Study Guide - Practice Exam 1 Flashcards
9- Kevin is configuring a web‐based SIEM application and would like it to trigger a vulnerability scan of a web server each time a certain event occurs in the SIEM. What technology would he configure on the SIEM to allow this action?
- API
- Webhook
- IPS
- CASB
Webhook
Webhooks allow one application to send a signal to another using a web request when a specific event occurs. The SIEM would be set up with a webhook based upon the event characteristics. That webhook would call the API on the vulnerability scanner (not the SIEM). This scenario does not call for the use of an intrusion prevention system (IPS) or a cloud access security broker (CASB).
Webhook
Webhooks allow you to send a signal from one application to another using a web request. For example, a webhook action in a threat intelligence platform could send a request to a vulnerability scanner’s API each time a new vulnerability is reported, triggering the desired scan.
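Added example (not from the study guide): the receiving side of the webhook-to-scanner flow in Python. A webhook is just an inbound HTTP request, so the practitioner's concern is making sure a forged request cannot start scans against arbitrary hosts. The receiver verifies an HMAC over the raw body, accepts only the triggering rule, and restricts targets to scan-eligible networks before building the scanner API call. The shared secret, signature scheme, scanner endpoint, allowed network, rule name and event fields are all assumptions; no specific SIEM or scanner product's API is implied.

```python
import hashlib
import hmac
import ipaddress
import json
from typing import Optional

# Assumed shared secret, configured identically on the SIEM webhook action and here.
WEBHOOK_SECRET = b"example-shared-secret-rotate-me"
# Assumed scanner API endpoint; no real product's API is implied.
SCANNER_API = "https://scanner.example.internal/api/v1/scans"
# Assumed: only web servers in these ranges may be scanned on the strength of a webhook.
ALLOWED_TARGETS = [ipaddress.ip_network("10.20.30.0/24")]
# Assumed name of the SIEM rule whose firing should start a scan.
TRIGGER_RULE = "web_server_suspicious_upload"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded, as the sender computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_sig: Optional[str],
                     secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time check of the signature header against the body actually received."""
    if not header_sig:
        return False
    return hmac.compare_digest(sign(body, secret), header_sig)


def build_scan_request(body: bytes, header_sig: Optional[str]) -> Optional[dict]:
    """Turn a verified SIEM webhook delivery into a call to the scanner API.

    Returns the request to make, or None when the delivery must be ignored:
    bad signature, wrong rule, unparsable target, or a target outside ALLOWED_TARGETS.
    """
    if not verify_signature(body, header_sig):
        return None
    event = json.loads(body)
    if event.get("rule") != TRIGGER_RULE:
        return None
    try:
        target = ipaddress.ip_address(event.get("dest_ip", ""))
    except ValueError:
        return None
    if not any(target in net for net in ALLOWED_TARGETS):
        return None
    return {
        "method": "POST",
        "url": SCANNER_API,
        "json": {
            "target": str(target),
            "profile": "web_app",
            "source_alert": event.get("alert_id"),
        },
    }


# Constructed sample delivery, standing in for what the SIEM would POST.
SAMPLE_EVENT = json.dumps({
    "alert_id": "siem-000123",
    "rule": TRIGGER_RULE,
    "dest_ip": "10.20.30.40",
}).encode()


if __name__ == "__main__":
    print(json.dumps(build_scan_request(SAMPLE_EVENT, sign(SAMPLE_EVENT)), indent=2))
    # A body altered in transit no longer matches the signature, so no scan is started.
    print(build_scan_request(SAMPLE_EVENT + b" ", sign(SAMPLE_EVENT)))
```

Without the signature check anyone who can reach the receiver can make the scanner scan hosts of their choosing; without the target allowlist a compromised SIEM account can do the same with a valid signature.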
11- Saanvi is starting his incident response process and has been asked to immediately remediate the compromised web servers that were impacted to allow them to return to production. Why might he need to replace the drives in the systems and keep hashed copies of them?
- To prevent data loss
- Evidence retention
- To ensure proper data remanence prevention
- All of the above
Evidence retention
Retaining evidence may be required in the event of a criminal investigation or civil suit, and Saanvi may need to retain the original drives. He might opt to create copies of the drives for forensic purposes and will need to ensure that proper chain of custody and documentation is done, which may require engaging law enforcement before he takes any action.
Jacob discovers that systems in his datacenter have begun to connect to each other via SSH at regular intervals. Which of the following indicators of potentially malicious activity best matches this type of behavior?
- Beaconing
- Irregular peer‐to‐peer communication
- Scans
- Unusual traffic spikes
Irregular peer‐to‐peer communication
Systems in the same network segment or trust zone connecting to each other in abnormal ways is an example of irregular peer‐to‐peer communication. Servers are likely to connect to each other in known and expected ways, using services like database or HTTPS connections if they’re part of an established service architecture. Beaconing traffic typically leaves datacenters destined for command‐and‐control hosts. A single protocol like SSH at regular intervals is atypical for a scan or sweep, and the traffic is not described as a spike or high usage.
15- Kayla wants to check configuration information about a Windows system. Where does Windows store configuration information about the operating system like security settings?
- The user directory
- The system directory
- The Registry
- The Windows NT directory
The Registry
Windows stores information about things like security settings in the Windows Registry.
17- Jacinda wants to use data from her firewalls, EDR, and other security tools to help detect a potential incident. What type of information should she feed to her central security log and event management tools to help identify new attacks with known patterns?
- LFIs and RFIs
- OWASP feeds
- Kill chain models
- IoCs
IoCs
Indicator of compromise (IoC) feeds let security monitoring systems correlate log and other security data against known attack patterns and techniques, so Jacinda can use them to spot newly reported attacks that follow known patterns. LFIs and RFIs are local and remote file inclusions in the context of the CySA exam. OWASP does not provide threat data feeds, and the Cyber Kill Chain is an attack model.
LFI
local file inclusion
RFI
remote file inclusion
20- Which of the following is not typically involved in the initial phases of a CSIRT activation?
- Technical staff
- CSIRT leader
- Law enforcement
- First responder
Law enforcement
For most organizations, CSIRT activities initially involve internal resources. Law enforcement is involved only when it is believed that a crime has been committed, requiring participation of law enforcement officers.
22- Bob is evaluating the risk to his organization from advanced persistent threat (APT) attackers. He assesses the likelihood of this risk occurring to be medium and the impact high. How would this risk be categorized under most organizations’ risk evaluation matrices?
- Low risk
- Moderate risk
- Semi‐moderate risk
- High risk
High risk
Under the risk management matrix used by most organizations, a risk with a medium likelihood and high impact would be considered a high risk.
26- Gavin is responding to a security incident. He has taken actions to limit the amount of damage caused by the attack and is now moving on to remove malware installed by attackers on the network. What phase of the incident response process is Gavin beginning?
- Containment
- Recovery
- Post‐Incident Activities
- Eradication
Eradication
The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization’s network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
30- Jim has been provided with a CVE number for a vulnerability. What does the CVE tell him?
- It tells him the severity of the risk.
- It allows him to look up the risk.
- It tells him how many hosts are affected.
- It allows him to provide a compliance report.
It allows him to look up the risk.
Common Vulnerabilities and Exposures (CVE) numbers are used to identify vulnerabilities and will allow Jim to look up and reference the vulnerability across vendor‐provided databases and other sources of information. The CVE number does not provide information about the vulnerability itself like severity, number of affected hosts, or compliance information.
31- Which of the following is not a reason to avoid imaging live systems?
- The drive may be modified by the forensic tool.
- The drive contents may change during the imaging process.
- Unallocated space will not be included.
- Capturing memory contents is more difficult.
Capturing memory contents is more difficult.
There are many reasons to avoid imaging live machines if it is not absolutely necessary, but one advantage of imaging a live machine is the ability to directly capture the contents of memory. Risks of capturing images from live machines include inadvertent modification of the system, changes that may occur on the machine during imaging, the potential for malware to attack the imaging system or to detect and avoid it, and the fact that most live images don’t capture unallocated space.
33- Brian is a new hire to his company as a threat hunter and he is beginning by developing scenarios of potential attacks. What threat hunting activity is Brian performing?
- Reducing the attack surface area
- Establishing the hypothesis
- Profiling threat actors
- Gathering evidence
Establishing the hypothesis
Brian is developing potential scenarios that might result in a successful attack. This is an example of establishing a threat‐hunting hypothesis. Next, Brian should look for evidence of such an attack in an attempt to confirm or refute his hypothesis.
34- Rodney’s company wants to prevent phishing attacks from resulting in account compromise. Which of the following solutions will provide the most effective solution?
- Implement context‐aware authentication.
- Use enhanced password requirements.
- Add token‐based authentication.
- Set a shorter password lifespan.
Add token‐based authentication.
Multifactor authentication like token‐based authentication can help prevent phishing attacks that result in stolen credentials from resulting in attackers accessing systems. As long as attackers do not also acquire the token (often an app on a smartphone or a physical device kept in the user’s pocket), the attacker will not have all the factors they need to authenticate. Context‐aware authentication might help if attackers log in from places that legitimate users don’t, but enhanced password requirements and shorter password lifespans have a relatively small impact, if any.
35- The group of developers that Cynthia is part of tests each software component or function before integrating it into larger software modules. What is this process called?
- Code segmentation
- Unit testing
- UAT
- Fagan inspection
Unit testing
Unit testing tests the smallest testable parts of an application or program, ensuring that each component works properly before they are put together. UAT is user acceptance testing, Fagan inspection is a form of formal code review, and code segmentation is not a term used in software engineering or development.
37- Howard is analyzing the logs from his firewall and sees that the same IP address attempted blocked connections to the same server many different times. What is the most likely explanation for this activity?
- Denial‐of‐service (DoS) attack
- Port scan
- SQL injection
- Cross‐site scripting
Port scan
This is most likely a port scan being used to conduct reconnaissance and determine what ports are open on the server. A DoS attack would more likely use requests to a service allowed through the firewall. SQL injection and cross‐site scripting would be successful only against a web server that was allowed to receive connections through the firewall.
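Added example (not from the study guide) covering two of the indicators above: the regular-interval server-to-server SSH in Jacob's datacenter (irregular peer-to-peer communication) and the repeated blocked connections from one address to one server in Howard's firewall logs (port scan). It parses a constructed firewall log and applies two detections: flows that recur at a near-constant interval, split into peer-to-peer versus beaconing by whether the destination is inside the datacenter range, and sources whose denied connections to a single host span many distinct ports. The log layout, address ranges and thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample firewall log (time action src dst dport). The layout is an
# assumption for this example, not any vendor's real format.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z ALLOW 10.1.1.5 10.1.1.9 22
2024-03-01T10:00:17Z ALLOW 10.1.1.5 10.1.1.20 443
2024-03-01T10:05:00Z ALLOW 10.1.1.5 10.1.1.9 22
2024-03-01T10:10:00Z ALLOW 10.1.1.5 10.1.1.9 22
2024-03-01T10:12:41Z ALLOW 10.1.1.5 10.1.1.20 443
2024-03-01T10:15:00Z ALLOW 10.1.1.5 10.1.1.9 22
2024-03-01T10:20:00Z ALLOW 10.1.1.5 10.1.1.9 22
2024-03-01T10:20:03Z DENY 203.0.113.7 10.1.1.9 21
2024-03-01T10:20:03Z DENY 203.0.113.7 10.1.1.9 22
2024-03-01T10:20:03Z DENY 203.0.113.7 10.1.1.9 23
2024-03-01T10:20:04Z DENY 203.0.113.7 10.1.1.9 25
2024-03-01T10:20:04Z DENY 203.0.113.7 10.1.1.9 80
2024-03-01T10:20:04Z DENY 203.0.113.7 10.1.1.9 110
2024-03-01T10:20:05Z DENY 203.0.113.7 10.1.1.9 143
2024-03-01T10:20:05Z DENY 203.0.113.7 10.1.1.9 443
2024-03-01T10:20:05Z DENY 203.0.113.7 10.1.1.9 445
2024-03-01T10:20:06Z DENY 203.0.113.7 10.1.1.9 3389
2024-03-01T10:21:00Z DENY 198.51.100.4 10.1.1.9 23
2024-03-01T10:30:00Z ALLOW 10.1.1.7 198.51.100.99 443
2024-03-01T10:31:00Z ALLOW 10.1.1.7 198.51.100.99 443
2024-03-01T10:32:00Z ALLOW 10.1.1.7 198.51.100.99 443
2024-03-01T10:33:00Z ALLOW 10.1.1.7 198.51.100.99 443
"""

# Assumed datacenter address space; distinguishes peer-to-peer traffic from outbound beacons.
DATACENTER = ipaddress.ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class Record:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport = line.split()
        records.append(Record(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                              action, src, dst, int(dport)))
    return records


def find_regular_sessions(records: List[Record], min_count: int = 4,
                          max_cv: float = 0.1) -> List[dict]:
    """Flag allowed flows recurring at a near-constant interval (low stdev/mean of gaps).
    Internal destinations are reported as peer_to_peer, external ones as beaconing."""
    by_flow: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for r in records:
        if r.action == "ALLOW":
            by_flow[(r.src, r.dst, r.dport)].append(r.ts)
    findings = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0 or pstdev(gaps) / avg > max_cv:
            continue
        kind = "peer_to_peer" if ipaddress.ip_address(dst) in DATACENTER else "beaconing"
        findings.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                         "interval_s": round(avg), "kind": kind})
    return findings


def find_port_scans(records: List[Record], min_ports: int = 10) -> List[dict]:
    """Flag a source whose blocked connections to one server span many distinct ports."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for r in records:
        if r.action == "DENY":
            ports[(r.src, r.dst)].add(r.dport)
    return [{"src": s, "dst": d, "distinct_ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= min_ports]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in find_regular_sessions(recs) + find_port_scans(recs):
        print(finding)
```

The same regularity test fires for beaconing and for unexpected peer-to-peer sessions; what separates them, as the explanation above says, is where the traffic is headed, which is why the destination is checked against the datacenter range. The single blocked connection from 198.51.100.4 and the sporadic HTTPS traffic stay below the thresholds and are not reported.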
39- Angela wants to search for rogue devices on her network. Which of the following techniques will best help her identify systems if she has a complete hardware and systems inventory?
- MAC address vendor checking
- Site surveys
- Traffic analysis for unexpected behavior
- MAC address verification
MAC address verification
Since Angela already knows the MAC addresses of all the devices due to her systems inventory, she can simply search for associated MAC addresses that do not match the list.
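Added example (not from the study guide) of the MAC address verification described above, in Python. In practice the hard part is not the comparison but the formats: inventories, switch MAC tables and ARP caches record the same address as colon-, dash-, or Cisco dot-separated hex in either case, so every address is canonicalised before being compared. Unknown addresses are reported with the IEEE locally-administered and multicast bits decoded from the first octet, and inventory devices that were never seen are listed too. The inventory and the observed addresses are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac: str) -> str:
    """Canonicalise to lower-case colon form. Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    Cisco-style aabb.ccdd.eeff and bare aabbccddeeff."""
    digits = _NON_HEX.sub("", mac.strip().lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_rogue(observed: Iterable[str], inventory: Dict[str, str]) -> Dict[str, list]:
    """Compare MACs seen on the network with the authoritative inventory.

    Returns observed addresses absent from inventory (rogue candidates, with the
    locally-administered and multicast bits of the first octet decoded) and the
    inventory entries that were not observed at all.
    """
    known = {normalize_mac(m): tag for tag, m in inventory.items()}
    seen = set()
    rogue: List[dict] = []
    for raw in observed:
        mac = normalize_mac(raw)
        seen.add(mac)
        if mac in known:
            continue
        first_octet = int(mac[:2], 16)
        rogue.append({
            "mac": mac,
            "locally_administered": bool(first_octet & 0x02),  # typical of VMs/containers
            "multicast": bool(first_octet & 0x01),
        })
    missing = sorted(tag for mac, tag in known.items() if mac not in seen)
    return {"rogue": rogue, "missing": missing}


# Constructed inventory (asset tag -> MAC), deliberately recorded in mixed formats.
INVENTORY = {
    "srv-web-01": "00:1A:2B:3C:4D:5E",
    "srv-db-01": "00-1a-2b-3c-4d-5f",
    "sw-core-01": "001a.2b3c.4d60",
    "prn-floor2": "00:1a:2b:3c:4d:61",
}

# Constructed dump of a switch MAC table / ARP cache.
OBSERVED = [
    "001a.2b3c.4d5e",
    "00:1A:2B:3C:4D:5F",
    "001a.2b3c.4d60",
    "f0:9f:c2:11:22:33",  # unknown, vendor-assigned address
    "02:42:ac:11:00:02",  # unknown, locally administered (typical of a container bridge)
]

if __name__ == "__main__":
    print(find_rogue(OBSERVED, INVENTORY))
```

A MAC address is trivially spoofed, so a match proves only that a device is claiming an inventoried address; the value of the check is the list of unknowns to go and look at, and the locally-administered bit is a quick hint that an unknown is probably a virtual interface rather than new hardware.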
40- What type of control can be put in place and documented if an existing security measure is too difficult to implement or does not fully meet security requirements?
- Cost limiting
- Administrative
- Compensating
- Break‐fix
Compensating
When existing controls are insufficient, do not resolve the issue, or are too difficult to implement, a compensating control is often put in place. It is important to document compensating controls, because they differ from the expected or typical control that would normally be in place.
42- Tom would like to use nmap to perform service fingerprinting and wants to request banner information from scanned services. What flag should he use?
- -oG
- -sS
- -b
- -sV
-sV
The -sV flag reports banner and version information. The -oG flag generates greppable output. The -sS flag requests a TCP SYN scan. The -b flag is used to detect servers supporting FTP bounce.
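Added example (not from the study guide): a Python parser for the grepable output (-oG) mentioned above, showing where the banner and version information requested with -sV ends up. In the grepable format each Host line carries tab-separated "Name: value" fields, and each entry in the Ports field is port/state/protocol/owner/service/rpc-info/version, so the version field is what -sV fills in. The sample output below is constructed (hosts, banners and the scan header are made up); the field layout is nmap's documented grepable format.

```python
from dataclasses import dataclass
from typing import List

# Constructed -oG output from a scan run with -sV. Hosts and banners are made up;
# "\t" separates the fields as nmap does.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Fri Mar  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.1.1.9 10.1.1.20
Host: 10.1.1.9 ()\tStatus: Up
Host: 10.1.1.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 10.1.1.20 ()\tStatus: Up
Host: 10.1.1.20 ()\tPorts: 443/open/tcp//https//Apache httpd 2.4.57/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done at Fri Mar  1 10:00:42 2024 -- 2 IP addresses (2 hosts up) scanned in 41.87 seconds
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when no version probe matched (or -sV was not used)


def parse_gnmap(text: str) -> List[Service]:
    """Flatten nmap grepable output into one Service record per reported port."""
    results: List[Service] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header and footer comments
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        host = fields["Host"].split()[0]  # "10.1.1.9 (hostname)" -> "10.1.1.9"
        for entry in fields["Ports"].split(", "):
            # Seven slash-separated fields; split at most 6 times so a version string
            # containing "/" stays intact, then drop the trailing field terminator.
            port, state, proto, _owner, svc, _rpc, version = entry.split("/", 6)
            results.append(Service(host, int(port), proto, state, svc,
                                   version.rstrip("/").strip()))
    return results


def unversioned(services: List[Service]) -> List[Service]:
    """Ports where -sV produced no version string; candidates for manual banner grabbing."""
    return [s for s in services if not s.version]


if __name__ == "__main__":
    for s in parse_gnmap(SAMPLE_OG):
        print(f"{s.host}:{s.port}/{s.proto} {s.state} {s.service} {s.version!r}")
    print("no version:", [(s.host, s.port) for s in unversioned(parse_gnmap(SAMPLE_OG))])
```

Nmap documents grepable output as deprecated in favour of XML (-oX), which is the better choice for anything new; the parser is still useful for the many scripts and archives that already hold .gnmap files.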
44- Insecure, Inc. has experienced multiple data breaches over the past 6 months and has recently hired Cynthia as an information security officer. Cynthia’s first task is to review Insecure, Inc.’s defenses with the goal of identifying appropriate defenses to put in place.
Cynthia knows that her new employers had two major breaches. Breach A occurred when an employee took home a USB external drive with sensitive customer information as well as corporate planning data for the following year. The employee left the drive in their car, and the car was broken into overnight. In the morning, the drive was gone. Insecure, Inc. is uncertain about the fate of the drive and is concerned that customer data as well as their top‐secret plans to best their competitors may have been exposed.
Breach B was caused when Insecure, Inc.’s new web application was attacked by unknown attackers who used a SQL injection attack to insert new data into their e‐commerce application. Insecure, Inc.’s website was quickly deluged with deal seekers, who put in hundreds of orders for Insecure’s newly inexpensive products—the attackers had managed to change the price for almost every product they sold. Insecure, Inc. managed to cancel most of the orders before they shipped, but they have had to deal with angry customers since the event.
Using this information, your task is to help Cynthia recommend the best defensive strategy for the following question.
If Cynthia wants to address the human side of the issues she has discovered, what solution would best help prevent future issues?
- Policy and awareness training
- Dual control and cross training
- Cross training and an awareness program
- Implementing a continuous improvement program
Policy and awareness training
It can be easy to forget how important policies and the standards and practices that derive from them are, but policies make up the foundation of an organization’s security practices. When combined with awareness training, it is far more likely that the employees Cynthia works with will avoid bad practices like taking unencrypted drives home or neglecting web application security development best practices.
PRNG
Pseudo Random Number Generator
48- What requirement of shared authentication is a key differentiator from SSO?
- It requires authentication for each site.
- It uses the same authentication key for each site.
- Shared authentication provides end‐to‐end encryption.
- The shared authentication standard is an open standard.
It requires authentication for each site.
The key difference between a shared authentication model and a single sign‐on (SSO) model is that shared authentication systems require users to enter credentials when authenticating to each site. Single sign‐on only requires a single sign‐on—exactly as the name says!
49- NIST’s data impact rating scale describes what category of data impact as “Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated?”
- Confidentiality breach
- Privacy breach
- Proprietary breach
- Integrity loss
Privacy breach
In NIST’s information impact categories classification scheme, this is a privacy breach, involving personally identifiable information. NIST defines four ratings: none, privacy breaches, proprietary information breaches, and integrity loss. Proprietary information breaches involve unclassified proprietary information, such as protected critical infrastructure information. Integrity losses occur when sensitive or proprietary information is changed or deleted. NIST does not use the broad term confidentiality breaches, instead preferring more specific definitions.
51- Which Windows tool provides detailed data, including counters, that can measure information about a system like energy consumption, disk usage, and network activity?
- Winmon
- Perfmon
- Sysctl
- NICmon
Perfmon
Perfmon (Performance Monitor) provides the ability to perform detailed data collection. Winmon is a name typically associated with malware, and sysctl is a Linux tool used for changing kernel parameters at runtime. NICmon was made up for this question.
52- Kyle used nslookup to determine the IP address for nytimes.com and received the following results:
nytimes.com
Server:         172.30.0.2
Address:        172.30.0.2#53

Non-authoritative answer:
Name:   nytimes.com
Address: 151.101.1.164
Name:   nytimes.com
Address: 151.101.65.164
Name:   nytimes.com
Address: 151.101.129.164
Name:   nytimes.com
Address: 151.101.193.164
What is the IP address of the server that answered Kyle’s request?
- 172.30.0.2
- 151.101.1.164
- 151.101.65.164
- 151.101.193.164
172.30.0.2
The DNS server that answered Kyle’s request is identified in the Server and Address lines at the top of the response (172.30.0.2, with #53 indicating the port it answered on). The IP addresses listed under “Non-authoritative answer” are the resolver’s answers to Kyle’s query, not the resolver itself.
57- Which one of the following criteria would normally be considered least important when making decisions about the scope of vulnerability scanning programs?
- Regulatory requirements
- Data classification
- Operating system type
- Corporate policy
Operating system type
The most important criteria when making decisions about the scope of vulnerability management programs are regulatory requirements, corporate policy, asset classification, and data classification.
58- Bernie is designing a PCI DSS–compliant vulnerability management program for his business. Who may conduct the internal scans required by the standard?
- Scans must be conducted by an approved scanning vendor (ASV).
- Scans must be conducted by an internal audit group or an ASV.
- Scans must be conducted by a PCI DSS–certified individual.
- Scans may be conducted by any qualified individual.
Scans may be conducted by any qualified individual.
PCI DSS only requires that internal scans be conducted by a qualified individual. External scans must be conducted by an approved scanning vendor (ASV).
59- Which one of the following elements of the Security Content Automation Protocol (SCAP) provides a standard nomenclature for describing security‐related software flaws?
- CVSS
- CPE
- CVE
- OVAL
CVE
Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security‐related software flaws. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security‐related software flaws. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. Open Vulnerability and Assessment Language (OVAL) is a language for specifying low‐level testing procedures used by checklists.
62- Donna’s organization has received a legal hold notice. Which of the following is not something she will have to do as part of the notice?
- Document a chain of custody.
- Change deletion and destruction processes to preserve data.
- Ensure that all data covered by the hold is preserved.
- Produce the data when required by the legal case.
Document a chain of custody.
Donna must take steps to preserve the data required by the case, including identifying the data, ensuring it is preserved, changing deletion and destruction processes to retain the data, and producing it when required. She does not have to document a chain of custody for the data.
64- Gary is the cybersecurity manager for a federal government agency subject to FISMA. He is evaluating the potential confidentiality impact of a system and decides that the unauthorized disclosure of information stored on the system could have a serious adverse impact on citizens served by his agency. How should Gary rate the confidentiality impact?
- Low
- Moderate
- High
- Critical
Moderate
The system should be rated as moderate impact for confidentiality if “the unauthorized disclosure of information stored on the system could have a serious adverse impact on organizational operations, organizational assets, or individuals,” according to Federal Information Processing Standards (FIPS) 199.
66- The system administrators in Yariv’s organization are not installing patches in a timely manner. When asked, they note that they are busy with other tasks, and that their business units require the systems to always be available. Which of the following action plans is most likely to help change this behavior?
- Changing business requirements
- Compensating controls
- Implementing configuration management
- Instituting a training program
Instituting a training program
Training programs help increase awareness and compliance with organizational policies and practices. Yariv should institute a training program to ensure that administrators understand why timely patching is needed. Changing business requirements might help resolve the need for systems to always be online but won’t resolve the issue of administrators not finding time to patch. Configuration management still requires administrators to participate, and compensating controls are only useful if they are implemented, thus running into the same time issue.
67- Oliver is developing a prioritization scheme for vulnerability remediation. Which one of the following is not generally accepted as an important criterion for prioritizing remediation?
- Vulnerability severity
- Age of vulnerability
- Criticality of system
- Difficulty of remediation
Age of vulnerability
The most commonly accepted criteria for vulnerability prioritization include criticality of the systems and information affected by the vulnerability, difficulty of remediating the vulnerability, severity of the vulnerability, and exposure of the vulnerability.
68- What regulatory schemes specifically require the use of vulnerability scanning?
- FISMA and PCI DSS
- PCI DSS and HIPAA
- HIPAA and GLBA
- GLBA and FISMA
FISMA and PCI DSS
The Federal Information Security Management Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS) both require the use of vulnerability scanning. The Gramm–Leach–Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) have no such requirement.
71- Which of the following types of staff are not frequently part of a CSIRT?
- Technical subject matter experts
- IT support staff
- Legal counsel
- Comptrollers
Comptrollers
Technical subject matter experts (SMEs), IT support staff, legal counsel, human resources staff members, and public relations and marketing staff are all frequently part of the CSIRT. Comptrollers are rarely part of the response process.
72- Greg has implemented a honeypot as part of his defenses. What term best describes this type of defense?
- A darknet defense
- A Trojan Horse defense
- An active defense
- A tarpit defense
An active defense
Greg has implemented a honeypot, which is a type of active defense used to capture information about attacker behavior. A darknet is a network that is otherwise unused that is monitored for attack traffic and scans to identify potential malicious actors. A Trojan Horse is a form of malware, and a tarpit is a defensive technique that is used to slow down attackers.
73- Olivia has requested that her development team run their web application security testing tools against their web applications, despite the fact that they just installed the most recent patches. What is this type of testing called?
- Regression testing
- Patch state validation
- WAV testing
- HTTP checking
Regression testing
Regression testing focuses on ensuring that changes have not reintroduced problems or created new issues. Olivia has asked her team to do regression testing to make sure that the patches have not created new problems or brought an old problem back.
74- What type of testing directly targets error handling paths, particularly those that are rarely used or might otherwise be missed during normal testing?
- Fuzzing
- Mutation testing
- Fault injection
- Fagan inspection
Fault injection
Fault injection directly injects faults into the error handling paths of an application and focuses on areas that might otherwise be missed. Fuzzing sends unexpected data, whereas mutation testing modifies the program itself to see how it handles unexpected behaviors. Fagan inspection is a formal inspection process.
Diamond Model of Intrusion Analysis
- adversary
- capability
- infrastructure
- victim
76- Which one of the following is not considered a core feature of the Diamond model of intrusion analysis?
- Adversary
- Methodology
- Victim
- Infrastructure
Methodology
Methodology is considered a meta‐feature, rather than a core feature of the Diamond model. The four core features, which correspond to the four vertices of the diamond, are the adversary, capability, infrastructure, and victim.
77- Martin is looking for ways to optimize his organization’s incident response effort. He would like to automatically pull information from DNS records when his SIEM triggers an alert, saving incident analysts the time of looking up those records. What term best describes this activity?
- Threat feed combination
- Webhook
- Data enrichment
- Single pane of glass
Data enrichment
This is best described as data enrichment, saving human analysts the tedious time of investigating routine details of an incident. There is no indication in the scenario that Martin is combining information from multiple threat feeds, using webhooks, or creating a single pane of glass environment.
80- Bonnie ran a vulnerability scan against one of her servers and received a report that the server contains buffer overflow vulnerabilities in the operating system. Which one of the following would be the most effective defense?
- Input validation
- Firewall
- Operating system patching
- Intrusion prevention system
Operating system patching
Buffer overflow vulnerabilities in an operating system require a vendor‐supplied patch to correct. Input validation would not be an effective defense. Although firewalls and intrusion prevention systems may block an attack, they would not resolve the underlying problem.
What is a good way to mitigate an XSS vulnerability?
Input Validation
85- Marek wants to engage with appropriate groups as he communicates about an incident. Which group should he involve if he believes that a crime was committed during the incident?
- Legal counsel
- Public relations
- Law enforcement
- Regulatory agencies
Law enforcement
While Marek may choose to involve others, if a crime was committed during an incident Marek is most likely to involve law enforcement.