Practice Tests - Practice Test 1 Flashcards
4- During his investigation of a Windows system, Eric discovered that files were deleted and he wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?
- Windows registry
- Master File Table
- INDX files
- Event logs
Event logs
The Windows registry, Master File Tables, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.
5- As part of her SOC analyst duties, Emily is tasked with monitoring intrusion detection systems that cover her employer’s corporate headquarters network. During her shift, Emily’s IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization’s WPA3 Enterprise wireless network aimed at systems in the finance division. What data source should she check first?
- Host firewall logs
- AD authentication logs
- Wireless authentication logs
- WAF logs
Wireless authentication logs
Since Emily’s organization uses WPA3 Enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.
6- What does the Nmap response “filtered” mean in port scan results?
- Nmap cannot tell whether the port is open or closed.
- A firewall was detected.
- An IPS was detected.
- There is no application listening, but there may be one at any time.
Nmap cannot tell whether the port is open or closed.
When Nmap returns a response of “filtered,” it indicates that Nmap cannot tell whether the port is open or closed. Filtered results are often the result of a firewall or other network device, but a response of filtered does not indicate that a firewall or IPS was detected. When Nmap returns a “closed” result, it means that there is no application listening at that moment.
8- During her review of incident logs, Deepa discovers the initial entry via SSH on a front‐facing bastion host (A) at 8:02 a.m. If the network that Deepa is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?
(look up diagram in book)
- Internal host B was previously compromised.
- Host A was compromised; then host B was compromised.
- Neither host B nor host A are synchronized to NTP properly.
- An internal threat compromised host B and then host A.
Neither host B nor host A are synchronized to NTP properly.
The likeliest issue is a problem with the Network Time Protocol (NTP) synchronization for both of the hosts, because of an improperly set time zone or another time issue. The ruleset only allows traffic initiated by host A, making it impossible for host B to be the source of a compromise of A. The other options are possible, but the most likely issue is an NTP problem.
10- Saanvi has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Saanvi has chosen to use the NIST 800‐30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application?
(look up diagram in the book)
- Low
- Medium
- High
- Cannot be determined from the information given
High
When an event of the type that is being analyzed has occurred within the recent past (often defined as a year), assessments that review that event will normally classify the likelihood of occurrence as high since it has already occurred.
11- Hank’s boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans that they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?
- Hank should inform the CEO that this would have a negative impact on system performance and is not recommended.
- Hank should immediately implement the CEO’s suggestion.
- Hank should consider the request and work with networking and engineering teams on possible implementation.
- Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.
Hank should consider the request and work with networking and engineering teams on possible implementation.
The CEO’s suggestion is a reasonable approach to vulnerability scanning that is used in some organizations, often under the term continuous scanning. He should consider the request and the impact on systems and networks to determine a reasonable course of action.
16- Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first?
- if
- bs
- of
- count
bs
The most likely cause of this slowness is an incorrect block size. Block size is set using the bs flag and is defined in bytes. By default, dd uses a 512‐byte block size, but this is far smaller than the block size of most modern disks. Using a larger block size will typically be much faster, and if you know the block size for the device you are copying, using its native block size can provide huge speed increases. This is set using a flag like bs=64k. The if and of flags adjust the input and output files, respectively, but there is no indication that these are erroneous. The count flag adjusts the number of blocks to copy and should not be changed if Jake wants to image the entire disk.
What do the following dd flags do:
- bs
- if
- of
- count
- bs: Sets the block size, which defaults to 512 bytes
- if: Specifies the input file or device
- of: Specifies the output file or device
- count: Adjusts the number of blocks to copy; use it only if you don't want to copy the whole disk
17- What purpose does a honeypot system serve when placed on a network as shown here?
(look up diagram in the book)
- It prevents attackers from targeting production servers.
- It provides information about the techniques attackers are using.
- It slows down attackers like sticky honey.
- It provides real‐time input to IDSs and IPSs.
It provides information about the techniques attackers are using.
