications plan that includes provisions for how to operate in a compromised environment
b. Prepare a jump bag kit for use in the investigation
c. Perform a data criticality and prioritization analysis
d. Conduct training on how to search for indicators of compromise

A

Develop a communications plan that includes provisions for how to operate in a compromised environment

32
Q

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal, typed ‘history’ at the prompt, and see the following output:

> echo 127.0.0.1 diontraining.com >> /etc/hosts

Which of the following best describes what action was performed by this line of code?

a. Attempted to overwrite the host file and deleted all data except this entry
b. Routed traffic destined for the localhost to the diontraining.com domain
c. Added the website to the system’s allow list in the hosts file
d. Routed traffic destined for the diontraining.com domain to the localhost

A

Routed traffic destined for the diontraining.com domain to the localhost

33
Q

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?

a. Adversary capability set
b. Attack surface
c. Threat model
d. Attack vector

A

Attack surface

OBJ-1.2: The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct its attack.

34
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company from an incident. Which of the following best describes the company’s risk response?

a. Acceptance
b. Transference
c. Avoidance
d. Mitigation

A

Transference

OBJ-5.2: Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing an activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

35
Q

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file’s data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data?

a. Carving
b. Hashing
c. Overwrite
d. Recovery

A

Carving

OBJ-4.4: File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type. Hashing is a function that converts an arbitrary length string input to a fixed-length string output. Overwrite is a method of writing random bits or all zeros over a hard disk to sanitize it. Recovery is a generic term in forensics, cybersecurity incident response, and other portions of the IT industry, therefore it is not specific enough to be the correct option.

36
Q

Which of the following secure coding practices ensures a character like < is translated into the &lt; string when writing to an HTML page?

a. Input validation
b. Error handling
c. Output encoding
d. Session management

A

Output encoding

OBJ-2.2: Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.

37
Q

What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system?

a. Banner grabbing and UDP response timing
b. Using the -O option in nmap and UDP response timing
c. Banner grabbing and comparing response fingerprints
d. Comparing response fingerprints and registry scanning

A

Banner grabbing and comparing response fingerprints

OBJ-1.4: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

38
Q

Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1?

a. tcpdump -i eth0 src 10.10.1.1
b. tcpdump -i eth0 host 10.10.1.1
c. tcpdump -i eth0 proto 10.10.1.1
d. tcpdump -i eth0 dst 10.10.1.1

A

tcpdump -i eth0 host 10.10.1.1

The host option specifies a filter to capture all traffic going to (destination) and from (source) the designated IP address. If the DST filter is used, this only captures data going to the designated IP address. If the SRC filter is used, this only captures data going from the designated IP. If the proto filter is used, this will capture all traffic going to or from a designated port, such as FTP if proto 21 was used.

39
Q

You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?

a. NAC
b. ACL
c. SPF
d. MAC filtering

A

NAC

OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during email delivery.

40
Q

A cybersecurity analyst reviewed the logs of a proxy server and saw the following URL: https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

a. Returns all web pages containing the text diontraining.com
b. Returns all web pages hosted at diontraining.com
c. Returns all web pages containing an email address affiliated with diontraining.com
d. Returns no useful results for an attacker

A

Returns all web pages containing an email address affiliated with diontraining.com

OBJ-1.3: Google interprets this statement as *@diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded form of the @ symbol. The * is a wildcard character, meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the “site:” modifier in the query. To return all web pages with the text diontraining.com, enter “diontraining.com” into the Google search bar with no modifiers to return those results.

41
Q

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command.)

a. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
b. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo
c. journalctl _UID=1003 | grep -e 1003 | grep sudo
d. journalctl _UID=1003 | grep sudo

A

journalctl _UID=1003 | grep sudo

OBJ-3.1: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we can send that list of entries into the grep command as input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering “journalctl _UID=1003 | grep sudo” in the terminal. Don’t be afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn’t need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.

