Exam 2 Flashcards
What type of information will a Cisco switch log be configured to capture logs at level 7?
a. debugging
b. warnings
c. emergencies
d. errors
Debugging
0-7; 0 is most severe and 7 least severe
0 - used for emergency; the system has become unstable
1 - an alert condition; a condition should be corrected immediately
2 - critical condition; failure in the system’s primary application; requires attention
3 - error condition; something is happening to the system that is preventing the proper function
4 - warning condition; an error may occur if action is not taken
5 - notice condition; events are unusual but not errors
6 - information conditions; normal operational messages that require no action
7 - debugging conditions; information useful to developers while debugging networks and applications
Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS solution?
a. anti-malware router filters
b. route poisoning
c. DNS sinkholing
d. subdomain allow listing
DNS sinkholing
DNS sinkholing - uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply
Route poisoning - prevents networks from sending data somewhere when the destination is invalid
Subdomain allow list - only applicable if you are blocking all traffic save for what is explicitly allowed
Anti-malware router filters - not applicable here
You want to search all the logs using REGEX to alert on any findings where a filename contains the word “password” (regardless of case). For example, “PASSWORD.txt,” “Password.log,” or “password.xlsx” should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this?
a. grep “(PASSWORD)|(password)” logfile.log
b. grep \i password logfile.log
c. grep -i password logfile.log
d. grep password /i logfile.log
grep -i password logfile.log
-i - makes the search pattern case insensitive
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure?
a. the data on the source drive was modified during the imaging
b. the source drive is encrypted with BitLocker
c. the data cannot be copied using the RAW format
d. there are bad sectors on the destination drive
There are bad sectors on the destination drive
Since dd makes a bit-by-bit copy, the disk can be copied to RAW format even if it is encrypted
Which role validates the user’s identity when using SAML for authentication?
a. SP
b. RP
c. User agent
d. IdP
IdP
IdP - Identity Provider
SP - Service Provider
RP - Relying Party
Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file:
a. grep “10.1.0.10,” firewall.log | grep “23”
b. grep “10.1.0.10,” firewall.log | grep “23”
c. grep “10.1.0.10,” firewall.log | grep “23$”
d. grep “10.1.0.10,” firewall.log | grep “23$”
grep "10\.1\.0\.10\," firewall.log | grep "23$"
You must escape the dot ( . ) in the IP address ( \. ) and the comma ( , ) at the end ( \, )
23$ indicates that the port number should only be considered a match if it is at the end of the line. This ensures it only matches on the destination port
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system?
a. plists
b. the registry
c. .config files
d. .profile files
plists
Preference and configuration files in macOS use property lists (plists) to specify attributes, or properties, of an app or process.
Registry is for Windows
.profile is a UNIX user’s start-up file
.config is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program
You have just run the following commands on your Linux workstation:
Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply)
a. Dion
b. DION
c. DIOn
d. dion
e. DIon
All would be part of the output
Consider the following data:
Which of the following best describes the data presented above?
a. a JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service
b. a JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format
c. an XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework
d. an XML entry describing an APT using the MITRE ATT&CK framework
A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format
TAXII is an application protocol for exchanging CTI over HTTPS
TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
a. these devices should be scanned for viruses before installation
b. these devices are insecure and should be isolated from the internet
c. these devices should be isolated from the rest of the enterprise network
d. there are no new risks due to the install and the company has a stronger physical security posture
These devices should be isolated from the rest of the enterprise
Because these devices receive updates more slowly, and because they introduce more potential targets, they should be isolated from the rest of the production network.
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?
a. airgap
b. jumpbox
c. bastion hosts
d. physical
Jump box
Jumpbox - a single PC/server used to connect to other/critical devices. Using a jumpbox limits access and prevents unnecessary administrative work setting up devices to connect to critical infrastructure
Bastion host - a special-purpose computer on the network specifically designed and configured to withstand attacks
Airgap - a network or single host computer with unique security requirements that may be physically separated from any other network
What containment technique is the strongest possible response to an incident?
a. segmentation
b. isolating affected systems
c. enumeration
d. isolating the attacker
Isolating affected systems
Segmentation - refers to the isolation of a machine using network technologies and architecture. VLANs, routing/subnetting
Enumeration - refers to the process of extracting user names, machine names, network resources, shares, and services from a system
Which type of media sanitization would you classify degaussing as?
