JasonDion Practice Exam 4 Flashcards
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?
A. Unauthorized sessions.
B. Failed logins.
C. Malicious processes.
D. Off-hours usage.
C. Malicious processes.
A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization, for example, when a limited-privilege user is signed into a domain controller. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack to crack a user’s password.
Which role validates the user’s identity when using SAML for authentication?
A. User agent
B. IdP
C. SP
D. RP
B. IdP
The IdP provides the validation of the user’s identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?
A. Registrar checks.
B. Banner grabbing.
C. BGP looking glass usage.
D. WHOIS lookups.
B. Banner grabbing.
Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third parties that do not directly connect to an organization’s remote host.
You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service?
A. /etc/passwd
B. /etc/shadow/
C. $HOME/.ssh/
D. /etc/xinetd.conf
D. /etc/xinetd.conf
Linux services are started by xinetd, but some new versions use systemctl. Therefore, the /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The /home/.ssh directory contains SSH keys for SSH-based logins.
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system?
A. .profile files
B. plists
C. .config files
D. The registry
B. plists
Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user’s home folder. The file is named com.apple.finder.plist. The registry is used to store registration configuration settings on Windows systems. A profile (.profile) file is a UNIX user’s start-up file, like the autoexec.bat file of DOS. A configuration (.config) file is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program. This is commonly used in Windows systems.
You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network?
A. net use
B. net config
C. net group
D. net user
A. net use
The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow server and workstation services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
In order to improve efficiency in your security operations, you want to minimize human engagement. Which of the following actions would be most effective in achieving this goal?
A. Implementing automation for routine tasks.
B. Increasing the number of security platforms.
C. Reducing staff training.
D. Limiting access to systems.
A. Implementing automation for routine tasks.
Automating routine tasks can help reduce the need for human engagement in security operations. It also allows staff to focus on higher-level tasks that require human judgment. Reducing staff training might lead to more errors and lower efficiency, as staff may not be up-to-date on latest trends and threats. Using multiple security platforms can lead to siloed information and an increased need for human engagement to manage and coordinate between the platforms. Limiting access can improve security but might not necessarily reduce the need for human engagement. In fact, it might increase the need for human oversight to manage access control.
You are analyzing the following network utilization report because you suspect one of the servers has been compromised.
-------------------------------------------------------------------
IP Address     Name          Uptime            Historical   Current
192.168.20.2   web01         7D 12H 32M 06S    42.6 GB      44.1 GB
192.168.20.3   webdev02      4D 07H 12M 45S    1.95 GB      2.13 GB
192.168.20.4   dbsvr01       12D 02H 46M 14S   3.15 GB      24.6 GB
192.168.20.5   marketing01   2D 17H 18M 41S    5.2 GB       4.9 GB
-------------------------------------------------------------------
Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
A. webdev02
B. web01
C. dbsvr01
D. marketing01
C. dbsvr01
Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
Considering a scenario where an international space station’s proprietary operational software is discovered to have numerous zero-day and critical vulnerabilities, why would the unique implications of these specific vulnerabilities in such a high-stakes and isolated environment necessitate an immediate and expedited response?
A. Multiple zero-day and critical vulnerabilities implies a need for staff training on new software.
B. To emphasize the need for higher internet bandwidth.
C. A large number of zero-day and critical vulnerabilities means that the system is becoming more secure.
D. These types of vulnerabilities pose the highest risk to the environment.
D. These types of vulnerabilities pose the highest risk to the environment.
These vulnerabilities are often exploitable, posing a severe threat to the system, and therefore require immediate remediation efforts. In reality, these vulnerabilities represent significant security risks and should be addressed immediately. While sufficient internet bandwidth is important, the discovery of critical vulnerabilities requires immediate security actions, not bandwidth upgrades. While staff training is a crucial aspect of maintaining a secure environment, the urgent need in this situation is to address the vulnerabilities.
You’re examining system logs for potential security incidents when you encounter the following command: nc -lvnp 4444 -e /bin/bash What does this command suggest?
