Practice Tests - Chapter 1: Domain 1.0: Security Operations Flashcards

1
Q

4- What term is used to describe the groups of related organizations that pool resources to share cybersecurity threat information and analyses?

  • SOC
  • ISAC
  • CERT
  • CIRT
A

ISAC

The Department of Homeland Security collaborates with industry through information sharing and analysis centers (ISACs). These ISACs cover industries such as healthcare, financial, aviation, government, and critical infrastructure.

2
Q

ISAC

A

Information Sharing and Analysis Centers

groups of related organizations that pool resources to share cybersecurity threat information and analyses

3
Q

5- Singh incorporated the Cisco Talos tool into his organization’s threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source?

  • Open source
  • Behavioral
  • Reputational
  • Indicator of compromise
A

Reputational

This source provides information about IP addresses based on past behavior. This makes it a reputational source. A behavioral source would look at information about current behavior. This is a product offered by Cisco and is proprietary, not open source. It does not provide indicators that would help you determine whether your system had been compromised.

4
Q

6- Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service?

  • SaaS
  • PaaS
  • IaaS
  • FaaS
A

FaaS

This is an example of function‐as‐a‐service (FaaS) computing. A service like Lambda could also be described as platform‐as‐a‐service (PaaS), because FaaS is a subset of PaaS. However, the term FaaS is the one that best describes this service.

5
Q

8- Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1

  • 1
  • 3
  • 4
  • 5
A

4

This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.

6
Q

9- Which one of the following functions is not a common recipient of threat intelligence information?

  • Legal counsel
  • Risk management
  • Security engineering
  • Detection and monitoring
A

Legal counsel

Threat intelligence information is not commonly shared with legal counsel on a routine basis. CompTIA’s CySA+ objectives list the following common recipients: incident response, vulnerability management, risk management, security engineering, and detection and monitoring.

7
Q

10- Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using?

  • Public cloud
  • Private cloud
  • Hybrid cloud
  • Community cloud
A

Community cloud

Community clouds are cloud computing environments available only to members of a collaborative community, such as a set of universities. Public clouds are available to any customers who want to use them. Private clouds are for the use of the organization building the cloud only. Hybrid clouds mix elements of public and private clouds in an enterprise computing strategy.

8
Q

Remanence

A

In physics, the magnetic flux density that remains in a material after an external magnetic field is removed. In security, data remanence is the residual representation of data that persists on storage media (or in memory) after the data has nominally been deleted, overwritten, or the media reallocated to another tenant.

9
Q

12- The company that Maria works for is making significant investments in infrastructure‐as‐a‐service hosting to replace its traditional datacenter. Members of her organization’s management have expressed concerns about data remanence when Maria’s team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?

  • Zero‐wipe drives before moving systems.
  • Use full‐disk encryption.
  • Use data masking.
  • Span multiple virtual disks to fragment data.
A

Use full‐disk encryption.

Maria’s team should use full‐disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. Although many cloud providers have implemented technology to ensure that this won’t happen, Maria can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero‐wipe is often impossible because virtual environments may move without her team’s intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.

10
Q

Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place?

  • Credential stuffing
  • Password spraying
  • Brute‐force
  • Rainbow table
A

Password spraying

In a password spraying attack, the attacker tries a limited set of common passwords against many different accounts, typically keeping the number of guesses per account below the lockout threshold. The activity Geoff sees, in which the attacker works through many usernames and tries a bounded list of passwords against each before moving on, is consistent with this type of attack. Credential stuffing attacks reuse username/password pairs stolen from another site, which would result in only one (or very few) login attempts per username. Brute‐force attacks concentrate on one or a few accounts and would result in thousands or millions of attempts per username. Rainbow table attacks take place offline against captured hashes and would not be reflected in the logs. In practice, several hundred guesses per account is at the high end for spraying and would trip most lockout policies; what separates spraying from brute force is the breadth across accounts with a repeated, limited password list, not the raw attempt count.
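The three online attacks on this card leave different shapes in an authentication log, and the shape is what an analyst keys on. The following is an added example (not part of the practice test) that builds a synthetic failed-login log for three made-up source addresses and labels each source with a heuristic based on how many accounts were tried and how many guesses each account received. The event format, the thresholds and the addresses are assumptions chosen for illustration.

```python
"""Sort failed VPN logins by source into spraying / stuffing / brute force.

Added example for this card; it is not from the original practice test. The
event format, the thresholds and the three attacker IPs are assumptions made
up for illustration."""
import re
from collections import Counter, defaultdict


def _constructed_events():
    """Build a synthetic auth log: "<ts> auth-fail user=<name> src=<ip>"."""
    lines = []
    # 203.0.113.10 works through 40 accounts, 5 guesses each, one account at a
    # time: the shape the card calls password spraying.
    for i in range(40):
        lines += [f"t{len(lines)} auth-fail user=user{i:03d} src=203.0.113.10"] * 5
    # 198.51.100.7 tries 300 accounts exactly once each: a leaked credential list.
    lines += [f"t{len(lines) + i} auth-fail user=acct{i:04d} src=198.51.100.7" for i in range(300)]
    # 192.0.2.99 hammers a single account: brute force.
    lines += [f"t{len(lines) + i} auth-fail user=admin src=192.0.2.99" for i in range(5000)]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_events()
EVENT_RE = re.compile(r"auth-fail user=(?P<user>\S+) src=(?P<src>[\d.]+)")


def per_source_stats(log_text):
    """Map each source IP to a Counter of failures per username."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            attempts[m["src"]][m["user"]] += 1
    return attempts


def classify(user_counts, many_users=20, brute_force_floor=1000):
    """Heuristic labels (assumed thresholds):
      many accounts x one try each                      -> credential stuffing
      many accounts x a similar, bounded number of tries -> password spraying
        (a fixed password list reused against each account)
      few accounts x very many tries                    -> brute force
    """
    if not user_counts:
        return "no failures"
    n_users = len(user_counts)
    hi, lo = max(user_counts.values()), min(user_counts.values())
    if n_users >= many_users and hi == 1:
        return "credential stuffing"
    if n_users >= many_users and hi < brute_force_floor and hi - lo <= 2:
        return "password spraying"
    if n_users < many_users and hi >= brute_force_floor:
        return "brute force"
    return "inconclusive"


def triage(log_text):
    """Label every source IP seen in the log."""
    return {src: classify(counts) for src, counts in per_source_stats(log_text).items()}


if __name__ == "__main__":
    for src, label in triage(SAMPLE_LOG).items():
        print(f"{src:<14} {label}")
```

The thresholds are deliberately crude; in a real deployment they would be tuned to the VPN's lockout policy, since a sprayer who knows the policy will stay one guess below it per account.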

11
Q

Credential stuffing

A

Credential stuffing attacks occur when an attacker takes a list of usernames and passwords that were stolen in the compromise of one website and uses them to attempt to gain access to a different, potentially unrelated, website. Credential stuffing attacks are successful when users reuse the same password across many different sites.

12
Q

Password spraying

A

Password spraying attacks occur when an attacker takes a short list of common passwords and attempts to log into many different user accounts with them, usually staying below the account lockout threshold. The attacker only needs to find one valid username/password combination to gain access to the system. This attack succeeds when some users choose common or predictable passwords.

13
Q

14- Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage?

  • Inability to access logs
  • Insufficient logging
  • Insufficient monitoring
  • Insecure API
A

Inability to access logs

The greatest risk in the event of a DoS attack is that the logs are stored in the same cloud environment that is under attack. Cybersecurity professionals may not be able to access those logs to investigate the incident. The usual mitigation is to forward a copy of the logs to a SIEM or log store that lives outside the affected environment, so that an outage of the monitored infrastructure does not also take the evidence with it.

14
Q

15- Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past the user’s desktop, she sees the following command on the screen:

user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt
What is the user attempting to do?

  • They are attempting to hash a file.
  • They are attempting to crack hashed passwords.
  • They are attempting to crack encrypted passwords.
  • They are attempting a pass‐the‐hash attack.
A

They are attempting to crack hashed passwords.

Azra’s suspicious user appears to be attempting to crack LAN Manager (LM) hashes using a custom word list. The key clues are the john application (John the Ripper), the lm hash format, and the word list stored in the user’s home directory. LM hashes are a soft target: the password is truncated to 14 characters, uppercased, and split into two independently hashed 7‐character halves, so even a modest word list succeeds quickly.

15
Q

16- Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)

  • 508
  • 617
  • 846
  • 714
A

714

The service running from the www directory as the user apache should be an immediate indication of something strange, and the use of webmin from that directory should also be a strong indicator of something wrong. Lucas should focus on the web server for the point of entry to the system and should review any files that the Apache user has created or modified. If local vulnerabilities existed when this compromise occurred, the attacker may have already escalated to another account!

16
Q

17- Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems?

  • Enable host firewalls.
  • Install patches for those services.
  • Turn off the services for each appliance.
  • Place a network firewall between the devices and the rest of the network.
A

Place a network firewall between the devices and the rest of the network.

Geoff’s only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don’t have patches available, and many appliances do not allow the services they provide to be disabled or modified.

17
Q

18- While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self‐signed. What issue should he report to his management?

  • Self‐signed certificates do not provide secure encryption for site visitors.
  • Self‐signed certificates can be revoked only by the original creator.
  • Self‐signed certificates will cause warnings or error messages.
  • None of the above.
A

Self‐signed certificates will cause warnings or error messages.

Using self‐signed certificates for services that will be used by the general public or by organizational users outside a small testing group is an issue because most browsers will display an error or warning. The TLS encryption used for HTTPS is just as strong whether the certificate was issued by a certificate authority or self‐signed, and a self‐signed certificate cannot be revoked at all, since there is no issuing CA to publish revocation information. The practical risk is to authentication rather than encryption: without a chain to a trusted root, clients cannot distinguish the legitimate self‐signed certificate from one an attacker presents from a man‐in‐the‐middle position, and users who have learned to click through the warning will not notice the swap.

18
Q

19- Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?

  • AFRINIC
  • APNIC
  • RIPE
  • LACNIC
A

RIPE

Brandon should select RIPE (formally the RIPE NCC), the regional Internet registry for Europe, the Middle East, and parts of Central Asia. AFRINIC serves Africa, APNIC serves the Asia/Pacific region, and LACNIC serves Latin America and the Caribbean. ARIN, which covers North America, is not among the options.

19
Q

AFRINIC

A

the regional Internet registry for Africa

20
Q

APNIC

A

the regional Internet registry for Asia/Pacific region

21
Q

RIPE

A

the regional Internet registry for Europe, the Middle East, and parts of Central Asia

22
Q

LACNIC

A

the regional Internet registry for Latin America and the Caribbean.

23
Q

20- While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP address. What should Janet report has occurred?

[21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0

  • A denial‐of‐service attack
  • A vulnerability scan
  • A port scan
  • A directory traversal attack
A

A vulnerability scan

Testing for common sample and default files is a common tactic for vulnerability scanners. Janet can reasonably presume that her Apache web server was scanned using a vulnerability scanner.

24
Q

21- Scott is part of the white team that is overseeing his organization’s internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?

No. Time Source Destination Protocol Length Info
2180 2.493035366 10.0.2.4 10.0.2.15 TCP 66 80 → 55554 [FIN, ACK] Seq=507 Ack=420 Win=6880 Len=0 TSval=127193 TSecr=317472
2181 2.493271630 10.0.2.15 10.0.2.4 TCP 66 55554 → 80 [FIN, ACK] Seq=420 Ack=508 Win=30336 Len=0 TSval=317472 TSecr=127193
2182 2.493462055 10.0.2.4 10.0.2.15 TCP 66 80 → 55554 [ACK] Seq=508 Ack=421 Win=6880 Len=0 TSval=127193 TSecr=317472
2183 2.496331161 10.0.2.15 10.0.2.4 TCP 66 55552 → 80 [FIN, ACK] Seq=413 Ack=503 Win=30336 Len=0 TSval=317472 TSecr=127192
2184 2.496386675 10.0.2.15 10.0.2.4 TCP 74 55556 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=317473 TSecr=0 WS=128
2185 2.496500116 10.0.2.4 10.0.2.15 TCP 66 80 → 55552 [ACK] Seq=503 Ack=414 Win=6880 Len=0 TSval=127193 TSecr=317473
2186 2.496520426 10.0.2.4 10.0.2.15 TCP 74 80 → 55556 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=127193 TSecr=317
2187 2.496527886 10.0.2.15 10.0.2.4 TCP 66 55556 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=317473 TSecr=127193
2188 2.497238098 10.0.2.15 10.0.2.4 HTTP 492 GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1
2189 2.497404022 10.0.2.4 10.0.2.15 TCP 66 80 → 55556 [ACK] Seq=1 Ack=427 Win=6880 Len=0 TSval=127193 TSecr=317473
2190 2.497648036 10.0.2.4 10.0.2.15 HTTP 577 HTTP/1.1 404 Not Found (text/html)
2191 2.497665375 10.0.2.15 10.0.2.4 TCP 66 55556 → 80 [ACK] Seq=427 Ack=512 Win=30336 Len=0 TSval=317473 TSecr=127194
2192 2.497680491 10.0.2.4 10.0.2.15 TCP 66 80 → 55556 [FIN, ACK] Seq=512 Ack=427 Win=6880 Len=0 TSval=127194 TSecr=317473
2193 2.502043782 10.0.2.15 10.0.2.4 TCP 74 55558 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=317474 TSecr=0 WS=128
2194 2.502267987 10.0.2.4 10.0.2.15 TCP 74 80 → 55558 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=127194 TSecr=317
2195 2.502294637 10.0.2.15 10.0.2.4 TCP 66 55558 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=317474 TSecr=127194
2196 2.502356539 10.0.2.15 10.0.2.4 HTTP 499 GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1

  • The blue team has succeeded.
  • The red team is violating the rules of engagement.
  • The red team has succeeded.
  • The blue team is violating the rules of engagement.
A

The red team is violating the rules of engagement.

This capture shows SQL injection attacks being attempted. We can determine this from the SQL keywords (UNION ALL SELECT, URL‐encoded) in the requests in packets 2188 and 2196; the second request adds one more NULL to the column list, which is the standard way of probing for the number of columns the original query returns in a UNION‐based injection. Since this is the reconnaissance phase, the red team should not be actively attempting to exploit vulnerabilities and has violated the rules of engagement.

25
Q

22- Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?

  • LDAPS and HTTPS
  • FTPS and HTTPS
  • RDP and HTTPS
  • HTTP and Secure DNS
A

LDAPS and HTTPS

TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 443. Although other services could use these ports, Jennifer’s best bet is to presume that they will be providing the services they are typically associated with.

26
Q

28- Wang submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?

Signatures

A process attempted to delay the analysis task.
File has been identified by at least one AntiVirus on VirusTotal as malicious
The binary likely contains encrypted or compressed data.
Creates a windows hook that monitors keyboard input (keylogger)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

  • A reverse‐engineering tool
  • A static analysis sandbox
  • A dynamic analysis sandbox
  • A decompiler sandbox
A

A dynamic analysis sandbox

Wang’s screenshot shows behavioral analysis of the executed code. From this, you can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.

27
Q

30- Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?

  • High.
  • Medium.
  • Low.
  • She cannot determine this from the information given.
A

Low.

Sarah knows that domain registration information is publicly available and that her organization controls the data that is published. Since this does not expose anything that she should not expect to be accessible, she should categorize this as a low impact.

28
Q

What does an ICMP echo request indicate?

A

A single ICMP echo request is simply a ping, used to check whether a host is reachable. A series of echo requests sent to consecutive addresses in a range, especially from one source in a short period, indicates a ping sweep, a host‐discovery technique used during reconnaissance.

29
Q

32- Ryan’s passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?

check picture in book

  • The host does not have a DNS entry.
  • It is running a service on port 139.
  • It is running a service on port 445.
  • It is a Windows system.
A

The host does not have a DNS entry.

While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn’t have one that is available to the host that did the scan and ran the Wireshark capture).

30
Q

34- What purpose does a honeypot system serve when placed on a network as shown in the following diagram?

See picture in book

  • It prevents attackers from targeting production servers.
  • It provides information about the techniques attackers are using.
  • It slows down attackers like sticky honey.
  • It provides real‐time input to IDSs and IPSs.
A

It provides information about the techniques attackers are using.

A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.

31
Q

35- A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique?

  • A passive defense
  • A sticky defense
  • An active defense
  • A reaction‐based defense
A

An active defense

Tarpits are a form of active defense that decoy or bait attackers. Passive defenses include cryptography, security architecture, and similar options. Sticky defenses and reaction‐based defenses were made up for this question.

32
Q

36- Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?

  • Sandboxing
  • Implementing a honeypot
  • Decompiling and analyzing the application code
  • Fagan testing
A

Sandboxing

Susan’s best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. Although this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time‐consuming. Since she doesn’t have the source code, Fagan inspection won’t work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.

33
Q

37- Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message?

root@demo:~# md5sum -c demo.md5
demo.txt: FAILED
md5sum: WARNING: 1 computed checksum did NOT match

  • The file has been corrupted.
  • Attackers have modified the file.
  • The files do not match.
  • The test failed and provided no answer.
A

The files do not match.

Manesh knows that the file she downloaded and computed a checksum for does not match the MD5 checksum published by the providers of the software. She does not know whether the file has been corrupted or whether attackers have modified it, but she may want to contact the providers to let them know about the issue, and she definitely should not execute or trust the file. Note also that MD5 is no longer collision resistant, and a checksum published beside the download on the same server offers no protection against an attacker who controls that server; a hash verified against a detached signature from the publisher, or at least a SHA‐256 value obtained through a separate channel, is the stronger check.
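To make the card's point concrete, the following is an added example (not part of the practice test) that reimplements what `md5sum -c` decides: it parses a coreutils‐style checksum list, recomputes each digest, and reports OK, FAILED, or a read failure, using a constant‐time comparison. The checksum list and the file contents are constructed in memory, with one digest deliberately wrong to reproduce the FAILED result; the algorithm can be switched to SHA‐256 with one argument.

```python
"""What `md5sum -c` actually decides, reimplemented for clarity.

Added example for this card; not part of the original page. The checksum
list and the file contents are constructed in memory so the example runs
offline."""
import hashlib
import hmac

# Constructed "files" and a coreutils-format checksum list
# ("<hexdigest>  <filename>" per line). demo.txt's digest is deliberately
# wrong to reproduce the FAILED line from the card; missing.bin was never
# downloaded.
FILES = {
    "tool.tar.gz": b"pretend-this-is-a-release-tarball",
    "demo.txt": b"hello\n",
}
CHECKSUMS = (
    hashlib.md5(FILES["tool.tar.gz"]).hexdigest() + "  tool.tar.gz\n"
    + "00000000000000000000000000000000  demo.txt\n"
    + hashlib.md5(b"never downloaded").hexdigest() + "  missing.bin\n"
)


def verify(checksum_text, files, algorithm="md5"):
    """Return {filename: 'OK' | 'FAILED' | 'FAILED open or read'}.

    A mismatch says only that the bytes differ from what the publisher listed;
    it cannot tell corruption from tampering, and an attacker who controls the
    download site can replace the checksum as easily as the file. Digests are
    compared in constant time so the check itself leaks nothing."""
    results = {}
    for line in checksum_text.splitlines():
        if not line.strip():
            continue
        expected, name = line.split(None, 1)
        name = name.lstrip("*")  # binary-mode marker used by some checksum files
        data = files.get(name)
        if data is None:
            results[name] = "FAILED open or read"
            continue
        actual = hashlib.new(algorithm, data).hexdigest()
        results[name] = "OK" if hmac.compare_digest(actual, expected.lower()) else "FAILED"
    return results


def mismatches(results):
    """Mirror the md5sum footer: how many computed checksums did NOT match."""
    return sum(1 for status in results.values() if status == "FAILED")


if __name__ == "__main__":
    outcome = verify(CHECKSUMS, FILES)
    for name, status in outcome.items():
        print(f"{name}: {status}")
    if mismatches(outcome):
        print(f"WARNING: {mismatches(outcome)} computed checksum did NOT match")
```

The same function works for a `sha256sum`‐style list by passing `algorithm="sha256"`; the weakness the card hints at is not in the comparison but in where the expected digest came from.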

34
Q

41- Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?

  • Submit cmd.exe to VirusTotal.
  • Compare the hash of cmd.exe to a known good version.
  • Check the file using the National Software Reference Library.
  • Run cmd.exe to make sure its behavior is normal.
A

Submit cmd.exe to VirusTotal.

Susan’s best option is to submit the file to a tool like VirusTotal that will scan it for virus‐like behaviors and known malware tools. Checking the hash, either manually or against the National Software Reference Library, can tell her whether the file matches a known good version but will not tell her what a mismatched file actually contains. Running a suspect file is the worst option on the list. Note that files submitted to VirusTotal are shared with participating vendors and subscribers; that is acceptable for a Windows system binary but matters for files that might hold organizational data.

35
Q

42- Nishi is deploying a new application that will process sensitive health information about her organization’s clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization’s existing network. What approach is Nishi adopting?

  • Network interconnection
  • Network segmentation
  • Virtual LAN (VLAN) isolation
  • Virtual private network (VPN)
A

Network segmentation

The strategy outlined by Nishi is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Nishi requires.

36
Q

43- Bobbi is deploying a single system that will be used to manage a sensitive industrial control process. This system will operate in a stand‐alone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system?

  • Network segmentation
  • VLAN isolation
  • Airgapping
  • Logical isolation
A

Airgapping

Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known as air‐gapping, the organization uses a stand‐alone system for the sensitive function that is not connected to any other system or network, greatly reducing the risk of compromise. VLAN isolation and network segmentation involve a degree of interconnection that is not present in this scenario.

37
Q

46- Which one of the following technologies is not typically used to implement network segmentation?

  • Host firewall
  • Network firewall
  • VLAN tagging
  • Routers and switches
A

Host firewall

Host firewalls operate at the individual system level and therefore are not the tool for implementing network segmentation (they do appear in host‐based microsegmentation schemes, but the exam treats segmentation as a network‐level control). Routers and switches may be used for this purpose by either physically separating networks or implementing VLAN tagging. Network firewalls may also be used to segment networks into different zones.

38
Q

47- Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization’s buildings. What type of segmentation should he implement to do so without adding additional costs and complexity?

  • SSID segmentation
  • Logical segmentation
  • Physical segmentation
  • WPA segmentation
A

Logical segmentation

Ian knows that deploying a second set of access points in the same space to build a physically segmented wireless network would significantly increase both the cost of deployment and the complexity of the network, because additional radios covering the same area compete for the same channels and interfere with one another. His best choice is to segment the networks logically on one set of access points, for example by broadcasting a separate SSID for each network and mapping each SSID to its own VLAN. SSID and WPA segmentation are both made‐up terms for this question.

39
Q

49- What major issue would Charles face if he relied on hashing malware packages to identify malware packages?

  • Hashing can be spoofed.
  • Collisions can result in false positives.
  • Hashing cannot identify unknown malware.
  • Hashing relies on unencrypted malware samples.
A

Hashing cannot identify unknown malware.

Relying on hashes means that Charles can identify only the specific malware samples that have already been analyzed and added to his list; a new or modified sample produces a different hash and is missed. This is the standard weakness of signature‐based detection, and malware authors exploit it deliberately: polymorphic packers change the bytes of each copy so that two instances of the same malware family do not share a hash. Exact hashes remain useful for confirming and blocking known samples, but they need to be paired with broader content signatures, fuzzy hashing, or behavioral detection.
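The following is an added example, not part of the original question set, showing why an exact-hash blocklist misses a trivially modified sample while a content signature still catches it. The "malware" bytes are a constructed stand-in, not a real sample, and the pattern `evil-dropper` is an assumed signature.

```python
import hashlib

# Constructed sample standing in for a malware binary (not real malware).
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"evil-dropper-v1" + b"\x00" * 16
# "Polymorphic" variant: the same payload with one byte of padding changed,
# the kind of change a packer makes to defeat hash-based detection.
VARIANT_SAMPLE = KNOWN_BAD_SAMPLE[:-1] + b"\x01"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash blocklist built from the one sample the team has already analyzed.
BLOCKLIST = {sha256_hex(KNOWN_BAD_SAMPLE)}


def hash_match(sample: bytes, blocklist=BLOCKLIST) -> bool:
    """Exact-hash detection: only samples already on the list are found."""
    return sha256_hex(sample) in blocklist


def pattern_match(sample: bytes, patterns=(b"evil-dropper",)) -> bool:
    """Content signature (assumed pattern): survives byte changes outside the matched bytes."""
    return any(p in sample for p in patterns)


if __name__ == "__main__":
    for name, sample in (("original", KNOWN_BAD_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(f"{name}: hash={hash_match(sample)} pattern={pattern_match(sample)}")
```

The hash check finds the original and misses the variant; the pattern check finds both. The same limitation applies to any exact hash (MD5, SHA-1, SHA-256), which is why threat feeds distribute fuzzy hashes and YARA-style rules alongside file hashes.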

40
Q

52- Angela is a security practitioner at a midsize company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.

Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?

  • Location and knowledge
  • Knowledge and possession
  • Knowledge and biometric
  • Knowledge and location
A

Knowledge and possession

The most common factors in multifactor systems today are knowledge factors (something you know, such as a password) and possession factors (something you have, such as a hardware token, an authenticator application that generates one‐time codes, or a smartcard).

41
Q

53- Angela is a security practitioner at a midsize company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.

Angela’s multifactor deployment includes the ability to use text (SMS) messages to send the second factor for authentication. What issues should she point to?

  • VoIP hacks and SIM swapping.
  • SMS messages are logged on the recipient’s phones.
  • PIN hacks and SIM swapping.
  • VoIP hacks and PIN hacks.
A

VoIP hacks and SIM swapping.

NIST has pointed out (in SP 800‐63B, which classes code delivery over SMS and voice as a restricted authenticator) that SMS is a relatively insecure way of delivering codes as part of a multifactor authentication system. The two attacks most often cited against SMS delivery are VoIP hacks, where the phone number is backed by a VoIP service whose account an attacker can take over so that the messages are delivered to the attacker, and SIM swapping attacks, where the attacker persuades the carrier to move the victim's number to a SIM the attacker controls, so that subsequent SMS messages arrive on the attacker's phone.

42
Q

54- What purpose does the OpenFlow protocol serve in software‐defined networks?

  • It captures flow logs from devices.
  • It allows software‐defined network controllers to push changes to devices to manage the network.
  • It sends flow logs to flow controllers.
  • It allows devices to push changes to SDN controllers to manage the network.
A

It allows software‐defined network controllers to push changes to devices to manage the network.

OpenFlow is the protocol that software‐defined network (SDN) controllers use to push flow rules to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations. The devices do not drive the controller; the controller drives the devices.

43
Q

OpenFlow

A

OpenFlow is the southbound API (application programming interface) and protocol between a software-defined networking (SDN) controller and the forwarding devices it manages; it is what makes the network centrally programmable.

The controller uses it to install, modify, and remove flow-table entries (match fields, a priority, and actions such as forward to a port or drop) on switches and routers, and the devices use it to report table misses and flow statistics back to the controller.
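The simulation below is an added example for cards 42 and 43 and is not code from the original page or from any OpenFlow implementation. It models what a controller installs in a switch's flow table (match fields with wildcards, priority, action, per-rule counters) and how the switch resolves a packet against it, with a table miss escalated to the controller. Subnets, ports, and the rule set are assumptions chosen to show segmentation enforced through SDN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass
class FlowRule:
    """One flow-table entry as a controller would install it: match fields
    (None = wildcard), a priority, and an action. Counters are kept per rule."""
    priority: int
    action: str                          # "forward:<port>" or "drop"
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    packet_count: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src_ip) not in self.src_net:
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in self.dst_net:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True


class FlowTable:
    """The switch side: rules ordered by priority, first match wins, table miss goes to the controller."""

    def __init__(self) -> None:
        self.rules: List[FlowRule] = []

    def install(self, rule: FlowRule) -> None:
        """What a controller's flow-mod message does: add a rule and keep the table priority-sorted."""
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def lookup(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packet_count += 1
                return rule.action
        return "controller"  # table miss: the switch sends a packet-in to the controller


def build_segmented_table() -> FlowTable:
    """Assumed controller policy: the app subnet may reach only the database host on TCP/5432,
    all other app-to-data traffic is dropped, and anything unmatched is escalated."""
    table = FlowTable()
    table.install(FlowRule(priority=100, action="forward:2",
                           src_net=ip_network("10.0.1.0/24"), dst_net=ip_network("10.0.2.20/32"),
                           dst_port=5432, proto="tcp"))
    table.install(FlowRule(priority=10, action="drop",
                           src_net=ip_network("10.0.1.0/24"), dst_net=ip_network("10.0.2.0/24")))
    return table


if __name__ == "__main__":
    table = build_segmented_table()
    for pkt in (Packet("10.0.1.10", "10.0.2.20", 5432, "tcp"),
                Packet("10.0.1.10", "10.0.2.20", 22, "tcp"),
                Packet("10.0.3.5", "10.0.2.20", 5432, "tcp")):
        print(pkt, "->", table.lookup(pkt))
```

The point to take from it is the direction of control: the policy lives in the controller and is pushed down as rules, while the switch only matches and counts. Because the drop rule has lower priority than the specific allow rule, ordering by priority rather than insertion order is what makes the segmentation correct.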

44
Q

55- Rick’s security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?

  • A tarpit
  • A honeypot
  • A honeynet
  • A blackhole
A

A honeynet

Rick’s team has set up a honeynet—a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way, whereas a tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.

45
Q

56- Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?

  • Horizontal scaling
  • API keys
  • Setting a cap on API invocations for a given timeframe
  • Using timeouts
A

Horizontal scaling

Scaling a serverless system is a useful way to handle additional legitimate traffic, but it will not prevent denial‐of‐service (DoS) attacks from driving up cost. In fact, horizontal scaling makes the problem worse, because every extra invocation the attacker triggers is billed (sometimes called denial of wallet). API keys can be used to prevent unauthorized use of the serverless application, and an abused key can be deprovisioned. Capping API invocations for a timeframe and setting execution timeouts bound the number of runs and how long each run can last, which together bound the maximum cost an attacker can inflict.
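Added example (not from the original question): a front-door guard for a serverless function that combines the three appropriate controls, API keys with revocation, an invocation cap over a sliding window, and a per-invocation timeout that caps billable duration. The key names, window, cap, and the flat price per billed second are assumptions; real providers bill by memory-time, but the bound works the same way.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional


class InvocationGuard:
    """Per-key invocation cap over a sliding window, key revocation, and a timeout
    that bounds how much of each invocation can be billed."""

    def __init__(self, valid_keys: Iterable[str], max_calls: int, window_s: float,
                 timeout_s: float, price_per_s: float) -> None:
        self.valid_keys = set(valid_keys)
        self.max_calls = max_calls
        self.window_s = window_s
        self.timeout_s = timeout_s
        self.price_per_s = price_per_s      # hypothetical flat price per billed second
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)

    def revoke(self, api_key: str) -> None:
        """Deprovision an abused key; its later calls are rejected before any work is billed."""
        self.valid_keys.discard(api_key)

    def admit(self, api_key: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        if api_key not in self.valid_keys:
            return "rejected: unknown or revoked key"
        recent = self._calls[api_key]
        while recent and now - recent[0] >= self.window_s:   # expire calls outside the window
            recent.popleft()
        if len(recent) >= self.max_calls:
            return "rejected: invocation cap reached"
        recent.append(now)
        return "ok"

    def bill(self, api_key: str, requested_s: float, now: Optional[float] = None) -> float:
        """Cost of one invocation: nothing if not admitted, else run time capped by the timeout."""
        if self.admit(api_key, now) != "ok":
            return 0.0
        return min(requested_s, self.timeout_s) * self.price_per_s

    def worst_case_cost_per_window(self) -> float:
        """Upper bound on spend per window even if every valid key is driven flat out."""
        return len(self.valid_keys) * self.max_calls * self.timeout_s * self.price_per_s


if __name__ == "__main__":
    guard = InvocationGuard(["key-A"], max_calls=3, window_s=60, timeout_s=5, price_per_s=0.01)
    for t in (0, 1, 2, 3):
        print(t, guard.admit("key-A", now=t))
    print("worst case per window:", guard.worst_case_cost_per_window())
```

With horizontal scaling alone the cost is unbounded in the attacker's request rate; with a cap and a timeout it is bounded by keys × cap × timeout × price per window, and revoking a key drops its contribution to zero.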

46
Q

57- What is the key difference between virtualization and containerization?

  • Virtualization gives operating systems direct access to the hardware, whereas containerization does not allow applications to directly access the hardware.
  • Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.
  • Virtualization is necessary for containerization, but containerization is not necessary for virtualization.
  • There is not a key difference; they are elements of the same technology.
A

Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.

Virtualization runs multiple complete operating systems, each with its own kernel, on the same underlying hardware, whereas containerization runs multiple isolated applications on one shared operating system kernel on a single system. Containers can be given direct access to host hardware and devices, whereas a virtual machine normally sees only virtualized hardware. Virtualization is not necessary for containerization, although containers are often run inside virtual machines; containerization on bare metal avoids the hypervisor overhead and can perform better. The shared kernel is also the security trade‐off: a kernel vulnerability reachable from one container exposes every container on that host, whereas virtual machines are separated by the hypervisor. Finally, there is a key difference, as stated in the correct answer.

47
Q

58- Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, application group B has health information with different legal requirements for handling, and application group C has business‐sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has?

  • Run a single, highly secured container host with encryption for data at rest.
  • Run a container host for each application group and secure them based on the data they contain.
  • Run a container host for groups A and B, and run a lower‐security container host for group C.
  • Run a container host for groups A and C, and run a health information–specific container host for group B due to the health information it contains.
A

Run a container host for each application group and secure them based on the data they contain.

Workloads in a secure containerization environment should be distributed so that each host runs containers of only one security level. Since Brandon has three different data‐handling requirements, he should use a separate host (or node pool) for each group, configured to protect that group's data appropriately; this also limits the impact if a container is breached, because a compromised container cannot reach data of a different classification on the same host.
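As an added illustration of the one‐host‐per‐classification design (not part of the original question, and not tied to any particular product deployment), the Kubernetes manifest below pins a group B workload to nodes labelled and tainted for health data. The node name, the label key `data-class`, the namespace, and the image name are assumptions.

```yaml
# Dedicate the group B node pool first (hypothetical node name):
#   kubectl label nodes node-b1 data-class=phi
#   kubectl taint nodes node-b1 data-class=phi:NoSchedule
apiVersion: v1
kind: Pod
metadata:
  name: claims-api
  namespace: group-b
spec:
  nodeSelector:
    data-class: phi            # schedule only onto the group B hosts
  tolerations:
  - key: "data-class"
    operator: "Equal"
    value: "phi"
    effect: "NoSchedule"       # only pods carrying this toleration may land on tainted hosts
  containers:
  - name: app
    image: registry.example.com/group-b/claims-api:1.4   # hypothetical image
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
```

The two mechanisms do different jobs: the label plus `nodeSelector` keeps group B pods on their own hosts, while the taint is what keeps group A and C pods off those hosts. Groups A and C get the same treatment with their own label value and node pool.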

48
Q

61- Facebook Connect, CAS, Shibboleth, and AD FS are all examples of what type of technology?

  • Kerberos implementations
  • Single sign‐on implementations
  • Federation technologies
  • OAuth providers
A

Single sign‐on implementations

All of these are examples of single sign‐on (SSO) implementations. They allow a user to use a single set of credentials to log in to multiple different services and applications. Some of them (Shibboleth and AD FS, for instance) are built on SAML and are commonly used for federation, which makes that option tempting, but SSO is the category all four share; when federated, SSO can also allow a single account to work across services run by multiple organizations.