Practice Tests - Practice Test 2 Flashcards

1
Q

3- Rowan ran a port scan against a network switch located on her organization’s internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her?

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 19:25 EDT
Nmap scan report for 10.1.0.121
Host is up (0.058s latency).
Not shown: 966 closed ports
PORT STATE
22/tcp open
23/tcp open
80/tcp filtered
443/tcp open
631/tcp filtered
8192/tcp filtered
8193/tcp filtered
8194/tcp filtered
28201/tcp filtered

Nmap done: 1 IP address (1 host up) scanned in 5.29 seconds

  • Port 22
  • Port 23
  • Port 80
  • Ports 8192 to 8194
A

Port 23

Both ports 22 and 23 should be of concern to Rowan because they indicate that the network switch is accepting administrative connections from a general‐use network. Instead, the switch should accept administrative connections only from a network management VLAN. Of these two results, port 23 should be of the greatest concern because it indicates that the switch is allowing unencrypted telnet connections that may be subject to eavesdropping. The results from ports 80 and 8192 to 8194 are of lesser concern because they are being filtered by a firewall.

2
Q

4- Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the web server logs, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot?

(look up diagram in book)

  • The scans are being blocked by an intrusion prevention system.
  • The scans are being blocked by a rule within the web server application.
  • The scans are being blocked by a network firewall.
  • The scans are being blocked by a host firewall.
A

The scans are being blocked by a rule within the web server application.

All of the scenarios described here could result in failed vulnerability scans and are plausible on this network. However, the fact that the web server logs do not show any denied requests indicates that the issue is not with the web server application itself. If this were the case, Evan would see evidence of it in the web server logs.

3
Q

5- Sam is looking for evidence of software that was installed on a Windows system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can’t he use to find evidence of the use of these programs?

  • The MFT
  • Volume shadow copies
  • The shim (application compatibility) cache
  • Prefetch files
A

The shim (application compatibility) cache

The shim cache is used by Windows to track scripts and programs that need specialized compatibility settings. It is stored in the registry at shutdown, which means that a thorough registry cleanup will remove program references from it. The master file table (MFT), volume shadow copies, and prefetch files can all contain evidence of deleted applications.

4
Q

7- A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned?

Nmap scan report for EXAMPLE (192.168.1.79)
Host is up (1.00s latency).
Not shown: 992 closed ports
PORT STATE
21/tcp open
23/tcp open
80/tcp open
280/tcp open
443/tcp open
515/tcp open
631/tcp open
9100/tcp open
Nmap done: 1 IP address (1 host up) scanned in 124.20 seconds

  • A wireless access point
  • A server
  • A printer
  • A switch
A

A printer

Although TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are commonly associated with printers.

5
Q

8- Which of the following is not one of the major categories of security event indicators described by NIST 800‐61?

  • Alerts from IDS, IPS, SIEM, AV, and other security systems
  • Logs generated by systems, services, and applications
  • Exploit developers
  • Internal and external sources
A

Exploit developers

NIST identifies four major categories of security event indicators: alerts, logs, publicly available information, and people both inside and outside the organization. Exploit developers may provide some information but are not a primary source of security event information.

6
Q

9- During an nmap scan of a network, Charles receives the following response from nmap:

Starting Nmap 7.80 ( https://nmap.org )
Nmap done: 256 IP addresses (0 hosts up) scanned in 29.74 seconds
What can Charles deduce about the network segment from these results?

  • There are no active hosts in the network segment.
  • All hosts on the network segment are firewalled.
  • The scan was misconfigured.
  • Charles cannot determine if there are hosts on the network segment from this scan.
A

Charles cannot determine if there are hosts on the network segment from this scan.

A host that is not running any services or that has a firewall enabled that prevents responses can be invisible to nmap. Charles cannot determine whether there are hosts on this network segment and may want to use other means such as ARP queries, DHCP logs, and other network layer checks to determine whether there are systems on the network.

7
Q

10- Oskar is designing a vulnerability management program for his company, a hosted service provider. He would like to check all relevant documents for customer requirements that may affect his scanning. Which one of the following documents is least likely to contain this information?

  • BPA
  • SLA
  • MOU
  • BIA
A

BIA

The business impact assessment (BIA) is an internal document used to identify and assess risks. It is unlikely to contain customer requirements. Service level agreements (SLAs), business partner agreements (BPAs), and memorandums of understanding (MOUs) are much more likely to contain this information.