42
Q

You are investigating a suspected compromise. You have noticed several files that you don’t recognize. How can you quickly and effectively check if the files have been infected with malware?

a. Scan the files using a local anti-virus/anti-malware engine
b. Run the Strings tool against each file to identify common malware identifiers
c. Submit the files to an open-source intelligence provider like VirusTotal
d. Disassemble the files and conduct static analysis on them using IDA Pro

A

Submit the files to an open-source intelligence provider like VirusTotal

OBJ-4.2: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

43
Q

Which of the following must be combined with a threat to create risk?

a. Vulnerability
b. Mitigation
c. Malicious actor
d. Exploit

A

Vulnerability

44
Q

You are attempting to prioritize your vulnerability scans based on the data’s criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?

a. The depreciated hardware cost of the system
b. The cost of acquisition of the system
c. The cost of hardware replacement of the system
d. The type of data processed by the system

A

The type of data processed by the system

OBJ-4.2: The data’s asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

45
Q

Fail to Pass Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to the personally owned smartphone of an employee in the accounting department, which was connected to the company’s wireless network. The smartphone has now been isolated from the network, but the employee refuses to allow you to image their smartphone to complete your investigation forensically. According to the employee, the company’s BYOD policy does not require her to give you her device, and it is an invasion of their privacy. Which of the following phases of the incident response process is at fault for creating this situation?

a. Containment phase
b. Preparation phase
c. Detection and analysis phase
d. Eradication and recovery phase

A

Preparation phase

OBJ-5.1: As part of the preparation phase, obtaining authorization to seize devices (including personally owned electronics) should have been made clear and consented to by all employees. If the proper requirements were placed into the BYOD policy before the incident occurred, this would have prevented this situation. Either the employee would be willing to hand over their device for imaging following the BYOD policy, or they would never have connected their device to the company wireless network in the first place if they were concerned with their privacy and understood the BYOD policy. Based on the scenario provided, the detection and analysis phase was conducted properly since the analyst was able to identify the breach and detect the source. The containment phase would be responsible for the segmentation and isolation of the device which has occurred. Eradication and recovery would involve patching, restoring, mitigating, and remediating the vulnerability, which was the employee’s smartphone. Evidence retention is conducted in post-incident activities, but this cannot be done due to the lack of proper preparation concerning the BYOD policy.

46
Q

A cybersecurity analyst is reviewing the logs of an authentication server and sees the following output:

What type of attack was most likely being attempted by the attacker?

a. Brute force
b. Password spraying
c. Credential stuffing
d. Impersonation

A

Brute force

Brute force: Uses multiple passwords against a single user account

Password spraying: Uses one or two passwords against multiple user accounts

Credential stuffing: automated injection of breached username/password pairs to fraudulently gain access to user accounts. A subset of brute force attacks. Large numbers of spilled credentials are entered into websites until they are matched to an existing account.

Impersonation: the act of pretending to be another person for fraudulent purposes

47
Q

As a newly hired cybersecurity analyst, you are attempting to determine your organization’s current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company’s public-facing IP space?

a. Review network diagrams
b. Shodan.io
c. nmap
d. Google hacking

A

Shodan.io

48
Q

Which of the following tools could be used to detect unexpected output from an application being managed or monitored?

a. A signature-based detection tool
b. Manual analysis
c. A behavior-based analysis tool
d. A log analysis tool

A

A behavior-based analysis tool

A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs.

Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future.

Manual analysis requires a person to read all the output and determine if it is erroneous.

A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

49
Q

The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation?

a. CPU cache, RAM, Swap, Hard drive
b. Hard drive, Swap, CPU cache, RAM
c. RAM, CPU cache, Swap, Hard drive
d. Swap, RAM, CPU cache, Hard drive

A

CPU cache, RAM, Swap, Hard drive

You should collect the most volatile memory first.

50
Q

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders’ and attackers’ technical environment during the exercise?

a. White team
b. Red team
c. Purple team
d. Blue team

A

White team

White team - acts as judges, resolves problems that arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems.

Red team - A group authorized and organized to emulate a potential adversary’s attack or exploitation capabilities

Blue team - A group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers

Purple team - Made up of blue and red team members who work together

51
Q

Review the network diagram below.

Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)?

a. 192.168.1.12, 172.16.1.3, 445, UDP, DENY
b. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW
c. 172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW
d. 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW

A

172.16.1.3, 192.168.1.12, 445, TCP, ALLOW

OBJ-3.2: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR and Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).

52
Q

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace?

a. Entrepreneurship
b. Counterfeiting
c. Recycling
d. Capitalism

A

Counterfeiting

53
Q

Which of the following would be used to prevent a firmware downgrade?

a. eFUSE
b. SED
c. TPM
d. HSM

A

eFUSE

eFUSE - Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip to prevent firmware downgrades.

SED - Self-encrypting drives; uses cryptographic operations performed by the drive controller to encrypt a storage device’s contents

TPM - Trusted platform module; a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information.

