JasonDion Practice Exam 2 Flashcards
In a network vulnerability assessment report, several zero-day and critical vulnerabilities were discovered. Why might this necessitate immediate action?
A. Because they indicate a need to hire more staff.
B. Because they signal a need to decrease the frequency of vulnerability assessments.
C. Because zero-day and critical vulnerabilities improve the system’s performance.
D. These vulnerabilities present significant risk due to no current security fix being available.
D. These vulnerabilities present significant risk due to no current security fix being available.
Zero-day and critical vulnerabilities are high-risk issues that can severely compromise a system’s security. A zero-day by definition has no vendor fix available, so the exposure cannot be closed by patching alone and compensating controls (isolation, filtering, monitoring) are needed immediately. The commonly cited “WannaCry” ransomware worm of 2017 shows how quickly such a weakness is abused: it spread across networks by exploiting a Windows SMBv1 vulnerability (MS17-010), encrypting files and demanding ransom payments in exchange for decryption. Strictly speaking, Microsoft had published a patch for that flaw about two months before the outbreak, so WannaCry is better described as an exploit of an unpatched critical vulnerability than as a true zero-day; the lesson about urgency is the same either way. These types of vulnerabilities are significant threats, not performance enhancers. While additional resources might be needed for vulnerability management, the presence of critical vulnerabilities does not directly indicate staffing needs. If anything, critical vulnerabilities suggest a need for more frequent and thorough assessments, not fewer.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
A. Choose a few existing workstations to test the patches.
B. Sandboxing.
C. Bypass testing and deploy patches directly into the production environment.
D. Virtualization.
D. Virtualization.
When you have limited hardware but must test patches against multiple operating systems, set up a virtualized environment and test the patch on a virtual machine of each operating system before deployment. Sandboxing isolates a single untrusted program and does not reproduce several operating systems. You should never deploy patches directly into production without first testing them in a lab; testing on a few production workstations still exposes those users to a bad patch and does not cover every operating system in use.
Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor’s tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it?
A. Dissemination
B. Analysis
C. Feedback
D. Collection
A. Dissemination
The dissemination phase is where the finished intelligence produced by analysis is published to the consumers who need to act on it, in this case the teams that will turn the threat actor’s TTPs into detections and controls. The collection phase is usually implemented by administrators using software such as a security information and event management (SIEM) platform, which must be configured with connectors or agents that retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase converts the collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which uses input from both intelligence producers and intelligence consumers to improve how the requirements, collection, analysis, and dissemination phases are carried out as the life cycle matures.
Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company’s biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server’s hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy’s data integrity matches that of the original web server’s hard disk?
A. AES
B. 3DES
C. SHA-256
D. RSA
C. SHA-256
SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.
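The integrity check Laura performs in practice is to record the SHA-256 of the original drive at acquisition and recompute it over the image. The following is an added example (not from the flashcards or Dion Training) of how that verification is done without reading a multi-gigabyte image into memory: a chunked hash, a parser for the `sha256sum` manifest format, and a constant-time comparison. The three-byte sample image and the file name `webserver.dd` are constructed stand-ins.

```python
import hashlib
import hmac
import io

# Constructed stand-in for an acquired image. A real image is a multi-GB .dd/.E01 file
# opened with open(path, "rb"); the name "webserver.dd" below is an assumption.
SAMPLE_IMAGE = b"abc"


def sha256_stream(fileobj, chunk_size=1024 * 1024):
    """Hash a binary stream in fixed-size chunks so a multi-GB disk image never has to
    be loaded into memory at once."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data, chunk_size=1024 * 1024):
    """Same routine over in-memory data (used by the demo below)."""
    return sha256_stream(io.BytesIO(data), chunk_size)


def parse_sha256sum_line(line):
    """Parse one line of a `sha256sum` manifest: '<64 hex>  <name>' (text mode)
    or '<64 hex> *<name>' (binary mode)."""
    line = line.rstrip("\n")
    if len(line) < 67 or line[64] != " " or line[65] not in " *":
        raise ValueError(f"not a sha256sum line: {line!r}")
    return line[:64].lower(), line[66:]


def verify_image(fileobj, expected_hex):
    """True when the stream's SHA-256 equals the hash recorded at acquisition.
    hmac.compare_digest compares in constant time; lower() makes the
    comparison case-insensitive."""
    return hmac.compare_digest(sha256_stream(fileobj), expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    """verify_image() over in-memory data."""
    return verify_image(io.BytesIO(data), expected_hex)


if __name__ == "__main__":
    # At acquisition: `sha256sum webserver.dd > webserver.dd.sha256`
    manifest_line = sha256_of_bytes(SAMPLE_IMAGE) + "  webserver.dd"
    expected, name = parse_sha256sum_line(manifest_line)
    print(name, "matches original:", verify_bytes(SAMPLE_IMAGE, expected))
    # A single flipped bit in the working copy must fail verification.
    tampered = bytes([SAMPLE_IMAGE[0] ^ 0x01]) + SAMPLE_IMAGE[1:]
    print("tampered copy matches original:", verify_bytes(tampered, expected))
```

The recorded hash belongs in the chain-of-custody paperwork alongside the image; re-running the check on every copy (and after every transfer) is what lets the analyst testify that the evidence examined is the evidence collected.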
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account’s cached credentials when the user logged into an SSO system?
A. Golden ticket
B. Lateral movement
C. Pass the hash
D. Pivoting
C. Pass the hash
Pass the Hash (PtH) is the technique of harvesting an account’s cached credential, the NTLM password hash, from a host the user has signed in to (for example from LSASS memory or the SAM) and replaying that hash to authenticate to other systems without ever recovering the plaintext password. Single sign-on makes this effective because the same hash is accepted by every system that trusts the domain. A golden ticket is a forged Kerberos ticket-granting ticket (TGT) created with the krbtgt account’s hash in an Active Directory environment; attackers who can create a golden ticket can request service tickets for administrative access to any domain member, including domain controllers. Lateral movement is an umbrella term for a variety of attack types; attackers can extend their lateral movement a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement: when attackers pivot, they compromise one central host (the pivot) that allows them to reach other hosts that would otherwise be inaccessible.
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?
A. Data correlation
B. Data retention
C. Data recovery
D. Data sanitization
A. Data correlation
Data correlation is the first step in making sense of data from numerous sensors: it places each record in context with the other records the SIEM holds about the same hosts, addresses, users, and time window. For example, if your IDS detected an incident, host logs were collected, and your packet capture system recorded the network traffic, the SIEM can correlate all three pieces of information from these different systems so an analyst can understand the event better. Data correlation lets an analyst identify a pattern more clearly and take action, and it should be performed as soon as the SIEM indexes the data. Retention governs how long data is kept, recovery restores lost data, and sanitization securely erases it; none of these help interpret overlapping records of the same event.
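The IDS / host log / packet capture scenario above is the classic correlation join. The following is an added example (not from the flashcards or Dion Training) that performs that join in miniature: it pivots on each IDS alert and attaches host-log lines from the alerted host and flows between the same source and destination that fall inside a time window, then ranks alerts by how many independent sources agree. All events, IPs, hosts, and signature names are constructed.

```python
from datetime import datetime, timedelta

# Constructed events from three sources (IDS, host logs, packet-capture flow summary).
# Timestamps, hosts, IPs and signature names are assumptions for the demo.
IDS_ALERTS = [
    {"ts": "2024-03-04T10:15:02", "src": "203.0.113.7", "dst": "10.0.5.21",
     "sig": "ET WEB_SERVER Possible SQL Injection"},
    {"ts": "2024-03-04T11:40:10", "src": "198.51.100.9", "dst": "10.0.5.30",
     "sig": "ET SCAN Nmap Scripting Engine"},
]
HOST_LOGS = [
    {"ts": "2024-03-04T10:15:05", "host": "10.0.5.21", "msg": "www-data spawned /bin/sh"},
    {"ts": "2024-03-04T10:42:00", "host": "10.0.5.21", "msg": "cron job finished"},
    {"ts": "2024-03-04T11:40:12", "host": "10.0.5.40", "msg": "sshd: accepted publickey"},
]
PCAP_FLOWS = [
    {"ts": "2024-03-04T10:14:59", "src": "203.0.113.7", "dst": "10.0.5.21", "bytes": 18342},
    {"ts": "2024-03-04T11:40:08", "src": "198.51.100.9", "dst": "10.0.5.30", "bytes": 1200},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _within(a, b, window):
    return abs(_ts(a) - _ts(b)) <= window


def correlate(alerts, host_logs, flows, window=timedelta(seconds=30)):
    """Pivot on each IDS alert: attach host-log lines from the alerted host and
    flows between the same source/destination pair that fall inside the time
    window. All sources must share a synchronized clock (NTP) for this to work."""
    incidents = []
    for alert in alerts:
        host_events = [h for h in host_logs
                       if h["host"] == alert["dst"] and _within(h["ts"], alert["ts"], window)]
        related_flows = [f for f in flows
                         if (f["src"], f["dst"]) == (alert["src"], alert["dst"])
                         and _within(f["ts"], alert["ts"], window)]
        incidents.append({
            "alert": alert,
            "host_events": host_events,
            "flows": related_flows,
            # crude triage score: more independent sources agreeing = higher priority
            "score": 1 + len(host_events) + len(related_flows),
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(IDS_ALERTS, HOST_LOGS, PCAP_FLOWS):
        a = inc["alert"]
        print(f"[{inc['score']}] {a['ts']} {a['src']} -> {a['dst']}: {a['sig']}")
        for h in inc["host_events"]:
            print("    host:", h["ts"], h["msg"])
        for f in inc["flows"]:
            print("    flow:", f["ts"], f["bytes"], "bytes")
```

The SQL-injection alert rises to the top because a shell spawn on the web server and an inbound flow from the same attacker land within seconds of it; the scan alert has only the flow. The window size is the knob: too narrow and clock skew between sensors silently drops matches, which is why time synchronization across log sources is a prerequisite for correlation.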
Your organization has implemented several cybersecurity tools, but there is a lack of coordination among the team in managing and facilitating automation. Which of the following actions would most effectively address this issue?
A. Buying more tools.
B. Limiting team access to tools.
C. Ongoing automation.
D. Establishing clear roles and responsibilities for managing automation.
D. Establishing clear roles and responsibilities for managing automation.
Establishing clear roles and responsibilities ensures everyone knows who is in charge of what parts of the automation process, reducing confusion and increasing coordination. Ignoring automation would be counterproductive. Automation can help improve efficiency and free up staff to focus on more complex tasks. Limiting team access to tools can lead to silos, inhibit teamwork, and reduce overall efficiency in managing and facilitating automation. Simply buying more tools doesn’t necessarily improve coordination among the team. It may add complexity and could actually worsen the issue without proper management and integration.
You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list?
A. Leverage security frameworks and libraries.
B. Implement identity and authentication controls.
C. Obscure web interface locations.
D. Implement appropriate access controls.
C. Obscure web interface locations.
The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on security through obscurity and is not considered a good security practice. The other options are all considered best practices in designing web application security controls and creating software assurance in our programs.
When applying patches as part of vulnerability management, why is it crucial to communicate the patching schedule and potential impacts to relevant stakeholders?
A. To help management make effective risk-based decisions on system disruptions due to patching.
B. To increase the company’s profitability.
C. To improve the company’s marketing strategies.
D. To enable stakeholders to plan company-wide meetings.
A. To help management make effective risk-based decisions on system disruptions due to patching.
This communication allows stakeholders to understand potential impacts on system availability and to plan activities accordingly, reducing disruptions. Patching schedules have little to do with marketing strategies; the main goal is to manage system availability and reduce disruptions. While secure operations can contribute to profitability, communicating about patching specifically aims to manage system downtime and business impact. While communication is essential in any organization, the purpose of discussing patching schedules specifically is to manage potential system downtime.
Nicole’s organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
A. MSSP
B. IaaS
C. PaaS
D. SaaS
A. MSSP
A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
During the massive SolarWinds supply chain attack of 2020, cybersecurity professionals worldwide had to react quickly to protect their networks. A specific annual cybersecurity conference often hosts a capture-the-flag (CTF) event where participants are challenged to solve a series of real-world scenarios for practicing their incident response skills. Which conference is this?
A. Pwn2Own
B. RSA Conference
C. Black Hat
D. DEF CON
D. DEF CON
DEF CON is one of the world’s largest and most notable hacker conventions, held annually in Las Vegas, Nevada. Its capture-the-flag (CTF) event is a competitive and practical exercise in incident response. Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. However, its main focus is on discovering new vulnerabilities, not on incident response exercises. While the Black Hat conference is another renowned cybersecurity event, its primary focus is on revealing new vulnerabilities, not on practical incident response exercises like CTF. RSA Conference is a series of IT security conferences, but it does not host the capture-the-flag events for practical incident response exercises.
You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don’t have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?
A. nmap -sS
B. nmap -sT
C. nmap -sX
D. nmap -O
B. nmap -sT
The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation (or, with older Nmap releases, when scanning IPv6 targets). This flag tells nmap to establish a full connection with the target by issuing the connect() system call rather than crafting its own SYN packets, which means the handshake completes and the connection is more likely to be logged by the target. Normally, a fast scan using the -sS (SYN scan) flag is preferred, but it requires raw socket access on the scanning workstation; without it nmap refuses an explicit -sS and, when no scan type is given, falls back to -sT. The -sX flag conducts an Xmas scan, in which the FIN, PSH, and URG flags are set in the probe. The -O flag conducts operating system detection of the target system.
You identified a critical vulnerability in one of your organization’s databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening’s change? (SELECT ALL THAT APPLY)
A. Validate the installation of the patch in a staging environment.
B. Ensure all stakeholders are informed of the planned outage.
C. Identify any potential risks associated with installing the patch.
D. Take the opportunity to install a new feature pack that has been requested.
E. Document the change in the change management system.
F. Take the server offline at 10 pm in preparation for the change.
A. Validate the installation of the patch in a staging environment.
B. Ensure all stakeholders are informed of the planned outage.
C. Identify any potential risks associated with installing the patch.
E. Document the change in the change management system.
You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).
Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company’s confidential financial data in a cloud provider’s network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer’s concerns?
A. PaaS in a hybrid cloud.
B. SaaS in a public cloud.
C. PaaS in a community cloud.
D. SaaS in a private cloud.
D. SaaS in a private cloud.
A SaaS (Software as a Service) solution best describes an accounting system delivered as a cloud service, and it meets the CIO’s requirements for lower cost, less IT overhead, and better reliability and availability. To address the Chief Risk Officer’s concerns, you should run it in a private cloud. A private cloud ensures that the provider does not commingle your data with other customers’ data and provides dedicated servers and resources for your company’s use only.
During a collaboration between a startup and a multinational corporation, the signed Memorandum of Understanding (MOU) has placed some limitations on the startup’s system access. What could this potentially lead to?
A. Potentially restricting ability to fully remediate vulnerabilities.
B. Greater market visibility for the startup.
C. An increase in the cybersecurity measures employed by the multinational corporation.
D. A reduction in overall project costs.
A. Potentially restricting ability to fully remediate vulnerabilities.
This situation could potentially lead to the startup having a restricted ability to fully remediate vulnerabilities within their systems. Due to the limitations placed by the MOU, the startup might not have the necessary access to apply patches, make configuration changes, or implement compensating controls as swiftly or comprehensively as needed. This could increase the time it takes to remediate vulnerabilities and potentially increase their exposure to risk. While the MOU outlines the agreement between the two parties, it does not inherently lead to cost reductions. While collaborating with a large corporation may increase visibility, this is unrelated to vulnerability management. The MOU does not directly affect the cybersecurity measures of the multinational corporation.
Ted, a file server administrator, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, who verifies that the workstation’s anti-malware solution is up-to-date, and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?
A. Session hijacking
B. Impersonation
C. Zero-day
D. MAC spoofing
C. Zero-day
Since the firewall is properly configured and the anti-malware solution is up to date, the most likely explanation is that a zero-day vulnerability was exploited. A zero-day vulnerability is a flaw that is unknown to the vendor, so no patch or signature has been released for it. Attackers exploit the flaw before the vendor becomes aware of it and can issue a fix; an exploit used in that window is called a zero-day attack. Zero-day attacks can include infiltrating malware or spyware or gaining unauthorized access to user data, and because nothing on the host recognizes the exploit, signature-based defenses such as antivirus and firewall rules do not stop it.
Which of the following tools could be used to detect unexpected output from an application being managed or monitored?
A. A behavior-based analysis tool.
B. Manual analysis.
C. A log analysis tool.
D. A signature-based detection tool.
A. A behavior-based analysis tool.
A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.
How does timely and effective communication and reporting of vulnerabilities assist an organization in meeting the GDPR’s requirement of reporting data breaches within 72 hours of detection?
A. It ensures that all employees will always adhere to data protection regulations.
B. It proves that the organization is immune to data breaches.
C. It guarantees all vulnerabilities will be fixed within 72 hours.
D. It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority.
D. It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority.
By identifying and addressing vulnerabilities promptly, the organization can more effectively manage incidents and meet the GDPR’s 72-hour reporting requirement. Organizations that fail to report data breaches to the supervisory authority or to individuals affected by the breach may be subject to fines of up to €20 million or 4% of global annual turnover, whichever is greater. No organization is completely immune to data breaches, as new threats and vulnerabilities continuously evolve. While training and policies can encourage compliance, human errors or misconduct can still occur. While this would be ideal, the complexity of certain vulnerabilities may require more time for a comprehensive fix.
During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?
A. Forensic review of the server required fallback to a less efficient service.
B. IP addresses and other network-related configurations were exfiltrated.
C. PII of company employees and customers was exfiltrated.
D. Raw financial information about the company was accessed.
C. PII of company employees and customers was exfiltrated.
If the PII (Personally Identifiable Information) of the company’s employees or customers was exfiltrated during the compromise, this would increase the incident’s impact assessment. Loss of PII is a big issue for corporations and one that tends to attract media attention. While all of the options presented here are bad things that could increase the impact of the incident, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company’s size and jurisdiction, there may also be mandatory breach-reporting requirements, fines, or restitution that must be paid.
What technology is NOT PKI x.509 compliant and cannot be used in various secure functions?
A. Blowfish
B. AES
C. SSL/TLS
D. PKCS
A. Blowfish
X.509 is the standard for the public key certificates used in a PKI. PKCS (the Public-Key Cryptography Standards, for example PKCS#1 for RSA signatures and PKCS#7 and PKCS#12 for certificate and key containers) and SSL/TLS are built around X.509 certificates: TLS uses them to authenticate the server and negotiate session keys, and AES is the symmetric cipher used in standard TLS cipher suites once that key exchange is complete. Blowfish is a legacy symmetric block cipher with no role in the X.509 certificate standard and no standardized TLS cipher suite, so it is the odd one out.
You are a cybersecurity analyst for a mid-sized company. One day, you decided to perform a routine scan of your internal network using the Angry IP Scanner tool. The output returned was as follows:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IP           Ping     Hostname           Ports                      TTL
192.168.1.1  34 ms    router.domain.com  80, 443                    64
192.168.1.2  40 ms    pc1.domain.com     22, 80, 443                128
192.168.1.3  Timeout  pc2.domain.com     -                          -
192.168.1.4  45 ms    unknown.device     21, 23, 25, 80, 443, 3389  64
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this output, which of the following represents a potential indicator of compromise (IoC) that should be investigated further?
A. The open ports 80 and 443 on 192.168.1.1.
B. The timeout response from 192.168.1.3.
C. The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389.
D. The open port 22 on 192.168.1.2.
C. The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389.
The unknown device at 192.168.1.4 is a potential indicator of compromise (IoC) due to several reasons. First, the device is unknown, which suggests that it’s not a recognized system within the network, thus raising suspicions. Secondly, it has multiple ports open, including 21 (FTP), 23 (Telnet), 25 (SMTP), 80 (HTTP), 443 (HTTPS), and 3389 (RDP). These ports being open could indicate services that are vulnerable to exploitation or are already being exploited, especially when they are on an unrecognized device. The combination of an unknown device and open ports commonly used for management or data transfer warrants further investigation. The open ports 80 and 443 on 192.168.1.1 represent standard web services (HTTP and HTTPS). If 192.168.1.1 is a web server or a network device with a web-based management interface (which is common), these ports would likely be open as part of normal operation. The timeout response from 192.168.1.3 is not necessarily an indicator of compromise. It could merely be that the system was offline or unreachable at the time of the scan. The open port 22 on 192.168.1.2 is for SSH, a secure method of remote administration commonly used in many environments. Although it should be secured and monitored, its mere presence isn’t an immediate indicator of compromise.
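The reasoning above (unknown host plus cleartext or remote-admin ports, with the timeout treated as inconclusive) is easy to automate over scanner output. The following is an added example (not from the flashcards or Dion Training) that parses the text table from the question, checks each live host against an assumed asset inventory, flags risky services, and adds a TTL-based operating system hint. The inventory and severity rules are assumptions; the scan rows reuse the question’s own addresses.

```python
import re

# Constructed scan output mirroring the flashcard's table (IPs and hostnames are the
# question's own examples); the asset inventory below is an assumption.
SCAN_OUTPUT = """\
IP           Ping     Hostname           Ports                      TTL
192.168.1.1  34 ms    router.domain.com  80, 443                    64
192.168.1.2  40 ms    pc1.domain.com     22, 80, 443                128
192.168.1.3  Timeout  pc2.domain.com     -                          -
192.168.1.4  45 ms    unknown.device     21, 23, 25, 80, 443, 3389  64
"""

# Hosts the team expects to find on this subnet (assumed CMDB/inventory extract).
INVENTORY = {
    "192.168.1.1": "router.domain.com",
    "192.168.1.2": "pc1.domain.com",
    "192.168.1.3": "pc2.domain.com",
}

# Cleartext or remote-administration services that should not appear on an unmanaged host.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 3389: "RDP"}

ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ping>Timeout|\d+ ms)\s+(?P<host>\S+)\s+"
    r"(?P<ports>.+?)\s+(?P<ttl>\d+|-)\s*$"
)


def parse_scan(text):
    """Turn the scanner's text table into dicts; the header and blank lines do not
    match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ports = [] if m["ports"].strip() == "-" else [int(p) for p in m["ports"].split(",")]
        rows.append({
            "ip": m["ip"],
            "up": m["ping"] != "Timeout",
            "host": m["host"],
            "ports": ports,
            "ttl": None if m["ttl"] == "-" else int(m["ttl"]),
        })
    return rows


def os_hint(ttl):
    """Guess the sender's initial TTL; only meaningful on a LAN where few hops decrement it."""
    if ttl is None:
        return "unknown"
    if ttl <= 64:
        return "Linux/Unix or network appliance (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "network device or Solaris (initial TTL 255)"


def assess(rows, inventory):
    """Flag hosts that are both unknown to the inventory and exposing risky services;
    a host matching only one condition is medium; an unreachable host is informational."""
    findings = []
    for r in rows:
        if not r["up"]:
            findings.append({"ip": r["ip"], "severity": "info", "os_hint": "unknown",
                             "reasons": ["no reply at scan time; re-scan rather than treat as an IoC"]})
            continue
        reasons = []
        if inventory.get(r["ip"]) != r["host"]:
            reasons.append(f"{r['host']} is not in the asset inventory for {r['ip']}")
        risky = [f"{p}/{RISKY_PORTS[p]}" for p in r["ports"] if p in RISKY_PORTS]
        if risky:
            reasons.append("exposes " + ", ".join(risky))
        severity = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
        findings.append({"ip": r["ip"], "severity": severity,
                         "os_hint": os_hint(r["ttl"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess(parse_scan(SCAN_OUTPUT), INVENTORY):
        print(finding["ip"], finding["severity"], finding["os_hint"], "; ".join(finding["reasons"]))
```

Only 192.168.1.4 scores high: it is absent from the inventory and exposes FTP, Telnet, SMTP, and RDP. The TTL of 64 also says it is not a Windows box, which is worth noting before anyone assumes it is a forgotten workstation. The timed-out host gets an informational entry, matching the explanation above that an unreachable host is not by itself an IoC.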
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do?
A. Conduct remediation actions to update encryption keys on each server to match port 636.
B. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks.
C. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical.
D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636.
D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636.
LDAP can be run on either port 389 or port 636. Port 389 is the standard LDAP port and carries cleartext queries and bind credentials unless the client and server negotiate STARTTLS on that same port. Port 636 is LDAPS, where the TLS session is established before any LDAP traffic is sent, so the connection is encrypted by default. You should change every device and server that can support it to port 636 (or enforce STARTTLS where only 389 is available), and on Active Directory domain controllers also enable LDAP signing and channel binding so that unsigned cleartext binds are rejected. Option B is wrong on the facts: ports below 1024 are privileged on Unix-like systems, but that applies to 636 as much as 389 and has nothing to do with the finding. Option C is wrong because the two services are not identical: one is encrypted and one is not.
You are conducting a review of a VPN device’s logs and found the following URL being accessed:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based upon this log entry alone, which of the following most likely occurred?
A. The /etc/passwd file was downloaded using a directory traversal attack.
B. The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted.
C. An SQL injection attack caused the VPN server to return the password file.
D. A XML injection attack caused the VPN server to return the password file.
B. The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted.
The exact string used here was the attack string used in CVE-2019-11510 (Pulse Secure VPN) to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the /etc/passwd file, a cybersecurity analyst would require additional information and correlation, such as the response status and size, file access records on the appliance, or the file appearing in later attacker activity. If the server properly validates and canonicalizes the URL path before using it, the traversal is prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.
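The distinction drawn above, attempted versus confirmed, is what a log review should encode. The following is an added example (not from the flashcards or Dion Training) that canonicalizes request paths the way a naive server would (repeated percent-decoding, then resolving `..` segments), flags traversal and access to sensitive files, and uses the response status and size to separate a blocked attempt from one that probably returned content. The log line format (`METHOD URL STATUS BYTES`) and all lines other than the question’s URL are constructed; a real appliance log looks different.

```python
from urllib.parse import urlsplit, unquote

# Constructed log lines in a simplified "METHOD URL STATUS BYTES" format (an assumption;
# real appliance logs differ). The first URL is the one from the question; the others
# are constructed variants, including a double-encoded form.
LOG_LINES = [
    "GET https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/ 200 2301",
    "GET https://sslvpn/dana-na/auth/url_default/welcome.cgi 200 5120",
    "GET https://sslvpn/dana-na/%252e%252e/%2e%2e/%2e%2e/etc/shadow 403 0",
    "GET https://sslvpn/dana/home/index.cgi 200 8800",
]

# Files an attacker commonly targets once traversal works.
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/windows/win.ini")


def normalize_path(path):
    """Decode percent-encoding until stable (defeats %252e double encoding), treat
    backslashes as separators, then resolve '.' and '..' segments.

    Returns (resolved, escaped, had_dotdot): resolved is the path a naive server
    would open, escaped is True if '..' climbed above the root, had_dotdot is True
    if any '..' segment was present at all."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    path = path.replace("\\", "/")
    stack, escaped, had_dotdot = [], False, False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            had_dotdot = True
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escaped, had_dotdot


def classify(line):
    """Label one log line. 'traversal:likely-success' only means the request was not
    rejected and a body came back; confirming exfiltration needs host artifacts."""
    _method, url, status, size = line.split()
    resolved, escaped, had_dotdot = normalize_path(urlsplit(url).path)
    sensitive = resolved.lower().startswith(SENSITIVE_PREFIXES)
    if not (had_dotdot or sensitive):
        return {"url": url, "resolved": resolved, "verdict": "benign"}
    if int(status) == 200 and int(size) > 0:
        verdict = "traversal:likely-success"
    else:
        verdict = "traversal:failed"
    return {"url": url, "resolved": resolved, "escaped": escaped, "verdict": verdict}


if __name__ == "__main__":
    for line in LOG_LINES:
        r = classify(line)
        print(f"{r['verdict']:26} {r['resolved']:<40} {r['url']}")
```

The question’s URL resolves to `/etc/passwd` with six `..` segments climbing past the root, so it is flagged regardless of outcome; whether it becomes “likely success” depends entirely on the status and size columns, which is the extra evidence the explanation above says is needed. The same canonicalization, run server-side before the path is handed to the file system, is the input validation that would have stopped the request.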
You just completed an nmap scan against a workstation and received the following output:
-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-
Based on these results, which of the following operating system is most likely being run by this workstation?
A. CentOS
B. Ubuntu
C. macOS
D. Windows
D. Windows
Ports 135 (MSRPC endpoint mapper), 139 (NetBIOS session service), and 445 (SMB over TCP) are the classic trio of open ports on a default Windows workstation. Linux distributions and macOS do not listen on 135 at all and only expose 139/445 when file sharing via Samba or the built-in SMB server has been deliberately enabled, so the combination strongly suggests Windows even without running -O.
Evaluate the following log entry:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this log entry, which of the following statements are true?
A. An attempted connection to the telnet service was prevented.
B. An attempted connection to the ssh service was prevented.
C. The packet was blocked outbound from the network.
D. Packets are being blocked inbound to and outbound from the network.
E. MAC filtering is enabled on the firewall.
F. The packet was blocked inbound to the network.
A. An attempted connection to the telnet service was prevented.
F. The packet was blocked inbound to the network.
Firewall log formats vary by vendor, but this example is the common format produced by the Linux iptables LOG target. The entry starts with the date and time of the event, the host (lx1), and the kernel facility, followed by the free-text prefix set by the rule (“iptables INPUT drop”). The word “drop” is the action recorded: the firewall dropped the packet because a rule in its ACL matched. IN=eth0 with an empty OUT= shows the packet was detected arriving on eth0, so we know packets headed inbound are being inspected and blocked. Next come the MAC= field, the source (SRC) IP address, and the destination (DST) IP address; note that MAC= is simply the Ethernet header of the frame (destination MAC, source MAC, and EtherType 08:00 for IPv4) and is logged for every packet, so it is not evidence that MAC filtering is enabled. Further down are the source (SPT) and destination (DPT) ports. Here the DPT is 23, the well-known port for telnet, and the SYN flag without ACK marks this as a new connection attempt. Based on this single log entry we cannot tell whether packets are also being blocked when they attempt to leave the network, or whether connections to the ssh service (port 22) are being blocked as well.
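Every field the explanation above walks through can be pulled out mechanically, and doing so avoids the two traps in the distractors (reading direction from the wrong field, and mistaking the MAC= header dump for MAC filtering). The following is an added example (not from the flashcards or Dion Training) that splits an iptables LOG line into its prefix, KEY=VALUE fields, and bare TCP flags, then answers direction, action, service, and what MAC= contains. The first line is the question’s entry; the other two are constructed.

```python
import re

# Constructed log lines. The first is the entry from the question; the other two are
# assumed variants (an OUTPUT-chain drop and an accepted SSH connection) that exercise
# the parser. The log prefix ("iptables INPUT drop") is whatever --log-prefix was set to.
LOG_LINES = [
    "Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= "
    "MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 "
    "TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jan 11 05:53:10 lx1 kernel: iptables OUTPUT drop IN= OUT=eth0 SRC=10.1.0.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=4444 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 11 05:54:02 lx1 kernel: iptables INPUT accept IN=eth0 OUT= "
    "MAC=00:15:5d:01:ca:55:00:15:5d:01:cb:10:08:00 SRC=10.1.0.50 DST=10.1.0.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}

HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def parse_iptables_log(line):
    """Split a syslog line from the iptables LOG target into the free-text prefix,
    the KEY=VALUE fields, and the bare flag tokens (DF, SYN, ACK, ...)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an iptables log line: {line!r}")
    prefix, fields, flags = [], {}, []
    for token in m["rest"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif fields:          # bare token after the first KEY=VALUE is a flag
            flags.append(token)
        else:                 # bare token before any field belongs to --log-prefix
            prefix.append(token)
    return {"ts": m["ts"], "host": m["host"], "prefix": " ".join(prefix),
            "fields": fields, "flags": flags}


def describe(entry):
    """Answer the questions an analyst asks of one entry: which direction, what action,
    which service, and what the MAC= field actually contains."""
    f = entry["fields"]
    prefix = entry["prefix"].lower()
    action = "dropped" if "drop" in prefix else "accepted" if "accept" in prefix else "logged"
    # IN= set and OUT= empty means the packet arrived on that interface (INPUT/FORWARD);
    # the reverse means it was leaving (OUTPUT chain).
    direction = "inbound" if f.get("IN") else "outbound" if f.get("OUT") else "unknown"
    dport = int(f["DPT"]) if "DPT" in f else None
    # MAC= is the raw 14-byte Ethernet header: dst MAC (6), src MAC (6), EtherType (2).
    # It is logged for every frame on an Ethernet interface and says nothing about
    # MAC filtering being enabled. 08:00 is IPv4.
    mac = f.get("MAC", "")
    src_mac = mac[18:35] if len(mac) == 41 else None
    ethertype = mac[36:41] if len(mac) == 41 else None
    return {
        "action": action,
        "direction": direction,
        "interface": f.get("IN") or f.get("OUT"),
        "src": f.get("SRC"), "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "dport": dport,
        "service": SERVICES.get(dport, f"port {dport}"),
        "new_connection": "SYN" in entry["flags"] and "ACK" not in entry["flags"],
        "ttl": int(f["TTL"]) if "TTL" in f else None,  # 128 hints at a Windows sender, 64 at Linux/Unix
        "src_mac": src_mac,
        "ethertype": ethertype,
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        d = describe(parse_iptables_log(line))
        print(f"{d['action']:8} {d['direction']:8} {d['src']} -> {d['dst']}:{d['dport']} ({d['service']})")
```

For the question’s line the parser returns dropped, inbound on eth0, telnet, a new connection (SYN without ACK), and a sender TTL of 128, which on a single-hop LAN points at a Windows host at 10.1.0.102. The constructed OUTPUT-chain line shows the direction logic flipping on IN=/OUT= rather than on the prefix text, which is the distinction the SELECT ALL question turns on.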
You’re an incident response team member at a prominent financial institution. A recent intrusion, such as the infamous Equifax breach, has potentially exposed customer financial data. As part of your incident response duties, you need to liaise with the legal department to address potential liabilities and discuss the way forward. What primarily makes this interaction imperative?
A. To request additional funding for cybersecurity tools.
B. To educate them about cybersecurity.
C. To ensure compliance with data breach laws.
D. To inform them of the technical details of the breach.
C. To ensure compliance with data breach laws.
Data breach laws and regulations require institutions to take certain actions in the event of a data breach, which could include notifying affected customers and regulatory bodies within a specific time frame. Though educating everyone about cybersecurity is beneficial, it’s not the primary reason for communicating with the legal department in this situation. The main aim is to ensure the company’s response aligns with legal requirements. Although securing funding for improved cybersecurity could be a long-term goal, it’s not the primary reason to communicate with the legal department after a breach. Legal should be involved to ensure regulatory compliance and address potential liabilities. While it’s important to share some details with the legal team, they typically do not need to know the intricate technical aspects of the breach. The focus should be more on legal implications and steps to manage potential liabilities.
Which of the following policies should contain the requirements for removing a user’s access when an employee is terminated?
A. Data ownership policy.
B. Account management policy.
C. Data retention policy.
D. Data classification policy.
B. Account management policy.
You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customers’ credit cards during processing. Which of the following types of threats would you classify this malware as?
A. Rootkit
B. Ransomware
C. Keylogger
D. POS malware
D. POS malware
Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?
A. Diamond Model of Intrusion Analysis
B. Lockheed Martin cyber kill chain
C. OpenIOC
D. MITRE ATT&CK framework
A. Diamond Model of Intrusion Analysis
The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker’s behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server over the Internet. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report is still showing the servers as vulnerable? (SELECT ALL THAT APPLY)
A. The wrong IP address range was scanned during your vulnerability assessment.
B. The vulnerability assessment scan is returning a false positive.
C. You conducted the vulnerability scan without waiting long enough after the patch was installed.
D. This critical patch did not remediate the vulnerability.
B. The vulnerability assessment scan is returning a false positive.
D. This critical patch did not remediate the vulnerability.
There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which it is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, extremely critical patches are sometimes rushed into production, and the patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times, as you have verified your scan configuration.
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?
A. False positive
B. True negative
C. True positive
D. False negative
A. False positive
A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.
What is the primary importance of the ‘Mean Time to Detect’ (MTTD) metric in the context of incident response?
A. It gauges the impact of an incident on the organization.
B. It determines the severity of an incident.
C. It measures the effectiveness of detection mechanisms.
D. It calculates the total duration of the incident response process.
C. It measures the effectiveness of detection mechanisms.
The MTTD metric evaluates the efficiency of an organization’s detection systems by measuring the time it takes to identify a potential incident. The MTTD metric does not directly measure the impact of an incident. It focuses on the detection capabilities of the organization. MTTD measures the time taken to detect an incident, not the severity of the incident. While MTTD contributes to the overall timeline of incident response, it specifically refers to the time from when an incident occurs to when it is detected, not the total duration of the response process.
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?
A. Diamond Model of Intrusion Analysis
B. OpenIOC
C. MITRE ATT&CK framework
D. Lockheed Martin cyber kill chain
C. MITRE ATT&CK framework
The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
What is a reverse proxy commonly used for?
A. To obfuscate the origin of a user within a network.
B. Allowing access to a virtual private cloud.
C. Directing traffic to internal services if the contents of the traffic comply with the policy.
D. To prevent the unauthorized use of cloud services from the local network.
C. Directing traffic to internal services if the contents of the traffic comply with the policy.
A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.