section 3-4 Flashcards
A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the best defense against this scenario?
a.
Configuring signature-based antivirus to update every 30 minutes.
b.
Enforcing S/MIME for email and automatically encrypting USB drives upon insertion.
c.
Implementing application execution in a sandbox for unknown software.
d.
Fuzzing new files for vulnerabilities if they are not digitally signed.
c.
Implementing application execution in a sandbox for unknown software.
Implementing application execution in a sandbox for unknown software allows for the safe execution and analysis of potentially malicious code in an isolated environment, preventing it from affecting the main system. This approach is effective against custom malware introduced through emails or USB sticks.
A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring?
a.
A worm is propagating across the network.
b.
Data is being exfiltrated.
c.
A logic bomb is deleting data.
d.
Ransomware is encrypting files.
b.
Data is being exfiltrated.
Unusual DNS queries, especially during non-business hours, often indicate data exfiltration. Attackers may use DNS tunneling to stealthily transfer data out of the network.
An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the best course of action for the analyst to take?
a.
Apply a DLP solution.
b.
Implement network segmentation.
c.
Utilize email content filtering.
d.
Isolate the infected attachment.
b.
Implement network segmentation.
While isolating the infected attachment can stop the immediate threat from that specific file, implementing network segmentation provides a broader defense by containing the worm and preventing it from spreading to other parts of the network. This approach is more comprehensive and effective in mitigating further spread of the infection.
A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: "CPU 0 percent busy, from 300 sec ago. 1 sec ave 99 percent busy. 5 sec ave 97 percent busy. 1 min ave 83 percent busy." Which of the following is the router experiencing?
a.
DDoS attack.
b.
Memory leak.
c.
Buffer overflow.
d.
Resource exhaustion.
The SIEM at an organization has detected suspicious traffic coming from a workstation in its internal network. An analyst in the SOC investigates the workstation and discovers malware associated with a botnet is installed on the device. A review of the logs on the workstation reveals that the privileges of the local account were escalated to a local administrator. To which of the following groups should the analyst report this real-world event?
a.
The NOC team.
b.
The vulnerability management team.
c.
The CIRT.
d.
The red team.
c.
The CIRT.
The Computer Incident Response Team (CIRT) is responsible for responding to security incidents, investigating breaches, and mitigating their impact.
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the user’s knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker most likely use to gain access?
a.
A bot.
b.
A fileless virus.
c.
A logic bomb.
d.
A RAT.
d.
A RAT.
A Remote Access Trojan (RAT) allows attackers to control an infected system remotely. The scenario described aligns with typical RAT behavior.
A security analyst is investigating multiple hosts that are communicating to external IP addresses during the hours of 2:00 a.m. to 4:00 a.m. The malware has evaded detection by traditional antivirus software. Which of the following types of malware is MOST likely infecting the hosts?
a.
A RAT.
b.
Ransomware.
c.
Polymorphic.
d.
A worm.
a.
A RAT.
A Remote Access Trojan (RAT) is designed to give attackers control over the infected systems. RATs often operate stealthily, evading traditional antivirus detection, and are typically used to establish external communications with command-and-control servers during off-peak hours to avoid detection.
Malware spread across a company’s network after an employee visited a compromised industry blog. Which of the following best describes this type of attack?
a.
Impersonation.
b.
Disinformation.
c.
Watering-hole.
d.
Smishing.
c.
Watering-hole.
A watering-hole attack targets users by compromising websites they are likely to visit.
An administrator finds that all user workstations and servers are displaying a message that is associated with files containing an extension of .ryk. Which of the following types of infections is present on the systems?
a.
Virus.
b.
Trojan.
c.
Spyware.
d.
Ransomware.
d.
Ransomware.
The extension .ryk and the message displayed indicate a ransomware infection, where files are encrypted, and a ransom is demanded for their release.
A systems administrator receives the following alert from a file integrity monitoring tool: "The hash of the cmd.exe file has changed." The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
a.
The end user changed the file permissions.
b.
A cryptographic collision was detected.
c.
A snapshot of the file system was taken.
d.
A rootkit was deployed.
d.
A rootkit was deployed.
A change in the hash of a critical system file like cmd.exe without any recent patches suggests that the file may have been tampered with maliciously. A rootkit can alter system files to hide its presence and gain persistent access to the system, which is consistent with this type of alert.
The spread of misinformation surrounding the outbreak of a novel virus on election day led to eligible voters choosing not to take the risk of going to the polls. This is an example of
a.
Prepending.
b.
An influence campaign.
c.
A watering-hole attack.
d.
Intimidation.
e.
Information elicitation.
b.
An influence campaign.
An influence campaign is an effort to affect the opinions and behaviors of a target audience, in this case, spreading misinformation to deter voters from going to the polls.
An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards. Which of the following techniques is the attacker using?
a.
Smishing.
b.
Phishing.
c.
Impersonating.
d.
Vishing.
d.
Vishing.
Vishing (voice phishing) is a type of social engineering attack where the attacker uses the phone to trick someone into giving sensitive information or performing certain actions.
An employee receives a text message from an unknown number claiming to be the company’s Chief Executive Officer and asking the employee to purchase several gift cards. Which of the following types of attacks does this describe?
a.
Vishing.
b.
Smishing.
c.
Pretexting.
d.
Phishing.
b.
Smishing.
Smishing is a type of social engineering attack where the attacker uses SMS text messages to trick victims into revealing personal information or performing actions such as purchasing gift cards.
After a security awareness training session, a user called the IT help desk and reported a suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an invoice. Which of the following topics did the user recognize from the training?
a.
Insider threat.
b.
Email phishing.
c.
Social engineering.
d.
Executive whaling.
c.
Social engineering.
Social engineering: Manipulating people into divulging confidential information.
An engineer moved to another team and is unable to access the new team’s shared folders while still being able to access the shared folders from the former team. After opening a ticket, the engineer discovers that the account was never moved to the new group. Which of the following access controls is most likely causing the lack of access?
a.
Role-based.
b.
Discretionary.
c.
Time of day.
d.
Least privilege.
a.
Role-based.
Role-based access control (RBAC) restricts access based on the user’s role within an organization. Since the engineer was not moved to the new group, their role-based permissions did not update, causing the lack of access to the new team’s folders.