Practice Test SYO - 701 Threats, Vulnerabilities and Mitigations Flashcards

1
Q

Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. What best describes this attack?

A

C. Spear phishing is targeted to a specific group, in this case insurance professionals. Although this is a form of phishing, the more specific answer is the one you will need to choose on questions like this. Phishing uses social engineering techniques to succeed but is once again a broader answer than spear phishing and thus is not the correct choice.

2
Q

The company that Yarif works for uses a third‐party IT support company to manage their cloud‐hosted web application infrastructure. How can Yarif best address concerns about potential threat vectors via the managed service provider (MSP)?

Conduct regular vulnerability scans.

Use shared incident response exercises to prepare.

Ensure appropriate contractual coverage for issues.

Require the MSP to have an annual pentest.

A

C. Using appropriate contractual terms is usually the best available option for handling third‐party vendor risk. The terms can include things like security practices, such as pentesting, incident response exercises, and vulnerability scanning, and can also have sufficient penalties to ensure ongoing compliance from responsible companies.

3
Q

Helen is concerned about ransomware attacks against workstations that she is responsible for. Which of the following hardening options is best suited to protecting her organization from ransomware?

Installing host‐based firewalls

Installing endpoint protection software

Installing a host‐based IPS software

Removing unnecessary software

A

B. Endpoint protection software like an endpoint detection and response (EDR) or extended detection and response (XDR) tool will provide the greatest protection against ransomware. Firewalls and intrusion prevention systems (IPSs) are less likely to prevent ransomware from being installed, and removing unnecessary software may reduce the attack surface but most ransomware is installed via attacks that leverage users.

4
Q

Julie wants to conduct a replay attack. What type of attack is most commonly associated with successful replay attacks?

SQL injection

An on‐path attack

Brute force

A DDoS

A

B. On‐path attacks that route traffic through a system or device that the attacker controls allow the attacker to both receive and modify traffic, making replay attacks more likely to succeed. SQL injection attacks are associated with web applications and databases. Brute‐force and distributed denial‐of‐service (DDoS) attacks are not typically associated with replay attacks.

5
Q

What is the primary concern for security professionals about legacy hardware?

Its likelihood of failure

Lack of patches and updates

Lack of vendor support

Inability to support modern protocols

A

B. The primary concern for security professionals around legacy hardware is its lack of patches and updates, meaning that security fixes and updates will not exist. While the hardware could fail, that would typically lead to replacement with more modern, supportable options and is a concern for the system administrators and owners. Lack of vendor support and inability to support modern protocols are primarily concerns for owners and system administrators.

6
Q

Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website it does not appear to be the correct site. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this?

Typo squatting

SQL injection

Cross‐site scripting

Cross‐site request forgery

A

A. From the description it appears that they are not connecting to the real web server but rather a fake server. That indicates typo squatting: having a URL that is named very similarly to a real site so that when users mistype the real site’s URL they will go to the fake site.

7
Q

Alice wants to prevent server‐side request forgery (SSRF) attacks. Which of the following will not be helpful for preventing them?

Removing all SQL code from submitted HTTP queries

Blocking hostnames like 127.0.0.1 and localhost

Blocking sensitive URLs like /admin

Applying allow list–based input filters

A

A. Server‐side request forgery (SSRF) attempts typically attempt to get HTTP data passed through and will not include SQL injection. Blocking sensitive hostnames, IP addresses, and URLs are all valid ways to prevent SSRF, as is the use of allow list–based input filters.

8
Q

Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is attackers who wish to breach the system, simply to prove they can or for some low‐level crime, such as changing a grade. Which term best describes this type of attacker?

Hacktivist

Nation‐state

Insider

Unskilled attacker

A

D. Unskilled attackers, often called script kiddies, tend to use premade tools in unsophisticated ways. Hacktivists take action based on political motivation, insiders operate from inside of an organization, and nation‐state actors are typically highly capable and well resourced.

9
Q

Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack?