8
Q

12- As part of her forensic analysis of a wiped thumb drive, Selah runs Scalpel to carve data from the image she created. After running Scalpel, she sees the following in the audit.log file created by the program. What should Selah do next?

(look up diagram in book)

  • Run a data recovery program on the drive to retrieve the files.
  • Run Scalpel in filename recovery mode to retrieve the actual filenames and directory structures of the files.
  • Review the contents of the scalpelout folder.
  • Use the identified filenames to process the file using a full forensic suite.
A

Review the contents of the scalpelout folder.

You may not be familiar with Scalpel or other programs you encounter on the exam. In many cases, the problem itself will provide clues that can help you narrow down your answer. Here, pay close attention to the command‐line flags, and note the -o flag, a common way to denote an output file. In practice, Scalpel automatically creates directories for each of the file types that it finds. Selah simply needs to visit those directories to review the files that she has recovered. She does not need to use another program. The filenames and directory structures may not be recoverable when carving files.

9
Q

15- When performing threat‐hunting activities, what are cybersecurity analysts most directly seeking?

  • Vulnerabilities
  • Indicators of compromise
  • Misconfigurations
  • Unpatched systems
A

Indicators of compromise

The defining characteristic of threat hunting is that you are searching out compromises that have already occurred. Therefore, you are looking for indicators of compromise (IoCs). Vulnerabilities, unpatched systems, and misconfigurations are all things that vulnerability management activities, rather than threat‐hunting activities, would seek to identify.

10
Q

17- While analyzing a packet capture in Wireshark, Chris finds the packet shown here. Which of the following is he unable to determine from this packet?

(look up diagram in book)

  • That the username used was gnome
  • That the protocol used was FTP
  • That the password was gnome123
  • That the remote system was 137.30.120.40
A

That the username used was gnome

FTP sends the username in a separate packet. Chris can determine that this was an FTP connection, that the password was gnome123, and that the FTP server was 137.30.120.40.

11
Q

20- Which stage of the incident response process includes activities such as adding IPS signatures to detect new attacks?

  • Detection and analysis
  • Containment, eradication, and recovery
  • Postincident activity
  • Preparation
A

Detection and analysis

Adding new signatures (prior to an incident) is part of the preparation phase because it prepares an organization to detect attacks.

12
Q

22- Pranab is preparing to reuse media that contained data that his organization classifies as having “moderate” value. If he wants to follow NIST SP 800‐88’s guidelines, what should he do to the media if the media will not leave his organization’s control?

  • Reformat it
  • Clear it
  • Purge it
  • Destroy it
A

Clear it

NIST SP 800‐88 recommends clearing media and then validating and documenting that it was cleared. Clearing uses logical techniques to sanitize data in user‐addressable storage locations and protects against noninvasive data recovery techniques. This level of security is appropriate to moderately sensitive data contained on media that will remain in an organization.

13
Q

26- As part of her duties as a security operations center (SOC) analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer’s corporate headquarters network. During her shift, Emily’s IDS reports that a network scan has occurred from a system with IP address 10.1.1.19 on the organization’s unauthenticated guest wireless network aimed at systems on an external network. What should Emily’s first step be?

  • Report the event to the impacted third parties.
  • Report the event to law enforcement.
  • Check the system’s MAC address against known assets.
  • Check authentication logs to identify the logged‐in user.
A

Check the system’s MAC address against known assets.

In most organizations, Emily’s first action should be to verify that the system is not one that belongs to the organization by checking it against her organization’s asset inventory. If the system is a compromised system on the wrong network, she or her team will need to address it. In most jurisdictions, there is no requirement to notify third parties or law enforcement of outbound scans, and since the guest wireless is specifically noted as being unauthenticated, there will not be authentication logs to check.

14
Q

27- Sai works in an environment that is subject to the Payment Card Industry Data Security Standard (PCI DSS). He realizes that technical constraints prevent the organization from meeting a specific PCI DSS requirement and wants to implement a compensating control. Which one of the following statements is not true about proper compensating controls?

  • The control must include a clear audit mechanism.
  • The control must meet the intent and rigor of the original requirement.
  • The control must provide a similar level of defense as the original requirement provides.
  • The control must be above and beyond other requirements.
A

The control must include a clear audit mechanism.

The PCI DSS compensating control procedures do not require that compensating controls have a clearly defined audit mechanism, although this is good security practice. They do require that the control meet the intent and rigor of the original requirement, provide a similar level of defense as the original requirement, and be above and beyond other requirements.