A. SQL Injection
B. Potential Reverse Shell
C. XSS Attack
D. Directory Traversal
B. Potential Reverse Shell
The command represents a potential reverse shell using Netcat (nc). It listens (-l) verbosely (-v) on port 4444 (-p 4444) and executes the /bin/bash shell when a connection is made (-e /bin/bash). Cross-Site Scripting (XSS) involves injecting malicious scripts into trusted websites. This scenario involves shell commands, not web-based script injection. Directory traversal involves navigating through a filesystem and is not represented in this command. SQL injection involves the exploitation of a security vulnerability in an application’s database layer. This situation involves shell commands, not SQL statements.
During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?
A. Forensic review of the server required fallback to a less efficient service.
B. PII of company employees and customers was exfiltrated.
C. IP addresses and other network-related configurations were exfiltrated.
D. Raw financial information about the company was accessed.
B. PII of company employees and customers was exfiltrated.
If the PII (Personally Identifiable Information) of the company’s employees or customers were exfiltrated or stolen during the compromise, this would increase the incident’s impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company’s size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.
Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan?
A. Only employees of the company.
B. Any qualified individual.
C. Anyone.
D. Only an approved scanning vendor.
D. Only an approved scanning vendor.
The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?
A. tracert
B. nbtstat
C. netstat
D. ipconfig
A. tracert
The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
Your security team is analyzing a recent cyber attack on your organization’s network. They want to understand the attacker’s behavior, tactics, techniques, and procedures. Which framework is BEST suited for this purpose?
A. MITRE ATT&CK
B. OWASP Testing Guide
C. Diamond Model of Intrusion Analysis
D. Cyber Kill Chain
A. MITRE ATT&CK
The MITRE ATT&CK framework provides a comprehensive matrix of tactics, techniques, and procedures (TTPs) used by attackers, making it a powerful tool for understanding attacker behavior. The Diamond Model focuses on the relationship between the adversary, victim, infrastructure, and capability, rather than the detailed tactics, techniques, and procedures used by the attacker. While the Cyber Kill Chain can provide some insight into an attacker’s actions, it primarily describes the linear progression of a cyberattack, not the detailed tactics, techniques, and procedures used. The OWASP Testing Guide is focused on web application security testing, not on understanding attacker behavior.
Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities?
A. Developed
B. Integrated
C. Advanced
D. Acquired and augmented
A. Developed
According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (i.e., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.
Which of the following roles should be assigned to the incident response team? (SELECT FOUR)
A. Human resources
B. Legal
C. Public relations
D. Facility maintenance
E. Accounting
F. Management
A. Human resources
B. Legal
C. Public relations
F. Management
Human Resources has a role to play in that the discoveries made during incident handling may affect employees and employment law. Privacy concerns regarding how to intercept and monitor data may also necessitate HR and Legal involvement. For various reasons, the company may decide to go public with the knowledge of the breach. Therefore, public relations personnel are needed. Management has a crucial role to play in being able to allocate resources to remediate the incident. System administrators and security analysts should also be on the team since they know what constitutes a normal baseline for the systems. In general, positions such as facility maintenance and accounting are not required as part of the core incident response team. In special circumstances, though, they may be asked to augment the team. For example, if a breach of a SCADA/ICS system occurs, the facility maintenance employee who operates and services the machine might be a useful addition. Similarly, if a payroll or accounting system was breached, having an accounting department representative could help the response and remediation efforts.
Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured?
A. Split horizon
B. DNS poisoning
C. Zone transfers
D. FQDN resolution
C. Zone transfers
A DNS zone transfer provides a full listing of DNS information. If your organization’s internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
What is a buffer overflow vulnerability?