a. destruction
b. purging
c. erasing
d. clearing
Purging
Purging - degaussing is a type of purging; eliminates information from being feasibly recovered even in a laboratory environment
Clearing - prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Often involves overwriting data one or more times
Destruction - a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash
Erasing - deleting the data file’s pointer on a storage device
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
a. conduct an OS fingerprinting scan across the network
b. conduct a service discovery scan on the network
c. manually review the syslog server’s log
d. conduct a packet capture of data traversing the server network
Conduct an OS fingerprinting scan across the network
A penetration tester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)
a. MAC filtering
b. port security
c. network access control
d. encryption
e. authentication
f. physical accessibility
Encryption and Physical accessibility
OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
a. CHAP
b. TACACS+
c. Kerberos
d. RADIUS
TACACS+
TACACS - Terminal Access Controller Access Control System
RADIUS - Remote Authentication Dial-In User Service; provides these services but was not created by Cisco
Kerberos - Mutual authentication for client/server applications using secret-key cryptography
CHAP - Challenge-Handshake Authentication Protocol; does not provide authorization or accounting services
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
a. Virtualization
b. Purchase additional workstations
c. Sandboxing
d. Bypass testing and deploy patches directly into the production environment
Virtualization
Which of the following vulnerabilities is the greatest threat to data confidentiality?
a. HTTP TRACE/TRACK methods enabled
b. Web application SQL injection vulnerability
c. SSL Server with SSLv3 enabled vulnerability
d. phpinfo information disclosure vulnerability
Web application SQL injection vulnerability
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the Internet. Which of the following mitigations would have provided the greatest protection against this data breach?
a. Require data at rest encryption on all endpoints
b. Require all new employees to sign an NDA
c. Require data masking for any information stored in the database
d. Require a VPN to be utilized for all telework employees
Require data at rest encryption on all endpoints
Which of the following technologies is NOT a shared authentication protocol?
a. LDAP
b. OpenID Connect
c. OAuth
d. Facebook Connect
LDAP
Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?
a. Wait until the next scheduled maintenance window to remediate the vulnerability
b. Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability
c. Remediate the vulnerability immediately
d. Delay the remediation until the next major update of the SQL server occurs
Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability
During which phase of the incident response process does an organization assemble an incident response toolkit?
a. Post-incident activity
b. Preparation
c. Containment, eradication, and recovery
d. Detection and analysis
Preparation
Evaluate the following log entry:
Based on this log entry, which of the following statements are true?
a. The packet was blocked inbound to the network
b. MAC filtering is enabled on the firewall
c. packets are being blocked inbound to and outbound from the network
d. an attempted connection to the telnet service was prevented
e. the packet was blocked outbound from the network
f. an attempted connection to the ssh service was prevented
The packet was blocked inbound to the network
An attempted connection to the telnet service was prevented
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon’s behavior on the network?
a. the beacon’s persistence
b. the beacon’s protocol
c. the beaconing interval
d. the removal of known traffic
the beacon’s protocol
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker?
a. DNSSEC
b. DNS registration
c. CNAME
d. zone transfers
Zone transfers
DNSSEC - strengthens authentication in DNS using digital signatures based on public-key cryptography
Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process?
a. require students to choose an image to serve as a secondary password after logon
b. require students to enter a cognitive password requirement (such as ‘What is your dog’s name?)
c. require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password
d. require students to create a unique pin that is entered after their username and password is accepted
Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password
Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command “strcpy” is being used in the application. Which of the following is cause for concern, and what mitigation would you recommend to overcome it?
a. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow
b. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in java
c. strcpy would allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow
d. strcpy could allow an integer overflow to occur; you should rewrite the entire system in java
strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow
strcpy - a built-in function that does not provide a default mechanism for checking if data will overwrite the boundaries of a buffer
By making sure your operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded.
Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn’t possible since they performed input validation using REGEX to alert on any strings that contain the term “[Ss]cript” in them. Which of the following statements concerning this attack is true?
a. the server has insufficient logging and monitoring configured
b. the attacker has modified the logs to cover their tracks and prevent a successful investigation
c. a SQL injection must have occurred since their input validation would have prevented or from being used
d. the REGEX expression to filter using “[Ss]cript” is insufficient since an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it.
The REGEX expression to filter using “[Ss]cript” is insufficient since an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it.
You are reviewing a rule within your organization’s IDS. You see the following output:
Based on this rule, which of the following malicious packets would this IDS alert on?
a. any malicious outbound packets
b. any malicious inbound packets
c. a malicious outbound TCP packet
d. a malicious inbound TCP packet
A malicious inbound TCP packet
Dion Training’s new COO is reviewing the organization’s current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization’s policies to ensure they remain up to date?
a. every 5 years
b. annually
c. monthly
d. quarterly
Annually
Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner.