Sybex Testbank Flashcards

1
Q

Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace’s best course of action?

A. Initiate a high-priority change through her organization’s change management process and wait for the change to be approved.

B. Implement a fix immediately and document the change after the fact.

C. Schedule a change for the next quarterly patch cycle.

D. Initiate a standard change through her organization’s change management process.

A

B. Implement a fix immediately and document the change after the fact.

In this situation, Grace is facing a true emergency. Her web server has a critical vulnerability that is exposed to the outside world and may be easily exploited. Grace should correct the issue immediately, informing all relevant stakeholders of the actions that she is taking. She can then follow up by documenting the change as an emergency action in her organization’s change management process. All of the other approaches in this question introduce an unacceptable delay.

2
Q

During a port scan of a server, Miguel discovered that the following ports are open on the internal network:

TCP port 25
TCP port 80
TCP port 110
TCP port 443
TCP port 1433
TCP port 3389

The scan results provide evidence that a variety of services are running on this server. Which one of the following services is not indicated by the scan results?

A. Web
B. Database
C. SSH
D. RDP

A

C. SSH

Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. There is no evidence that SSH, which uses port 22, is running on this server.

3
Q

While developing a web application, Chris sets his session ID length to 128 bits based on OWASP’s recommended session management standards. What reason would he have for needing such a long session ID?

A. To avoid duplication.
B. To allow for a large group of users.
C. To prevent brute-forcing.
D. All of the above.

A

C. To prevent brute-forcing.

OWASP recommends a large session ID value to avoid brute-force attacks. 2^128 is 340,282,366,920,938,463,463,374,607,431,768,211,456, a number that is far larger than you would need to avoid duplication of numbers, even for very large groups of users across the entire world. If you encounter a question like this and don’t know the answer, you can apply logic. In this case, the number is so large that it doesn’t make sense to use it for simply duplication avoidance, and any reasonable number of users—including the entire population of the world—would require fewer bits.

4
Q

Kwame received an alert from his organization’s SIEM that it detected a potential attack against a web server on his network. However, he is unsure whether the traffic generating the alert actually entered the network from an external source or whether it came from inside the network. The NAT policy at the network perimeter firewall rewrites public IP addresses, making it difficult to assess this information based on IP addresses. Kwame would like to perform a manual log review to locate the source of the traffic. Where should he turn for the best information?

A. Application server logs
B. Database server logs
C. Firewall logs
D. Antimalware logs

A

C. Firewall logs

All of the data sources listed in this question may provide Kwame with further information about the attack. However, firewall logs would be best positioned to answer his specific question about the source of the attack. Since the firewall is performing network address translation (NAT), it would likely have a log entry of the original (pre-NAT) source IP address of the traffic.

5
Q

Camilla is participating in the eradication and recovery stage of an incident response process. Which one of the following activities would not normally occur during this phase?

A. Vulnerability mitigation.
B. Restoration of permissions.
C. Verification of logging/communication to security monitoring.
D. Analysis of drive capacity consumption.

A

D. Analysis of drive capacity consumption.

Vulnerability mitigation, restoration of permissions, and the verification of logging and communication to security monitoring are all activities that normally occur during the eradication and recovery phase of incident response. The analysis of drive capacity consumption is the assessment of an indicator of compromise (IoC), which occurs during the detection and analysis phase of incident response.

6
Q

After arriving at an investigation site, Brian determines that three powered-on computers need to be taken for forensic examination. What steps should he take before removing the PCs?

A. Power them down, take pictures of how each is connected, and log each system in as evidence.

B. Take photos of each system, power them down, and attach a tamper-evident seal to each PC.

C. Collect live forensic information, take photos of each system, and power them down.

D. Collect a static drive image, validate the hash of the image, and securely transport each system.

A

C. Collect live forensic information, take photos of each system, and power them down.

Brian should determine whether he needs live forensic information, but if he is not certain, the safest path for him is to collect live forensic information, take photos so that he knows how each system was set up and configured, and then power them down. He would then log each system as evidence and will likely create forensic copies of the drives once he reaches his forensic work area or may use a portable forensic system to make drive images onsite. Powering a running system down can result in the loss of significant forensic information, meaning that powering a system down before collecting some information is typically not recommended. Collecting a static image of a drive requires powering the system down first.

