Exam 3

Question 1

When peforming a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks thorugh the firewall logs and attempts to determine whether any access attempts hvae occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

a. 172.16.1.100
b. 10.15.1.100
c. 192.186.1.100
d. 192.168.1.100

Answer 1

192.186.1.100

Private ranges

10. x.x.x
11. 16-31.x.x
12. 168.x.x

Question 2

In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements?

a. Analysis
b. Feedback
c. Collection
d. Dissemination

Answer 2

Feedback

Question 3

A fornsic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume?

a. Conduct a brute-force attack against the FileVault 2 encryption
b. Extract the keys from iCloud
c. Acquire the recovery key
d. Retrieve the key from memory while the volume is mounted

Answer 3

Conduct a brute-force attack against the FileVault 2 encryption

Question 4

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have notived that some SSL network connections are occurring over ports other than 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host’s %TEMPT% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis?

a. Ransomeware
b. DDoS
c. Software vulnerability
d. APT

Answer 4

APT

Question 5

What tool can be used as an exploitation framework during your penetration tests?

a. nmap
b. nessus
c. autopsy
d. metasploit

Answer 5

Metasploit

Question 6

What is the term for the amount of risk that an organization is willing to accept or tolerate?

a. risk appetite
b. risk transference
c. risk deterrence
d. risk avoidance

Answer 6

Risk appetite

Risk avoidance - the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario

Risk deterrence - the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario

Risk transference - moves or shares the responsibility of risk to another entity

Question 7

Review the network diagram provided:

Which of the following ACL entries should be added to the firewall to allow only the system administrator’s computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ?

a. 192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW
b. 192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW
c. 172.16.1.4, 192.168.0.0/24, 22, TCP ALLOW
d. 172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW

Answer 7

172.16.1.4, 192.168.0.0/24, 22, TCP ALLOW

Question 8

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you received the following warning:

“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored inbrowsers and retrieved.”

You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:

Based on your analysis, which of the following actions should you take?

a. you recommend that the system administrator pushes out a GPO update to reconfigure the web browsers securtiy settings
b. this is a false positive and you should implement a scanner exception to ensure you don’t receive this again during your next scan
c. you recommend that the system administrator disabled SSL on the server and implements TLS instead
d. you tell the developer to review their code and implement a bug/code fix

Answer 8

You tell the developer to review their code and emplement a bug/code fix

Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding “autocomplete=off” to the code’s first line. The resulting code would be

.

Question 9

Which party in a federation provides services to members of the federation?

a. SAML
b. RP
c. IdP
d. SSO

Answer 9

RP

Question 10

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

a. degauss
b. destroy
c. purge
d. clear

Answer 10

Clear

Question 11

Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analyst to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by that appliance:

Which of the following statements is true?

a. this is a normal request from a host to your web server in the screened subnet
b. the passwd file was just downloaded through a webshell by an attacker
c. the web browser used in the attack was Microsoft Edge
d. a request to issue the cat command for viewing the passwd occurred but additional analysis is required to verify if the file was downloaded

Answer 11

A request to issue the car command for viewing the passwd occurred but additional analysis is required to verify if the file was downloaded

Question 12

Which of the following lists represents the NIST cybersecurity framework’s four tiers, when ordered from least mature to most mature?

a. partial, risk informed, repeatable, adaptive
b. partial, risk informed, managed, adaptive
c. partial managed, risk informed, adaptive
d. partial, repeatable, risk informed, adaptive

Answer 12

Partial, risk informed, repeatable, adaptive

Question 13

You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company’s network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm’s executives? (SELECT TWO)

a. economic
b. downtime
c. detection time
d. recovery time
e. data integrity

Answer 13

Economic

Data integrity

The economic impact on the business should be your top factor. This would include any possible liability and damage that will be done to the company’s reputation. Data integrity would be the second most important factor to highlight in your report since an APT may have stolen significant amounts of money by altering your financial documentation and accounts’ data integrity.

Question 14

Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for device that process it?

a. insurance records
b. medical records
c. credit card data
d. driver’s license numbers

Answer 14

Credit card data

Question 15

The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the follwing solutions would quickly provide the most accurate information that Steve could use to identify rogue devicces on a wired network?

a. a discovery scan using a port scanner
b. router and switch-based MAC address reporting
c. a physical survey
d. reviewing a central administration tool like an endpoint manager

Answer 15

Router and switch-based MAC address reporting