Sy06 Exam Braindumps 301-350 Flashcards
A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:
Host | Event ID | Event Source | Description
PC1 | 865 | Microsoft-Windows-SoftwareRestrictionPolicies | C:\adsf234\adsf234.exe was blocked by Group Policy
PC1 | 4688 | Microsoft-Windows-Security-Auditing | A new process has been created. New Process Name: powershell.exe; Creator Process Name: outlook.exe
PC1 | 4688 | Microsoft-Windows-Security-Auditing | A new process has been created. New Process Name: lat.ps1; Creator Process Name: powershell.exe
PC1 | 4625 | Microsoft-Windows-Security-Auditing | An account failed to log on. LogonType: 3; Security ID: Null SID; Workstation Name: PC1; Authentication Package Name: NTLM
Which of the following describes the method that was used to compromise the laptop?
a. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.
b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
c. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.
d. An attacker was able to phish user credentials successfully from an Outlook user profile
b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
The SIEM log provides clues about the method used to compromise the laptop. Let’s break down the log events:
Event ID 865 (Software Restriction Policies): Indicates that C:\adsf234\adsf234.exe was blocked by Group Policy. This shows that there was an attempt to run an executable that was blocked.
Event ID 4688 (Security Auditing): The first 4688 event shows that a new process, powershell.exe, was created with outlook.exe as its creator (parent) process. The second 4688 event shows that another new process, lat.ps1, was created with powershell.exe as the parent process.
Event ID 4625 (Security Auditing): Indicates a failed logon attempt using NTLM with LogonType 3 (network logon), which shows an unauthorized access attempt.
Given these events, let’s analyze the options:
a. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.
There is no evidence in the logs of lateral movement or pass-the-hash activity.
b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
This option aligns with the logs showing powershell.exe being started by outlook.exe, indicating that a malicious email could have initiated a PowerShell script.
c. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.
The logs show that adsf234.exe was blocked, not executed. There is no indication that this executable was successfully run to gain administrator rights.
d. An attacker was able to phish user credentials successfully from an Outlook user profile.
The logs do not indicate successful credential phishing. Instead, they show failed login attempts.
Based on the log analysis, the most accurate description of the method used to compromise the laptop is:
b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
This aligns with the evidence of powershell.exe being initiated by outlook.exe, which suggests a potential malicious email attachment.
A security analyst discovers that a company’s username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?
a. Create DLP controls that prevent documents from leaving the network.
b. Implement salting and hashing.
c. Configure the web content filter to block access to the forum.
d. Increase password complexity requirements.
b. Implement salting and hashing.
Here’s why:
Salting and Hashing: Storing passwords in plain text is a major security vulnerability. By implementing salting and hashing, passwords are transformed into a fixed-length string of characters, which does not directly reveal the original password. Salting adds an additional layer of security by adding a unique value to each password before hashing, making it more difficult for attackers to use precomputed tables (rainbow tables) to reverse the hash back to the original password. This makes it significantly harder for attackers to exploit the stolen password data.
The other options, while potentially useful in certain contexts, do not address the core issue of protecting passwords in storage:
DLP Controls: While Data Loss Prevention (DLP) controls can help prevent sensitive documents from leaving the network, they do not specifically address the secure storage of passwords.
Web Content Filter: Configuring a web content filter to block access to the forum where the data was posted does not prevent the initial exposure of the passwords or secure them in storage.
Password Complexity Requirements: Increasing password complexity can make passwords harder to guess but does not protect them if they are stored in plain text and subsequently stolen.
Therefore, implementing salting and hashing is the most effective way to mitigate the damage of future data exfiltration incidents involving passwords.
Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe’s identity before sending him the prize. Which of the following BEST describes this type of email?
a. Spear phishing
b. Whaling
c. Phishing
d. Vishing
c. Phishing
Here’s an explanation:
Phishing: This is a broad term for fraudulent attempts to obtain sensitive information such as personal details, usernames, passwords, and credit card numbers by masquerading as a trustworthy entity in electronic communications. In this case, the email claiming that Joe has won a lottery and asking for his personal information is a classic example of phishing.
The other options describe more specific types of phishing or related attacks:
Spear Phishing: This is a targeted form of phishing where the attacker customizes the email to a specific individual or organization, often using personal information to make the attack more convincing. There is no indication that Joe was specifically targeted; it seems more like a general phishing attempt.
Whaling: This type of phishing targets high-profile individuals such as executives or senior officials. There is no indication that Joe is a high-profile individual, so this does not fit the description.