A. A weakness allowing an attacker to overflow an application’s buffer, causing it to crash or execute arbitrary code.
B. An issue with a website’s user interface.
C. A problem with the encryption of data.
D. An issue with the database query operation.
A. A weakness allowing an attacker to overflow an application’s buffer, causing it to crash or execute arbitrary code.
A buffer overflow vulnerability indeed allows an attacker to overflow the buffer, possibly leading to a crash or the execution of arbitrary code. Database query operations might be vulnerable to SQL Injection, not buffer overflows. While important for user experience and potential phishing attacks, user interface issues are not directly related to buffer overflow vulnerabilities. Encryption problems are related to cryptography, not buffer overflow vulnerabilities.
You are analyzing the logs of a forensic analyst’s workstation and see the following:
-------------------------------------------------------------------
root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000
-------------------------------------------------------------------
What does the bs=1M signify in the command list above?
A. Removes error messages and other incorrect data.
B. Sends output to a blank sector.
C. Sets the block size.
D. Sets the beginning sector.
C. Sets the block size.
The dd command is used in forensic data acquisition to forensically create a bit-by-bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Dion Training wants to require students to logon using multifactor authentication in an effort to increase the security of the authorization and authentication process. Currently, students login to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process?
A. Require students to create a unique pin that is entered after their username and password are accepted.
B. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password.
C. Require students to enter a cognitive password requirement (such as ‘What is your dog’s name?’).
D. Require students to choose an image to serve as a secondary password after logon.
B. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password.
All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS-sent number is an example of a possession factor, or something you have. In this case, it verifies you have your smartphone. By combining this possession factor with the already-in-use knowledge factor (username and password), you can establish multifactor security for the login process.
Which of the following type of solutions would you classify an FPGA as?
A. Root of trust.
B. Hardware security module.
C. Anti-tamper.
D. Trusted platform module.
C. Anti-tamper.
A field-programmable gate array (FPGA) is an anti-tamper mechanism that makes use of a type of programmable controller and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique features of the device. This means that tampering with a device, such as removing the chip or adding an unknown input/output mechanism, can be detected. A remedial action, such as zero-filling cryptographic keys, can be performed automatically. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. It is a solution that may be less susceptible to tampering and insider threats than a traditional software-based storage solution. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. A hardware root of trust (RoT) or trust anchor is a secure subsystem that can provide attestation to declare something as true.
During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?
A. The scan will not produce any useful information.
B. The server assumes you are conducting a DDoS attack.
C. You are scanning a CDN-hosted copy of the site.
D. Nothing can be determined about this site with the information provided.
C. You are scanning a CDN-hosted copy of the site.
This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server’s cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.
Which party in a federation provides services to members of the federation?
A. SAML
B. SSO
C. RP
D. IdP
C. RP
Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.
In the Colonial Pipeline ransomware attack, the DarkSide ransomware group fulfilled their intent by encrypting files and demanding a ransom. Which phase of the Cyber Kill Chain does this represent?
A. Command and Control
B. Reconnaissance
C. Actions and Objectives
D. Weaponization
C. Actions and Objectives
The Actions and Objectives phase of the Cyber Kill Chain involves fulfilling the adversary’s intent, such as data exfiltration, data destruction, or encryption for ransom. This is represented in the Colonial Pipeline attack by the DarkSide ransomware group encrypting files and demanding a ransom. Reconnaissance involves gathering information about the target system, not fulfilling the adversary’s intent. Weaponization involves creating a malicious payload, not fulfilling the adversary’s intent. Command and Control involves maintaining communication with the compromised system, not fulfilling the adversary’s intent.
Your company has noticed a significant increase in the mean time to detect (MTTD) and mean time to respond (MTTR) to incidents. What is a potential impact of these increased metrics?
A. It improves the company’s public image.
B. It increases the legal protection against cyber attacks.
C. It results in a decrease in security alert volume.
D. It might lead to a greater impact of security incidents.
D. It might lead to a greater impact of security incidents.
An increase in MTTD and MTTR suggests a slower reaction to incidents, which can allow threats to cause more damage before they are detected and addressed. These metrics don’t provide legal protection. They measure organizational effectiveness in detecting and responding to incidents. MTTD and MTTR metrics don’t directly impact the volume of security alerts. They measure the speed of detection and response. Increased MTTD and MTTR are unlikely to improve a company’s public image; in fact, they might harm the company’s reputation if they result in a significant breach.