7
Q

Greg is concerned about the use of DDoS attack tools against his organization, so he purchased a mitigation service from his ISP. What portion of the threat model did Greg reduce?

A. Likelihood
B. Total attack surface
C. Impact
D. Adversary capability

A

C. Impact

By purchasing a mitigation service, Greg is reducing the potential impact of a DDoS attack. This service can’t reduce the likelihood that an attacker will launch an attack or the capability of that adversary. Greg did not change his own infrastructure, so he did not reduce the total attack surface.

8
Q

Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.

Scott’s organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend?

A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development

A

C. Agile

The Agile method is heavily driven by user stories and customer involvement. Sprints deliver functional code, meaning that some elements of the product may be ready early.

9
Q

Isaac’s organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?

A. Signature-based analysis
B. A Babbage machine
C. Machine learning
D. Artificial network analysis

A

C. Machine learning

Machine learning (ML) in systems like this relies on datasets to build profiles of behavior that it then uses to identify abnormal behavior. These systems also take behavioral data that is frequently associated with attacks and malware and compare it to the user behavior patterns. Signature-based analysis uses hashing or other related techniques to verify if files match a known malware package. The Babbage machine is a mechanical computer, and artificial network analysis was made up for this question.

10
Q

Himari discovers the vulnerability shown here on several Windows systems in her organization. There is a patch available, but it requires compatibility testing that will take several days to complete. What type of file should Himari be watchful for because it may directly exploit this vulnerability?

A. Private key files
B. Word documents
C. Image files
D. Encrypted file

A

C. Image files

The vulnerability shown here affects PNG processing on systems running Windows. PNG is an acronym for Portable Network Graphics and is a common image file format.

11
Q

Michelle wants to provide metrics for her security team’s incident response capabilities. Which of the following is not a common measure for teams like hers?

A. Mean time to detect.
B. Mean time to respond.
C. Mean time to remediate.
D. Mean time to compromise.

A

D. Mean time to compromise.

Mean time to compromise is not a typical metric or key performance indicator for security teams. Mean time to detect, mean time to respond, and mean time to remediate are all common metrics for teams.

12
Q

Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the onsite team. Why are the items labeled like this?

A. To ensure chain of custody.
B. To ensure correct reassembly.
C. To allow for easier documentation of acquisition.
D. To tamper-proof the system.

A

B. To ensure correct reassembly.

Reassembling the system to match its original configuration can be important in forensic investigations. Color-coding each cable and port as a system is disassembled before moving helps to ensure proper reassembly. Mika should also have photos taken by the onsite investigators to match her reassembly work to the onsite configuration.

13
Q

Mika wants to run an Nmap scan that includes all TCP ports and uses service detection. Which of the following nmap commands should she execute?

A. nmap -p0 -all -SC
B. nmap -p 1-32768 -sVS
C. nmap -p 1-65535 -sV -sS
D. nmap -all -sVS

A

C. nmap -p 1-65535 -sV -sS

Scanning the full range of TCP ports can be done using a SYN scan (-sS) and declaring the full range of possible ports (1-65535). Service version identification is enabled with the -sV flag.

14
Q

Jackie is reviewing the risk scores found in a vulnerability report and notes that the risk she is reviewing scores a 1.0. What recommendation should Jackie make about the vulnerability?

A. It should be patched immediately because the risk score is high.
B. The risk is very low and can likely be ignored.
C. The risk is low and should be patched in the next patch cycle.
D. It should be patched immediately because it is in the top 10 percent of risks.

A

C. The risk is low and should be patched in the next patch cycle.

While a risk as low as 1.0 on the CVSS scale is unlikely to cause immediate harm, if a patch is available and does not introduce additional risk, it should still be installed at the next patch window.

15
Q

Nathan downloads a BIOS/UEFI update from Dell’s website, and when he attempts to install it on the PC, he receives an error that the hash of the download does not match the hash stored on Dell’s servers. What type of protection is this?