SYN flood

DDoS

Botnet

Backdoor

A

B. His machines are part of a distributed denial‐of‐service (DDoS) attack. This scenario describes a generic DDoS, not a specific one like SYN flood, which would involve many SYN packets being sent without a full three‐way TCP handshake. These machines could be part of a botnet or they may just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack. Finally, a backdoor gives an attacker access to the target system.

10
Q

Dennis uses an on‐path attack to cause a system to send traffic to his system and then forwards it to the actual server the traffic is intended for. What information will be visible from his system as the traffic passes through it?

All traffic meant for remote systems

All traffic meant for local systems

Only unencrypted traffic

Only unencrypted traffic meant for his system

A

A. An on‐path attack redirects all traffic through an attacker’s system that would normally pass through a network gateway. Dennis will be able to see all traffic bound for remote systems, but some of it may be encrypted.

11
Q

Jake’s vulnerability scanner reports that the software his organization is running is vulnerable to a cryptographic downgrade attack. What concern should Jake have about this potential issue?

Attackers may be able to force use of a weaker encryption algorithm, making data easier to access.

Attackers may be able to force use of weaker hashing, making it easier to recover passwords.

Attackers may be able to force use of older versions of the software, including previously patched vulnerabilities.

Attackers may be able to force encryption to be turned off, causing information to be sent in plain text.

A

A. Cryptographic downgrade attacks like POODLE, FREAK, and Logjam all rely on flaws that cause software to use weaker encryption options. This could allow attackers to capture traffic encrypted with weaker encryption, potentially allowing them to decrypt the traffic and read it. They do not allow hashing changes to recover passwords, reversion to old versions of software, or encryption to be entirely turned off.

12
Q

Rick has three major categories of data and applications in use in his virtualization environment: highly sensitive; business sensitive; and unclassified, or public information. He wants to ensure that data and applications of different sensitivity are not compromised in the event of a breach. What mitigation technique is best suited to this type of requirement?

Application allow lists

Monitoring

Least privilege

Segmentation

A

D. Segmentation can be used to separate systems and applications of different sensitivity levels. A breach of one segmented group should not automatically mean that the other groupings are in immediate danger. Application allow lists control what applications can be installed but do not introduce separation between systems and applications. Monitoring would allow visibility but does not meet the goal Rick has. Least privilege is an effective practice to ensure only the rights required are in place, but again this does not meet the goal.

13
Q

Naomi is preparing a laptop for a traveling salesperson who frequently needs to connect to untrusted hotel networks. What hardening technique can she use to provide the greatest protection against network‐based attacks on untrusted networks?

Install an endpoint detection and response tool.

Install a host‐based firewall.

Install an extended detection and response tool.

Install a disk encryption tool.

A

B. A host‐based firewall is an excellent first line of defense for systems that will be deployed to untrusted networks. EDR and XDR are useful for preventing malicious software installs like ransomware, but they do not directly protect against network‐based attacks, and disk encryption is a confidentiality control, not a useful tool to prevent network‐based attacks.

14
Q

While conducting a vulnerability scan of her network, Susan discovers that a marketing staff member has set up their own server running a specialized marketing tool. After inquiring about the server, which is vulnerable due to missing patches, Susan discovers that the team set it up themselves because of a need that was not met by existing tools. What type of threat actor has Susan encountered?

An unskilled attacker

An insider threat

Shadow IT

A hacktivist

A

C. The marketing team has created a shadow IT solution—a solution put in place without central or formal IT support, typically done without IT’s assistance or awareness. This creates a risk to the organization due to lack of support and may bring additional risks like licensing and compliance risks. The team did not intend to create an issue and is not actively working against the organization, meaning that they are not unskilled attackers, insider threats, or hacktivists.

15
Q

Henry wants to decommission a server that was used to store sensitive data. What step should he take to ensure the decommissioning process protects the organization’s data?

Reformat the drives as part of the decommissioning process.

Physically destroy the drives as part of the decommissioning process.

Remove the system from organizational inventory as part of the decommissioning process.

Physically destroy the entire system as part of the decommissioning process.