Vishing: This is a form of phishing that uses voice communication (phone calls) instead of email. Since the attack described involves an email, it does not qualify as vishing.
Therefore, the best description for the email Joe received is phishing.
A company deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the analyst disable to enhance the access point security?
a. WPA3
b. AES
c. RADIUS
d. WPS
d. WPS
Here’s an explanation:
WPA3: This is the latest and most secure WiFi encryption protocol currently available. Disabling WPA3 would reduce security.
AES: Advanced Encryption Standard (AES) is a strong encryption algorithm used to protect WiFi communications. Disabling AES would weaken security.
RADIUS: Remote Authentication Dial-In User Service (RADIUS) is used for authentication and authorization in a secure manner, especially in enterprise environments. Disabling RADIUS would decrease security.
WPS: Wi-Fi Protected Setup (WPS) is a network security standard that attempts to let users easily secure a wireless home network. However, WPS has known vulnerabilities that can be exploited by attackers to gain unauthorized access to the network. Disabling WPS improves security by removing these vulnerabilities.
Therefore, disabling WPS is the best option to enhance the security of the WiFi access point.
Which of the following would be used to find the MOST common web-application vulnerabilities?
a. OWASP
b. MITRE ATT&CK
c. Cyber Kill Chain
d. SDLC
a. OWASP (Open Web Application Security Project)
Here’s an explanation:
OWASP: The Open Web Application Security Project provides a list of the top ten most critical web application security risks. It is widely used and recognized in the industry as a primary source for identifying common web-application vulnerabilities and understanding how to address them.
MITRE ATT&CK: This framework provides a comprehensive matrix of tactics, techniques, and procedures used by attackers. While it is an excellent resource for understanding how attacks are carried out, it is not specifically focused on web-application vulnerabilities.
Cyber Kill Chain: This model describes the stages of a cyber attack but does not specifically focus on web-application vulnerabilities.
SDLC (Software Development Life Cycle): This is a process for planning, creating, testing, and deploying an information system. While secure SDLC practices help in mitigating vulnerabilities, it is not a resource for identifying the most common web-application vulnerabilities.
Therefore, OWASP is the most appropriate choice for finding the most common web-application vulnerabilities.
A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue?
a. An external access point is engaging in an evil-twin attack.
b. The signal on the WAP needs to be increased in that section of the building.
c. The certificates have expired on the devices and need to be reinstalled.
d. The users in that section of the building are on a VLAN that is being blocked by the firewall
a. An external access point is engaging in an evil-twin attack.
Here’s why this is the most likely cause:
Evil-twin attack: An evil-twin attack involves an attacker setting up a rogue access point that mimics the legitimate access point's SSID and settings. This can cause users' devices to connect to the rogue access point, leading to connectivity issues, slow speeds, and credential harvesting (users being required to enter their credentials on web pages).
Signal on the WAP needs to be increased: If signal strength were the issue, users would not experience credential prompts or intermittent connectivity specifically when returning from other areas of the building.
Expired certificates: While expired certificates can cause connectivity issues, they are unlikely to lead to intermittent issues only in a specific section of the building and would not explain the need for users to re-enter credentials in this context.
VLAN being blocked by the firewall: If a VLAN were being blocked, users would consistently face connectivity issues, not intermittent ones, and it would not specifically affect users moving from other areas.
Given the symptoms of credential prompts and intermittent connectivity near the parking lot, an evil-twin attack is the most plausible explanation.
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?
a. Nmap
b. Wireshark
c. Autopsy
d. DNSEnum
a. Nmap
Here’s why:
Nmap: Nmap is a powerful network scanning tool that can be used to discover hosts and services on a computer network. It is commonly used to identify open ports and the services running on those ports, making it ideal for checking which services are running on a server.
Wireshark: Wireshark is a network protocol analyzer used for network troubleshooting, analysis, and protocol development. While it is useful for capturing and analyzing network traffic, it is not typically used to identify running services directly.
Autopsy: Autopsy is a digital forensics tool used for analyzing hard drives and other media for evidence. It is not designed to identify running services on a server.
DNSEnum: DNSEnum is a DNS enumeration tool used to gather information about DNS records and perform DNS reconnaissance. It is not used to identify running services on a server.
Therefore, Nmap is the best choice for confirming whether unnecessary services are running on a server.
A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?
a. Detective
b. Compensating
c. Deterrent
d. Corrective
b. Compensating
Here’s why:
Compensating: Compensating controls are alternative measures implemented to mitigate the risk when the primary control (such as a patch) is not available or feasible. In this context, a compensating control might involve implementing additional security measures, such as restricting access, using firewalls, or monitoring for suspicious activity, to reduce the risk posed by the vulnerability until a proper fix can be released.