Your organization has experienced a cyber attack that exploited a zero-day vulnerability. After the incident, what action would provide the MOST valuable insights to prevent similar attacks in the future?
A. Immediate public disclosure of the incident.
B. Increased frequency of law enforcement communication.
C. Increased alert volume.
D. Root cause analysis.
D. Root cause analysis.
Conducting a root cause analysis can help understand how the vulnerability was exploited, which is key to preventing similar attacks in the future. While transparency is important, immediate public disclosure without a comprehensive understanding of the situation might not prevent future attacks and could even lead to additional issues. Merely increasing the alert volume may not help prevent future attacks. It’s more important to understand the nature of the attack and take targeted actions. Communicating with law enforcement might help with the investigation but wouldn’t necessarily prevent similar attacks in the future.
You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement?
A. \b[192.168.66.6]|[10.66.6.10]|[172.16.66.1]\b
B. \b(192.168.66.6)+(10.66.6.10)+(172.16.66.1)\b
C. \b[192.168.66.6]+[10.66.6.10]+[172.16.66.1]\b
D. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b
D. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b
The correct option is \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b, which uses parentheses and “OR” operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square brackets indicates that any of the characters contained in the square brackets are matching criteria. Using the + operator indicates an allowance for one or more instances of the preceding element. In all cases, the period must have an escape (\) sequence preceding it, as the period is a reserved operator internal to REGEX.
John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization’s network?
A. John does not have permission to perform the scan.
B. The client’s infrastructure design is unknown to John.
C. John does not know what operating systems and applications are in use.
D. The IP range of the client systems is unknown by John.
A. John does not have permission to perform the scan.
All options listed are an issue, but the most significant issue is that John does not have the client’s permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization’s systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization’s network without explicit written permission. In some countries, a vulnerability scan against an organization’s network without their permission is considered a cybercrime and could result in jail time for the consultant.
Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3?
A. http.request.method==”POST”
B. ip.proto==tcp
C. ip.dst==10.1.2.3
D. http.request.method==”POST” && ip.dst==10.1.2.3
D. http.request.method==”POST” && ip.dst==10.1.2.3
Filtering the available PCAP with just the http “post” methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.
Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?
A. Attack surface
B. Threat model
C. Adversary capability set
D. Attack vector
A. Attack surface
The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.
You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
-------------------------------------------------------------------
Source          Destination     Protocol  Length  Info
192.168.3.145   4.4.2.2         DNS       74      Standard query 0xaed A test.diontraining.com
4.4.2.2         192.168.3.145   DNS       90      Standard query response 0x3aed A test.diontraining.com A 173.12.15.23
192.168.3.145   173.12.15.23    TCP       78      48134 → 80 [SYN] Seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSval=486234134 TSecr=0 SACK_PERM=1
173.12.15.23    192.168.3.145   TCP       78      80 → 48134 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSval=0 TSecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612
192.168.3.145   192.168.3.255   NBNS      92      Name query NB WORKGROUP
34.250.23.14    192.168.3.145   TCP       60      443 → 48134 [RST] Seq=1 Win=0 Len=0
-------------------------------------------------------------------
Based on your review, what does this scan indicate?
A. 192.168.3.145 might be infected with malware.
B. 173.12.15.23 might be infected with malware.
C. 192.168.3.145 might be infected and beaconing to a C2 server.
D. 173.12.15.23 might be infected and beaconing to a C2 server.
E. This appears to be normal network traffic.
E. This appears to be normal network traffic.
This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host’s firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?
A. Pair programming
B. Dynamic code analysis
C. Static code analysis
D. Manual Peer Review
C. Static code analysis
Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still relies on human-to-human interaction and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test?
A. Denial-of-service attacks
B. Reverse Engineering
C. Social Engineering
D. Physical penetration attempts
A. Denial-of-service attacks
A denial-of-service or DoS attack isn’t usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test’s scope.