A

B. Since the drives stored sensitive data and no mention of encryption was made, the drives should be physically destroyed to ensure that no data leakage can occur. It is not necessary to destroy the entire system to ensure this. Reformatting drives does not wipe data, and simply removing the system from inventory is typically part of the process but does not protect organizational data.

16
Q

Paul has performed an nmap scan of a new network connected device. He notices TCP ports 22, 80, and 443 are open. If his hardening guidelines only allow encrypted management interfaces, what port or ports should he disable from this list?

22

80

22 and 80

80 and 443

A

B. Paul knows that SSH typically uses port 22, HTTP uses port 80, and HTTPS uses port 443. HTTP is the only unencrypted protocol from that list, and thus he should disable port 80.

17
Q

Which of the following protocols is most commonly associated with credential relaying attacks?

RDP

NTLM

SQL

TLS

A

B. While dated, NTLM was historically one of the most common targets of credential relay attacks. RDP, SQL, and TLS are less commonly associated with credential relay attacks. Modern protocols implement encryption, session IDs, and one‐time passwords to prevent this type of attack.

18
Q

Derek wants to conduct a birthday attack against a digital signature. Which of the following best describes the process he would need to take to achieve his goal?

He needs to prepare both a correct and a malicious document and find ways to modify the correct document until its encryption matches the malicious document.

He needs to make sure all dates match in both a correct and a malicious document.

He needs to ensure that the file length and creation date match for both a correct document and a malicious document.

He needs to prepare both a correct and a malicious document, then find ways to modify the malicious document until its hash matches the hash of the correct document.

A

D. Derek knows that attacking a digital signature requires that hashes match for both an original document and a malicious document. He will modify the malicious document until he finds a way to convey the changes he needs while retaining the matching hash. This type of attack is why hashing algorithms need to be resistant to birthday attacks.

19
Q

Ashley’s organization has recently come under attack and has suffered a DNS outage. As she investigated, she found that requests to her DNS servers were sent to open DNS resolvers using spoofed IP addresses with requests that would result in very large responses from the DNS resolvers to the IP addresses that appeared to be making the request. What type of attack targeted Ashley’s organization?

A reflected DDoS

A DNS flood

A mirrored DDoS

A supersized query attack

A

A. Ashley’s organization was the target of a reflected (and amplified) DDoS where attackers took advantage of DNS queries to make small amounts of spoofed traffic into very large amounts of data sent to her servers. DNS floods, mirrored DDoSs, and supersized query attacks were made up for this question.

20
Q

Kara wants to protect against the most common means of firmware‐based exploits. Which of the following is not a common firmware defense mechanism for the vendors of devices that use firmware?

Using signed firmware updates

Using input validation for user input

Encrypting firmware

Code review processes for firmware

A

C. Firmware is typically not encrypted, but it is commonly digitally signed. Using input validation and code review both help to keep firmware secure.

21
Q

Annie’s organization has been facing negative social media campaigns for months and is struggling to address them. Numerous bot posts about the company are providing incorrect information about the company. What type of attack is Annie’s company facing?

A misinformation campaign

A pretexting campaign

An impersonation campaign

A disinformation campaign

A

D. Annie’s company is facing a disinformation campaign. If users were simply getting facts wrong, this would be misinformation, but since bots are intentionally misstating information, it is disinformation. Pretexting would attempt to exploit human behaviors to explain why something needed to occur or why an attacker was asking for something. Impersonation occurs when an attacker pretends to be someone they are not.

22
Q

What threat vector is most impacted by how Windows handles autorun.inf files?

Removable devices

Open service ports

Unsecure Wi‐Fi

Watering hole attacks

A

A. Removable devices like USB thumb drives, digital picture frames, and even keyboards and mice with onboard storage rely on autorun.inf files to automatically run software they provide. While that functionality typically focuses on printing, opening folders, or running media players, it can also be leveraged to automatically run malware. For this reason, many organizations ban removable drives or prohibit autorun from working. Open service ports are commonly associated with applications and services, and autorun doesn’t set up or run these, nor does it impact Wi‐Fi. Watering hole attacks require attackers to compromise or gain access to a site that targets commonly visit so that they deliver malware to their targets.