A. Full-disk encryption
B. Firmware protection
C. Operating system protection
D. None of the above

A

B. Firmware protection

BIOS and UEFI are the firmware that controls system startup. In Dell’s implementation of this technology, a SHA-256 hash of the new firmware is compared to a known good hash on Dell’s servers. If an issue is detected, administrators are notified so that they can take appropriate action.

16
Q

Joe discovered a critical vulnerability in his organization’s database server and received permission from his supervisor to implement an emergency change after the close of business. He has eight hours before the planned change window. In addition to planning the technical aspects of the change, what else should Joe do to prepare for the change?

A. Ensure that all stakeholders are informed of the planned outage.
B. Document the change in his organization’s change management system.
C. Identify any potential risks associated with the change.
D. All of the above.

A

D. All of the above.

Joe has time to conduct some communication and change management before making the change. Even though this change is urgent, Joe should take advantage of that time to communicate with stakeholders, conduct a risk assessment, and initiate change management processes. These tasks will likely be abbreviated forms of what Joe would do if he had time to plan a change normally, but he should make every effort to complete them.

17
Q

Ling recently completed the security analysis of a web browser deployed on systems in her organization and discovered that it is susceptible to a zero-day integer overflow attack. Who is in the best position to remediate this vulnerability in a manner that allows continued use of the browser?

A. Ling
B. The browser developer
C. The network administrator
D. The domain administrator

A

B. The browser developer

Ling or the domain administrator could remove the software from the system, but this would not allow continued use of the browser. The network administrator could theoretically block all external web browsing, but this is not a practical solution. The browser developer is the only one in a good situation to correct an overflow error because it is a flaw in the code of the web browser.

18
Q

Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?

A. IOCs
B. Methods of data ingestion
C. SCAP connections
D. Attack vectors

A

B. Methods of data ingestion

SOAR systems offer many ways to ingest data, and syslog, APIs, email, STIX/TAXII feeds, and database connections are all common ways for data to be acquired.

19
Q

Aadesh is creating a vulnerability management program for his company. He has limited scanning resources and would like to apply them to different systems based on the sensitivity and criticality of the information that they handle. What criteria should Aadesh use to determine the vulnerability scanning frequency?

A. Data remanence
B. Data privacy
C. Data classification
D. Data sovereignty

A

C. Data classification

Data classification is a set of labels applied to information based on its degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely on data privacy.

20
Q

Adam works for a large university and sees the following graph in his PRTG console when looking at a yearlong view. What behavioral analysis could he leverage based on this pattern?

A. Identify unexpected traffic during breaks like the low point at Christmas.
B. He can determine why major traffic drops happen on weekends.
C. He can identify top talkers.
D. Adam cannot make any behavioral determinations based on this chart.

A

A. Identify unexpected traffic during breaks like the low point at Christmas.

Adam will quickly note that weekends see small drops, but Christmas vacation and summer break both see significant drops in overall traffic. He can use this as a baseline to identify unexpected traffic during those times or to understand what student and faculty behavior mean to his organization’s network usage.

21
Q

Latisha is the ISO for her company and is notified that a zero-day exploit has been released that can result in remote code execution on all Windows workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response?

A. Firewalling
B. Patching
C. Isolation
D. Segmentation

A

A. Firewalling

Latisha knows that Windows domain services can be blocked using a network firewall. As long as she builds the correct ruleset, she can prevent external systems from sending this type of traffic to her Windows workstations. She may still want to segment her network to protect the most important workstations, but her first move should be to use her firewalls to prevent the traffic from reaching the workstations.

22
Q

Helen is seeking to protect her organization against attacks that involve the theft of user credentials. In most organizations, which one of the following threats poses the greatest risk of credential theft?

A. DNS poisoning
B. Phishing
C. Telephone-based social engineering
D. Shoulder surfing

A

B. Phishing

Although all the techniques listed may be used to engage in credential theft, phishing is, by far, the most common way that user accounts become compromised in most organizations.

