Module 4 Flashcards

1
Q

Which privacy protection uses four colors to indicate the expected sharing limitations that are to be applied by recipients of the information?
PCII
TLP
CISA
FOIA

A

TLP uses four colors (red, amber, green, and white) to indicate the expected sharing limitations that are to be applied by the recipients.

TLP: Traffic Light Protocol

2
Q

What are the two concerns about using public information sharing centers?

Cost and availability
Regulatory approval and sharing
Privacy and speed
Security and privacy

A

Privacy and speed

3
Q

Which of the following tries to detect and stop an attack?

HIPS
RDE
HIDS
SOMA

A

HIPS

A host intrusion prevention system (HIPS) monitors endpoint activity and reacts immediately to block a malicious attack by following specific rules. Activity that a HIPS watches for includes events that attempt to control other programs, terminate programs, or install devices and drivers. When a HIPS blocks an action, it alerts the user so an appropriate decision about what to do can be made.

4
Q

Which boot security mode sends information on the boot process to a remote server?

UEFI Native Mode
Trusted Boot
Secure Boot
Measured Boot

A

Measured Boot
In Measured Boot, the computer’s firmware logs the boot process so that the OS can send the log to a trusted server, which assesses the security of the boot; this provides the highest degree of boot security.

5
Q

What does Windows 10 Tamper Protection do?

Creates a secure backup copy of the registry
Limits access to the registry
Prevents any updates to the registry until the user approves the update.
Compresses and locks the registry

A

Limits access to the registry

The Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry. Instead, the security settings can only be accessed directly through the Windows 10 user interface or through enterprise management software.

6
Q

Which of the following is part of the OS security configuration?

Giving all users administrator privileges
Enabling the most secure OS platform
Disabling default passwords and unnecessary ports
Installing the latest version of OS

A

Disabling default passwords and unnecessary ports is a primary step in OS security configuration.

7
Q

Which of the following is a disadvantage of the secure boot process?

It makes third party non-vendor-approved software difficult to implement.
It slows down considerably, affecting the performance of the computer.
It requires an operating system like Microsoft OS to ensure secure boot.
It does not validate the boot process.

A

It makes third party non-vendor-approved software difficult to implement.

In a secure boot process, hardware or software that is not approved by the system vendor would not be initialized by the boot sequence, which makes implementing such third-party software or custom hardware difficult.

8
Q

While going through the network log, Sarah, a network security administrator, noticed substantial outbound network traffic. Which activity did Sarah perform?

Telnet
IOC
HTTP
STIX

A

Indicator of compromise (IOC) shows suspected malicious activity occurring on the network.

9
Q

Which of the following can be used to mitigate a limitation of public sharing centers in OSINT?

AIS
KRI
HTTPS
TTP

A

Automated indicator sharing (AIS) can be used to exchange cybersecurity threats between computers through computer-to-computer communication. This mitigates the limitation on the speed of sharing information through public sharing centers in open source intelligence.

10
Q

A company monitors the network activity of the organization and stores the logs in a database. You have been asked to identify whether there are any malicious activities in the network. Which of the following can denote the upper and lower bounds of their various network activities?

Threat maps
OSI model
TTP
KRI

A

A key risk indicator (KRI) is a matrix, stored in the logs, of upper and lower bounds of specific activity occurring across the network. This is a metric used to measure the probability of an event or threat in the network.

11
Q

John is a project manager with an IT firm, and his current project of developing an ERP application is in the development stage. Currently, the application is not yet mature or stable enough to be placed in a test environment. Which of the following secure coding review techniques is applicable for his project?

Perform static code analysis
Perform dynamic code analysis
Perform a static binary code analysis
Perform a structured manual analysis of code

A

Static code analysis is performed on the source code before it is compiled, so it can be applied while the application is still in development.

12
Q

Daniel accidentally installed a vulnerable application. Which of the following system exploitations would NOT be caused by the vulnerable application?

Executable files attack
Process spawning control
System tampering
Social engineering and phishing attacks

A

Social engineering and phishing attacks are predominantly performed by the attacker without accessing the victim’s system.

13
Q

BC Technologies had its computer network compromised through a cybersecurity breach. A cybersecurity expert was employed to analyze and identify what caused the attack and the damage caused by the attack. He checked an available database for this purpose and found the threat actor behind the attack. He also found out the cybercriminal has been attempting to sell the company’s valuable data on the internet.

Which are the most probable methods used by the cybersecurity expert to get to this stage of the investigation?