Detective: Detective controls are designed to identify and detect unwanted events or incidents. While useful for monitoring and alerting, they do not mitigate or reduce the risk of the vulnerability directly.
Deterrent: Deterrent controls are intended to discourage an attacker from attempting to exploit a vulnerability. While they can reduce the likelihood of an attack, they do not address the underlying vulnerability.
Corrective: Corrective controls are designed to fix or correct an issue after it has been identified. However, in this case, a corrective control (such as a patch) does not exist yet, so it is not applicable.
Therefore, compensating controls are the best option to mitigate the risk posed by the vulnerability until a proper fix is released.
While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing?
a. SNMP traps
b. A Telnet session
c. An SSH connection
d. SFTP traffic
b. A Telnet session
Here’s why:
Telnet: Telnet is an older network protocol used for remote management that transmits data, including usernames and passwords, in plaintext. This makes it easy for anyone capturing network traffic to read the credentials.
SNMP traps: SNMP (Simple Network Management Protocol) traps are messages sent from a device to a management system, typically containing status information or alerts. While SNMP v1 and v2c do not encrypt their data, SNMP v3 can be configured to do so. However, SNMP traps usually do not contain usernames and passwords in the way described.
SSH connection: SSH (Secure Shell) is a protocol used for secure remote management and file transfers. SSH encrypts all data transmitted between the client and server, making it highly unlikely that a network security analyst would observe plaintext usernames and passwords.
SFTP traffic: SFTP (SSH File Transfer Protocol) is a secure version of FTP that operates over an SSH connection. Like SSH, SFTP encrypts all data transmitted, so plaintext usernames and passwords would not be observable.
Therefore, the presence of plaintext usernames and passwords in network traffic strongly suggests the use of Telnet.
An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document’s contents, the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks was used?
a. Cryptomalware
b. Hash substitution
c. Collision
d. Phishing
(Community: C 71%, B 29%)
c. Collision
Here’s why:
Cryptomalware: Cryptomalware typically refers to malware that encrypts files on a victim's system, often for the purpose of extortion (ransomware). This attack does not involve modifying a document while maintaining a valid digital signature.
Hash substitution: Hash substitution involves replacing a legitimate hash with a fraudulent one. However, if the original hash value is known or retrievable, the attack can be detected because the substituted hash will not match the recalculated hash of the document.
Collision: A collision attack occurs when two different inputs produce the same hash value. In the context of digital signatures, if an attacker can create a modified document that hashes to the same value as the original document, they can replace the original document with the modified one without invalidating the digital signature. This allows the attacker to change the document's contents without being detected through normal integrity checks, as the hash (and therefore the digital signature) appears to be correct.
Phishing: Phishing is a social engineering attack where an attacker attempts to trick individuals into providing sensitive information or performing certain actions by pretending to be a trustworthy entity. This does not involve modifying digital documents directly.
In this case, the attack method that best explains how the document was modified without invalidating the digital signature is a collision attack.
(Braindump: b. Hash substitution)
A security analyst notices that specific files are being deleted each time a systems administrator is on vacation. Which of the following BEST describes the type of malware that is running?
a. Fileless virus
b. Logic bomb
c. Keylogger
d. Ransomware
b. Logic bomb
Here’s why:
Fileless virus: A fileless virus operates in memory and does not typically delete files as described in the scenario. It focuses on executing malicious code without leaving traditional traces like files on disk.
Logic bomb: A logic bomb is a type of malicious code that is triggered by a specific event or condition. In this case, the condition triggering the deletion of files is the absence of the systems administrator (when they are on vacation). This fits the scenario where files are systematically deleted only during the administrator's absence.
Keylogger: A keylogger is a type of malware that records keystrokes, usually to capture passwords or other sensitive information typed by users. It does not typically involve file deletion based on specific conditions related to an administrator's absence.
Ransomware: Ransomware encrypts files and demands payment for decryption. It does not selectively delete files based on the presence or absence of specific individuals like a systems administrator on vacation.
Therefore, based on the behavior described in the scenario, the type of malware that is likely running is a logic bomb.
Which of the following involves the inclusion of code in the main codebase as soon as it is written?
a. Continuous monitoring
b. Continuous deployment
c. Continuous validation
d. Continuous integration
(Braindump: d. Continuous integration)
b. Continuous deployment
a. Continuous monitoring:
Definition: Continuous monitoring involves the ongoing surveillance, assessment, and analysis of systems and networks to ensure that security controls and processes remain effective over time.