23
Q

Scott needs to ensure that the system he just rebuilt after an incident is secure. Which type of scan will provide him with the most useful information to meet his goal?

A. An authenticated vulnerability scan from a trusted internal network.
B. An unauthenticated vulnerability scan from a trusted internal network.
C. An authenticated scan from an untrusted external network.
D. An unauthenticated scan from an untrusted external network.

A

A. An authenticated vulnerability scan from a trusted internal network.

Since Scott needs to know more about potential vulnerabilities, an authenticated scan from a trusted internal network will provide him with the most information. He will not gain a real attacker’s view, but in this case, having more detail is important.

24
Q

Mila ran a vulnerability scan of a server in her organization and found the vulnerability shown here. What is the use of the service affected by this vulnerability?

A. Web server
B. Database server
C. Email server
D. Directory server

A

C. Email server

The Post Office Protocol v3 (POP3) is used for retrieving email from an email server.

25
Q

Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization’s screened subnet (otherwise known as a DMZ). How should she rate the likelihood of this occurring?

A. Low.
B. Medium.
C. High.
D. There is not enough information for Alex to provide a rating.

A

C. High.

Alex knows that systems that are exposed to the Internet like screened subnet (DMZ) systems are constantly being scanned. She should rate the likelihood of the scan occurring as high. In fact, there is a good chance that a scan will be occurring while she is typing up her report!

26
Q

After receiving complaints about a system on Anastasia’s network not performing correctly, she decides to investigate the issue by capturing traffic with Wireshark. The captured traffic is shown here. What type of issue is Anastasia most likely seeing?

A. A link failure.
B. A failed three-way handshake.
C. A DDoS.
D. A SYN flood.

A

D. A SYN flood.

The repeated SYN packets are likely a SYN flood that attempts to use up resources on the target system. A failed three-way handshake might initially appear similar but will typically not show this volume of attempts. A link failure would not show traffic from a remote system, and a DDoS would involve more than one system sending traffic.

27
Q

Harry is developing a vulnerability scanning program for a large network of sensors used by his organization to monitor a transcontinental gas pipeline. What term is commonly used to describe this type of sensor network?

A. WLAN
B. VPN
C. P2P
D. SCADA

A

D. SCADA

A supervisory control and data acquisition (SCADA) network is a form of industrial control system (ICS) that is used to maintain sensors and control systems over a large geographic area.

28
Q

You are reviewing the methods that your organization uses to communicate with the media during an incident response effort. Which one of the following is not a commonly accepted practice?

A. Inform the media immediately of developments in the investigation.
B. Conduct practice sessions for incident responders who communicate with the media.
C. Establish media briefing procedures in advance of an incident.
D. Maintain an incident response status document.

A

A. Inform the media immediately of developments in the investigation.

Communications with the media should be carefully planned and timed to share relevant information at the appropriate moment. Organizations should not have a default policy of immediately sharing all information, as that might result in adverse publicity, create legal risk, or hinder the investigation. The other activities listed here are all best practices for incident communications.

29
Q

Kathleen’s forensic analysis of a laptop that is believed to have been used to access sensitive corporate data shows that the suspect tried to overwrite the data they downloaded as part of antiforensic activities by deleting the original files and then copying other files to the drive. Where is Kathleen most likely to find evidence of the original files?

A. The MBR
B. Unallocated space
C. Slack space
D. The FAT

A

C. Slack space

When clusters are overwritten, original data is left in the unused space between the end of the new file and the end of the cluster. This means that copying new files over old files can leave remnant data that may help Kathleen prove that the files were on the system by examining slack space.

30
Q

Barry’s organization is running a security exercise and Barry was assigned to conduct offensive operations. What term best describes Barry’s role in the process?

A. Red team
B. Purple team
C. Blue team
D. White team

A

A. Red team

In a security exercise, the red team is responsible for offensive operations, whereas the blue team is responsible for defensive operations. The white team serves as the neutral referees, whereas the purple team combines elements of the red team and blue team.

31
Q

Megan wants to check memory utilization on a macOS-based system. What Apple tool can she use to do this?

