Study Guide - Assessment Test Flashcards

1
Q

After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:

  • 22/TCP
  • 443/TCP
  • 1521/TCP

What services commonly run on these ports?

  • SMTP, NetBIOS, MS‐SQL
  • SSH, LDAPS, LDAP
  • SSH, HTTPS, Oracle
  • FTP, HTTPS, MS‐SQL
A

SSH, HTTPS, Oracle

These three TCP ports are associated with SSH (22), HTTPS (443), and Oracle databases (1521). Other ports mentioned in the potential answers are SMTP (25), NetBIOS (137–139), LDAP (389), LDAPS (636) and MS‐SQL (1433/1434).

2
Q

Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

  • Black box/unknown environment
  • Authenticated
  • Internal view
  • External view
A

Authenticated

An authenticated, or credentialed, scan provides the most detailed view of the system. Black‐box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials can allow. To learn more on this topic, see Chapter 6.

3
Q

Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in Microsoft’s Edge browser that could allow remote execution or denial of service via a specifically crafted website. The CVSS 3.1 score for this vulnerability reads:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What is the attack vector and the impact to integrity based on this rating?

  • System, 9, 8
  • Browser, High
  • Network, High
  • None, High
A

Network, High

When reading the CVSS score, AV is the attack vector. Here, N means network. Confidentiality (C), integrity (I), and availability (A) are listed at the end of the listing, and all three are rated as High in this CVSS rating. To learn more on this topic, see Chapter 7.

4
Q

Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this?

  • Verify that it is a false positive, and then document the exception.
  • Implement a workaround.
  • Update the vulnerability scanner.
  • Use an authenticated scan, and then document the vulnerability.
A

Verify that it is a false positive, and then document the exception.

When Alice encounters a false positive error in her scans, her first action should be to verify it. This may involve running a more in‐depth scan like an authenticated scan, but it could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once she is done, she should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all the possibilities for validation she may need to use. To learn more on this topic, see Chapter 7.

5
Q

Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post‐incident Activity and Reporting
A

Containment, Eradication, and Recovery

The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase. To learn more on this topic, see Chapter 9.

6
Q

Which of the following descriptions explains an integrity loss?

  • Systems were taken offline, resulting in a loss of business income.
  • Sensitive or proprietary information was changed or deleted.
  • Protected information was accessed or exfiltrated.
  • Sensitive personally identifiable information was accessed or exfiltrated.
A

Sensitive or proprietary information was changed or deleted.

Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches. To learn more on this topic, see Chapter 9.

7
Q

Hui’s incident response program uses metrics to determine if their subscription to and use of IoC feeds is meeting the organization’s requirements. Which of the following incident response metrics is most useful if Hui wants to assess their use of IoC feeds?

  • Alert volume metrics
  • Mean time to respond metrics
  • Mean time to detect metrics
  • Mean time to remediate metrics
A

Mean time to detect metrics

IoCs are used to improve detection, and Hui knows that gathering mean time to detect metrics will help the organization determine if their use of IoC feeds is improving detection speed. Alert volume is driven by configuration and maintenance of alerts, and it would not determine if the IoC usage was appropriate. Response time and remediation time are better used to measure the organization’s processes and procedures. To learn more on this topic, see Chapter 12.

8
Q

Abdul’s monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?

  • Anomalous pings
  • Probing
  • Zombie chatter
  • Beaconing
A

Beaconing

Regular traffic from compromised systems to command‐and‐control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior, zombie chatter is a made‐up term, and probing is part of scanning behavior in some cases. To learn more on this topic, see Chapter 4.

9
Q

What term is used to describe the retention of data and information related to pending or active litigation?

  • Preservation
  • Legal hold
  • Criminal hold
  • Forensic archiving
A

Legal hold

The term legal hold is used to describe the retention of data and information related to a pending or active legal investigation. Preservation is a broader term used to describe retention of data for any of a variety of reasons including business requirements. Criminal hold and forensic archiving were made up for this question. To learn more on this topic, see Chapter 13.

10
Q

During a forensic investigation Maria discovers evidence that a crime has been committed. What do organizations typically do to ensure that law enforcement can use data to prosecute a crime?

  • Securely wipe drives to prevent further issues
  • Document a chain of custody for the forensic data
  • Only perform forensic investigation on the original storage media
  • Immediately implement a legal hold
A

Document a chain of custody for the forensic data

Documenting a proper chain of custody will allow law enforcement to be more likely to use forensic data successfully in court. Wiping drives will cause data loss, forensic examination is done on copies, not original drives, and legal holds are done to preserve data when litigation is occurring or may occur.

11
Q

Oscar’s manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar’s best course of action?