15
Q

29- Which of the following factors is not typically considered when determining whether evidence should be retained?

  • Media life span
  • Likelihood of civil litigation
  • Organizational retention policies
  • Likelihood of criminal prosecution
A

Media life span

Incident data should be retained as necessary regardless of media life span. Retention is often driven by the likelihood of civil or criminal action, as well as by organizational standards.

16
Q

32- As part of her postincident recovery process, Alicia creates a separate virtual network as shown here to contain compromised systems she needs to investigate. What containment technique is she using?

(look up diagram)

  • Segmentation
  • Isolation
  • Removal
  • Reverse engineering
A

Segmentation

The firewall rules continue to allow access to the compromised systems, while preventing them from attacking other systems. This is an example of segmentation. Segmentation via VLANs, firewall rules, or other logical methods can help to protect other systems, while allowing continued live analysis.

17
Q

differences:

  • Segmentation
  • Isolation
  • Removal
A
  • Segmentation: placed on its own network segment with limited or no connectivity outside of that segment
  • Isolation: removed from internal networks, usually both internal and Internet (external) connectivity
  • Removal: complete shutdown
18
Q

Scalpel

A

file carving tool

18
Q

34- The Windows system that Abdul is conducting live forensics on shows a partition map, as shown here. If Abdul believes that a hidden partition was deleted resulting in the unallocated space, which of the following type of tool is best suited to identifying the data found in the unallocated space?

(look up diagram in book)

  • File carving
  • Wiping
  • Partitioning
  • Disk duplication
A

File carving

A file carving tool, such as Scalpel, is designed to identify files in a partition or volume that is missing its index or file allocation table. A wiping tool is used to completely remove data from a disk. Partitioning tools are used to modify the volume structure of a disk. Disk duplication tools are used to create forensic images, among other purposes.

19
Q

File carving

A

a forensic analysis technique used to recover files when the original filesystem is no longer intact or available

20
Q

35- During a postmortem forensic analysis of a Windows system that was shut down after its user saw strange behavior, Pranab concludes that the system he is reviewing was likely infected with a memory‐resident malware package. What is his best means of finding the malware?

  • Search for a core dump or hibernation file to analyze.
  • Review the INDX files and Windows registry for signs of infection.
  • Boot the system and then use a tool like the Volatility Framework to capture live memory.
  • Check volume shadow copies for historic information prior to the reboot.
A

Search for a core dump or hibernation file to analyze.

Pranab’s best option is to look for a hibernation file or core dump that may contain evidence of the memory‐resident malware. Once a system has been shut down, a memory‐resident malware package will be gone until the system is re‐infected, making reviews of the registry, INDX files, and volume shadow copies unlikely to be useful. Since the system was shut down, he won’t get useful memory forensics from a tool like the Volatility Framework unless the machine is re‐infected.

21
Q

37- Jessie needs to prevent port scans like the scan shown here. Which of the following is a valid method for preventing port scans?

(look up diagram in book)

  • Not registering systems in DNS
  • Using a firewall to restrict traffic to only ports required for business purposes
  • Using a heuristic detection rule on an IPS
  • Implementing port security
A

Using a heuristic detection rule on an IPS

An intrusion prevention system (or other device or software with similar capabilities) to block port scans based on behavior is the most effective method listed. Not registering systems in DNS won’t stop IP‐based scans, and port scans will still succeed on the ports that firewalls allow through. Port security is a network switch–based technology designed to limit which systems can use a physical network port.

22
Q

38- What information can be gathered by observing the distinct default values of the following TCP/IP fields during reconnaissance activities: initial packet size, initial TTL, window size, maximum segment size, and flags?

  • The target system’s TCP version.
  • The target system’s operating system.
  • The target system’s MAC address.
  • These fields are useful only for packet analysis.
A

The target system’s operating system.

Operating system fingerprinting relies on the differences between how each operating system (and sometimes OS versions) handles and sets various TCP/IP fields, including initial packet size, initial TTL, window size, maximum segment size, and the don’t fragment, sackOK, and nop flags.

23
Q

42- After finishing a forensic case, Lucas needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the SSD that he will use?

  • Degauss the drive.
  • Zero‐write the drive.
  • Use a PRNG.
  • Use the ATA Secure Erase command.
A

Use the ATA Secure Erase command.