23
Q

Raj wants to reduce the attack surface for a newly purchased laptop. What hardening technique will help him reduce the possibility of remote exploits while also decreasing the amount of ongoing patch management he needs to do for the system?

Encrypt the system’s boot drive.

Install EDR software.

Remove unnecessary software.

Change any default passwords.

A

C. Raj knows that removing unnecessary software reduces a system’s attack surface and also means that he won’t have to patch and maintain the software he removes. Encrypting a drive, installing EDR, and changing default passwords won’t reduce patch management, but EDR and changing default passwords could help with remote exploit prevention.

24
Q

Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered?

Buffer overflow

Logic bomb

Race conditions

Improper error handling

A

C. A race condition can occur when multiple threads in an application are using the same variable and the situation is not properly handled. A buffer overflow is attempting to put more data in a buffer than it is designed to hold. A logic bomb is malware that performs its misdeed when some logical condition is met. As the name suggests, improper error handling is the lack of adequate or appropriate error handling mechanisms within software.

25
Q

Allan wants to detect brute‐force physical attacks. What should he do if he wants to detect the broadest range of physical attacks?

Deploy a monitored security camera system.

Hire a guard to patrol the facility.

Conduct regular inspections of the facility.

Set up an alarm system.

A

A. A monitored camera system will detect the broadest range of attacks. Guards will only detect brute‐force attacks when they are in the area, and cameras can cover more spaces at once. Inspections may miss attacks where camera recordings and monitoring can show failed and successful attacks. An alarm system won’t detect attacks by insiders, who may access spaces they have access to in order to perform malicious actions.

26
Q

Which of the following is not a common threat vector associated with SMS‐based attacks?

Malicious links

SMS‐based phishing

SMS‐delivered images

MFA exploits

A

C. Images are not a common threat vector via SMS. Malicious links, phishing via text, and multifactor authentication (MFA) exploits, including sending MFA notices until the recipient approves an MFA request, are all common SMS‐related threat vectors.

27
Q

Pete uses a technique that injects code into memory used by another process to allow him to control what the host program does. What is this technique called for Windows dynamically linked libraries?

WinBuff attacks

DLL injection

A SYRINGE attack

A memory traversal attack

A

B. DLL injection forces a process to load and run code from a dynamically linked library (DLL) that was not originally used by the application or software. This can be used to modify behaviors of the program or to perform malicious actions through the application. WinBuff, SYRINGE, and memory traversal were all made up for this question.

28
Q

Kathleen wants to control network traffic between subnets using her Cisco network devices. What built‐in capability can she use to allow or deny traffic based on port, protocol, and IP address?

A HIPS

ACLs

Least privilege lists

VLANs

A

B. Access control lists (ACLs) allow or deny traffic based on rules that include protocol, IP addresses, ports, and other details. They do not understand packet content and simply assess traffic based on these basic rules. A HIPS is a host‐based intrusion prevention system and is not installed between subnets. Least privilege is a concept, not an application or security tool, and VLANs are used to segment traffic but do not themselves control traffic this way. Instead, VLANs are often combined with ACLs to control network traffic and ensure segmentation.

29
Q

Dana wants to use documented and published IoCs as part of her threat‐hunting activities. What should she look for to integrate with her SIEM or other security tools?

Threat feeds

A real‐time blackhole list

A vulnerability feed

An IP reputation feed

A

A. Both commercial and private threat feeds can be used by security tools like SIEM, EDR, and XDR systems to provide them with current information about indicators of compromise. A real‐time blackhole list (RBL) and an IP reputation feed are examples of specific threat feeds but are not as broad as threat feeds. Vulnerability definitions are typically integrated with vulnerability scanners, but again are a narrower option than a threat feed.

