Exam Questions Flashcards

1
Q

Tom is preparing to build a credit card processing system. As he creates his design, he realizes that the operating environment will not allow him to include one of the PCI DSS required elements. What type of control should Tom discuss implementing?

A. Technical control

B. Operational control

C. Administrative control

D. Compensating control

A

Answer:

D. Compensating controls are used to fulfill the same control objective as a required control when it is not feasible to implement that required control. The scenario describes a need for a compensating control. This control may be technical, operational, and/or administrative in nature.

2
Q

Shane administers a Linux server running Apache. During the middle of his workday, tweets start to appear in his Twitter feed about compromises of Apache servers due to a flaw that had not been previously reported. What type of threat is this?

A. A local exploit

B. Advanced persistent threat

C. A zero-day exploit

D. A zero-knowledge threat

A

Answer:

C. A zero-day exploit takes advantage of a vulnerability that was not publicly known, and for which no patch existed, before attackers began using it: there were zero days between disclosure and exploitation, so defenders had no chance to patch. A local exploit requires prior access to the host, an advanced persistent threat describes a well-resourced, long-term attacker rather than a single flaw, and zero-knowledge is a cryptographic proof concept, not a threat type.

3
Q

Juan is analyzing systems on his network for known indicators of compromise. What term best describes the work he is performing?

A. Threat hunting

B. Vulnerability scanning

C. Intrusion prevention

D. Data mining

A

Answer:

A. Threat hunting activities presume that a compromise has already taken place and search for indicators of that compromise. Vulnerability scanning activities probe systems for known vulnerabilities. Juan’s activity could be described as intrusion detection, but not as intrusion prevention because he is not taking any action to block future attacks. Data mining is a generic term used in machine learning activities and Juan is not leveraging data mining in this work.

4
Q

Which one of the following controls may be used to attract the attention of intruders who gain access to a network segment so that they are distracted from high-value targets and may be monitored?

A. MAC

B. Honeypot

C. Intrusion prevention system

D. Rogue AP

A

Answer:

B. Honeypots are decoy systems used to attract the attention of intruders so that they may be monitored in a controlled environment. Mandatory access controls (MACs) are used to enforce system security policies. Intrusion prevention systems are designed to detect and block malicious activity. Rogue access points provide an unauthorized means of wireless access.

5
Q

While engaging in an attack, the attacker sends an email message to the targeted victim that contains malicious software as an attachment. What phase of the Cyber Kill Chain is occurring?

A. Weaponization

B. Delivery

C. Action on Objectives

D. Reconnaissance

A

Answer:

B. This is an example of delivering the payload to the victim, so it is from the Delivery stage of the Cyber Kill Chain.

6
Q

Betsy receives many requests from IT staff members for remote access to internal systems through the DMZ. What type of system might Betsy place in the DMZ to accommodate these requests?

A. Jump box

B. Virtual machine

C. Honeypot

D. Firewall

A

Answer:

A. A jump box is a system designed to accept remote connection requests and act as an intermediary between those remote systems and local hosts. Virtual machines, honeypots, and firewalls may all exist in the DMZ but do not have the express purpose of providing remote administrative access.

7
Q

Karen is configuring the host firewall on a web server that allows both encrypted and unencrypted web connections. It also must allow SSH access for users to securely drop off files. Which one of the following ports should not be open on the host firewall?

A. 22

B. 80

C. 443

D. 1433

A

Answer:

D. Port 1433 is used by Microsoft SQL Server and should not be reachable on a web server; a database listener belongs on a separate, internal host. Ports 22, 80, and 443 are required for SSH, HTTP, and HTTPS respectively, and the SSH service on port 22 also carries the SFTP and SCP transfers the users need to drop off files.

8
Q

Jacob has been tasked with using NetFlow to monitor network traffic flows in his organization, but the systems he is using are unable to keep up with the volume of data. What is his best option to deal with the traffic without adding new hardware while retaining visibility into the entire network?

A. Switch to RMON monitoring

B. Use flow sampling

C. Decrease the number of flows allowed for each user

D. Use packet shaping to reduce traffic rates to one that the flow collector can keep up with

A

Answer:

B. Sampling is often used to retain flow visibility while reducing the overall flow rates to a reasonable level. Rates of 1:10, 1:100, or 1:1000 can significantly decrease the load that flows create while providing useful visibility. RMON does not provide visibility into flow data. Decreasing the number of flows per user would require reducing users’ ability to use the network, much like using packet shaping to reduce traffic rates would cause the network to be less usable—not a desirable option in almost any network!
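The scaling that makes sampling work, as an added example that is not part of the flashcard set or of any NetFlow product: the collector keeps only every Nth record and multiplies the counters it does see by N. The flow records are constructed (1000 flows in a fixed 3:2 pattern between two hosts), which also lets the example show the aliasing caveat, where a sampling interval that is a multiple of the traffic's period never sees one of the hosts.

```python
"""Sampled flow accounting: keep 1 in N records, scale the counters back up."""
import random
from collections import defaultdict

# Constructed flow list: (source host, bytes). Hosts follow a period-5 pattern
# A A A B B A A A B B ..., so hostA sends 600 flows of 1500 bytes and hostB
# sends 400 flows of 500 bytes (1,100,000 bytes in total).
FLOWS = [("hostA", 1500) if i % 5 < 3 else ("hostB", 500) for i in range(1000)]


def systematic_sample(flows, n):
    """Keep every nth flow record (1:n sampling), starting with the first."""
    return [flow for i, flow in enumerate(flows) if i % n == 0]


def random_sample(flows, n, seed=1):
    """Keep each record independently with probability 1/n (what collectors do)."""
    rng = random.Random(seed)
    return [flow for flow in flows if rng.random() < 1.0 / n]


def estimate_bytes(sampled, n):
    """Scale the sampled byte counts by n to estimate the unsampled total per host."""
    totals = defaultdict(int)
    for src, nbytes in sampled:
        totals[src] += nbytes * n
    return dict(totals)


def actual_bytes(flows):
    """Ground truth from the unsampled records, for comparison."""
    totals = defaultdict(int)
    for src, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print("actual      :", actual_bytes(FLOWS))
    for n in (7, 10):
        est = estimate_bytes(systematic_sample(FLOWS, n), n)
        print(f"1:{n} systematic:", est)
    # 1:7 lands within 0.3% of the truth, but 1:10 is a multiple of the
    # traffic's period and never samples hostB. Random sampling avoids that.
    print("1:10 random     :", estimate_bytes(random_sample(FLOWS, 10), 10))
```

Real sampled NetFlow and sFlow exporters sample packets rather than finished flow records and include the sampling rate in the export, so the collector can do the same scaling; the bias shown for the aligned interval is why those implementations sample randomly rather than deterministically.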

9
Q

Brooke is helping her organization implement a new cloud service. She is configuring the operating system on a server built in the cloud provider’s environment. What cloud service model is in use?

A. PaaS

B. FaaS

C. SaaS

D. IaaS

A

Answer:

D. Infrastructure as a service (IaaS) is the only cloud service model where customers would configure operating systems themselves. In platform as a service (PaaS), function as a service (FaaS), and software as a service (SaaS) models, the cloud service provider is responsible for operating system configuration.

10
Q

Barry joins a hotel wireless network and opens a web browser. No matter which page he visits, he is redirected to a web page requesting him to provide his name and room number. What type of network access control is the hotel using?

A. In-band

B. Out-of-band

C. 802.1x

D. Agent-based

A

Answer:

A. This is an example of a captive portal network access control (NAC) solution, which is an in-band NAC because it inserts a device between Barry and the Internet. Out-of-band solutions, such as 802.1x, require that Barry’s system communicate with the network switch to support NAC. Agent-based solutions would require the installation of software on Barry’s computer.

11
Q

Charles has been asked to secure the wired network in a suite of offices that will be temporarily used by a visiting team from another company. If he wants to continue to allow members of his own team to use the jacks, what technical means can he use to do this while also verifying the security posture of the systems that connect?

A. NAC

B. MAC filtering

C. Port security

D. HIPS

A

Answer:

A. A network access control (NAC) system can allow Charles to require network authentication while performing security posture assessments on the systems that connect. This will allow his team to authenticate and use the network if they have secure systems.

12
Q

Which one of the following components is built into most modern computer systems and is used to store disk encryption keys?

A. HSM

B. Trusted foundry

C. Root of trust

D. TPM

A

Answer:

D. The Trusted Platform Module (TPM) is a hardware chip found inside most modern computers that is used to store disk encryption keys. Hardware security modules (HSMs) also store encryption keys, but they are dedicated, costly devices. Trusted foundries are trusted sources for hardware, and the root of trust is a concept used to describe how trust flows through the components of a secure system.

13
Q

Which media disposition is typically the most expensive option from NIST’s options in NIST SP 800-88?

A. Clearing

B. Purging

C. Destruction

D. Obliteration

A

Answer:

C. Destruction is both the most effective and the costliest option identified in the NIST Guidelines for Media Sanitization (SP 800-88). Clearing, which overwrites addressable storage locations using logical techniques, and purging, which uses methods such as cryptographic erase or the drive's own secure-erase command to make laboratory recovery infeasible, are both cheaper and easier to perform and leave the media reusable. Obliteration is not an option in the NIST listing.

14
Q

What type of firewall is able to incorporate contextual information about the user and application when making permit/deny decisions?

A. NGFW

B. Perimeter firewall

C. Stateful inspection

D. Packet filter

A

Answer:

A. Next-generation firewalls (NGFWs) are able to incorporate contextual information about a connection attempt when making access control decisions. This capability is not available in packet filters or stateful inspection firewalls. While an NGFW may be a perimeter firewall, not all perimeter firewalls have next-generation capabilities.

15
Q

During a network attack simulation exercise, which team is responsible for securing the targeted environment?

A. Red

B. White

C. Blue

D. Black

A

Answer:

C. During a network attack simulation, the blue team is responsible for securing the targeted environment and keeping the attacking (red) team out. The white team serves as referees. There is no black team during a network attack simulation.

16
Q

Laura is investigating a potential security breach within her organization. She believes that an attacker stole a file containing employee information. Which information security tenet would this attack violate?

A. Confidentiality

B. Integrity

C. Availability

D. Nonrepudiation

A

Answer:

A. The three pillars of information security are confidentiality, integrity, and availability. Attacks against confidentiality seek to disclose sensitive information. Attacks against integrity seek to alter information in an unauthorized manner. Attacks against availability seek to prevent legitimate use of information or systems.

17
Q

Which of the following incident response activities should not happen during the eradication phase of incident response?

A. Sanitization

B. Reconstruction/re-imaging

C. Secure disposal

D. Segmentation

A

Answer:

D. Segmentation occurs in the containment phase in the CompTIA incident response process. Bear in mind that CompTIA’s incident response process differs from the NIST standard, and places sanitization, reconstruction/re-imaging, and secure disposal in the eradication and recovery phase.

18
Q

Karen is conducting a risk analysis for her organization and identifies that one potential threat is a widespread power outage that disrupts service to her organization’s datacenters. How should Karen classify this threat?

A. Accidental

B. Adversarial

C. Structural

D. Environmental

A

Answer:

D. Environmental threats are natural or man-made disasters outside the organization's control, such as a regional power outage. Accidental threats occur when an inadvertent action by someone inside the organization jeopardizes security. Adversarial threats occur when someone is actively seeking to attack the organization. Structural threats are failures of equipment, environmental controls, or software, including exhaustion of available resources.

19
Q

Which of the following is not a law?

A. HIPAA

B. PCI DSS

C. FERPA

D. SOX

A

Answer:

B. PCI DSS is an information security standard required by major payment card brands for organizations that use their cards. HIPAA, SOX, and FERPA are all U.S. laws.

20
Q

Which of the following is not typically involved in the initial phases of a CSIRT activation?

A. Technical staff

B. CSIRT leader

C. Law enforcement

D. First responder

A

Answer:

C. For most organizations, CSIRT activities initially involve internal resources. Law enforcement is involved only when it is believed that a crime has been committed, requiring participation of law enforcement officers.

21
Q

Which one of the following activities would not normally occur during the attack phase of a penetration test?

A. System browsing

B. Network reconnaissance

C. Escalating privileges

D. Gaining access

A

Answer:

B. Network reconnaissance normally takes place during the discovery phase of a penetration test. The attack phase consists of gaining access, escalating privileges, system browsing, and installing additional tools.

22
Q

Bob is evaluating the risk to his organization from advanced persistent threat (APT) attackers. He assesses the likelihood of this risk occurring to be medium and the impact high. How would this risk be categorized under most organizations’ risk evaluation matrices?

A. Low risk

B. Moderate risk

C. Semi-moderate risk

D. High risk

A

Answer:

D. Under the risk management matrix used by most organizations, a risk with a medium likelihood and high impact would be considered a high risk.

23
Q

Which of the following is not a common network issue?

A. Bandwidth consumption

B. Beaconing

C. Link aggregation

D. Unexpected traffic

A

Answer:

C. Bandwidth consumption, beaconing, and unexpected traffic are all common network issues that you should monitor for. Link aggregation refers to combining links to create a higher throughput link.

24
Q

Richard wants to build DDoS detection capability into his network. Which of the following tools is not appropriate for that task?

A. Network bandwidth monitoring tools

B. IPS

C. Active performance monitoring tools

D. Network fuzzers

A

Answer:

D. Distributed denial-of-service (DDoS) attacks can be detected in many ways, including use of SIEM devices, IDSs and IPSs, network bandwidth and connection monitoring tools, and performance monitoring utilities. Fuzzers are used to send unexpected data to applications and won’t help detect a DDoS.

25
Q

Which one of the following technologies is commonly used to integrate software as a service (SaaS) productivity platforms?

A. API

B. SOAR

C. SCAP

D. CI/CD

A

Answer:

A. Application programming interfaces (APIs) are used to programmatically integrate systems, including SaaS platforms. Security orchestration, automation, and response (SOAR) does integrate systems but specifically in the security, not productivity, space. The Security Content Automation Protocol (SCAP) also is used to integrate security, not productivity, systems. Continuous integration/continuous delivery (CI/CD) is an operational philosophy and not a specific technology.

26
Q

What concern may make active monitoring less attractive in some heavily used networks?

A. Active monitoring can’t monitor busy networks.

B. Active monitoring bypasses IPSs.

C. Active monitoring consumes additional bandwidth.

D. Active monitoring requires SNMP to be enabled.

A

Answer:

C. Although the bandwidth used for active monitoring is typically relatively low, it does add to the total network traffic load. If the monitoring traffic is not prioritized, information is available less quickly than desired, and if it is prioritized, it may compete with other important traffic.

27
Q

Which one of the following analysis techniques requires samples of known malicious activity to identify future instances of the same activity?

A. Signature analysis

B. Trend analysis

C. Behavioral analysis

D. Anomaly analysis

A

Answer:

A. Signature analysis uses a fingerprint or signature to detect threats or other events. This means that a signature has to exist before it can be detected, but if the signature is well designed, it can reliably detect the specific threat or event.

28
Q

Fiona is investigating the misuse of her company’s network and needs to capture network traffic for analysis. She wants to use a dedicated open source tool that is designed for packet capture and analysis. Which one of the following tools best meets her needs?

A. Nessus

B. Nmap

C. Wireshark

D. Nikto

A

Answer:

C. Wireshark is a protocol analyzer that can capture network traffic and save it in the standard pcap format for analysis. Nessus is a vulnerability scanner, Nmap is a port and network scanner, and Nikto is a web application security scanner; none of the three is designed for packet capture.

29
Q

Bill is analyzing a system that is experiencing strange symptoms. He would like a list of the open network connections on that system. Which one of the following tools would be helpful in this scenario?

A. Traceroute

B. Netstat

C. Tcpdump

D. Wireshark

A

Answer:

B. The netstat tool (or ss on modern Linux systems) lists a host's open connections and listening sockets. Tcpdump and Wireshark can capture traffic from open connections but will not show connections that are silent during the capture period. Traceroute shows the path between two systems.

30
Q

Which of the following is not a reason to avoid imaging live systems?

A. The drive may be modified by the forensic tool.

B. The drive contents may change during the imaging process.

C. Unallocated space will not be included.

D. Capturing memory contents is more difficult.

A

Answer:

D. There are many reasons to avoid imaging live machines if it is not absolutely necessary, but one advantage that imaging a live machine has is the ability to directly capture the contents of memory. Risks of capturing images from live machines include inadvertent modification of the systems, changes that may occur on the machine during imaging, the potential for malware to attack the imaging system or to detect and avoid it, and the fact that most live images don’t capture unallocated space.

31
Q

Which incident response phase includes filing catch-up change requests in the organization’s change control process?

A. Eradication

B. Containment

C. Recovery

D. Postincident activities

A

Answer:

D. Organizational change management processes are often bypassed during an incident response process due to the urgency of the need to make quick changes. Once the incident response has been completed, changes are often filed as catch-up documentation as part of the postincident activities.

32
Q

Brian is a new hire to his company as a threat hunter and he is beginning by developing scenarios of potential attacks. What threat hunting activity is Brian performing?

A. Reducing the attack surface area

B. Establishing the hypothesis

C. Profiling threat actors

D. Gathering evidence

A

Answer:

B. Brian is developing potential scenarios that might result in a successful attack. This is an example of establishing a threat-hunting hypothesis. Next, Brian should look for evidence of such an attack in an attempt to confirm or refute his hypothesis.

33
Q

Rodney’s company wants to prevent phishing attacks from resulting in account compromise. Which of the following solutions will provide the most effective solution?

A. Implement context-aware authentication.

B. Use enhanced password requirements.

C. Add token-based authentication.

D. Set a shorter password lifespan.

A

Answer:

C. Multifactor authentication like token-based authentication can help prevent phishing attacks that result in stolen credentials resulting in attackers accessing systems. As long as attackers do not also acquire the token (often an app on a smartphone or a physical device kept in the user’s pocket), the attacker will not have all the factors they need to authenticate. Context-aware authentication might help if attackers log in from places that legitimate users don’t, but enhanced password requirements and shorter password lifespans have a relatively small impact, if any.

34
Q

The group of developers that Cynthia is part of tests each software component or function before integrating it into larger software modules. What is this process called?

A. Code segmentation

B. Unit testing

C. UAT

D. Fagan inspection

A

Answer:

B. Unit testing tests the smallest testable parts of an application or program, ensuring that each component works properly before they are put together. UAT is user acceptance testing, Fagan inspection is a form of formal code review, and code segmentation is not a term used in software engineering or development.

35
Q

At what stage in the incident response process does a CSIRT move from primarily passive to primarily active work?

A. Preparation

B. Detection and Analysis

C. Containment, Eradication, and Recovery

D. Postincident Activity

A

Answer:

C. Once a security incident has been detected and analyzed, CSIRTs move into an active phase of containment, eradication, and recovery. Active measures seek to limit the damage, gather evidence, identify the attackers and systems they are using, and eradicate the effects of the incident.

36
Q

Howard is analyzing the logs from his firewall and sees that the same IP address attempted blocked connections to the same server many different times. What is the most likely explanation for this activity?

A. Denial-of-service attack

B. Port scan

C. SQL injection

D. Cross-site scripting

A

Answer:

B. This is most likely a port scan being used to conduct reconnaissance and determine what ports are open on the server. A DoS attack would more likely use requests to a service allowed through the firewall. SQL injection and cross-site scripting would be successful only against a web server that was allowed to receive connections through the firewall.
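The triage Howard would do on those log lines, as an added example that is not part of the flashcard set: group blocked connections by source and destination and look at how many distinct ports each source touched. One source hitting many ports on one server is reconnaissance; many blocked attempts to a single port is a different pattern (brute force or a flood) and is labelled separately. The key=value log format and the addresses are constructed; a real firewall's format differs, so LINE_RE is the part to adapt.

```python
"""Classify blocked connections in a firewall log by the shape of the attempts."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"action=(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: a vertical scan from 203.0.113.9, normal HTTPS traffic
# from 198.51.100.7, and two stray SSH attempts from 192.0.2.44.
SAMPLE_LOG = "\n".join(
    [f"2024-03-10T14:02:{i:02d} fw1 action=DENY src=203.0.113.9 dst=10.0.0.20 proto=tcp dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 1433, 3389])]
    + ["2024-03-10T14:02:30 fw1 action=ALLOW src=198.51.100.7 dst=10.0.0.20 proto=tcp dport=443",
       "2024-03-10T14:02:31 fw1 action=DENY src=192.0.2.44 dst=10.0.0.20 proto=tcp dport=22",
       "2024-03-10T14:02:45 fw1 action=DENY src=192.0.2.44 dst=10.0.0.20 proto=tcp dport=22"]
)


def blocked_summary(log_text):
    """Map (src, dst) -> (number of denied attempts, sorted list of destination ports)."""
    attempts = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "DENY":
            continue  # unparseable or allowed traffic is not part of this triage
        key = (m["src"], m["dst"])
        attempts[key] += 1
        ports[key].add(int(m["dport"]))
    return {k: (attempts[k], sorted(ports[k])) for k in attempts}


def classify(log_text, scan_ports=5, flood_attempts=20):
    """Label each blocked (src, dst) pair; thresholds are tunable assumptions."""
    labels = {}
    for key, (n, dports) in blocked_summary(log_text).items():
        if len(dports) >= scan_ports:
            labels[key] = "likely port scan"
        elif n >= flood_attempts:
            labels[key] = "repeated attempts to few ports (brute force or flood?)"
        else:
            labels[key] = "isolated"
    return labels


if __name__ == "__main__":
    summary = blocked_summary(SAMPLE_LOG)
    for (src, dst), label in classify(SAMPLE_LOG).items():
        n, dports = summary[(src, dst)]
        print(f"{src} -> {dst}: {n} denied, ports {dports}: {label}")
```

The thresholds are deliberately conservative defaults; on a busy perimeter the distinct-port count per source over a time window is a better signal than raw attempt counts, which legitimate retries inflate.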

37
Q

Ron is reviewing Cisco router logs from his organization and would like an easy way to filter the logs down to those that are most critical. What Cisco log level represents an emergency situation?

A. 0

B. 1

C. 6

D. 7

A

Answer:

A. Cisco uses log level 0 for emergency situations. Log level 1 is for alerts. Log level 6 is for information, and log level 7 is for debugging.
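The filtering Ron wants, as an added example that is not part of the flashcard set: Cisco IOS messages carry a %FACILITY-SEVERITY-MNEMONIC tag in which the severity digit runs from 0 (emergency) to 7 (debugging), so "most critical first" is a numeric test on that digit. The sample log lines are constructed; the hostnames and timestamps are made up.

```python
"""Filter Cisco IOS syslog lines by the severity digit in their message tag."""
import re

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# %SYS-5-CONFIG_I, %LINK-3-UPDOWN, %SEC-6-IPACCESSLOGP, ...
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)")

# Constructed sample lines in the usual syslog-forwarded IOS layout.
SAMPLE_LOG = """\
Mar 10 14:01:02 rtr1 1234: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar 10 14:02:15 rtr1 1235: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar 10 14:02:40 rtr1 1236: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(51222) -> 10.0.0.20(1433), 1 packet
Mar 10 14:03:01 rtr1 1237: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr) 96%/3%
Mar 10 14:03:30 rtr1 1238: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed
Mar 10 14:03:31 rtr1 1239: this line carries no severity tag and is skipped
"""


def parse_severity(line):
    """Return the numeric severity (0-7) of a Cisco log line, or None if it has no tag."""
    m = TAG_RE.search(line)
    return int(m["severity"]) if m else None


def filter_by_severity(log_text, max_severity):
    """Return (severity, line) pairs at or more severe than max_severity, most severe first."""
    hits = []
    for line in log_text.splitlines():
        sev = parse_severity(line)
        if sev is not None and sev <= max_severity:
            hits.append((sev, line))
    return sorted(hits, key=lambda hit: hit[0])


if __name__ == "__main__":
    # Everything at "critical" (2) or worse, which is what a pager feed would carry.
    for sev, line in filter_by_severity(SAMPLE_LOG, 2):
        print(f"[{sev} {SEVERITY_NAMES[sev]}] {line}")
```

Lower numbers are more severe, which trips people up when they write "level >= 6" expecting important events; the same 0 to 7 scale is the standard syslog severity scale, so the filter works on any device that uses it once the regex is adjusted.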

38
Q

Angela wants to search for rogue devices on her network. Which of the following techniques will best help her identify systems if she has a complete hardware and systems inventory?

A. MAC address vendor checking

B. Site surveys

C. Traffic analysis for unexpected behavior

D. MAC address verification

A

Answer:

D. Since Angela already has the MAC address of every authorized device from her systems inventory, she can compare the addresses seen on her switches or in DHCP and ARP tables against that list and flag any that do not match. Vendor (OUI) checking only tells her who made an interface, not whether it belongs, and traffic analysis and site surveys are slower and less precise. MAC addresses can be spoofed, so a match confirms only that the address is on the list; an unexpected address is still the signal worth investigating.
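The inventory comparison in code, as an added example that is not part of the flashcard set. The inventory, the MAC-table output and the OUI table are all constructed; the switch lines mimic the Cisco dotted format (001a.2b3c.4d5e) while the inventory uses colons, so the first job is normalising. Anything observed that is absent from the inventory is a candidate rogue; the vendor lookup, the weaker option in the question, is included for comparison.

```python
"""Compare MAC addresses seen on a switch against a hardware inventory."""
import re

# Constructed inventory: normalised MAC -> asset name.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "ws-finance-01",
    "00:1a:2b:3c:4d:5f": "ws-finance-02",
    "3c:52:82:aa:bb:cc": "printer-2f",
}

# Constructed OUI table (first three octets -> vendor) for the vendor check.
OUI_TABLE = {"00:1a:2b": "ExampleCorp NICs", "3c:52:82": "ExamplePrint"}

# Constructed "show mac address-table" style output: VLAN, MAC, type, port.
SWITCH_OUTPUT = """\
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/1
  10    001a.2b3c.4d5f    DYNAMIC     Gi1/0/2
  10    3c52.82aa.bbcc    DYNAMIC     Gi1/0/7
  10    b827.eb11.2233    DYNAMIC     Gi1/0/9
"""

# Accepts dotted (aaaa.bbbb.cccc), colon and hyphen separated forms.
MAC_RE = re.compile(r"(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}|(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}")


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated octets, whatever the input format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def observed_macs(switch_output):
    """Extract (normalised mac, port) pairs from MAC-table output."""
    found = []
    for line in switch_output.splitlines():
        m = MAC_RE.search(line)
        if m:
            found.append((normalize_mac(m.group(0)), line.split()[-1]))
    return found


def find_rogues(switch_output, inventory):
    """Addresses seen on the switch that the inventory does not know about."""
    return [(mac, port) for mac, port in observed_macs(switch_output) if mac not in inventory]


def vendor_of(mac, oui_table):
    """The weaker check: who made the interface, which says nothing about ownership."""
    return oui_table.get(normalize_mac(mac)[:8], "unknown vendor")


if __name__ == "__main__":
    for mac, port in find_rogues(SWITCH_OUTPUT, INVENTORY):
        print(f"not in inventory: {mac} on {port} ({vendor_of(mac, OUI_TABLE)})")
```

Because a spoofed address on a rogue device would pass this check, the inventory comparison is best paired with port-level evidence (which switch port the address appeared on, and whether that port should be live at all).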

39
Q

What type of control can be put in place and documented if an existing security measure is too difficult to implement or does not fully meet security requirements?

A. Cost limiting

B. Administrative

C. Compensating

D. Break-fix

A

Answer:

C. When existing controls are insufficient, do not resolve the issue, or are too difficult to implement, a compensating control is often put in place. It is important to document compensating controls, because they differ from the expected or typical control that would normally be in place.

40
Q

Tom would like to use nmap to perform service fingerprinting and wants to request banner information from scanned services. What flag should he use?

A. -oG

B. -sS

C. -b

D. -sV

A

Answer:

D. The -sV flag probes open ports and reports service banner and version information. The -oG flag writes greppable output, -sS requests a TCP SYN scan, and -b performs an FTP bounce scan through an FTP server that supports it.

41
Q

Background: Insecure, Inc. has experienced multiple data breaches over the past 6 months and has recently hired Cynthia, a new information security officer. Cynthia’s first task is to review Insecure, Inc.’s defenses with the goal of identifying appropriate defenses to put in place.

Cynthia knows that her new employers had two major breaches. Breach A occurred when an employee took home a USB external drive with sensitive customer information as well as corporate planning data for the following year. The employee left the drive in their car, and the car was broken into overnight. In the morning, the drive was gone. Insecure, Inc. is uncertain about the fate of the drive and is concerned that customer data as well as their top-secret plans to best their competitors may have been exposed.

Breach B was caused when Insecure, Inc.’s new web application was attacked by unknown attackers who used a SQL injection attack to insert new data into their e-commerce application. Insecure, Inc.’s website was quickly deluged with deal seekers, who put in hundreds of orders for Insecure’s newly inexpensive products—the attackers had managed to change the price for almost every product they sold. Insecure, Inc. managed to cancel most of the orders before they shipped, but they have had to deal with angry customers since the event.

Using this information, your task is to help Cynthia recommend the best defensive strategy for each of the following questions.

Cynthia wants to ensure that data cannot be lost in the same way as the loss that occurred during Breach A. Which of the following would make a lost drive not a major concern?

A. Encrypt the drive with SHA1.

B. Encrypt the drive with AES256.

C. Encrypt the drive with DES.

D. Encrypt the drive with MD5.

A

Answer:

B. Encrypting a drive with strong encryption like AES256 will make the loss of a drive less of an issue. In general, strong encryption with a key that has not also been exposed can make confidentiality risks like this negligible. Both MD5 and SHA1 are not encryption methods—they are hashes. DES is an older, weaker encryption method, and it would not provide strong protection for the drive.

42
Q

Background: Insecure, Inc. has experienced multiple data breaches over the past 6 months and has recently hired Cynthia, a new information security officer. Cynthia’s first task is to review Insecure, Inc.’s defenses with the goal of identifying appropriate defenses to put in place.

Cynthia knows that her new employers had two major breaches. Breach A occurred when an employee took home a USB external drive with sensitive customer information as well as corporate planning data for the following year. The employee left the drive in their car, and the car was broken into overnight. In the morning, the drive was gone. Insecure, Inc. is uncertain about the fate of the drive and is concerned that customer data as well as their top-secret plans to best their competitors may have been exposed.

Breach B was caused when Insecure, Inc.’s new web application was attacked by unknown attackers who used a SQL injection attack to insert new data into their e-commerce application. Insecure, Inc.’s website was quickly deluged with deal seekers, who put in hundreds of orders for Insecure’s newly inexpensive products—the attackers had managed to change the price for almost every product they sold. Insecure, Inc. managed to cancel most of the orders before they shipped, but they have had to deal with angry customers since the event.

Using this information, your task is to help Cynthia recommend the best defensive strategy for each of the following questions.

If Cynthia wants to address the human side of the issues she has discovered, what solution would best help prevent future issues?

A. Policy and awareness training

B. Dual control and cross training

C. Cross training and an awareness program

D. Implementing a continuous improvement program

A

Answer:

A. It can be easy to forget how important policies and the standards and practices that derive from them are, but policies make up the foundation of an organization’s security practices. When combined with awareness training, it is far more likely that the employees that Cynthia works with will avoid bad practices like taking unencrypted drives home or neglecting to use web application security development best practices.

43
Q

Background: Insecure, Inc. has experienced multiple data breaches over the past 6 months and has recently hired Cynthia, a new information security officer. Cynthia’s first task is to review Insecure, Inc.’s defenses with the goal of identifying appropriate defenses to put in place.

Cynthia knows that her new employers had two major breaches. Breach A occurred when an employee took home a USB external drive with sensitive customer information as well as corporate planning data for the following year. The employee left the drive in their car, and the car was broken into overnight. In the morning, the drive was gone. Insecure, Inc. is uncertain about the fate of the drive and is concerned that customer data as well as their top-secret plans to best their competitors may have been exposed.

Breach B was caused when Insecure, Inc.’s new web application was attacked by unknown attackers who used a SQL injection attack to insert new data into their e-commerce application. Insecure, Inc.’s website was quickly deluged with deal seekers, who put in hundreds of orders for Insecure’s newly inexpensive products—the attackers had managed to change the price for almost every product they sold. Insecure, Inc. managed to cancel most of the orders before they shipped, but they have had to deal with angry customers since the event.

Using this information, your task is to help Cynthia recommend the best defensive strategy for each of the following questions.

What technical solution can Cynthia use to detect and possibly stop both SQL injection attacks and denial-of-service attacks against her web applications?

A. An IDS

B. A PRNG

C. DLP

D. An IPS

A

Answer:

D. Cynthia's design should include an intrusion prevention system (IPS). An in-line IPS with the right signatures can detect and stop attacks, including SQL injection, cross-site scripting, and even denial-of-service (DoS) attacks, although its signatures must be kept current and it does not remove the underlying flaw in the application. An intrusion detection system (IDS) could detect the attacks but cannot stop them, and data loss prevention (DLP) systems are designed to keep sensitive data from leaving the organization. A PRNG, or pseudo-random number generator, is a building block for cryptography, not a defensive control.
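The flaw behind Breach B and its developer-side fix, as an added example that is not part of the flashcard set. Insecure, Inc.'s application is not shown on the page, so this is a constructed stand-in: an in-memory SQLite product table and a "set price" handler written twice, once with string concatenation (the pattern the attackers exploited) and once with a parameterised query. The table, column and function names are assumptions.

```python
"""SQL injection against a price-update handler, vulnerable and fixed forms side by side."""
import sqlite3


def setup_db():
    """Constructed product catalogue in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Widget", 19.99), ("Gadget", 49.99), ("Gizmo", 99.99)],
    )
    conn.commit()
    return conn


def all_prices(conn):
    return dict(conn.execute("SELECT name, price FROM products"))


def set_price_vulnerable(conn, name, price):
    """Builds the statement from user input, so the name becomes part of the SQL."""
    sql = f"UPDATE products SET price = {price} WHERE name = '{name}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows changed; more than one means the WHERE clause was subverted


def set_price_safe(conn, name, price):
    """Placeholders: the driver sends name as data, never as SQL; price is validated too."""
    if not isinstance(price, (int, float)) or price <= 0:
        raise ValueError("price must be a positive number")
    cur = conn.execute("UPDATE products SET price = ? WHERE name = ?", (price, name))
    conn.commit()
    return cur.rowcount


# Attacker-controlled product name: closes the quoted string and appends a
# condition that is always true, so the WHERE clause matches every row.
PAYLOAD = "Widget' OR 'a'='a"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable rows changed:", set_price_vulnerable(conn, PAYLOAD, 0.01), all_prices(conn))
    conn = setup_db()
    print("safe rows changed      :", set_price_safe(conn, PAYLOAD, 0.01), all_prices(conn))
```

The parameterised version updates zero rows for the payload because the whole string, quote and all, is compared against the name column as a literal; an IPS signature for `' OR '` style payloads would catch this particular string, but only the query-side fix stops the encodings and variants a signature set will inevitably miss.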

44
Q

Kevin ran a port scan on a system and determined that it is listening on port 1433. What type of server is Kevin most likely scanning?

A. Web server

B. Database server

C. AAA server

D. Email server

A

Answer:

B. Port 1433 is used by Microsoft SQL Server, so Kevin is most likely scanning a database server.

45
Q

What requirement of shared authentication is a key differentiator from SSO?

A. It requires authentication for each site.

B. It uses the same authentication key for each site.

C. Shared authentication provides end-to-end encryption.

D. The shared authentication standard is an open standard.

A

Answer:

A. The key difference between a shared authentication model and a single sign-on (SSO) model is that shared authentication systems require users to enter credentials when authenticating to each site. Single sign-on only requires a single sign-on—exactly as the name says!

46
Q

NIST’s data impact rating scale describes what category of data impact as “Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc., was accessed or exfiltrated”?

A. Confidentiality breach

B. Privacy breach

C. Proprietary breach

D. Integrity loss

A

Answer:

B. In NIST’s classification scheme, this is a privacy breach, involving personally identifiable information. NIST defines four ratings: none, privacy breaches, proprietary information breaches, and integrity loss. Proprietary information breaches involve unclassified proprietary information, such as protected critical infrastructure information. Integrity losses occur when sensitive or proprietary information is changed or deleted. NIST does not use the broad term confidentiality breaches, instead preferring more specific definitions.

47
Q

What Windows tool provides detailed data, including counters, that can measure information about a system like energy consumption, disk usage, and network activity?

A. Winmon

B. Perfmon

C. Sysctl

D. Resmon

A

Answer:

B. Perfmon (Performance Monitor) provides the ability to perform detailed data collection, unlike resmon’s (Resource Monitor) high-level view, which does not include the use of counters. Winmon is a name typically associated with malware, and sysctl is a Linux tool used for changing kernel parameters at runtime.

48
Q

As part of his forensic investigation, Alex signs and notes in his log when the drive copy he prepared is transferred to legal counsel. What is this process known as?

A. Handoff documentation

B. Chain-of-custody tracking

C. Asset tracking

D. Forensic certification

A

Answer:

B. Chain-of-custody tracking indicates who has access to and authority over drives, devices, and forensic data throughout their life cycle. This is a critical element in investigations that may end up in court or that will involve law enforcement.

49
Q

Ryan uses the following command as part of his forensic image preparation:

root@demo:~# md5sum image1.raw
441fb68910e08fd0ed2db3bdb4e49233 image1.raw

What task has he performed?

A. Encryption

B. Image creation

C. Hashing

D. Secure wipe

A

Answer:

C. Ryan has created an MD5 hash of his image file. This can be compared to the original, or if it is the original, it can be compared to future copies to validate their integrity.

50
Q

Ryan uses the following command later in his forensic investigation and receives the response shown. What has occurred?

root@demo:~# md5sum -c image1.md5 image1v2.md5
image1.raw: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
image1.raw: OK

A. The hash was miscalculated.

B. No hash was created.

C. The files are the same.

D. The files are different.

A

Answer:

D. Hashes are compared to verify that the files are the same. Since MD5 returns a warning that the checksum did not match, we know that the files are different.

51
Q

Ed is preparing an incident response report, and he discovers that some systems were not properly configured to use NTP. What critical element of incident reports may suffer based on this?

A. The root cause analysis

B. The chronology of events

C. The postrecovery validation report

D. The documentation of specific actions taken to remediate issues

A

Answer:

B. NTP (Network Time Protocol) is used to ensure that events that are logged and other actions taken that use system time line up properly. Without NTP enabled, it may be significantly more difficult to determine when events occurred, making the chronological view of events harder, or even impossible, to build.

52
Q

Which one of the following criteria would normally be considered least important when making decisions about the scope of vulnerability scanning programs?

A. Regulatory requirements

B. Data classification

C. Operating system type

D. Corporate policy

A

Answer:

C. The most important criteria when making decisions about the scope of vulnerability management programs are regulatory requirements, corporate policy, asset classification, and data classification.

53
Q

Bernie is designing a PCI DSS–compliant vulnerability management program for his business. Who may conduct the internal scans required by the standard?

A. Scans must be conducted by an approved scanning vendor (ASV).

B. Scans must be conducted by an internal audit group or an ASV.

C. Scans must be conducted by a PCI DSS–certified individual.

D. Scans may be conducted by any qualified individual.

A

Answer:

D. PCI DSS only requires that internal scans be conducted by a qualified individual. External scans must be conducted by an approved scanning vendor (ASV).

54
Q

Which one of the following elements of the Security Content Automation Protocol (SCAP) provides a standard nomenclature for describing security-related software flaws?

A. CVSS

B. CPE

C. CVE

D. OVAL

A

Answer:

C. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. Open Vulnerability and Assessment Language (OVAL) is a language for specifying low-level testing procedures used by checklists.

55
Q

Which of the following is not a Linux memory forensic tool?

A. fmem

B. LiME

C. The Volatility Framework

D. DumpIt

A

Answer:

D. DumpIt is a Windows-only memory forensics tool. LiME and fmem are both Linux kernel modules that allow access to physical memory, and the Volatility Framework is a multiplatform tool with support for a broad range of memory forensics activities.

56
Q

The NIST Cybersecurity Framework uses three major measures to determine which tier an organization is at. Which of the following lists those three measures?

A. Risk management process, integrated risk management program, external participation

B. Risk management program, risk tolerance, controls structure

C. Risk management process, incident response program, external data sources

D. Risk management program, vulnerability management program, external data sources

A

Answer:

A. NIST uses three critical measures to determine an organization’s tier in the framework: how mature their risk management process is, whether there is an integrated risk management program, and if the organization is effectively participating with external partners.

57
Q

Bryan is preparing to conduct a vulnerability scan and wishes to use credentialed scanning for maximum effectiveness. What type of account should Bryan use to perform this scanning in a secure manner?

A. Domain administrator

B. Root user

C. Local administrator

D. Read-only user

A

Answer:

D. Credentialed scanning should always be performed with a read-only account to limit the potential impact on the system should the scanner malfunction or the account become compromised.

58
Q

Gary is the cybersecurity manager for a federal government agency subject to FISMA. He is evaluating the potential confidentiality impact of a system and decides that the unauthorized disclosure of information stored on the system could have a serious adverse impact on citizens served by his agency. How should Gary rate the confidentiality impact?

A. Low

B. Moderate

C. High

D. Critical

A

Answer:

B. The system should be rated as moderate impact for confidentiality if “the unauthorized disclosure of information stored on the system could have a serious adverse impact on organizational operations, organizational assets, or individuals,” according to FIPS 199.

59
Q

What major Kerberos-centric concern faces administrators of an Active Directory forest or domain if the AD server itself is compromised?

A. All Kerberos tickets will be invalidated.

B. Attackers can create a “golden ticket.”

C. There is no way to notify users of the issue.

D. Previously issued user tickets will be exposed.

A

Answer:

B. Forged Kerberos ticket-granting tickets (TGTs), also known as golden tickets, can be created if attackers are able to gain domain administrator or local administrator access to the AD controller. This would allow attackers to set arbitrary ticket lifespans and to act as any user in the domain or forest.

60
Q

Which of the following is not a common attack against LDAP servers?

A. Exploiting of insecure binding

B. Directory harvesting

C. LDAP injection

D. Silver ticket attacks

A

Answer:

D. LDAP attacks often focus on insecure binding methods, harvesting directory information by taking advantage of improper ACLs, LDAP injection, or denial-of-service attacks. Silver ticket attacks are associated with Kerberos, where the term is used to describe compromised service account credentials.

61
Q

Oliver is developing a prioritization scheme for vulnerability remediation. Which one of the following is not generally accepted as an important criterion for prioritizing remediation?

A. Vulnerability severity

B. Age of vulnerability

C. Criticality of system

D. Difficulty of remediation

A

Answer:

B. The most commonly accepted criteria for vulnerability prioritization include criticality of the systems and information affected by the vulnerability, difficulty of remediating the vulnerability, severity of the vulnerability, and exposure of the vulnerability.

62
Q

What regulatory schemes specifically require the use of vulnerability scanning?

A. FISMA and PCI DSS

B. PCI DSS and HIPAA

C. HIPAA and GLBA

D. GLBA and FISMA

A

Answer:

A. The Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS) both require the use of vulnerability scanning. The Gramm–Leach–Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) have no such requirement.

63
Q

What term describes reviewing code by running it?

A. The Run/Test method

B. Runtime inspection

C. Static code analysis

D. Dynamic code analysis

A

Answer:

D. Testing code by running it is known as dynamic code analysis. Static code analysis looks at the source code for an application. Runtime is when a program is running, but runtime inspection is not a common term used in software engineering. There is no Run/Test method.

64
Q

After completing a vulnerability scan, Bob received a report of a blind SQL injection vulnerability. Bob worked with the application developer to inspect the vulnerability and determined that the attack was not possible. What type of error occurred?

A. True positive

B. True negative

C. False positive

D. False negative

A

Answer:

C. This scenario describes a false positive error—the condition where a scanner reports a vulnerability but that vulnerability does not actually exist.

65
Q

Which of the following types of staff are not frequently part of a CSIRT?

A. Technical subject matter experts

B. IT support staff

C. Legal counsel

D. Comptrollers

A

Answer:

D. Technical subject matter experts, IT support staff, legal counsel, human resources staff members, and public relations and marketing staff are all frequently part of the CSIRT. Comptrollers are rarely part of the response process.

66
Q

Which of the following is not well suited to identifying network scans and probes?

A. IPS

B. SNMP traps

C. Firewall

D. SIEM

A

Answer:

B. IPS and firewall devices can detect scans and probes, and may have built-in detection methods. A SIEM can pull data from multiple sources, identifying scans and probes against a variety of devices. SNMP traps provide information about the state of a device but are not useful when attempting to detect network scans or probes.

67
Q

Olivia has requested that her development team run their web application security testing tools against their web applications, despite the fact that they just installed the most recent patches. What is this type of testing called?

A. Regression testing

B. Patch state validation

C. WAV testing

D. HTTP checking

A

Answer:

A. Regression testing focuses on ensuring that changes have not reintroduced problems or created new issues. Olivia has asked her team to do regression testing to make sure that the patches have not created new problems or brought an old problem back.

68
Q

What type of testing directly targets error handling paths, particularly those that are rarely used or might otherwise be missed during normal testing?

A. Fuzzing

B. Mutation testing

C. Fault injection

D. Fagan inspection

A

Answer:

C. Fault injection directly injects faults into the error handling paths of an application and focuses on areas that might otherwise be missed. Fuzzing sends unexpected data, whereas mutation testing modifies the program itself to see how it handles unexpected behaviors. Fagan inspection is a formal inspection process.

69
Q

Which of the following pieces of information does Windows not capture by default about USB devices when they are plugged in?

A. The capacity of the device

B. The device name

C. The device serial number

D. The unit’s vendor ID

A

Answer:

A. Windows captures quite a bit of useful data about USB devices when they are connected, but it does not capture the device’s capacity. The device name, serial number, vendor, brand, and even the user ID of the currently logged-in user when it was plugged in are captured.

70
Q

When searching a Windows system for forensic data, where can point-in-time details of prior actions taken on the machine sometimes be found?

A. The Windows Registry

B. Autorun keys

C. Hibernation files

D. Volume shadow copies

A

Answer:

D. Windows workstations can be a treasure trove of forensic information. Volume shadow copies are manual or automatic copies of files or volumes kept by Windows systems for backup.

71
Q

Bonnie ran a vulnerability scan against one of her servers and received a report that the server contains buffer overflow vulnerabilities in the operating system. Which one of the following would be the most effective defense?

A. Input validation

B. Firewall

C. Operating system patching

D. Intrusion prevention system

A

Answer:

C. Buffer overflow vulnerabilities in an operating system require a vendor-supplied patch to correct. Input validation would not be an effective defense. While firewalls and intrusion prevention systems may block an attack, they would not resolve the underlying problem.

72
Q

Which one of the following protocols would not generate a network vulnerability report if run on a production system?

A. SSLv2

B. SSLv3

C. TLS 1.1

D. All three would generate a vulnerability.

A

Answer:

D. None of these protocols should be used on a secure network. All versions of SSL contain unfixable vulnerabilities, as do TLS versions earlier than 1.2.

73
Q

Chelsea’s company runs an industrial control system (ICS) from a vendor that no longer provides support. The system has a newly discovered vulnerability to buffer overflow attacks. What would be the best way to defend this system?

A. Apply a patch

B. Rewrite the code

C. Place it on a segmented network

D. Use encryption

A

Answer:

C. Network segmentation is a strong security control for ICS networks. Chelsea does not have access to the source code so she cannot rewrite it. No patch is available because the vendor no longer provides support. Encryption would not provide a defense against a buffer overflow attack.

74
Q

What component of a virtualized infrastructure is responsible for ensuring that software running on one virtualized system does not receive access to areas of memory that are reserved for use by another virtualized system?

A. Hypervisor

B. Virtual guest

C. Virtual host

D. Physical hardware

A

Answer:

A. In a virtualized datacenter, the virtual host hardware runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources.

75
Q

Frank received a phone call from a user who is traveling and accessing the Wi-Fi network at a hotel. The user tried to access a corporate website and received an error message that the certificate was invalid. No other users are receiving this error. What is the most likely explanation for this error message?

A. The company’s website is using an expired certificate.

B. The company’s website has an incorrect certificate installed.

C. The hotel uses a captive portal.

D. Another user on the hotel network is attempting to eavesdrop on the connection.

A

Answer:

C. The most likely scenario is that the hotel is running a captive portal and the user must authenticate before trying to access other websites. While the other scenarios are possible, they are not as likely. If the error were with the company’s certificate, other users would be reporting the same problem. It is possible that another hotel guest is attempting to trick the user into accepting a false certificate, but this is unlikely.