Practice Tests - Practice Test 1 Flashcards
4- During his investigation of a Windows system, Eric discovered that files were deleted and he wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?
- Windows registry
- Master File Table
- INDX files
- Event logs
Event logs
The Windows registry, Master File Tables, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.
5- As part of her SOC analyst duties, Emily is tasked with monitoring intrusion detection systems that cover her employer’s corporate headquarters network. During her shift, Emily’s IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization’s WPA3 Enterprise wireless network aimed at systems in the finance division. What data source should she check first?
- Host firewall logs
- AD authentication logs
- Wireless authentication logs
- WAF logs
Wireless authentication logs
Since Emily’s organization uses WPA3 Enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.
6- What does the Nmap response “filtered” mean in port scan results?
- Nmap cannot tell whether the port is open or closed.
- A firewall was detected.
- An IPS was detected.
- There is no application listening, but there may be one at any time.
Nmap cannot tell whether the port is open or closed.
When Nmap returns a response of “filtered,” it indicates that Nmap cannot tell whether the port is open or closed. Filtered results are often the result of a firewall or other network device, but a response of filtered does not indicate that a firewall or IPS was detected. When Nmap returns a “closed” result, it means that there is no application listening at that moment.
8- During her review of incident logs, Deepa discovers the initial entry via SSH on a front‐facing bastion host (A) at 8:02 a.m. If the network that Deepa is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?
(look up diagram in book)
- Internal host B was previously compromised.
- Host A was compromised; then host B was compromised.
- Neither host B nor host A are synchronized to NTP properly.
- An internal threat compromised host B and then host A.
Neither host B nor host A are synchronized to NTP properly.
The likeliest issue is a problem with the Network Time Protocol (NTP) synchronization for both of the hosts, because of an improperly set time zone or another time issue. The ruleset only allows traffic initiated by host A, making it impossible for host B to be the source of a compromise of A. The other options are possible, but the most likely issue is an NTP problem.
10- Saanvi has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Saanvi has chosen to use the NIST 800‐30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application?
(look up diagram in the book)
- Low
- Medium
- High
- Cannot be determined from the information given
High
When an event of the type that is being analyzed has occurred within the recent past (often defined as a year), assessments that review that event will normally classify the likelihood of occurrence as high since it has already occurred.
11- Hank’s boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that, instead of running weekly scans, they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?
- Hank should inform the CEO that this would have a negative impact on system performance and is not recommended.
- Hank should immediately implement the CEO’s suggestion.
- Hank should consider the request and work with networking and engineering teams on possible implementation.
- Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.
Hank should consider the request and work with networking and engineering teams on possible implementation.
The CEO’s suggestion is a reasonable approach to vulnerability scanning that is used in some organizations, often under the term continuous scanning. He should consider the request and the impact on systems and networks to determine a reasonable course of action.
16- Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first?
- if
- bs
- of
- count
bs
The most likely cause of this slowness is an incorrect block size. Block size is set using the bs flag and is defined in bytes. By default, dd uses a 512‐byte block size, but this is far smaller than the block size of most modern disks. Using a larger block size will typically be much faster, and if you know the block size for the device you are copying, using its native block size can provide huge speed increases. This is set using a flag like bs=64k. The if and of flags adjust the input and output files, respectively, but there is no indication that these are erroneous. The count flag adjusts the number of blocks to copy and should not be changed if Jake wants to image the entire disk.
What do the following dd flags do:
- bs
- if
- of
- count
- bs: Sets the block size, overriding the default of 512 bytes
- if: Specifies the input file or device
- of: Specifies the output file or device
- count: Limits the number of blocks to copy; only use it if you don't want to copy the whole disk
17- What purpose does a honeypot system serve when placed on a network as shown here?
(look up diagram in the book)
- It prevents attackers from targeting production servers.
- It provides information about the techniques attackers are using.
- It slows down attackers like sticky honey.
- It provides real‐time input to IDSs and IPSs.
It provides information about the techniques attackers are using.
A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.
23- Part of the forensic data that Susan was provided for her investigation was a Wireshark packet capture. The investigation is aimed at determining what type of media an employee was consuming during work. What is the more detailed analysis that Susan can do if she is provided with the data shown here?
(look up diagram in book)
- She can determine that the user was viewing a GIF.
- She can manually review the TCP stream to see what data was sent.
- She can export and view the GIF.
- She cannot determine what media was accessed using this data set.
She can export and view the GIF.
Wireshark includes the ability to export packets. In this case, Susan can select the GIF89a detail by clicking that packet and then export the actual image to a file that she can view.