Use: It is primarily used in cybersecurity contexts to detect and respond to security threats and vulnerabilities in real-time.
b. Continuous deployment:
Definition: Continuous deployment is a software engineering approach in which every code change that passes automated testing is automatically deployed to production without manual intervention.
Use: It allows teams to release software updates frequently, ensuring that new features and bug fixes reach users quickly. This practice requires a robust automated testing and deployment pipeline.
c. Continuous validation:
Definition: Continuous validation is the process of continuously testing and validating software applications throughout the development lifecycle to ensure they meet requirements and quality standards.
Use: It ensures that each stage of development, from planning to deployment, includes rigorous testing and validation procedures to identify and address issues early.
d. Continuous integration:
Definition: Continuous integration (CI) is a software development practice where team members frequently integrate their code changes into a shared repository. Each integration triggers an automated build and automated tests to detect integration errors quickly.
Use: CI aims to improve collaboration among team members and increase the speed of software delivery. It helps maintain code quality by catching bugs early in the development process.
Which of the following can reduce vulnerabilities by avoiding code reuse?
a. Memory management
b. Stored procedures
c. Normalization
d. Code obfuscation
d. Code obfuscation
Explanation:
Code obfuscation is a technique used to modify code to make it more difficult to understand, reverse-engineer, or reuse without authorization. By obfuscating code, developers can reduce vulnerabilities associated with exposing sensitive logic or algorithms that could be exploited by attackers. It doesn’t prevent code reuse entirely but makes it harder for malicious actors to understand and exploit vulnerabilities in reused code.
Let’s briefly explain the other options for clarity:
a. Memory management: While important for preventing vulnerabilities like memory leaks or buffer overflows, it primarily concerns efficient use of memory resources and doesn’t directly relate to avoiding code reuse.
b. Stored procedures: These are precompiled SQL statements stored in a database, used to improve performance and security by reducing the risk of SQL injection attacks. They are not directly related to avoiding code reuse in the context of software development.
c. Normalization: This refers to organizing data in a database to reduce redundancy and improve data integrity. It is crucial for database design but doesn’t address avoiding code reuse in software development.
In contrast, code obfuscation specifically aims to make code more resistant to reverse engineering and reuse, thus indirectly reducing vulnerabilities associated with exposed code logic.
The technology department at a large global company is expanding its Wi-Fi network infrastructure at the headquarters building. Which of the following should be closely coordinated between the technology, cybersecurity, and physical security departments? Select 1
a. Authentication protocol
b. Encryption type
c. WAP placement
d. VPN configuration
c. WAP placement
Explanation:
WAP (Wireless Access Point) placement involves determining where access points will be installed throughout the building. This decision impacts both network coverage and security.
Technology department: Responsible for implementing the network infrastructure and ensuring adequate coverage.
Cybersecurity department: Ensures that WAP placement doesn't compromise network security by considering factors like signal reach, interference, and segregation of network segments.
Physical security department: Ensures that access points are placed in physically secure locations to prevent tampering or unauthorized access.
While authentication protocols, encryption types, and VPN configurations are crucial aspects of network security and operations, WAP placement directly impacts network coverage, reliability, and security, making it essential for coordination among these departments during the expansion of the Wi-Fi network infrastructure.
Which of the following is an example of risk avoidance?
a. Installing security updates directly in production to expedite vulnerability fixes
b. Buying insurance to prepare for financial loss associated with exploits
c. Not installing new software to prevent compatibility errors
d. Not taking preventive measures to stop the theft of equipment
Risk avoidance refers to taking actions to eliminate or withdraw from the risk altogether. Among the given options:
c. Not installing new software to prevent compatibility errors
This option best exemplifies risk avoidance because by choosing not to install new software, the organization avoids the potential risk of encountering compatibility issues that could lead to operational disruptions or vulnerabilities. This approach eliminates the risk rather than managing or mitigating it, which aligns with the principle of risk avoidance in risk management strategies.
A security administrator needs to block a TCP connection using the corporate firewall. Because this connection is potentially a threat, the administrator does not want to send back an RST. Which of the following actions in the firewall rule would work BEST?
a. Drop
b. Reject
c. Log alert
d. Permit
Since the administrator wants to block the connection without sending back an RST (Reset) packet, the best action to use in the firewall rule is:
a. Drop
Explanation:
Drop: This action silently discards the packets of the blocked connection without sending any response back to the source. The connection is terminated without notifying the sender, which helps avoid revealing information about the firewall's configuration or the existence of the protected network.