A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.
23- Part of the forensic data that Susan was provided for her investigation was a Wireshark packet capture. The investigation is aimed at determining what type of media an employee was consuming during work. What is the more detailed analysis that Susan can do if she is provided with the data shown here?
(look up diagram in book)
- She can determine that the user was viewing a GIF.
- She can manually review the TCP stream to see what data was sent.
- She can export and view the GIF.
- She cannot determine what media was accessed using this data set.
She can export and view the GIF.
Wireshark includes the ability to export packets. In this case, Susan can select the GIF89a detail by clicking that packet and then export the actual image to a file that she can view.
30- After finishing a forensic case, Sam needs to wipe a magnetic hard drive (HDD) that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the hard drive that he will use if he wants to be in compliance with NIST SP 800‐88?
- Degauss the drive.
- Zero‐write the drive.
- Seven rounds: all ones, all zeros, and five rounds of random values.
- Use the ATA Secure Erase command.
Zero‐write the drive.
NIST SP 800‐88, along with many forensic manuals, requires a complete zero wipe of the drive but does not require multiple rounds of wiping. Degaussing is primarily used for magnetic media like tapes and may not completely wipe a hard drive (and may, in fact, damage it). The ATA Secure Erase command is commonly used for SSDs.
31- After reading the NIST standards for incident response, Mateo spends time configuring the NTP service on each of his servers, workstations, and appliances throughout his network. What phase of the incident response process is he working to improve?
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post‐incident activity
Detection and analysis
NIST recommends that clock synchronization is performed for all devices to improve the ability of responders to conduct analysis, part of the detection and analysis phase of the NIST incident response process. Although this might occur in the preparation phase, it is intended to improve the analysis process.
32- Latisha is the ISO for her company and is notified that a zero‐day exploit has been released that can result in remote code execution on all Windows workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response?
- Firewalling
- Patching
- Isolation
- Segmentation
Firewalling
Latisha knows that Windows domain services can be blocked using a network firewall. As long as she builds the correct ruleset, she can prevent external systems from sending this type of traffic to her Windows workstations. She may still want to segment her network to protect the most important workstations, but her first move should be to use her firewalls to prevent the traffic from reaching the workstations.
34- As part of the forensic investigation of a Linux workstation, Alex needs to determine what commands may have been issued on the system. If no anti‐forensic activities have taken place, what is the best location for Alex to check for a history of commands issued on the system?
- /var/log/commands.log
- $HOME/.bash_history
- $HOME/.commands.sqlite
- /var/log/authactions.log
$HOME/.bash_history
On Linux systems that use the Bash shell, $HOME/.bash_history will contain a log of recently performed actions. Each of the others was made up for this question.
35- Ben recently completed a risk analysis and determined that he should implement a new set of firewall rules to filter traffic from known suspect IP addresses. What type of risk management activity is he performing?
- Risk avoidance
- Risk acceptance
- Risk transference
- Risk mitigation
Risk mitigation
Implementing firewall rules is an attempt to reduce the likelihood of a risk occurring. This is, therefore, an example of a risk mitigation strategy.
39- What concept measures how easy data is to lose?
- Order of volatility
- Data transience
- Data loss prediction
- The Volatility Framework
Order of volatility
The order of volatility of data measures how easy the data is to lose. The Volatility Framework is a forensic tool aimed at memory forensics, while data transience and data loss prediction are not common terms.
Volatility Framework
a forensic tool aimed at memory forensics
a forensic tool that supports various operating systems and has capabilities for memory dump analysis, including extracting encryption keys and passphrases, analyzing user activity, and performing rootkit analysis
42- Charles is building an incident response playbook for his organization that will address command‐and‐control client‐server traffic detection and response. Which of the following information sources is least likely to be part of his playbook?