30- After finishing a forensic case, Sam needs to wipe a magnetic hard drive (HDD) that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the hard drive that he will use if he wants to be in compliance with NIST SP 800‐88?
- Degauss the drive.
- Zero‐write the drive.
- Seven rounds: all ones, all zeros, and five rounds of random values.
- Use the ATA Secure Erase command.
Zero‐write the drive.
NIST SP 800‐88, along with many forensic manuals, requires a complete zero wipe of the drive but does not require multiple rounds of wiping. Degaussing is primarily used for magnetic media such as tapes and may not completely wipe a hard drive (and may, in fact, damage it). The ATA Secure Erase command is commonly used for SSDs.
31- After reading the NIST standards for incident response, Mateo spends time configuring the NTP service on each of his servers, workstations, and appliances throughout his network. What phase of the incident response process is he working to improve?
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post‐incident activity
Detection and analysis
NIST recommends that clock synchronization is performed for all devices to improve the ability of responders to conduct analysis, part of the detection and analysis phase of the NIST incident response process. Although this might occur in the preparation phase, it is intended to improve the analysis process.
32- Latisha is the ISO for her company and is notified that a zero‐day exploit has been released that can result in remote code execution on all Windows workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response?
- Firewalling
- Patching
- Isolation
- Segmentation
Firewalling
Latisha knows that Windows domain services can be blocked using a network firewall. As long as she builds the correct ruleset, she can prevent external systems from sending this type of traffic to her Windows workstations. She may still want to segment her network to protect the most important workstations, but her first move should be to use her firewalls to prevent the traffic from reaching the workstations.
34- As part of the forensic investigation of a Linux workstation, Alex needs to determine what commands may have been issued on the system. If no anti‐forensic activities have taken place, what is the best location for Alex to check for a history of commands issued on the system?
- /var/log/commands.log
- $HOME/.bash_history
- $HOME/.commands.sqlite
- /var/log/authactions.log
$HOME/.bash_history
On Linux systems that use the Bash shell, $HOME/.bash_history will contain a log of recently performed actions. Each of the others was made up for this question.
35- Ben recently completed a risk analysis and determined that he should implement a new set of firewall rules to filter traffic from known suspect IP addresses. What type of risk management activity is he performing?
- Risk avoidance
- Risk acceptance
- Risk transference
- Risk mitigation
Risk mitigation
Implementing firewall rules is an attempt to reduce the likelihood of a risk occurring. This is, therefore, an example of a risk mitigation strategy.
39- What concept measures how easy data is to lose?
- Order of volatility
- Data transience
- Data loss prediction
- The Volatility Framework
Order of volatility
The order of volatility of data measures how easy the data is to lose. The Volatility Framework is a forensic tool aimed at memory forensics, while data transience and data loss prediction are not common terms.
Volatility Framework
a forensic tool aimed at memory forensics
a forensic tool that supports various operating systems and has capabilities for memory dump analysis, including extracting encryption keys and passphrases, analyzing user activity, and performing rootkit analysis
42- Charles is building an incident response playbook for his organization that will address command‐and‐control client‐server traffic detection and response. Which of the following information sources is least likely to be part of his playbook?
- DNS query logs
- Threat intelligence feeds
- Honeypot data
- Notifications from internal staff about suspicious behavior
Honeypot data
Relatively few organizations run honeypots because of the effort required to maintain and analyze the data they generate. DNS queries and other traffic logs, threat intelligence feeds, and notifications from staff are all common information sources for a variety of types of incident detection.
43- Carol recently fell victim to a phishing attack. When she clicked the link in an email message that she received, she was sent to her organization’s central authentication service and logged in successfully. She did verify the URL and certificate to validate that the authentication server was genuine. After authenticating, she was sent to a form that collected sensitive personal information that was sent to an attacker. What type of vulnerability did the attacker most likely exploit?
- Buffer overflow
- Session hijacking
- IP spoofing
- Open redirect
Open redirect
In an open redirect attack, users may be sent to a genuine authentication server and then redirected to an untrusted server through the OAuth flow. This occurs when the authentication server does not validate OAuth server requests prior to redirection.
47- During an incident investigation, Mateo is able to identify the IP address of the system that was used to compromise multiple systems belonging to his company. What can Mateo determine from this information?
- The identity of the attacker
- The country of origin of the attacker
- The attacker’s domain name
- None of the above
None of the above
Although it may be tempting to assign blame based on an IP address, attackers frequently use compromised systems for attacks. Some may also use cloud services and hosting companies where they can purchase virtual machines or other resources using stolen credit cards. Thus, knowing the IP address from which an attack originated will typically not provide information about an attacker. In some cases, deeper research can identify where an attack originated, but even then, knowing the identity of an attacker is rarely certain.