30
Q

You are responsible for software testing at Acme Corporation. You want to check all software for bugs that might be used by an attacker to gain entrance into the software or your network. You have discovered a web application that would allow a user to attempt to put a 64‐bit value into a 4‐byte integer variable. What is this type of flaw?

A

Placing a larger integer value into a smaller integer variable is an integer overflow.

31
Q

Amanda is assessing the potential for issues with her organization’s recently adopted IaaS vendor. What cloud vulnerability should she worry about if her system administrators do not effectively manage security groups in AWS?

Insecure APIs

Misconfigurations

Malicious insiders

MFA‐based attacks

A

B. Security groups are used like firewall rules in Amazon Web Services (AWS), and since Amanda’s system administrators are not effectively managing security groups, this is most likely to create a misconfiguration issue. Application programming interfaces (APIs) are provided by the vendor, and thus their security is typically a vendor issue or a misconfiguration issue. Malicious insiders are not mentioned, and security group misconfiguration does not drive multifactor authentication (MFA)‐based attacks.

32
Q

Jared’s organization runs Linux servers, and recent vulnerability scans show that the servers are vulnerable to an issue that is described as follows:

CVE-2018-5703: tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in
the Linux kernel through 4.14.11 allows attackers to cause a denial of
service (slab out-of-bounds write)

What is Jared’s best option to remediate a kernel vulnerability like this?

A

The Linux kernel is part of the operating system and needs to be handled with an OS patch. There is no application to patch. Installing a HIPS might help, but the issue is dated 2018, meaning that a patch likely exists. If there wasn’t a patch and this was a new vulnerability, segmentation might be a useful immediate response to reduce risk.

33
Q

What is the primary difference in threat vectors between agent client‐based and agentless software deployments?

Agentless software does not consume resources and thus cannot result in a resource consumption‐based denial‐of‐service condition.

Client‐based software provides a better view of system resources and is able to manage its resource consumption better to avoid issues.

Agentless software does not have an agent that may be potentially vulnerable to attack.

Client‐based software allows for greater security because it can be patched.

A

C. Agentless software does not have an agent installed that can be targeted. That means that the server or control system is the only target for attackers. Agentless software can still consume resources as queries and actions are taken by the server or control plane. Client‐based software often has better insights into systems, and may offer additional security features if it is a security tool. Client‐based software and agentless software can both be patched to address security issues.

34
Q

Eric is conducting a penetration test and wants to release a malicious update for an organization’s application. The organization uses public key encryption to sign updates. What does Eric need to deliver an update that systems will accept?

The private key for the signing certificate

A collision with the hashed value of a legitimate update

The public key for the signing certificate

A collision with the hashed value of a malicious update

A

A. In order to deliver a malicious update that uses a signing certificate, Eric will need to gain access to the private key for the signing certificate. The public key is exactly that—public—and having it will not allow Eric to sign the update. Hashes and collisions are not needed for this type of exploit.

35
Q

Jared has discovered malware on the workstations of several users. This particular malware provides administrative privileges for the workstation to an external hacker. What best describes this malware?

Trojan horse

Logic bomb

Multipartite virus

Rootkit

A

D. Rootkits provide administrative access to systems, thus the “root” in rootkit. A Trojan horse combines malware with a legitimate program. A logic bomb performs its malicious activity when some condition is met. A multipartite virus infects the boot sector and a file.

36
Q

Michelle discovers that a number of systems throughout her organization are connecting to a changing set of remote systems on TCP port 6667. What is the most likely cause of this, if she believes the traffic is not legitimate and that the systems are infected with malware?

An alternate service port for web traffic

Botnet command‐and‐control via IRC

Downloads via a peer‐to‐peer network

Remote‐access Trojans

A

B. This question combines two pieces of knowledge: how botnet command‐and‐control works, and that IRC’s default port is TCP 6667. Although this could be one of the other answers, the most likely answer given the information available is a botnet that uses Internet Relay Chat (IRC) as its command‐and‐control channel. 6667 is not a common alternate web traffic port, peer‐to‐peer network traffic is commonly done via HTTP or HTTPS in modern infections, and a remote access‐Trojan is likely to behave differently and use another port as well.

