Implementation Flashcards
A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?
The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.
The presence of Mimikatz alerts and reports of new company flash drives having only 512KB of storage indicate a potential security incident involving malicious activity. Mimikatz is a well-known tool used for extracting passwords and other sensitive information from memory.
A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?
Jailbreaking
A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data?
Sensitive
In the healthcare industry, patient data is typically classified as sensitive. This means that it is important to take extra precautions to protect it from unauthorized access, use, or disclosure.
A small business uses kiosks on the sales floor to display product information for customers. A security team discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely to document as a security implication of the current architecture?
Patch availability
Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?
NIST 800-53
A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team’s process. Which of the following is the analyst most likely participating in?
MITRE ATT&CK
MITRE ATT&CK provides a comprehensive list of threat actor behaviors across various stages of the cyber attack lifecycle.
During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization’s network. Which of the following fulfills this request?
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be best for the analyst to use on the syslog server to search for recent traffic to the command-and-control website?
tail -500 /logfiles/messages | grep www.comptia.com
An administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use?
NIPS solution
A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogeneous platforms?
Applying MDM software
An organization's Chief Security Officer (CSO) wants to validate the business's involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?
A tabletop exercise
A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs. Which of the following is the MOST likely cause of this issue?
TFTP was disabled on the local hosts.
A security analyst is reviewing the output of a web server log and notices a particular account is attempting to transfer large amounts of money:
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=500000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=5000000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=1000000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=500 HTTP/1.1
Which of the following types of attacks is MOST likely being conducted?
CSRF
During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?
Zero day
A network manager is concerned that business may be negatively impacted if the firewall in the datacenter goes offline. The manager would like to implement a high availability pair to:
remove the single point of failure
A large industrial system’s smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company’s security manager notices the generator’s IP is sending packets to an internal file server’s IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?
Segmentation
A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization’s vulnerabilities. Which of the following would BEST meet this need?
CVSS
A security analyst is investigating a report from a penetration test. During the penetration test, consultants were able to download sensitive data from a back-end server. The back-end server was exposing an API that should have only been available from the company’s mobile application. After reviewing the back-end server logs, the security analyst finds the following entries:
10.35.45.53 - - [22/May/2020:06:57:31 +0100] "GET /api/cliend_id=1 HTTP/1.1" 403 1703
"http://www.example.com/api/" "PostmanRuntime/7.26.5"
10.35.45.53 - - [22/May/2020:07:00:58 +0100] "GET /api/cliend_id=2 HTTP/1.1" 403 1703
"http://www.example.com/api/" "PostmanRuntime/7.22.0"
10.32.40.13 - - [22/May/2020:08:08:52 +0100] "GET /api/cliend_id=1 HTTP/1.1" 302 21703
"http://www.example.com/api/" "CompanyMobileApp/1.1.1"
10.32.40.25 - - [22/May/2020:08:13:52 +0100] "GET /api/cliend_id=1 HTTP/1.1" 200 21703
"http://www.example.com/api/" "CompanyMobileApp/2.3.1"
10.35.45.53 - - [22/May/2020:08:20:18 +0100] "GET /api/cliend_id=2 HTTP/1.1" 200 22405
"http://www.example.com/api/" "CompanyMobileApp/2.3.0"
Which of the following is the MOST likely cause of the security control bypass?
User-agent spoofing
A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee’s COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST mitigation strategy to prevent this from happening in the future?
CASB
A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?
A supply-chain attack
A security administrator wants to implement a program that tests a user’s ability to recognize attacks over the organization’s email system. Which of the following would be BEST suited for this task?
Phishing campaign
An organization has expanded its operation by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day. Which of the following VPN solutions would BEST support the new office?
Site-to-site
A security analyst discovers that a company’s username and password database were posted on an internet forum. The usernames and passwords are stored in plaintext. Which of the following would mitigate the damage done by this type of data exfiltration in the future?
Implement salting and hashing
A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the internet all day. Which of the following would MOST likely show where the malware originated?
The DNS logs
A security analyst is reviewing logs on a server and observes the following output:
01/01/2020 03:33:23 admin attempted login with password sneak
01/01/2020 03:33:32 admin attempted login with password sneaked
01/01/2020 03:33:41 admin attempted login with password sneaker
01/01/2020 03:33:50 admin attempted login with password sneer
01/01/2020 03:33:59 admin attempted login with password sneeze
01/01/2020 03:34:08 admin attempted login with password sneezy
Which of the following is the security analyst observing?
A dictionary attack
A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the following output.
HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache
root:s9fyf983#:0:1:System Operator:/:/bin/bash
daemon:*:1:1::/tmp:
user1:fi@su3FF:183:100:user:/home/users/user1:/bin/bash
Which of the following attacks was successfully implemented based on the output?
Directory traversal
A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?
Full backups
Which of the following BEST describes data streams that are compiled through artificial intelligence and provide insight on current cyber intrusions, phishing, and other malicious cyber activity?
Threat feeds
A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log.
Which of the following describes the method that was used to compromise the laptop?