48- After a major compromise involving what appears to be an APT, Jaime needs to conduct a forensic examination of the compromised systems. Which containment method should he recommend to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization’s other production systems?
- Sandboxing
- Removal
- Isolation
- Segmentation
Removal
Completely removing the systems involved in the compromise will ensure that they cannot impact the organization’s other production systems. Although attackers may be able to detect this change, it provides the best protection possible for the organization’s systems.
51- Steve needs to perform an Nmap scan of a remote network and wants to be as stealthy as possible. Which of the following nmap commands will provide the stealthiest approach to his scan?
- nmap -P0 -sT 10.0.10.0/24
- nmap -sT -T0 10.0.10.0/24
- nmap -P0 -sS 10.0.10.0/24
- nmap -P0 -sS -T0 10.0.10.0/24
nmap -P0 -sS -T0 10.0.10.0/24
Nmap provides multiple scan modes, including a TCP SYN scan, denoted by the -sS flag. This is far stealthier than the full TCP connect scan, which uses the -sT flag. Turning off pings with the -P0 flag helps with stealth, and setting the scan speed using the -T flag to either a 0 for paranoid or a 1 for sneaky will help bypass many IDSs by falling below their detection threshold.
55- Which one of the following document categories provides the highest‐level authority for an organization’s cybersecurity program?
- Policy
- Standard
- Procedure
- Framework
Policy
Policies are the highest‐level component of an organization’s governance documentation. They are set at the executive level and provide strategy and direction for the cybersecurity program. Standards and procedures derive their authority from policies. Frameworks are not governance documents but rather provide a conceptual structure for organizing a program. Frameworks are usually developed by third‐party organizations, such as ISACA or ITIL.
56- Mateo is planning a vulnerability scanning program for his organization and is scheduling weekly scans of all the servers in his environment. He was approached by a group of system administrators who asked that they be given direct access to the scan reports without going through the security team. How should Mateo respond?
- Mateo should provide the administrators with access.
- Mateo should deny the administrators access because the information may reveal critical security issues.
- Mateo should offer to provide the administrators with copies of the report after they go through a security review.
- Mateo should deny the administrators access because it would allow them to correct security issues before they are analyzed by the security team.
Mateo should provide the administrators with access.
Vulnerability scanning information is most effective in the hands of individuals who can correct the issues. The point of scans is not to “catch” people who made mistakes. Mateo should provide the administrators with access. The security team may always monitor the system for unremediated vulnerabilities, but they should not act as a gatekeeper to critical information.
59- Fran is trying to run a vulnerability scan of a web server from an external network, and the scanner is reporting that there are no services running on the web server. She verified the scan configuration and attempted to access the website running on that server using a web browser on a computer located on the same external network and experienced no difficulty. What is the most likely issue with the scan?
- A host firewall is blocking access to the server.
- A network firewall is blocking access to the server.
- An intrusion prevention system is blocking access to the server.
- Fran is scanning the wrong IP address.
An intrusion prevention system is blocking access to the server.
The most likely issue is that an intrusion prevention system (IPS) is detecting the scan as an attack and blocking the scanner. If this were a host or network firewall issue, Fran would most likely not be able to access the server using a web browser. It is less likely that the scan is misconfigured given that Fran double‐checked the configuration.
60- During a regulatory compliance assessment, Manish discovers that his organization has implemented a multifactor authentication requirement for systems that store and handle highly sensitive data. The system requires that users provide both a password and a four‐digit PIN. What should Manish note in his findings about this system?
- The multifactor system provides two independent factors and provides an effective security control.
- The factors used are both the same type of factor, making the control less effective.
- The system uses only two factors and is not a true multifactor system. To qualify as multifactor, it should include at least three factors.
- The multifactor system’s use of a four‐digit PIN does not provide sufficient complexity, and additional length should be required for any PIN for secure environments.
The factors used are both the same type of factor, making the control less effective.
The biggest issue in this scenario is that both factors are knowledge‐based factors. A true multifactor system relies on more than one type of distinct factor including something you know, something you have, or something you are (and sometimes somewhere you are). This system relies on two things you know, and attackers are likely to acquire both from the same location in a successful attack.
61- Which one of the following mechanisms may be used to enhance security in a context‐based authentication system?
- Time of day
- Location
- Device fingerprint
- All of the above
All of the above
Context‐based authentication may leverage a wide variety of information. Potential attributes include time of day, location, device fingerprint, frequency of access, user roles, user group memberships, and IP address/reputation.