37
Q

Susan performs a vulnerability scan of a small business network and discovers that the organization’s consumer‐grade wireless router has a vulnerability in its web server. What issue should she address in her findings?

Firmware patch management

Default configuration issues

An unsecured administrative account

Weak encryption settings

A

A. Software updates for consumer‐grade wireless routers are typically applied as firmware updates, and Susan should recommend that the business owner regularly upgrade their wireless router firmware. If updates are not available, they may need to purchase a new router that will continue to receive updates and configure it appropriately. This is not a default configuration issue nor an unsecured administrative account—neither is mentioned, nor is encryption.

38
Q

What two files are commonly attacked using offline brute‐force attacks?

The Windows Registry and the Linux /etc/passwd file

The Windows SAM and the Linux /etc/passwd file

The Windows SAM and the Linux /etc/shadow file

The Windows Registry and the Linux /etc/shadow file

A

C. The Windows Security Account Manager (SAM) file and the /etc/shadow file for Linux systems both contain passwords and are popular targets for offline brute‐force attacks.

39
Q

You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain. What describes this attack?

Bluejacking

Bluesnarfing

An evil twin attack

A remote‐access Trojan

A

B. Bluesnarfing involves accessing data from a Bluetooth device when it is in range. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Evil twin attacks use a rogue access point whose name is similar or identical to that of a legitimate access point. Nothing in this scenario points to a remote‐access Trojan being the cause of the stolen data.

40
Q

Which of the following situations is not associated with race conditions?

Time‐of‐check

Time‐of‐change

Target‐of‐evaluation

Time‐of‐use

A

B. There are three common situations associated with race conditions: time‐of‐check (TOC), time‐of‐use (TOU), and target‐of‐evaluation. Time‐of‐change is not commonly associated with race conditions.

41
Q

Una’s company is assessing threats to their supply chain and wants to consider the most likely issues that their server hardware supplier may create. Which of the following is not a common concern for organizations assessing hardware providers?

Malicious hardware design

Injection of malicious firmware

Inability to deliver hardware in a timely manner

Malicious software added to default OS images

A

A. While malicious hardware does exist, few organizations face it as a common threat due to the complexity of the attack and the fact that most hardware providers want to avoid the reputational harm that compromised hardware would create. Malicious firmware and software added to the OS image as well as an inability to deliver hardware in a timely manner are all common concerns with hardware providers.

42
Q

Ryan needs to verify that no unnecessary ports and services are available on his systems, but he cannot run a vulnerability scanner. What is his best option?

Passive network traffic capture to detect services

A configuration review

Active network traffic capture to detect services

Log review

A

B. Configuration reviews, either using automated tools or manual validation, can be a useful proactive way to ensure that unnecessary ports and services are not accessible. Configuration management tools can also help ensure that expected configurations are in place. Neither passive nor active network packet capture will show services that are not accessed, meaning that open ports could be missed, and log review won’t show all open ports either.

43
Q

Tori believes that the system she is investigating may have a rootkit resident on the system. What type of behavior is most likely to indicate a rootkit’s presence?

Unusual network traffic

Network scanning

Displaying a ransom notice

Deletion of files

A

A. Rootkits are designed to help retain control of and access to a system without users noticing. That means that obtrusive behaviors like network scanning, displaying ransom notices, or deletion of files are unusual for rootkits to perform. Other malware components beyond the rootkit may perform these as part of a malicious actor’s toolkit.

44
Q

Drew wants to address a recent Windows vulnerability that has a CVE rating of 9.6. What should his first step be to address the vulnerability?

Isolate the impacted systems.

Disable the service.

Check to see if a patch is available.

Install a host‐based firewall.

A

C. The first step for most organizations when addressing a known vulnerability is to check whether a patch is available. Organizations will also assess the potential risks associated with the patch: has it been widely deployed and tested, are there known issues, and is there a likelihood of disruption due to patching? If there are known issues, other solutions like isolation or deploying additional security controls such as a host‐based firewall or firewall rule, or even disabling the service if possible, may be employed.