The ATA Secure Erase command wipes all of an SSD, including host‐protected area partitions and remapped spare blocks. Degaussing is used for magnetic media such as tapes and is not effective on SSDs, whereas zero writing or using a pseudorandom number generator to fill the drive will not overwrite data in the host‐protected area or spare blocks, which are used to wear‐level most SSDs.

24
Q

ATA Secure Erase

A

command wipes all of an SSD, including host‐protected area partitions and remapped spare blocks

only on SSDs!

25
Q

45- Rachel discovered the vulnerability shown here when scanning a web server in her organization. Which one of the following approaches would best resolve this issue?

(look up diagram in book)

  • Patching the server
  • Performing input validation
  • Adjusting firewall rules
  • Rewriting the application code
A

Patching the server

The vulnerability description mentions that this is a cross‐site scripting (XSS) vulnerability. Normally, XSS vulnerabilities are resolved by performing proper input validation in the web application code. However, in this particular case, the XSS vulnerability exists within Microsoft IIS server itself and not in a web application. Therefore, it requires a patch from Microsoft to correct it.

26
Q

52- Captured network traffic from a compromised system shows it reaching out to a series of five remote IP addresses that change on a regular basis. Since the system is believed to be compromised, the system’s Internet access is blocked, and the system is isolated to a quarantine VLAN.

When forensic investigators review the system, no evidence of malware is found. Which of the following scenarios is most likely?

  • The system was not infected, and the detection was a false positive.
  • The beaconing behavior was part of a web bug.
  • The beaconing behavior was due to a misconfigured application.
  • The malware removed itself after losing network connectivity.
A

The malware removed itself after losing network connectivity.

Recurring beaconing behavior with a changing set of systems is a common characteristic of more advanced malware packages. It is most likely that this system was compromised with malware that deleted itself when its ability to check in with a command‐and‐control (C2) system was removed, thus preventing the malware from being captured and analyzed by incident responders.

27
Q

57- During an nmap port scan using the -sV flag to determine service versions, Ling discovers that the version of SSH on the Linux system she is scanning is not up‐to‐date. When she asks the system administrators, they inform her that the system is fully patched and that the SSH version is current. What issue is Ling most likely experiencing?

  • The system administrators are incorrect.
  • The nmap version identification is using the banner to determine the service version.
  • nmap does not provide service version information, so Ling cannot determine version levels in this way.
  • The systems have not been rebooted since they were patched.
A

The nmap version identification is using the banner to determine the service version.

Although nmap provides service version identification, it relies heavily on the information that the services provide. In some cases, fully patched services may provide banner information that does not show the minor version or may not change banners after a patch, leading to incorrect version identification.

28
Q

59- Carla is performing a penetration test of a web application and would like to use a software package that allows her to modify requests being sent from her system to a remote web server. Which one of the following tools would not meet Carla’s needs?

  • Nessus
  • Burp Suite
  • Zed Attack Proxy (ZAP)
  • Tamper Data
A

Nessus

Carla is looking for a tool from a category known as interception proxies. They run on the tester’s system and intercept requests being sent from the web browser to the web server before they are released onto the network. This allows the tester to manually manipulate the request to attempt the injection of an attack. Burp Suite, ZAP, and Tamper Data are all examples of interception proxies. Nessus is a vulnerability scanner and, while useful in penetration testing, does not serve as an interception proxy.

29
Q

61- Maria wants to use a security benchmark that is widely used throughout the industry to baseline her systems as part of a hardening process. Which of the following organizations provides a set of freely available benchmarks for operating systems?

  • The Center for Internet Security
  • CompTIA
  • PCI SSC
  • OWASP
A

The Center for Internet Security

The Center for Internet Security (CIS) provides a range of free security baselines for Windows, Linux, macOS, and applications and services of many types. CompTIA, the Payment Card Industry Security Standards Council (PCI SSC), and the Open Web Application Security Project (OWASP) do not.

30
Q

PCI SSC

A

Payment Card Industry Security Standards Council

31
Q

62- Sally’s organization wants to prioritize their vulnerability remediation efforts. Which of the following items is not typically critical to prioritization of remediation efforts?

  • A list of affected hosts
  • The risk score of the vulnerability
  • The vulnerability’s name or CVE
  • The organization or individual that discovered the vulnerability
A

The organization or individual that discovered the vulnerability

Figuring out which vulnerabilities should receive attention first means that organizations need to understand the scope and impact of the vulnerability, both of which can be more easily determined with a risk score and a list of affected hosts. Knowing the vulnerability’s name, or even better its CVE identifier, allows it to be researched. Who discovered it is not relevant to remediation prioritization.

