Quiz Flashcards
You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
NAC
You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL?
DES
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system?
plists
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?
Technical Architecture
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?
SNMP
You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server’s backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE)
- Create an allow list for the specific IP blocks that access the application
- Change username and default passwords
- Require 2FA to the application
A Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company’s CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented?
Formal Methods of verification
A company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?
A Web Application Firewall (WAF)
Which tool should a malware analyst utilize to track the registry’s changes and the file system while running a suspicious executable on a Windows system?
Process Monitor
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?
OpenID Connect
How does Chained Exploit work?
It combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal.
Someone is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh?
Change ssh_config to deny root login
What information should be recorded on a chain of custody form during a forensic investigation?
Any person who worked with evidence during the investigation.
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices’ data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?
Perform a Cryptographic erase of the drive.
What is included in an Endpoint Security Suite?
Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software.
What type of attack is common with programs written in C and C++?
Buffer overflows
What type of vulnerability scan should be used for devices that are routinely not connected to the network?
Agent-based scanning
You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select?
Technical View
Someone attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?
DNS Poisoning
You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it?
A: Services.msc
B: wmic
C: sc
D: secpol.msc
D: secpol.msc
What type of monitoring uses a network tap?
Passive
Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host?
A: Netcat
B: ftp
C: telnet
D: wget
B: ftp
What is “Regression testing”?
Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change.
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?
backup tapes
You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
A Port Scan
A company runs critical web applications. During a vulnerability scan, they found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should they recommend using until the system can be remediated?
Web Application Firewall
You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service?
/etc/xinetd.conf
You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement?
It would be:
\b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b, which uses parentheses and “OR” operators (|) to delineate the possible whole-word variations of the three IP addresses.
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting?
Agent-based monitoring
Which of the following is NOT a valid reason to conduct reverse engineering?
To allow a software developer to spot flaws in their source code
Describe what file carving is.
A process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least bits of information from deleted files.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon’s behavior on the network?
The beacon’s protocol
Someone is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically?
Suspend the machine and copy the contents of the directory it resides in.
What can you use to collect malicious content without affecting your organization’s network?
A honeypot
You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed ‘history’ into the prompt and see the following:
> for i in seq 255; ping -c 1 10.1.0$i; done
What best describes the actions performed by this line of code?
A ping sweep being conducted on the subnet
An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?
You will need to perform “file carving” as the attack fragmented the contents across the host file system.
What type of digital forensic investigation is most challenging due to the on-demand nature of the analyzed assets?
Cloud services, because instances are often created and destroyed again with no real opportunity for forensic recovery of any data.