45
Q

Clay is decommissioning a server and wants to ensure that the system is properly decommissioned. Once the drives have been wiped or destroyed, what step typically comes next?

Wiping memory

Removing the system from inventory

Removing the system from management

Removing memory

A

B. Systems are typically removed from management when they are shut down and before disks are wiped. Once they’re off and will not return to service, they are wiped and then removed from inventory. Memory wipes and removal are not typical steps in decommissioning processes.

46
Q

Eden wants to check errors related to a new security tool installed on her Windows workstation. What log file in Windows contains errors with installed software?

The application log

The security log

The setup log

The system log

A

A. The application log typically contains information about software that is installed on a Windows workstation, including errors that Eden is trying to identify. The security log contains security events like logins and file deletions. The setup log contains information about the installation of Windows, and the system log contains system‐related events like bootup errors.

47
Q

Bob is conducting a penetration test against a client’s environment and he discovers TCP port 515 exposed to the Internet. What should he report to his client as a potential attack surface?

A

TCP port 515 is the LPR port, commonly used for print services. Bob knows that exposing printers to the Internet is not a common practice and should recommend that the print server be segmented away from the Internet so that only the internal systems that need to send print jobs can reach it.

48
Q

Zoie wants to check for instances of concurrent session usage for her web application. Where should she look for these indicators?

Her firewall logs

Her antivirus (AV) logs

Her authentication logs

Her web application server logs

A

D. Zoie’s best option is to review web application server logs to identify session IDs that are the same coming from different IP addresses. She will not see session IDs in firewall, AV, or authentication logs.

49
Q

Casey is worried about downgrade attacks against her Apache web servers. What should she do to most effectively prevent downgrade attacks?

Prevent TLS fallback.

Require current web browsers.

Run the most current version of Apache.

Use an IDS.

A

A. Preventing fallback options from being used for encryption may stop some clients from connecting but will most effectively prevent downgrade attacks. Current browsers may be needed for this, but requiring that does not prevent attackers from using a downgrade attack if fallback options are allowed. Current web server software does not prevent settings from being weak. An IDS can detect downgrade attempts but cannot stop them.

50
Q

Which of the following is an attack that seeks to attack a website, based on the website’s trust of an authenticated user?

XSS

XSRF

Buffer overflow

Directory traversal

A

B. Cross‐site request forgery (XSRF or CSRF) sends forged requests to a website, supposedly from a trusted user. Cross‐site scripting (XSS) is the injection of scripts into a website to exploit the users. A buffer overflow tries to put more data in a variable than the variable can hold. Directory traversal attempts to change directories through URL manipulation to access files that should not normally be accessible to the web server or application.

51
Q

Mary wants to harden workstations she is responsible for against malware attacks. Which of the following is not a common solution to this?

Installing EDR

Limiting administrative access

Installing antivirus

Using disk encryption

A

D. Disk encryption does not prevent malware attacks under most circumstances. Use of endpoint detection and response tools, antivirus tools, and limiting administrative access are all common ways to counter malware.

52
Q

Spyware is an example of what type of malware?

Trojan

Unwanted programs

RAT

Ransomware

A

B. Spyware and adware are both common examples of unwanted programs. Though not directly malicious, they can pose risks to user privacy as well as create annoyances like pop‐ups or other unwanted behaviors. Trojans appear to be legitimate programs or are paired with them, RATs provide remote access and are a subcategory of Trojans, and ransomware demands payment or other actions to avoid damage to files or reputation.

53
Q

Olivia has provisioned a new virtual machine in a cloud environment and is conducting forensic exercises to practice cloud forensic activities. She discovers data on her newly provisioned drive when she begins to analyze the drive. What issue has Olivia encountered?

