Sybex Testbank Flashcards
Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace’s best course of action?
A. Initiate a high-priority change through her organization’s change management process and wait for the change to be approved.
B. Implement a fix immediately and document the change after the fact.
C. Schedule a change for the next quarterly patch cycle.
D. Initiate a standard change through her organization’s change management process.
B. Implement a fix immediately and document the change after the fact.
In this situation, Grace is facing a true emergency. Her web server has a critical vulnerability that is exposed to the outside world and may be easily exploited. Grace should correct the issue immediately, informing all relevant stakeholders of the actions that she is taking. She can then follow up by documenting the change as an emergency action in her organization’s change management process. All of the other approaches in this question introduce an unacceptable delay.
During a port scan of a server, Miguel discovered that the following ports are open on the internal network:
TCP port 25
TCP port 80
TCP port 110
TCP port 443
TCP port 1433
TCP port 3389
The scan results provide evidence that a variety of services are running on this server. Which one of the following services is not indicated by the scan results?
A. Web
B. Database
C. SSH
D. RDP
C. SSH
Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. There is no evidence that SSH, which uses port 22, is running on this server.
While developing a web application, Chris sets his session ID length to 128 bits based on OWASP’s recommended session management standards. What reason would he have for needing such a long session ID?
A. To avoid duplication.
B. To allow for a large group of users.
C. To prevent brute-forcing.
D. All of the above.
C. To prevent brute-forcing.
OWASP recommends a large session ID value to avoid brute-force attacks. 2^128 is 340,282,366,920,938,463,463,374,607,431,768,211,456, a number that is far larger than you would need to avoid duplication of numbers, even for very large groups of users across the entire world. If you encounter a question like this and don’t know the answer, you can apply logic. In this case, the number is so large that it doesn’t make sense to use it for simply duplication avoidance, and any reasonable number of users—including the entire population of the world—would require fewer bits.
Kwame received an alert from his organization’s SIEM that it detected a potential attack against a web server on his network. However, he is unsure whether the traffic generating the alert actually entered the network from an external source or whether it came from inside the network. The NAT policy at the network perimeter firewall rewrites public IP addresses, making it difficult to assess this information based on IP addresses. Kwame would like to perform a manual log review to locate the source of the traffic. Where should he turn for the best information?
A. Application server logs
B. Database server logs
C. Firewall logs
D. Antimalware logs
C. Firewall logs
All of the data sources listed in this question may provide Kwame with further information about the attack. However, firewall logs would be best positioned to answer his specific question about the source of the attack. Since the firewall is performing network address translation (NAT), it would likely have a log entry of the original (pre-NAT) source IP address of the traffic.
Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase?
A. Vulnerability mitigation.
B. Restoration of permissions.
C. Verification of logging/communication to security monitoring.
D. Analysis of drive capacity consumption.
D. Analysis of drive capacity consumption.
Vulnerability mitigation, restoration of permissions, and the verification of logging and communication to security monitoring are all activities that normally occur during the eradication and recovery phase of incident response. The analysis of drive capacity consumption is the assessment of an indicator of compromise (IoC), which occurs during the detection and analysis phase of incident response.
After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs?
A. Power them down, take pictures of how each is connected, and log each system in as evidence.
B. Take photos of each system, power them down, and attach a tamper-evident seal to each PC.
C. Collect live forensic information, take photos of each system, and power them down.
D. Collect a static drive image, validate the hash of the image, and securely transport each system.
C. Collect live forensic information, take photos of each system, and power them down.
Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images onsite. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first.
Greg is concerned about the use of DDoS attack tools against his organization, so he purchased a mitigation service from his ISP. What portion of the threat model did Greg reduce?
A. Likelihood
B. Total attack surface
C. Impact
D. Adversary capability
C. Impact
By purchasing a mitigation service, Greg is reducing the potential impact of a DDoS attack. This service can’t reduce the likelihood that an attacker will launch an attack or the capability of that adversary. Greg did not change his own infrastructure, so he did not reduce the total attack surface.
Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.
Scott’s organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend?
A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development
C. Agile
The Agile method is heavily driven by user stories and customer involvement. Sprints deliver functional code, meaning that some elements of the product may be ready early.
Isaac’s organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?
A. Signature-based analysis
B. A Babbage machine
C. Machine learning
D. Artificial network analysis
C. Machine learning
Machine learning (ML) in systems like this relies on datasets to build profiles of behavior that it then uses to identify abnormal behavior. Such systems also use behavioral data that is frequently associated with attacks and malware and compare it to the user behavior patterns. Signature-based analysis uses hashing or other related techniques to verify whether files match a known malware package. The Babbage machine is a mechanical computer, and artificial network analysis was made up for this question.
Himari discovers the vulnerability shown here on several Windows systems in her organization. There is a patch available, but it requires compatibility testing that will take several days to complete. What type of file should Himari be watchful for because it may directly exploit this vulnerability?
A. Private key files
B. Word documents
C. Image files
D. Encrypted file
C. Image files
The vulnerability shown here affects PNG processing on systems running Windows. PNG is an acronym for Portable Network Graphics and is a common image file format.
Michelle wants to provide metrics for her security team’s incident response capabilities. Which of the following is not a common measure for teams like hers?
A. Mean time to detect.
B. Mean time to respond.
C. Mean time to remediate.
D. Mean time to compromise.
D. Mean time to compromise.
Mean time to compromise is not a typical metric or key performance indicator for security teams. Mean time to detect, mean time to respond, and mean time to remediate are all common metrics for teams.
Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the onsite team. Why are the items labeled like this?
A. To ensure chain of custody.
B. To ensure correct reassembly.
C. To allow for easier documentation of acquisition.
D. To tamper-proof the system.
B. To ensure correct reassembly.
Reassembling the system to match its original configuration can be important in forensic investigations. Color-coding each cable and port as a system is disassembled before moving helps to ensure proper reassembly. Mika should also have photos taken by the onsite investigators to match her reassembly work to the onsite configuration.
Mika wants to run an Nmap scan that includes all TCP ports and uses service detection. Which of the following nmap commands should she execute?
A. nmap -p0 -all -SC
B. nmap -p 1-32768 -sVS
C. nmap -p 1-65535 -sV -sS
D. nmap -all -sVS
C. nmap -p 1-65535 -sV -sS
Scanning the full range of TCP ports can be done using a SYN scan (-sS) and declaring the full range of possible ports (1-65535). Service version identification is enabled with the -sV flag.
Jackie is reviewing the risk scores found in a vulnerability report and notes that the risk she is reviewing scores a 1.0. What recommendation should Jackie make about the vulnerability?
A. It should be patched immediately because the risk score is high.
B. The risk is very low and can likely be ignored.
C. The risk is low and should be patched in the next patch cycle.
D. It should be patched immediately because it is in the top 10 percent of risks.
C. The risk is low and should be patched in the next patch cycle.
While a risk as low as 1.0 on the CVSS scale is unlikely to cause immediate harm, if a patch is available and does not introduce additional risk, it should still be installed at the next patch window.
Nathan downloads a BIOS/UEFI update from Dell’s website, and when he attempts to install it on the PC, he receives an error that the hash of the download does not match the hash stored on Dell’s servers. What type of protection is this?
A. Full-disk encryption
B. Firmware protection
C. Operating system protection
D. None of the above
B. Firmware protection
BIOS and UEFI are the firmware that controls system startup. In Dell’s implementation of this technology, a SHA-256 hash of the new firmware is compared to a known good hash on Dell’s servers. If an issue is detected, administrators are notified so that they can take appropriate action.