  • Use an antivirus tool to remove any associated malware.
  • Use an antimalware tool to completely scan and clean the system.
  • Wipe and rebuild the system.
  • Restore a recent backup.
A

Wipe and rebuild the system.

The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software. To learn more on this topic, see Chapter 11.

12
Q

Which of the following actions is not a common activity during the recovery phase of an incident response process?

  • Reviewing accounts and adding new privileges
  • Validating that only authorized user accounts are on the systems
  • Verifying that all systems are logging properly
  • Performing vulnerability scans of all systems
A

Reviewing accounts and adding new privileges

The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase. To learn more on this topic, see Chapter 11.

13
Q

A statement like “Windows workstations must have the current security configuration template applied to them before being deployed” is most likely to be part of which document?

  • Policies
  • Standards
  • Procedures
  • Guidelines
A

Standards

This statement is most likely to be part of a standard. Policies contain high‐level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step‐by‐step process, and a guideline describes a best practice or recommendation. To learn more on this topic, see Chapter 8.

14
Q

A firewall is an example of what type of control?

  • Preventive
  • Detective
  • Responsive
  • Corrective
A

Preventive

The main purpose of a firewall is to block malicious traffic before it enters a network, therefore preventing a security incident from occurring. For this reason, it is best classified as a preventive control. To learn more on this topic, see Chapter 8.

15
Q

Cathy wants to collect network‐based indicators of compromise as part of her security monitoring practice. Which of the following is not a common network‐related IoC?

  • Bandwidth consumption
  • Rogue devices on the network
  • Scheduled updates
  • Activity on unexpected ports
A

Scheduled updates

Scheduled updates are a normal activity on network connected devices. Common indicators of potentially malicious activity include bandwidth consumption, beaconing, irregular peer‐to‐peer communication, rogue devices, scans, unusual traffic spikes, and activity on unexpected ports. To learn more on this topic, see Chapter 3.

16
Q

Nick wants to analyze a potentially malicious software package using an open source, locally hosted tool. Which of the following tools is best suited to his need if he wants to run the tool as part of the process?

  • Strings
  • A SIEM
  • VirusTotal
  • Cuckoo Sandbox
A

Cuckoo Sandbox

Cuckoo Sandbox is the only item from the list of potential answers that is a locally installed and run sandbox that analyzes potential malware by running it in a safe sandbox environment. To learn more on this topic, see Chapter 3.

17
Q

Which software development life cycle model uses linear development concepts in an iterative, four‐phase process?

  • Waterfall
  • Agile
  • RAD
  • Spiral

A

Spiral

The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation. To learn more on this topic, see Chapter 8.

18
Q

Waterfall

A
  • sequential model where each phase is followed by the next
  • no overlap between phases
  • best suited for projects with a fixed scope, known timeframe, and stable technology
19
Q

Agile

A
  • an iterative and incremental process that breaks work into smaller units
  • focused on adapting to needs rather than predicting them
  • Work is done in short sessions called sprints
20
Q

RAD

A
  • Rapid Application Development
  • uses prototypes and iterative development to quickly build a working product
  • emphasizes user feedback and adaptation
  • less focus on up-front planning

Five Phases

  • Business modeling
  • Data modeling
  • Process modeling
  • Application generation
  • Testing and turnover
21
Q

Spiral

A
  • uses linear development concepts in an iterative process, revisiting four phases multiple times
  • also emphasizes risk assessment

The four phases include:

  • identification
  • design
  • build
  • evaluation
22
Q

Common Ports to know from books

  • 20, 21
  • 22
  • 23
  • 25
  • 53
  • 67, 68
  • 80
  • 110
  • 123
  • 135
  • 137, 139
  • 143
  • 161, 162
  • 389
  • 443
  • 445
  • 515
  • 631
  • 636
  • 1433
  • 1521
  • 1723
  • 3306
  • 3389
A
  • 20, 21 - FTP
  • 22 - SSH
  • 23 - Telnet
  • 25 - SMTP
  • 53 - DNS
  • 67, 68 - DHCP
  • 80 - HTTP
  • 110 - POP3
  • 123 - NTP
  • 135 - Microsoft Remote Procedure Call (MSRPC)
  • 137, 139 - NetBIOS
  • 143 - IMAP
  • 161, 162 - SNMP
  • 389 - LDAP
  • 443 - HTTPS
  • 445 - SMB
  • 515 - LPR/LPD (print service)
  • 631 - IPP (print service)
  • 636 - LDAPS
  • 1433 - SQL Server
  • 1521 - Oracle
  • 1723 - Point-to-Point Tunneling Protocol
  • 3306 - MySQL
  • 3389 - RDP