A VM escape issue

Improper chain of custody

A resource reuse issue

Improper legal hold

A

C. Olivia has encountered a resource reuse issue. It is likely that the drive was reallocated without being securely wiped and that the previous user did not encrypt their drives. While this is unlikely with major cloud service providers now, it has been observed in the past and could still occur. There is no indication that a VM escape occurred that would run software on the host hypervisor, and no procedural issues around chain of custody or legal hold are described in the question.

54
Q

A penetration tester calls a staff member for her target organization and introduces herself as a member of the IT support team. She asks if the staff member has encountered a problem with their system, then proceeds to ask for details about the individual, claiming she needs to verify that she is talking to the right person. What type of social engineering attack is this?

A

Pretexting is a type of social engineering that involves using a false motive and lying to obtain information. Here, the penetration tester lied about their role and why they are calling (impersonation), and then built some trust with the user before asking for personal information.

55
Q

When a multithreaded application does not properly handle various threads accessing a common value, and one thread can change the data while another thread is relying on it, what flaw is this?

Memory leak

Buffer overflow

Integer overflow

Time‐of‐check/time‐of‐use

A

D. If access is not handled properly, a time‐of‐check (TOC)/time‐of‐use (TOU) condition can exist where the memory is checked, changed, then used. Memory leaks occur when memory is allocated but not deallocated. A buffer overflow is when more data is put into a variable than it can hold. An integer overflow occurs when an attempt is made to put an integer that is too large into a variable, such as trying to put a 64‐bit integer into a 32‐bit variable.

56
Q

Kathleen’s IPS flags traffic from two IP addresses as shown here:

Source IP: 10.11.94.111
http://example.com/home/show.php?SESSIONID=a3fghbby
Source IP: 192.168.5.34
http://example.com/home/show.php?SESSIONID=a3fghbby

What type of attack should she investigate this as?

A SQL injection attack

A cross‐site scripting attack

A session replay attack

A server‐side request forgery attack

A

C. Session IDs should be unique for distinct users and systems. A very basic type of session replay attack involves providing a victim with a session ID and then using that session ID once they have used the link and authenticated themselves. Protections such as session timeouts and encrypting session data, as well as encoding the source IP, hostname, or other identifying information in the session key, can all help prevent session replay attacks.

57
Q

Craig wants to control the applications employees can install on the laptops they are issued. If he wants the greatest level of control and is not concerned about flexibility or overhead to manage his solution, which of the following will best meet his needs?

An access control list

Application allow list

An application deny list

Segmentation

A

B. An application allow list provides the greatest control over what applications are installed on devices. Application deny lists are useful for preventing specific software from being installed but cannot handle the breadth of possible applications that users may find and use. Access control lists (ACLs) are used like firewall rules to apply rules to network traffic, and segmentation is used to separate systems based on various factors like data sensitivity or trust levels.

58
Q

While reviewing logs, Chris sees an Apache web log that includes the following entry:

https://www.example.com/viewer.php?filename=../../../etc/passwd%00.png

What type of attack has Chris most likely uncovered, and what file will it return?

A replay attack, password00.png

A directory traversal attack, password00.png

A replay attack, passwd

A directory traversal attack, passwd

A

D. This is a directory traversal attack. The characteristic /../../ is the first indicator you should pay attention to. The %00 is a null byte, meaning that many applications will stop reading when they encounter it. You might not know that detail as you take the exam, but you should know that attackers would look for the passwd file, not a PNG of a password!

59
Q

Jill is concerned about supply chain attacks against her organization’s service providers. Which of the following should be her most significant concern about her software‐as‐a‐service (SaaS) service provider as she documents her supply chain risks?

Compromise of the SaaS vendor, leading to access to her data

Attacks against the SaaS vendor, leading to hours of downtime

Lack of availability of hardware from her SaaS vendor for delivery

Software vulnerabilities in tools provided by the vendor

A

A. Data exposure is typically a more significant risk than downtime, particularly when the downtime is limited to hours. SaaS vendors do not typically sell or deliver hardware, as they provide services. Software vulnerabilities may exist, but without a known impact, compromise leading to data loss remains the most significant issue.

60
Q
A