JasonDion Practice Exam 1 Flashcards
In managing the cybersecurity of a multinational banking corporation, how would the use of a specific Key Performance Indicator such as ‘Time To Patch’ enhance the overall effectiveness and responsiveness of the vulnerability management process, especially considering the high-risk nature of the banking sector?
A. To assess employee performance across departments.
B. To identify new market opportunities.
C. It would give the organisation an accurate measurement of current patching efficiency.
D. To evaluate the company’s growth potential.
C. It would give the organisation an accurate measurement of current patching efficiency.
Time to patch is a key performance indicator (KPI) that measures the average amount of time it takes to patch a vulnerability. A low time to patch indicates that an organization is quickly fixing known vulnerabilities, which can help to reduce the risk of exploitation. Identifying market opportunities is typically not associated with vulnerability management KPIs; these KPIs aim to quantify the success of security practices. While important, this is not the primary purpose of vulnerability management KPIs; these KPIs measure the effectiveness of security management. While business growth is an important consideration, metrics and KPIs in vulnerability management specifically measure the effectiveness of security processes.
Your organization’s server is hit with a ransomware attack, encrypting critical business data. You’ve been asked to communicate with a third-party vendor who provides data backup services for your company. In this scenario, which stakeholder role do you MOST align with?
A. Executive Management.
B. Incident response communication.
C. Regulatory reporting.
D. Public relations.
B. Incident response communication.
As a part of incident response communication, you’d be coordinating with vendors, internal teams, and other relevant stakeholders to ensure an effective response to the incident. In this scenario, you’re dealing directly with a third-party vendor to respond to the incident, not handling public or media communications related to the incident. While executive management would be involved in high-level decisions and communication, your role in this scenario is more operational, focusing on addressing the incident. While it’s important to report significant incidents to regulatory bodies, your role in this scenario is not focused on this aspect.
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?
A. OpenIOC
B. Diamond Model of Intrusion Analysis
C. Lockheed Martin cyber kill chain
D. MITRE ATT&CK framework
D. MITRE ATT&CK framework
The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.
Your organization has experienced a significant cybersecurity incident, and an executive summary of the incident has been prepared. However, the board of directors has requested detailed evidence supporting the summary. Where would they typically find this information?
A. In the public relations communication.
B. In the executive summary.
C. In the regulatory reporting.
D. In the evidence section of the incident response report.
D. In the evidence section of the incident response report.
The evidence section typically contains all detailed information, data, and artifacts related to the incident, supporting the claims and conclusions made in the executive summary. Regulatory reporting is focused on providing information to regulatory bodies and usually does not include detailed evidence supporting an executive summary. The executive summary is meant to provide a high-level overview of the incident, and while it should be accurate, it typically does not include detailed evidence. Public relations communications are intended for external stakeholders and are not typically used for providing detailed evidence related to an incident.
Your company plans to test its web applications for vulnerabilities. Which tool would be appropriate for this task?
A. Wireshark
B. Burp Suite
C. Metasploit
D. Nmap
B. Burp Suite
Burp Suite is a robust penetration testing toolkit specifically tailored for assessing the security posture of web applications. It provides a broad array of features, including automated scanning, manual testing tools, and functionality for mapping application attack surfaces. By enabling penetration testers to probe for weaknesses, such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), it serves as a critical tool in identifying potential vulnerabilities before they can be exploited by malicious actors. Nmap is a network scanning tool, not a web application vulnerability scanner like Burp Suite. Metasploit is a framework for penetration testing and exploits but does not specialize in web application vulnerability scanning like Burp Suite. While Wireshark is useful for network protocol analysis, it is not specifically designed for web application vulnerability testing.
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?
A. Data sanitization
B. Data retention
C. Data recovery
D. Data correlation
D. Data correlation
Data correlation is the first step in making sense of data from across numerous sensors. This ensures each piece of data is placed in relation to the other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. Data correlation allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT?
A. Endpoint forensics.
B. Network forensics.
C. Endpoint behaviour analysis.
D. Network traffic analysis.
A. Endpoint forensics.
An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.
Why is regular vulnerability management reporting critical to an organization’s security posture?
A. It’s essential for enhancing the company’s brand image.
B. It’s key to improving the company’s stock performance.
C. It’s primarily important for increasing employee productivity.
D. To aid in effective prioritization and remediation.
D. To aid in effective prioritization and remediation.
Regular reporting provides ongoing visibility into system vulnerabilities, aiding in effective prioritization and remediation strategies. While strong security can enhance a company’s reputation, the primary objective of vulnerability management reporting is to ensure effective security management. While robust security can indirectly contribute to a company’s overall performance, the immediate goal of vulnerability management reporting is to aid in maintaining a secure system. While productivity is a vital organizational goal, the primary aim of vulnerability management reporting is to maintain awareness of the system’s security status.
Edward’s bank recently suffered an attack where an employee made an unauthorized modification to a customer’s bank balance. Which tenet of cybersecurity was violated by this employee’s actions?
A. Integrity
B. Authentication
C. Availability
D. Confidentiality
A. Integrity
The CIA Triad is a security model that helps people think about various parts of IT security. Integrity ensures that no unauthorized modifications are made to the information. The attack described here violates the integrity of the customer’s bank account balance. Confidentiality is concerned with unauthorized people seeing the contents of the data. In this scenario, the employee is authorized to see the bank balance but not change its value. Availability is concerned with the data being accessible when and where it is needed. Again, this wasn’t affected by the employee’s actions. Authentication is concerned with only authorized people accessing the data. Again, this employee was authorized to see the balance.
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?
A. A scan result showing a version that is different from the automated asset inventory.
B. Items classified by the system as Low or as For Informational Purposes Only.
C. An HTTPS entry that indicates the web page is securely encrypted.
D. A finding that shows the scanner compliance plug-ins are not up-to-date.
B. Items classified by the system as Low or as For Informational Purposes Only.
When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. An HTTPS entry that indicates the web page is securely encrypted is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed ‘history’ into the prompt and see the output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> echo 127.0.0.1 diontraining.com >> /etc/hosts
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes what actions were performed by this line of code?
A. Added the website to system’s whitelist in the hosts file.
B. Attempted to overwrite the host file and deleted all data except this entry.
C. Routed traffic destined for the diontraining.com domain to the localhost.
D. Routed traffic destined for the localhost to the diontraining.com domain.
C. Routed traffic destined for the diontraining.com domain to the localhost.
Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain or to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com is being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The >> operator redirects the output of the command on its left (echo) and appends it to the end of the file named on its right. If > were used instead of >>, this command would have overwritten the hosts file completely with this single entry. The hosts file is not a system whitelist file.
During an incident response, your team identified that an attacker performed a scan on your network, then delivered malware via a phishing email, which was exploited to install a backdoor on the system. The attacker then executed commands to exfiltrate data. Which framework would BEST represent this attack sequence?
A. Cyber Kill Chain
B. OWASP Testing Guide
C. Diamond Model of Intrusion Analysis
D. MITRE ATT&CK
A. Cyber Kill Chain
The Cyber Kill Chain is a model developed by Lockheed Martin that describes the stages of a cyberattack from reconnaissance (scanning the network) through delivery (phishing email), exploitation (using malware), installation (installing a backdoor), command and control (executing commands), and actions on objectives (exfiltrating data). The Diamond Model focuses on the relationship between four main elements of an attack: adversary, infrastructure, victim, and capability, rather than the stages of an attack. While the MITRE ATT&CK framework does detail a variety of tactics, techniques, and procedures used by attackers, it does not describe a linear progression of an attack like the Cyber Kill Chain does. The OWASP Testing Guide provides a framework for web application security testing, not a model describing the stages of a cyberattack.
Dion Training is concerned with the possibility of employees accessing another user’s workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening?
A. Require a username and a password for user logins.
B. Install security cameras in secure areas to monitor logins.
C. Enforce a policy that requires passwords to be changed every 30 days.
D. Require biometric identification for user logins.
D. Require biometric identification for user logins.
The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee’s username and password, they would be prevented from logging into the workstation without the employee’s finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won’t prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who actually logged in (after the fact), though.
If an administrator cannot fully remediate a vulnerability, which of the following should they implement?
A. An engineering tradeoff.
B. A policy.
C. A compensating control.
D. Access requirements.
C. A compensating control.
Based on the question’s wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of a compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.
What SCAP component could be used to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion?
A. XCCDF
B. CCE
C. CPE
D. CVE
A. XCCDF
XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
If a company’s Service Level Objectives (SLOs) mandate that critical vulnerabilities be patched within a specific timeframe, why would monitoring adherence to this SLO be a valuable Key Performance Indicator (KPI) for vulnerability management?
A. Adherence to this SLO indicates the company’s overall profitability.
B. Keeping track of the SLO can inform the company about the need for new hardware.
C. To measure the effectiveness of the vulnerability management program.
D. Monitoring adherence to SLOs can help the company evaluate its brand image.
C. To measure the effectiveness of the vulnerability management program.
By tracking this KPI, an organization can measure how effectively and promptly the vulnerability management team is addressing high-risk security issues. While brand image is an important business consideration, adherence to vulnerability management SLOs primarily indicates the effectiveness of security processes. Hardware needs and the speed of vulnerability remediation are distinct considerations; tracking this KPI primarily provides insights about the latter. While profitability is vital for a business, tracking SLO adherence primarily gives insights into the effectiveness of the vulnerability management process.
Which analysis framework makes no allowance for an adversary retreat in its analysis?
A. Diamond Model of Intrusion Analysis.
B. MITRE ATT&CK framework.
C. Lockheed Martin cyber kill chain.
D. AlienVault (AT&T Cybersecurity) Cyber Kill Chain.
C. Lockheed Martin cyber kill chain.
The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond’s models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.
After the SolarWinds supply chain attack, a software company that also used SolarWinds’ software decided to deploy an intrusion detection system (IDS) to monitor network traffic and alert for any signs of malicious activity. In the context of this scenario, what incident response activity is the software company performing?
A. Recovery.
B. Implementing compensating controls.
C. Containment.
D. Eradication.
B. Implementing compensating controls.
By deploying an intrusion detection system (IDS), the software company is implementing compensating controls to augment their existing security measures and to protect against potential breaches. Eradication involves removing the components of an attack from the network. The company is not eradicating a threat in this scenario; rather, it’s implementing controls to detect potential threats. Recovery involves restoring systems to normal operation. While IDS can be part of a recovery plan, in this scenario, the company is implementing IDS as a proactive measure, not as part of recovery from a specific incident. Containment involves taking steps to prevent an intrusion from spreading further. In this scenario, the company is implementing compensating controls, not containing an existing breach.
Which of the following is NOT a host-related indicator of compromise?
A. Beaconing.
B. Memory consumption.
C. Drive capacity consumption.
D. Processor consumption.
A. Beaconing.
Beaconing is considered a network-related indicator of compromise. Memory consumption, processor consumption, and drive capacity consumption are all classified as host-related indicators of compromise.
Fail to Pass Systems has just become the latest victim in a large scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach?
A. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim.
B. Conduct a ‘hack-back’ of the attacker in order to retrieve the stolen information.
C. Provide a statement to the press that minimizes the scope of the breach.
D. Conduct notification to all affected customers within 72 hours of the discovery of the breach.
D. Conduct notification to all affected customers within 72 hours of the discovery of the breach.
Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly impossible to steal it back as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical and illegal.
After a significant security breach involving customer data leakage, your organization conducts a comprehensive review. The aim is to comprehend the contributing factors that led to this incident and to establish measures to avert such incidents in the future. Which term best describes this specific post-incident activity?
A. Lessons learned.
B. Forensic analysis.
C. Root cause analysis.
D. Incident response plan.
A. Lessons learned.
The lessons learned process involves a thorough review after an incident to identify what happened, what was done well, and what needs to be improved to prevent similar incidents in the future. An incident response plan is a set of procedures and processes to handle and manage an incident effectively. It is used in preparation for potential incidents, not in post-incident activity. Forensic analysis involves a meticulous examination of all evidence related to an incident to understand its origin, extent, and impact. It does not inherently focus on the improvement of future responses. Root cause analysis seeks to identify the initial cause of an issue, but does not involve a broad review of the incident response process.
As part of your organization’s proactive threat hunting, you’re considering gathering threat intelligence from the deep web and dark web. What could be a significant benefit of this approach?
A. Increasing the organization’s web presence.
B. Discovering potential threats before they impact your organisation.
C. Eliminating all cyber threats.
D. Avoiding the need for other security measures.
B. Discovering potential threats before they impact your organisation.
Gathering threat intelligence from the deep web and dark web can help your organization identify emerging threats or planned attacks before they affect your network. While gathering intelligence can help identify and mitigate threats, it does not guarantee the elimination of all cyber threats. Gathering threat intelligence is a part of a broader security strategy and should be used in conjunction with other security measures, not in lieu of them. Gathering threat intelligence from the deep web and dark web is not related to increasing an organization’s web presence; it’s about identifying potential cyber threats.
Which of the following is a characteristic of the Deep Web?
A. Accessible through standard browsers.
B. Predominantly used for illegal activities.
C. Contains information not indexed by standard search engines.
D. Only includes encrypted data.
C. Contains information not indexed by standard search engines.
The Deep Web contains information that is not indexed by standard search engines, making it invisible to conventional searches. The Deep Web does not only include encrypted data. It includes all data not indexed by search engines, whether encrypted or not. The Deep Web is not typically accessible through standard browsers. It requires specific software (like Tor) for access. While some illegal activities do occur on the Deep Web, it is also used for many legitimate purposes.
You are conducting a grep search on a log file using the following REGEX expression:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would be included in the output of the search?
A. support@diontraining.com
B. www.diontraining.com
C. jason_dion@dion.training
D. jason.dion@diontraining.com
A. support@diontraining.com
In the above REGEX, the \b anchor indicates that we are looking for whole words. The strategic use of the + operator marks the three places where the word is broken into parts. The first part, [A-Za-z0-9_%+-]+, is composed of upper- or lower-case alphanumeric characters plus the symbols _ % + -. After the first part of the word, the at sign (@) is specified, followed by another word ([A-Za-z0-9.-]+), a period (.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of something@something.com (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of jason.dion@diontraining.com is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of jason_dion@dion.training is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.
In the aftermath of a security incident, you as an incident responder have documented a series of recommended actions to prevent similar occurrences in the future. Where would these recommendations typically be documented in an incident response report?
A. In the evidence section.
B. In the recommendations section.
C. In the executive summary.
D. In the root cause analysis.
B. In the recommendations section.
The recommendations section is typically where any suggested actions or strategies are outlined, based on the analysis and lessons learned from the incident. The executive summary provides a high-level overview of the incident and does not typically contain detailed recommendations for future action. The evidence section typically contains all detailed information, data, and artifacts related to the incident, not recommendations for future action. The root cause analysis focuses on identifying the underlying causes of the incident, not providing recommendations for future action.
Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and to remotely wipe corporate information without affecting the user’s personal data?
A. Containerization.
B. Touch ID.
C. Face ID.
D. Long and complex passwords.
A. Containerization.
Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user’s personal accounts, apps, and data. This technology basically creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.
An organization wants to get an external attacker’s perspective on their security status. Which of the following services should they purchase?
A. Penetration test.
B. Vulnerability scan.
C. Patch management.
D. Asset management.
A. Penetration test.
Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
Evaluate the following log entry:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this log entry, which of the following statements are true?
A. An attempted connection to the telnet service was prevented.
B. The packet was blocked inbound to the network.
C. MAC filtering is enabled on the firewall.
D. An attempted connection to the ssh service was prevented.
E. The packet was blocked from the network.
F. Packets are being blocked inbound to and outbound from the network.
A. An attempted connection to the telnet service was prevented.
B. The packet was blocked inbound to the network.
Firewall log formats will vary by vendor, but this example is a commonly used format from the Linux iptables firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word “drop” shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound interface (IN=eth0), so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination (DPT) ports. In this case, the DPT is 23, which is the well-known port for telnet. Based on this single log entry, we cannot tell whether packets are also being blocked when they attempt to leave the network, or whether connections to the ssh service (port 22) are also being blocked.
A major cyber incident has occurred at your organization. As a part of the incident response team, you have been tasked with analyzing the incident, including who caused it, what systems were affected, when it occurred, where it originated from, and why it happened. What kind of report are you preparing?
A. Regulatory reporting.
B. Root cause analysis report.
C. Incident declaration report.
D. Incident response report.
D. Incident response report.
An incident response report includes comprehensive details of the incident, including who, what, when, where, and why. While a root cause analysis report may include some of these details, it primarily focuses on the underlying cause of the incident. Regulatory reports are usually a part of compliance with legal requirements and do not typically contain a detailed analysis of the incident. An incident declaration report usually precedes the incident response and does not typically contain detailed analysis of the incident.
A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company’s security controls. Which DNS assessment technique would be classified as active?
A. Using maltego.
B. A whois query.
C. A zone transfer.
D. A DNS forward or reverse lookup.
C. A zone transfer.
A DNS zone transfer, also known by the query type that triggers it, AXFR, is a DNS transaction type. It is one of the mechanisms available for administrators to replicate DNS databases across a set of DNS servers. Requesting a zone transfer means connecting directly to the target's authoritative nameserver and asking it to hand over every record in the zone, so it is an active technique, and one the server will log; a properly configured server restricts transfers to its secondaries and answers REFUSED. Performing a whois query is a passive reconnaissance technique that queries the databases storing the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, and is also used for a wider range of other information. DNS forward and reverse lookups resolve names to IP addresses and IP addresses to names; although a lookup does send a query, it is the same traffic every client on the Internet generates and is normally answered by an intermediate resolver rather than the target's own servers, so it is treated as passive. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively, since it can acquire it from whois servers, DNS lookups against public DNS servers, or even the emails and hostnames one can obtain from theHarvester.
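To make concrete why a zone transfer is active, here is a minimal AXFR client built on raw sockets, added as an example and not part of the flashcards or of any tool: it opens a TCP connection to the target's nameserver on port 53 and asks for the whole zone (RFC 5936), which is a request the server sees and logs. The zone name, nameserver and the two canned responses (an open server handing over its records, and a restricted server answering REFUSED) are constructed assumptions so the parsing can be exercised offline; `request_axfr` is the only function that touches the network.

```python
"""Raw-socket AXFR client. Example code added for illustration; not from the
flashcards or any project. Names, addresses and canned replies are constructed."""
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_AXFR = 1, 2, 6, 252
QCLASS_IN = 1
TYPE_NAMES = {QTYPE_A: "A", QTYPE_NS: "NS", QTYPE_SOA: "SOA"}
RCODE_REFUSED = 5                              # what a correctly restricted server answers


def encode_name(name):
    """Domain name -> length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer: 11xxxxxx xxxxxxxx
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                      # hostile data: refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_axfr_query(zone, txid=0x1234):
    """TCP-framed AXFR query: 2-byte length, 12-byte header, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # plain query, RD=0
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg):
    """One DNS message -> (rcode, [(owner, type, ttl, rdata_text), ...])."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            text = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == QTYPE_NS:
            text, _ = decode_name(msg, off)    # NS rdata may be compressed too
        else:
            text = "<%d bytes>" % rdlen
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, text))
        off += rdlen
    return flags & 0xF, records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("nameserver closed the connection early")
        buf += chunk
    return buf


def request_axfr(nameserver, zone, timeout=5.0):
    """Actively pull the zone over TCP/53. The request is visible in the server's
    logs, so only run it against infrastructure you are authorised to test."""
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        while soa_seen < 2:                    # a transfer ends with a second SOA
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            rcode, recs = parse_response(recv_exact(s, length))
            if rcode != 0:
                raise PermissionError("AXFR rejected, RCODE %d" % rcode)
            for rec in recs:
                records.append(rec)
                if rec[1] == "SOA":
                    soa_seen += 1
    return records


def sample_open_response():
    """Constructed reply from a misconfigured server that allows AXFR to anyone."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)   # QR=1 AA=1 RCODE=0
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    zone = b"\xc0\x0c"                         # pointer to "example.com." at offset 12
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300))

    def rr(owner, rtype, ttl, rdata):
        return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata

    return (header + question + rr(zone, QTYPE_SOA, 3600, soa)
            + rr(zone, QTYPE_NS, 3600, b"\x03ns1" + zone)
            + rr(b"\x03www" + zone, QTYPE_A, 300, bytes([192, 0, 2, 10]))
            + rr(zone, QTYPE_SOA, 3600, soa))


def sample_refused_response():
    """Constructed reply from a server whose allow-transfer list excludes us."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | RCODE_REFUSED, 1, 0, 0, 0)
    return header + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
```

Against a live nameserver you would call `request_axfr("ns1.example.com", "example.com")`; the open sample parses into the SOA, NS, A and closing SOA records, while the refused sample yields RCODE 5 with no records, which is the answer a hardened server gives and the condition `request_axfr` turns into an exception.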
Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization’s headquarters?
A. Bollards.
B. Intrusion alarm.
C. Security guards.
D. Mantraps.
A. Bollards.
Bollards are a physical security control designed to prevent a vehicle-ramming attack. Bollards are typically built as sturdy, short, vertical posts. Some organizations install more decorative bollards made of concrete that are large enough to plant flowers or trees inside. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect an attack in progress but cannot physically stop a moving vehicle.
Dion FutureScope AI system has multiple vulnerabilities. One of them has a high likelihood of being exploited and could lead to a minor loss of non-sensitive data. Another one has a moderate likelihood of being exploited but could lead to a significant loss of sensitive data. Which vulnerability should be addressed first?
A. The vulnerability with the moderate likelihood of exploitation and significant potential data loss.
B. Both vulnerabilities should be addressed simultaneously.
C. The vulnerability with the high likelihood of exploitation and minor data loss.
D. Neither vulnerability needs to be addressed until an attack occurs.
A. The vulnerability with the moderate likelihood of exploitation and significant potential data loss.
The vulnerability with a moderate likelihood of exploitation but a significant potential loss of sensitive data has the greater expected harm, and thus should be addressed first. While it is ideal to address all vulnerabilities as soon as possible, prioritization helps manage resources and effort efficiently. Waiting for an attack to occur is a risky approach, since it could lead to data loss and other damage. Although the other vulnerability has a high likelihood of being exploited, it only leads to a minor loss of non-sensitive data.
Which of the following is the default nmap scan type when you do not provide a flag when issuing the command?
A. A TCP FIN scan.
B. A TCP SYN scan.
C. A TCP connect scan.
D. A UDP scan.
B. A TCP SYN scan.
By default, Nmap performs a SYN scan (-sS), though it substitutes a TCP connect scan (-sT) if the user does not have the privileges needed to send raw packets (root access on Unix). A UDP scan requires the -sU flag to be issued when launching an nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching an nmap scan.
The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation?
A. Hard drive, Swap, CPU cache, RAM.
B. Swap, RAM, CPU cache, Hard drive.
C. CPU cache, RAM, Swap, Hard drive.
D. RAM, CPU cache, Swap, Hard drive.
C. CPU cache, RAM, Swap, Hard drive.
The order of volatility states that you should collect the most volatile (least persistent) data first and the least volatile (most persistent) data last. The most volatile data resides in the CPU Cache since this small memory cache is overwritten quickly during computer operations. Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shut down or the power is lost. Third, you should collect the Swap file, a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations. Finally, you should collect the data from the hard disk, as it is the least volatile and remains on the hard disk until a command is given to delete it. Data on a hard disk remains even when power is removed from the workstation.