HSM - Hardware security module; an appliance for generating and storing cryptographic keys

54
Q

William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the data?

a. Low
b. High
c. Moderate
d. Medium

A

Low

Low - A low impact confidentiality risk

Moderate - A moderate impact

High - A severe or catastrophic impact

Medium is not an impact measurement.

55
Q

After 9 months of C++ programming, the team at Whammiedyne Systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor and will cost $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects?

a. DevSecOps
b. Waterfall model
c. DevOps
d. Agile Model

A

DevSecOps

DevSecOps - a combination of software development, security operations, and systems operations; refers to the practice of integrating each discipline with the others.

Waterfall Model - cascades the phases of the SDLC (software development life cycle) so that each phase will start only when all of the tasks identified in the previous phase are complete.

DevOps - incorporates IT staff but does not include security personnel

Agile model - focuses on iterative and incremental development to account for evolving requirements and expectations

56
Q

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?

a. Conduct a Nessus scan of the FIREFLY server
b. Harden the DEV_SERVER7 server
c. Logically isolate the PAYROLL_DB server from the production network
d. Conduct a data criticality and prioritization analysis

A

Conduct a data criticality and prioritization analysis

Because we do not know what type of data is stored on these servers, the data analysis should be performed first.

57
Q

Which of the following sets of Linux permissions is ordered from least permissive to most permissive?

a. 544, 444, 545
b. 777, 444, 111
c. 111, 737, 747
d. 711, 717, 117

A

111, 737, 747

4+2+1 (read/write/execute)

58
Q

Your organization has recently suffered a data breach due to a server being exploited. As part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?

a. Deploy a new group policy
b. Create a new security group
c. Utilize the key escrow process
d. Revoke the digital certificate

A

Deploy a new group policy

59
Q

Which of the following is usually not considered when evaluating the attack surface of an organization?

a. Websites and cloud entities
b. External and internal users
c. Software applications
d. Software development lifecycle model

A

Software development lifecycle model

60
Q

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit?

a. Sensitive data exposure
b. Broken authentication
c. Dereferencing
d. Race condition

A

Race condition

Race condition - this occurs when the outcome from execution processes is directly dependent on the order and timing of certain events. In this case, the hacker’s exploit races to modify the config file before the application reads it.

Dereferencing - attempts to access a pointer that references an object at a particular memory location

61
Q

What document typically contains high-level statements of management intent?

a. Guideline
b. Standard
c. Policy
d. Procedure

A

Policy

Policies - high-level statements of management intent

Procedures - describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy.

Standards - describe specific products, configurations, or other mechanisms to secure the systems

Guideline - a recommendation that can specify the methodology that is to be used

62
Q

What tool is used to collect wireless packet data?

a. Aircrack-ng
b. Nessus
c. John the Ripper
d. Netcat

A

Aircrack-ng

63
Q

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from?

a. dir bash
b. which bash
c. printenv bash
d. ls -l bash

A

which bash

ls - list the current directory and show any files or folders named bash

dir - lists the contents of a directory

printenv - prints the value of the specified environment variable, bash in the above case

64
Q

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name?

a. SMTP
b. DKIM
c. DMARC
d. SPF

A

DKIM

DKIM - DomainKeys Identified Mail; provides a cryptographic authentication mechanism. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server.

SPF - Sender Policy Framework; uses a DNS record published by an organization hosting an email service. Identifies the hosts authorized to send emails from that domain. There must only be one per domain.

DMARC - Domain-Based Message Authentication, Reporting, and Conformance framework; ensures that SPF and DKIM are being utilized properly

SMTP - Simple Mail Transfer Protocol; a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default

65
Q

When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists?

a. LAST_ACK
b. LISTENING
c. CLOSE_WAIT
d. ESTABLISHED

A

ESTABLISHED

ESTABLISHED - an active and established connection is created between two systems

LISTENING - the socket is waiting for an incoming connection from the second system

LAST_ACK - indicates that the remote end has shut down the connection, and the socket is closed and waiting for an acknowledgement

CLOSE_WAIT - indicates that the remote end has shut down the connection and is waiting for the socket to close

66
Q

An organization has hired a cybersecurity analyst to conduct an assessment of its current security posture. The analyst begins by conducting an external assessment against the organization’s network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first?

a. DNS query log review
b. Enumeration
c. Technical control audits
d. Intranet portal reviews

A

Enumeration

Enumeration is used to determine open ports and identify the software and firmware/device types running on the host.