- DNS query logs
- Threat intelligence feeds
- Honeypot data
- Notifications from internal staff about suspicious behavior
Honeypot data
Relatively few organizations run honeypots because of the effort required to maintain and analyze the data they generate. DNS queries and other traffic logs, threat intelligence feeds, and notifications from staff are all common information sources for a variety of types of incident detection.
43- Carol recently fell victim to a phishing attack. When she clicked the link in an email message that she received, she was sent to her organization’s central authentication service and logged in successfully. She did verify the URL and certificate to validate that the authentication server was genuine. After authenticating, she was sent to a form that collected sensitive personal information that was sent to an attacker. What type of vulnerability did the attacker most likely exploit?
- Buffer overflow
- Session hijacking
- IP spoofing
- Open redirect
Open redirect
In an open redirect attack, users may be sent to a genuine authentication server and then redirected to an untrusted server through the OAuth flow. This occurs when the authentication server does not validate OAuth server requests prior to redirection.
47- During an incident investigation, Mateo is able to identify the IP address of the system that was used to compromise multiple systems belonging to his company. What can Mateo determine from this information?
- The identity of the attacker
- The country of origin of the attacker
- The attacker’s domain name
- None of the above
None of the above
Although it may be tempting to assign blame based on an IP address, attackers frequently use compromised systems for attacks. Some may also use cloud services and hosting companies where they can purchase virtual machines or other resources using stolen credit cards. Thus, knowing the IP address from which an attack originated will typically not provide information about an attacker. In some cases, deeper research can identify where an attack originated, but even then, knowing the identity of an attacker is rarely certain.
48- After a major compromise involving what appears to be an APT, Jaime needs to conduct a forensic examination of the compromised systems. Which containment method should he recommend to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization’s other production systems?
- Sandboxing
- Removal
- Isolation
- Segmentation
Removal
Completely removing the systems involved in the compromise will ensure that they cannot impact the organization’s other production systems. Although attackers may be able to detect this change, it provides the best protection possible for the organization’s systems.
51- Steve needs to perform an Nmap scan of a remote network and wants to be as stealthy as possible. Which of the following nmap commands will provide the stealthiest approach to his scan?
- nmap -P0 -sT 10.0.10.0/24
- nmap -sT -T0 10.0.10.0/24
- nmap -P0 -sS 10.0.10.0/24
- nmap -P0 -sS -T0 10.0.10.0/24
nmap -P0 -sS -T0 10.0.10.0/24
Nmap provides multiple scan modes, including a TCP SYN scan, denoted by the -sS flag. This is far stealthier than the full TCP connect scan, which uses the -sT flag. Turning off pings with the -P0 flag helps with stealth, and setting the scan speed using the -T flag to either a 0 for paranoid or a 1 for sneaky will help bypass many IDSs by falling below their detection threshold.
55- Which one of the following document categories provides the highest‐level authority for an organization’s cybersecurity program?
- Policy
- Standard
- Procedure
- Framework
Policy
Policies are the highest‐level component of an organization’s governance documentation. They are set at the executive level and provide strategy and direction for the cybersecurity program. Standards and procedures derive their authority from policies. Frameworks are not governance documents but rather provide a conceptual structure for organizing a program. Frameworks are usually developed by third‐party organizations, such as ISACA or ITIL.
56- Mateo is planning a vulnerability scanning program for his organization and is scheduling weekly scans of all the servers in his environment. He was approached by a group of system administrators who asked that they be given direct access to the scan reports without going through the security team. How should Mateo respond?
- Mateo should provide the administrators with access.
- Mateo should deny the administrators access because the information may reveal critical security issues.
- Mateo should offer to provide the administrators with copies of the report after they go through a security review.
- Mateo should deny the administrators access because it would allow them to correct security issues before they are analyzed by the security team.
Mateo should provide the administrators with access.
Vulnerability scanning information is most effective in the hands of individuals who can correct the issues. The point of scans is not to “catch” people who made mistakes. Mateo should provide the administrators with access. The security team may always monitor the system for unremediated vulnerabilities, but they should not act as a gatekeeper to critical information.