An attacker was able to bypass the application approve list by emailing a spreadsheet attachment with an embedded PowerShell in the file
Based on the provided log information, it appears that the attacker was able to use PowerShell to execute a script (lat.ps1) on the compromised laptop (PC1), with Outlook as the creator process. Additionally, an attempt to execute a blocked executable (asdf234.exe) on PC1 was stopped by Group Policy.
Therefore, it is likely that the attacker used a technique to bypass the application approve list in order to execute the PowerShell script.
There is no evidence provided in the log information that suggests the attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack, install malware to the C:\asdf234 folder to gain administrator rights, or phish user credentials successfully from an Outlook user profile.
Therefore, based on the available information, the most likely method used to compromise the laptop is that the attacker was able to bypass the application approve list by emailing a spreadsheet attachment with an embedded PowerShell in the file.
A security analyst is using OSINT to gather information to verify whether company data is available publicly. Which of the following is the BEST application for the analyst to use?
theharvester
Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization?
To provide data to quantify risk based on the organization’s systems
The BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization is to provide data to quantify risk based on the organization’s systems.
Asset management policies help organizations keep track of their assets, such as hardware and software, and identify any vulnerabilities or risks associated with them. By quantifying these risks, organizations can prioritize their security efforts and allocate resources accordingly to ensure that their assets are properly protected.
While keeping software and hardware fully patched for known vulnerabilities, only allowing approved devices onto the business network, and standardizing by selecting one laptop model for all users in the organization are all important aspects of maintaining a secure environment, they are only part of a comprehensive asset management policy.
The IT department’s on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?
Submit the application to QA before releasing it
A security administrator is managing administrative access to sensitive systems with the following requirements.
-Common login accounts must not be used for administrative duties.
-Administrative accounts must be temporal in nature.
-Each administrative account must be assigned to one specific user.
-Accounts must have complex passwords.
-Audit trails and logging must be enabled on all systems.
Which of the following is the security analyst observing?
PAM
Which of the following types of controls is a turnstile?
Physical
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization’s executives determine their next course of action?
A business continuity plan
Which of the following measures the average time that equipment will operate before it breaks?
MTBF
A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following would be done to prevent an attack like this from happening again? (Select THREE)
Use the latest version of software
Implement a screened subnet for the web server
Install an endpoint security solution
Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?
Security awareness training
Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?
Data loss prevention
Data loss prevention is the technology used to actively monitor for specific file types being transmitted on the network. Data loss prevention (DLP) tools are designed to detect and prevent unauthorized data exfiltration by monitoring and inspecting data as it moves across the network, including email, web traffic, and other network channels. DLP systems can identify specific file types and sensitive content, such as credit card numbers, social security numbers, and other sensitive data, and prevent them from leaving the network.
File integrity monitoring (FIM) is a security control that monitors changes to critical system files, including configuration files, log files, and executable files. FIM is used to detect unauthorized changes to files, such as those made by malware, but it does not actively monitor for specific file types being transmitted on the network.
Honeynets are a type of security tool that are designed to detect and analyze malware by creating a network of decoy systems that are designed to attract attackers. Honeynets are not used to actively monitor for specific file types being transmitted on the network.
Tcpreplay is a utility used for testing and validating network equipment by replaying real traffic from pcap files. It is not used for actively monitoring for specific file types being transmitted on the network.
A security analyst reviews a company’s authentication logs and notices multiple authentication failures. The authentication failures are from different usernames that share the same IP address. Which of the following password attacks is MOST likely happening?
Spraying
The password attack that is MOST likely happening in this scenario is spraying. Spraying is a type of password attack where an attacker tries a small number of commonly used passwords against a large number of usernames. In this case, the attacker is attempting to authenticate with different usernames that share the same IP address, which indicates that they are trying to test a small number of passwords against a large number of accounts.
Dictionary attacks and brute-force attacks are different types of password attacks that involve testing a large number of passwords against a single account or a small number of accounts.
A dictionary attack uses a list of common passwords, while a brute-force attack tries all possible password combinations.
Rainbow table attacks involve precomputing hashes of common passwords and storing them in a database, which can be used to quickly crack passwords. However, this type of attack is less likely in this scenario because the attacker is attempting to authenticate with multiple usernames, indicating that they are trying to test a small number of passwords against a large number of accounts rather than cracking a specific password.
An employee received multiple messages on a mobile device. The messages were instructing the employee to pair the device to an unknown device. Which of the following BEST describes what a malicious person might be doing to cause this issue to occur?
Bluesnarfing
Which of the following BEST describes the situation where a successful onboarded employee who is using a fingerprint reader is denied access at the company’s main gate?
Crossover error rate
Which of the following will provide the BEST physical security countermeasures to stop intruders? (Choose two.)
Access control vestibule
Fencing
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day operations. Which of the following documents did Ann receive?
An annual privacy notice
An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? (Choose three.)
SNMPv2, SNMPv3
HTTP, HTTPS
Telnet, SSH
While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:
Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability?
Physically check each system
An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer implement?
WAF
A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and, on the internet, using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?
Place the unauthorized application in a blocklist
An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the following is the MOST likely reason for this type of assessment?
The organization is expecting to process credit card information
A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this scenario?
Implementing application execution in a sandbox for unknown software
Which of the following supplies non-repudiation during a forensics investigation?
Using a SHA-2 signature of a drive image