67
Q

What is a reverse proxy commonly used for?

a. To obfuscate the origin of a user within a network
b. To prevent the unauthorized use of cloud services from the local network
c. Directing traffic to internal services if the contents of the traffic comply with the policy
d. Allowing access to a virtual private network

A

Directing traffic to internal services if the contents of the traffic comply with the policy

68
Q

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain?

a. Take advantage of a software, hardware, or human vulnerability
b. Select backdoor implant and appropriate command and control infrastructure for operation
c. A webshell is installed on a web server
d. Wait for a malicious email attachment to be opened
e. A backdoor/implant is placed on a victim’s client
f. Wait for a user to click on a malicious link

A

Take advantage of a software, hardware, or human vulnerability

Wait for a malicious email attachment to be opened

Wait for a user to click on a malicious link

69
Q

A cybersecurity analyst is reviewing the logs for his company’s server and sees the following output:

Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting?

a. Beaconing is establishing a connection to a C2 server
b. Data exfiltration is occurring over the network
c. Unauthorized privileges are being utilized
d. A common protocol is being used over a non-standard port

A

Unauthorized privileges are being utilized

OBJ-4.3: This appears to be an indication that unauthorized privileges are being used. The first binary, svchost.exe, executes from an odd location, which indicates it might be malicious. The process svchost.exe doesn’t usually reside in the inetsrv folder on a Windows system since this folder contains the Windows IIS web server files. Additionally, this file then spawned a binary that appears to be masquerading as a Windows process, the WMI Provider Host called wmiprvse.exe. This appears to be the beginning of a privilege escalation attack. Based on the output above, there is no evidence that data is being exfiltrated or stolen from the network. Based on the output above, there is no evidence that any network protocol is currently used over a non-standard port. Finally, there is no evidence of beaconing or network activity in this output.

70
Q

You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet?

a. \b172.16.1.(25[0-5]|2[0-4][0-9]?\b
b. \b172.16.1.(25[0-5]|2[0-4][0-9]|01]01?[0-9][0-9]?)\b
c. \b(25[0-5]|2[0-4][0-9]|01]01?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|01]01?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|01]01?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|01]01?[0-9][0-9]?)\b
d. \b172.16.1.(25[0-5]|2[0-4][0-9]|19[2-9])\b

A

\b172.16.1.(25[0-5]|2[0-4][0-9]|19[2-9])\b

71
Q

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?

a. Fingerprint and retinal scan
b. Password and security question
c. Smartcard and pin
d. Username and password

A

Smartcard and pin

72
Q

Dion consulting group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer’s team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on the project, which of the following would you recommend they implement first?

a. Ensure that each individual console has a unique key for decrypting individual licenses and tracking which console has purchased which game.
b. Ensure that all screen capture content is visibly watermarked
c. Ensure that all games for the console are distributed encrypted so that they can only be decrypted on the game console.
d. Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute them

A

Ensure that each individual console has a unique key for decrypting individual licenses and tracking which console has purchased which game.

73
Q

Which of the following types of output encoding is being used in the following output?

a. ASCII
b. Hex
c. XML
d. Base64

A

Base64

Base64 encoding is commonly used to convert binary data, such as ASCII text characters, into an encoded string to bypass detection mechanisms in a network. While a Base64 string won’t always end with an equal or double equal sign, it is common to see them used. This is because the equal signs are used to pad the string to the proper length and complement the final processing of the message’s encoding.

74
Q

Your service desk has received many complaints from external users that a web application is responding slowly to requests and frequently receives a “connection timed out” error message when they attempt to submit information to the application. Which software development best practice should have been implemented to prevent this from occurring?

a. Input validation
b. Fuzzing
c. Regression testing
d. Stress testing

A

Stress testing

Stress testing - a software testing activity that determines the robustness of software by testing beyond normal operating limits

Regression testing - confirms that a recent program or code change has not adversely affected existing features

Input validation - ensures any user input has undergone cleansing to ensure it is properly formatted, correct, and useful

Fuzzing - an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program

75
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital’s enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital’s elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?

a. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack
b. Recommend immediate disconnection of the elevator’s control system from the enterprise network
c. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists
d. Recommend isolation of the elevator control system from the rest of the production network through the change control process

A

Recommend isolation of the elevator control system from the rest of the production network through the change control process