Reject: This action sends back an ICMP "port unreachable" message (or an RST packet for TCP) to the sender, indicating that the connection attempt was actively refused. Since the administrator wants to avoid sending an RST, this option is not suitable.
Log alert: This action logs the event but still sends an ICMP message indicating the port is unreachable, similar to "reject".
Permit: This action allows the connection through, which is the opposite of what the administrator wants to achieve in this case.
Therefore, a. Drop is the most appropriate action to block the TCP connection while minimizing response to the sender.
Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?
a. Intelligence fusion
b. Review reports
c. Log reviews
d. Threat feeds
d. Threat feeds
Explanation:
Threat feeds refer to data streams compiled through artificial intelligence and other methods to provide real-time or near-real-time information about current cyber threats, intrusions, phishing campaigns, malware, and other malicious activities. These feeds aggregate data from various sources such as security researchers, threat intelligence platforms, cybersecurity vendors, and global cybersecurity communities. They are used by security teams to enhance their threat detection and response capabilities by staying informed about the latest threats and trends in the cybersecurity landscape.
Intelligence fusion involves integrating multiple sources of intelligence to produce enhanced insights, which can include threat feeds but encompasses broader intelligence sources beyond just cyber threats.
Review reports and log reviews are more specific activities related to examining historical data or logs to identify security incidents or trends, rather than ongoing streams of real-time threat information.
Therefore, d. Threat feeds specifically describes the ongoing data streams compiled through AI to provide insight into current cyberintrusions, phishing, and other malicious cyberactivity.
A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would MOST likely contain language that would prohibit this activity?
a. NDA
b. BPA
c. AUP
d. SLA
c. AUP (Acceptable Use Policy)
Explanation:
Acceptable Use Policy (AUP): This policy defines the acceptable ways in which company resources, including devices like computers and mobile phones, can be used. It typically includes guidelines on software installation, specifying that only approved or necessary software for work purposes should be installed. AUPs often prohibit the installation of unauthorized or non-work-related software to maintain security, compliance, and operational efficiency.
NDA (Non-Disclosure Agreement): This document outlines confidentiality obligations related to sensitive company information and does not typically address device usage or software installation.
BPA (Business Partnership Agreement): This agreement governs the relationship between business partners and may not directly address device usage or software installation.
SLA (Service Level Agreement): This agreement defines the level of service expected from a vendor and does not typically address device usage or software installation.
Therefore, c. AUP is the correct choice as it directly pertains to defining appropriate use of company resources, including devices, which would encompass the prohibition of non-work-related software installations.
Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?
a. OWASP
b. Vulnerability scan results
c. NIST CSF
d. Third-party libraries
a. OWASP
Explanation:
OWASP (Open Web Application Security Project) is a nonprofit organization focused on improving the security of software. It provides resources, tools, and best practices for secure coding, particularly for web applications. OWASP offers guidelines, cheat sheets, and extensive documentation on common vulnerabilities and how to mitigate them through secure coding practices.
Vulnerability scan results provide information about existing vulnerabilities in applications but do not necessarily focus on educating developers on secure coding practices.
NIST CSF (Cybersecurity Framework) is a framework developed by the National Institute of Standards and Technology (NIST) to help organizations manage and improve their cybersecurity posture. It provides a framework for risk management but is not specifically focused on secure coding practices for developers.
Third-party libraries are external code components that developers integrate into their applications. While important for security, they do not directly educate developers on secure coding practices for web applications.
Therefore, a. OWASP is the best resource for a software developer looking to improve secure coding practices specifically for web applications.
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive?
a. An annual privacy notice
b. A non-disclosure agreement
c. A privileged-user agreement
d. A memorandum of understanding
a. An annual privacy notice
Explanation:
Annual privacy notice: Financial institutions are required to send out annual privacy notices to their customers explaining how their personal information (PII) is shared and with whom. These notices inform customers about their rights regarding their personal data and the company's practices related to data sharing and privacy.
Non-disclosure agreement (NDA): This is a legal contract between two parties to keep certain information confidential. It is typically used in business partnerships or employment contexts to protect sensitive information but does not apply to customer notifications about data sharing.
Privileged-user agreement: This is an agreement that specifies the responsibilities and acceptable use policies for users with elevated access privileges within an organization. It is not related to customer notifications about data sharing.
Memorandum of understanding (MOU): An MOU is a document that outlines the terms and details of an agreement between parties before the final agreement is signed. It is used to formalize a relationship between parties but is not related to notifying customers about data sharing practices.
Therefore, a. An annual privacy notice is the document Ann received, as it is the one that explains how her PII may be shared with partners, affiliates, and associates for business operations.