62- Latisha’s organization has faced a significant increase in successful phishing attacks, resulting in compromised accounts. She knows that she needs to implement additional technical controls to prevent successful attacks. Which of the following controls will be the most effective while remaining relatively simple and inexpensive to deploy?
- Increased password complexity requirements
- Application or token‐based multifactor authentication
- Biometric‐based multifactor authentication
- OAuth‐based single sign‐on
Application or token‐based multifactor authentication
Application or token‐based multifactor authentication ensures that the exposure of a password because of a successful phishing email does not result in the compromise of the credential. Password complexity increases fail to add security since complex passwords can still be compromised by phishing attacks, biometric multifactor authentication is typically expensive to implement and requires enrollment, and OAuth‐based single sign‐on will not prevent phishing attacks; instead, it can make it easier for attackers to move between multiple services.
69- Adam finds entries in his authentication logs for many of the systems in his network that all have logins for the same userID with a variety of passwords. What type of attack has he discovered?
- A session hijacking attack
- An on‐path (man‐in‐the‐middle) attack
- A credential stuffing attack
- A password spraying attack
A password spraying attack
Password spraying attacks try many passwords for a limited number of accounts. Credential stuffing attacks try compromised usernames and passwords across many sites to try to use them elsewhere. Session hijacking requires a valid session to try to leverage to conduct malicious activities. An on‐path (man‐in‐the‐middle) attack would require the attacker to redirect traffic through a system that they control to allow them to be able to read and/or modify the traffic before it continues on to the legitimate destination. Adam could mitigate the password spraying attack by using back‐off algorithms that allow only a limited number of failures before delaying further logins or locking out the account until it is manually unlocked.
70- You are reviewing the methods that your organization uses to communicate with the media during an incident response effort. Which one of the following is not a commonly accepted practice?
- Inform the media immediately of developments in the investigation.
- Conduct practice sessions for incident responders who communicate with the media.
- Establish media briefing procedures in advance of an incident.
- Maintain an incident response status document.
Inform the media immediately of developments in the investigation.
Communications with the media should be carefully planned and timed to share relevant information at the appropriate moment. Organizations should not have a default policy of immediately sharing all information, as that might result in adverse publicity, create legal risk, or hinder the investigation. The other activities listed here are all best practices for incident communications.
73- Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
- Parameterized queries
- Encoding data
- Input validation
- Appropriate access controls
Parameterized queries
A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL‐based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data. Encoding data helps to prevent cross‐site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don’t use precompiled SQL statements.
Root Cause Analysis Steps
- Identify the problems and events that occurred as part of the incident, and describe them as well as possible.
- Establish a timeline of events. This helps to determine what happened and in what order to help identify the root cause (or causes).
- Differentiate between each of the events and causal factors. In short, you need to determine which cause is a root cause, which are results of the root cause, and which are causal factors, or events that contributed to the issue but were not the root cause.
- Document the root‐cause analysis, often through the use of a diagram or chart.
78- Seth is trying to identify activities in his organization that might be automated to improve efficiency. Which one of the following activities is least likely to benefit from automation?
- Threat hunting
- Intrusion analysis
- Qualitative risk assessment
- Data backup
Qualitative risk assessment
It is likely that Seth’s organization will find some efficiencies by adding automation to their technical activities, including threat hunting, intrusion analysis, and data backup. Qualitative risk analysis is a nontechnical activity and focuses on human thought. It is, therefore, the least likely candidate for automation of the activities on this list.
79- Rae wants to detect forged sender addresses to decrease the amount of spam that her organization receives. Which of the following techniques or methods will most directly fit her needs?
- Spamhaus
- DKIM
- SPF
- RBL
DKIM
DomainKeys Identified Mail (DKIM) uses digital signatures to validate that the claimed domain of the sender is the actual sender’s domain. Sender Policy Framework (SPF) records identify the mail servers that can send email from your domain but do not prove the sender’s domain. Spamhaus is an antispam organization, and an RBL is a real‐time black hole list, which is a list of untrusted or spam‐sending hosts.
85- As part of his forensic investigation, Alex signs and notes in his log when the drive copy he prepared is transferred to legal counsel. What is this process known as?
- Handoff documentation
- Chain of custody tracking
- Asset tracking
- Forensic certification
Chain of custody tracking
Chain of custody tracking determines who has access to and authority over drives, devices, and forensic data throughout its life cycle. This is a critical element in investigations that may end up in court or that will involve law enforcement.