32
Q

65- Yuri wants to check if an IP address is known to be malicious. Which of the following options is the most useful way for him to manually check current information about an IP address or hostname?

  • The SANS Top 20
  • AbuseIPDB
  • WHOIS
  • Cuckoo Sandbox
A

AbuseIPDB

The only service that provides reputational information from this list is the AbuseIPDB. The SANS Top 20 are a set of lists of critical controls, vulnerabilities, and other items. WHOIS is a lookup service allowing IP addresses and hostnames to be resolved, and Cuckoo Sandbox is an open‐source sandbox tool.

33
Q

AbuseIPDB

A

provides reputational information about IP addresses

34
Q

70- Which of the following is not a common inhibitor to remediation of vulnerabilities?

  • Legacy systems
  • Organizational policies
  • The potential to degrade functionality
  • Organizational governance processes
A

Organizational policies

Organizational policies are often used to drive remediation processes by defining set timelines for patching based on risk and other factors. Common inhibitors to remediation include MOUs and SLAs, which may require specific performance or uptime; organizational governance processes that slow down actions; concerns about business process interruptions or degraded functionality; and legacy and proprietary systems.

35
Q

71- Greg wants to assess the confidence levels for his threat intelligence data. What three common items are most frequently used to determine confidence in threat intelligence?

  • Timeliness, source quality, and cost
  • Accuracy, threat actor, and likelihood
  • Timeliness, relevance, and accuracy
  • Accuracy, source quality, and cost
A

Timeliness, relevance, and accuracy

Greg knows that timeliness, relevance, and accuracy are the key factors typically used to assess threat intelligence confidence levels.

36
Q

72- Valerie’s incident response process includes moving a compromised system to a separate VLAN that retains access to the Internet but does not allow contact with other systems on her network. What containment process has she implemented?

  • Segmentation
  • IoC‐based response
  • Isolation
  • Sanitization
A

Segmentation

Valerie has segmented her network to prevent the compromise from spreading, but without fully isolating the system. This can be useful to prevent attackers from knowing that they have been detected. IoC‐based response is not a common term, and sanitization is the process of wiping and rebuilding a system to prevent hidden or remnant threats.

37
Q

74- Beena wants to ensure that her vulnerability management program is performing as expected. What technique should she use to look at its performance over time so she can see if she has problematic behaviors or practices?

  • A regularly created list of the top 10 most common vulnerabilities
  • A report showing remediation and patching trends
  • A list of zero‐day vulnerabilities and the time to remediate them
  • A list of service level objectives
A

A report showing remediation and patching trends

Trends help to determine if there is a new or increasing problem with patching. Beena can review the trends to see if her organization’s performance is stable, improving, or if issues are occurring. A list of the top 10 vulnerabilities does not provide this. A list of zero‐day vulnerabilities and the time to remediate them does not help her assess performance, nor does a list of service level objectives without data about whether they were met and how often.

38
Q

75- Selah wants to use appropriate metrics to determine how well her incident response process is working. Which of the following metrics is not commonly used to assess incident response processes?

  • Mean time to remediate
  • Mean time to detect
  • Mean time to respond
  • Mean time to defend
A

Mean time to defend

Mean time to detect, respond, and remediate are all commonly used measures. Use of active defenses is less common, and thus mean time to defend is not a commonly used measure; instead, time to respond in general is measured.

39
Q

80- What phase of incident response needs to happen before customer communications can occur?

  • Perform stakeholder identification.
  • Document lessons learned.
  • Prepare a timeline.
  • Conduct a root‐cause analysis.
A

Perform stakeholder identification.

Before communications occur with external parties such as customers, the stakeholders must be identified to ensure that communications go to the appropriate people or organizations. Since communications often happen during the investigation, having lessons learned, a timeline, or a root‐cause analysis ready may not occur until after at least some customer communication has needed to happen.

40
Q

84- Bob’s organization wants to adopt passwordless authentication. What will they need to provide to users to adopt this solution?

  • PINs
  • Biometric identifiers
  • Hardware tokens
  • New passwords
A

Hardware tokens

Passwordless authentication requires either hardware tokens or authentication applications, typically deployed to mobile devices like phones. PINs are still a knowledge factor, new passwords would not be passwordless, and biometric identifiers are not provided to users; they are set up for users based on their biometric data.