The cybersecurity expert checked with CISCP and also investigated the dark web.
The cybersecurity expert checked the threat maps and used the MAR report.
The cybersecurity expert checked the threat maps and used TAXII.
The cybersecurity expert used STIX and checked with CISCP.

A

The cybersecurity expert checked with CISCP and also investigated the dark web.

14
Q

You have been assigned to decide the process used for software application development at your company. Since the products need to be developed and deployed as each module is completed, you chose to go with agile application development. Your manager has requested you consider SecDevOps.

Which of the following is a significant and key feature of using SecDevOps that can be considered for selecting this project’s development model?

Reuse of code
Quarantine
Rigid process
Automation

A

Automation is a key feature in SecDevOps.

15
Q

A learning management system application has been written in Python. While running the application code, the specific program or application that converts the program into machine language is called what?

Operating system
Application software
Compiler
Antimalware

A

A compiler converts the high-level language code into binary, which is understood by the computer.

16
Q

An IOC occurs when what metric exceeds its normal bounds?

a. IRR
b. LRG
c. EXR
d. KRI

A

d. KRI

17
Q

Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into the team’s technology security. What technology will Oskar recommend?

a. Automated Indicator Sharing (AIS)
b. Bidirectional Security Protocol (BSP)
c. Linefeed Access
d. Lightwire JSON Control

A

a. Automated Indicator Sharing (AIS)

18
Q

Which of the following is an application protocol for exchanging cyberthreat intelligence over HTTPS?

a. STIX
b. AIP-TAR
c. TAXII
d. TCP-Over-Secure (ToP)

A

c. TAXII

19
Q

What are the two limitations of private information sharing centers?

a. Access to data and participation
b. Government approval and cost
c. Timing of reports and remote access
d. Bandwidth and CPU

A

a. Access to data and participation

20
Q

Which of the following is NOT a limitation of a threat map?

a. Many maps claim that they show data in real time, but most are simply a playback of previous attacks.
b. Because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims.
c. They can be difficult to visualize.
d. Threat actors usually mask their real locations, so what is displayed on a threat map is incorrect.

A

c. They can be difficult to visualize.

21
Q

Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports that he was unable to find anything because looking for information on the dark web is different from using the regular web. Which of the following is FALSE about looking for information on the dark web?

a. It is necessary to use Tor or I2P.
b. Dark web search engines are identical to regular search engines.
c. Dark web merchants open and close their sites without warning.
d. The naming structure is different on the dark web.

A

b. Dark web search engines are identical to regular search engines.

22
Q

Which of the following is NOT an improvement of UEFI over BIOS?

a. Stronger boot security
b. Networking functionality in UEFI
c. Access larger hard drives
d. Support of USB 3.0

A

d. Support of USB 3.0

23
Q

Which of the following is NOT an important OS security configuration?

a. Employing least functionality
b. Disabling default accounts
c. Disabling unnecessary services
d. Restricting patch management

A

d. Restricting patch management

24
Q

Which stage conducts a test that will verify the code functions as intended?

a. Production stage
b. Testing stage
c. Staging stage
d. Development stage

A

c. Staging stage

25
Q

Which model uses a sequential design process?

a. Secure model
b. Agile model
c. Rigid model
d. Waterfall model

A

d. Waterfall model

26
Q

Which of the following is NOT an advantage of an automated patch update service?

a. Downloading patches from a local server instead of using the vendor’s online update service can save bandwidth and time because each computer does not have to connect to an external server.
b. Administrators can approve updates for “detection” only; this allows them to see which computers require the update without installing it.
c. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service.
d. Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs.

A

c. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service.

27
Q

What type of analysis is heuristic monitoring based on?

a. Dynamic analysis
b. Static analysis
c. Code analysis
d. Input analysis

A

a. Dynamic analysis

28
Q

Which of these is a list of preapproved applications?

a. Greenlist
b. Redlist
c. Blacklist
d. Whitelist

A

d. Whitelist

29
Q

What is the advantage of a secure cookie?

a. It cannot be stored on the local computer without the user’s express permission.
b. It is sent to the server over HTTPS.
c. It is analyzed by AV before it is transmitted.
d. It only exists in RAM and is deleted once the web browser is closed.

A

b. It is sent to the server over HTTPS.

30
Q

Which of the following is FALSE about a quarantine process?

a. It holds a suspicious application until the user gives approval.
b. It can send a sanitized version of the attachment.
c. It can send a URL to the document that is on a restricted computer.
d. It is most often used with email attachments.

A

a. It holds a suspicious application until the user gives approval.