Exam 1 Flashcards
You identified a critical vulnerability in one of your organization’s databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening’s change? (SELECT ALL THAT APPLY)
a. Validate the installation of the patch in a staging environment.
b. Document the change in the change management system.
c. Take the opportunity to install a new feature pack that has been requested.
d. Ensure all stakeholders are informed of the planned outage.
e. Identify any potential risks associated with installing the patch.
f. Take the server offline at 10 PM in preparation for the change.
Validate the installation of the patch in a staging environment.
Document the change in the change management system.
Ensure all stakeholders are informed of the planned outage.
Identify any potential risks associated with installing the patch.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?
a. Credit card information
b. Protected health information
c. Personally identifiable information
d. Trade secret information
Protected health information
You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list?
a. Obscure web interface locations
b. Implement identity and authentication controls
c. Leverage security frameworks and libraries
d. Implement appropriate access controls
Obscure web interface locations
Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:
Based on the output, what type of password cracking method does Jason’s new tool utilize?
a. Hybrid attack
b. Rainbow attack
c. Dictionary attack
d. Brute force attack
Hybrid attack
A new security appliance was installed on the network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern about the appliance updates?
a. Vulnerability scanning
b. Configuration management
c. Scan and patch the device
d. Automatic updates
Vulnerability scanning
Which type of threat will patches NOT effectively combat as a security control?
a. Malware with defined indicators of compromise
b. Discovered software bugs
c. Zero-day attacks
d. Known vulnerabilities
Zero-day attacks
Which of the following options places the correct phases of the Software Development Lifecycle’s waterfall method in the correct order?
a. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance
b. Requirements analysis, planning, design, implementation, testing, deployment, maintenance
c. Planning, requirements analysis, design, implementation, deployment, testing, maintenance
d. Requirements analysis, planning, design, implementation, deployment, testing, maintenance
Requirements analysis, planning, design, implementation, testing, deployment, maintenance
Which of the following is typically used to secure the CAN bus in a vehicular network?
a. Airgap
b. Endpoint protection
c. UEBA
d. Anti-virus
Airgap
You have tried to email yourself a file named “passwords.xlsx” from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred?
a. Blocking
b. Alert only
c. Quarantine
d. Tombstone
Tombstone
Tombstone remediation quarantines the original file and replaces it with one describing the policy violation.
Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24-hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?
a. Conduct full backups daily to tape
b. Create a daily incremental backup to tape
c. Create disk-to-disk snapshots of the server every hour
d. Configure replication of the data to a set of servers located at a hot site
Create a daily incremental backup to tape
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?
a. Processor utilization
b. Organizational governance
c. Log disposition
d. Virtual hosts
Virtual hosts
Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?
a. Data owner
b. Privacy officer
c. Data custodian
d. Data steward
Data owner
A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?
a. Integrity breach
b. Financial breach
c. Proprietary breach
d. Privacy breach
Privacy breach
You just received a notification that your company’s email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?
a. The full email header from one of the spam messages
b. The SMTP audit log from your company’s email server
c. Firewall logs showing the SMTP connections
d. Network flows for the DMZ containing the email servers
The full email header from one of the spam messages
You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement?
a. Single sign-on
b. Password complexity
c. Context-based authentication
d. Self-service password reset
Context-based authentication
Which of the following vulnerability scans would provide the best results if you want to determine if the target’s configuration settings are correct?
a. Internal scan
b. Credentialed scan
c. External scan
d. Non-credentialed scan
Credentialed scan
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?
a. Anomaly
b. Trend
c. Heuristic
d. Behavior
Behavior
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud?
a. Span multiple virtual disks to fragment data
b. Use full-disk encryption
c. Zero-wipe drives before moving systems
d. Use data masking
Use full-disk encryption
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?
a. True positive
b. True negative
c. False negative
d. False positive
False positive
You are analyzing the following network utilization report because you suspect one of the servers has been compromised.
Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
a. marketing01
b. dbsvr01
c. web01
d. webdev02
dbsvr01
Which of the following functions is not provided by a TPM?
a. Secure generation of cryptographic keys
b. Sealing
c. Binding
d. Random number generation
e. Remote attestation
f. User authentication
User authentication
A company’s NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?
a. Enable NetFlow compression
b. Enable full packet capture
c. Enable QoS
d. Enable sampling of the data
Enable sampling of the data
Which of the following types of encryption would ensure the best security of a website?
a. SSLv1
b. SSLv3
c. TLS
d. SSLv2
TLS
OBJ-2.1: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, which developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Socket Layer uses three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?
a. Exact data match
b. Document matching
c. Classification
d. Statistical matching
Exact data match
OBJ-3.2: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of the actual social security numbers of its customers. Since it is not appropriate to load these numbers into a DLP filter, the company could instead use EDM to match fingerprints of the numbers based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.
Which of the following tools is useful for capturing Windows memory data for forensic analysis?
a. Nessus
b. dd
c. Wireshark
d. Memdump
Memdump
OBJ-4.4: The Memdump, Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use. The dd tool is used to conduct forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.
Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate?
a. Unpatched operating systems on the server
b. SQL injections
c. Cross-site scripting
d. An endpoint security failure
An endpoint security failure
OBJ-3.1: In a SaaS model, the consumer has to ensure that the endpoints being used to access the cloud are secure. Since the consumer owns the endpoint (laptop, desktop, tablet, smartphone, etc.), they are responsible for securing it. The entire concept behind using a SaaS product is that the service provider will patch the servers’ underlying operating systems, create secure software that isn’t vulnerable to SQL injection or cross-site scripting attacks, and ensure proper operations and maintenance of the backend systems.
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
a. Social engineering
b. Phishing
c. Privilege escalation
d. Session hijacking
Privilege escalation
OBJ-4.3: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.
Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne’s existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:
https://www.whamiedyne.com/app/accountInfo?acct=12345
You change the URL to end with 12346 and notice that a different user’s account information is displayed. Which of the following types of vulnerabilities or threats have you discovered?
a. XML injection
b. SQL injection
c. Race condition
d. Insecure direct object reference
Insecure direct object reference
OBJ-2.2: This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. An attacker can modify one or more of these four basic functions in a SQL injection attack by adding code to some input within the web app, causing it to execute the attacker’s own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the developer’s order and timing, which is not the case in this scenario.
You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter?
a. NTFS
b. exFAT
c. FAT32
d. HFS+
HFS+
OBJ-4.4: The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by the macOS system. NTFS is not supported by macOS without additional drivers and software tools.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?
a. DLP
b. SSL
c. MDM
d. UTM
DLP