A. Activity Monitor.
B. MemControl.
C. Running memstat from the command line.
D. Running memctl from the command line.

A

A. Activity Monitor.

macOS has a built-in memory monitoring tool as part of Activity Monitor. It will show you details, including how much memory the system has, what is used by applications and the operating system, how much space is taken up by cached files to improve system performance, how much space is used on your disk for swap space, and how efficiently your memory is being used in the form of a statistic called memory pressure.

32
Q

What information is typically included in a list of affected hosts in a vulnerability management report?

A. Hostname and IP address.
B. IP address and MAC address.
C. Hostname and MAC address.
D. Hostname and subnet mask.

A

A. Hostname and IP address.

The hostname and IP address are commonly used to identify each vulnerable host in a vulnerability report. The hardware (MAC) address is not typically listed, and subnet masks are also not typically listed.

33
Q

Donna is working with a system engineer who wants to remediate vulnerabilities in a server that he manages. Of the report templates shown here, which would be most useful to the engineer?

A. Qualys Top 20 Report
B. PCI Technical Report
C. Executive Report
D. Technical Report

A

D. Technical Report

The Technical Report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and cover an entire network, rather than provide detailed information on a single system.

34
Q

Angela wants to access the decryption key for a BitLocker-encrypted system, but the system is currently turned off. Which of the following methods is a viable method if a Windows system is turned off?

A. Hibernation file analysis
B. Memory analysis
C. Boot-sector analysis
D. Brute-force cracking

A

A. Hibernation file analysis

If the system that Angela is attempting to access had mounted the encrypted volume before going to sleep and there is a hibernation file, Angela can use hibernation file analysis tools to retrieve the BitLocker key. If the system did not hibernate or the volume was not mounted when the system went to sleep, she will not be able to retrieve the keys. Memory analysis won’t work with a system that is off, the boot sector does not contain keys, and brute-force cracking is not a viable method of cracking BitLocker keys because of the time involved.

35
Q

Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1

A. 1
B. 3
C. 4
D. 5

A

C. 4

This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.

36
Q

Bounds checking, removing special characters, and forcing strings to match a limited set of options are all examples of what web application security technique?

A. SQL injection prevention
B. Input validation
C. XSS prevention
D. Fuzzing

A

B. Input validation

Input validation involves a variety of techniques, including checking the minimum and maximum range for numeric input, checking the length of input strings, removing special characters, and providing limited options for drop-down menus and other strings.

37
Q

Rick wants to validate his recovery efforts and intends to scan a web server he is responsible for with a scanning tool. What tool should he use to get the most useful information about system vulnerabilities?

A. Wapiti
B. Nmap
C. OpenVAS
D. ZAP

A

C. OpenVAS

Of the tools listed, only OpenVAS is a full-system vulnerability scanner. Wapiti is a web application scanner, ZAP is an attack proxy used for testing web applications, and Nmap is a port scanner.

38
Q

Jenna is helping her organization choose a set of security standards that will be used to secure a variety of operating systems. She is looking for industry guidance on the appropriate settings to use for Windows and Linux systems. Which one of the following tools will serve as the best resource?

A. ISO 27001
B. OWASP
C. PCI DSS
D. CIS benchmarks

A

D. CIS benchmarks

All of these resources provide valuable information to security professionals seeking to design a security program according to industry standards. However, only the Center for Internet Security (CIS) provides detailed baseline standards that include step-by-step instructions for configuring systems to meet specific security requirements. The CIS benchmarks are widely used as a resource for securing systems in various industries.

ISO 27001 is a standard for information security management systems (ISMS), which outlines a framework for managing and protecting sensitive information. While it may include some guidance on securing systems, it is not specific to Windows or Linux and is more focused on overall information security management.

Open Web Application Security Project (OWASP) is a nonprofit organization that provides a variety of resources for web application security, including a list of the top 10 most critical web application security risks. While it may include some guidance on securing systems, it is not specific to Windows or Linux and is more focused on web application security.

Payment Card Industry Data Security Standard (PCI DSS) is a standard for securing credit card information. There is no indication in the scenario that Jenna’s organization handles credit card data, so this would not be an appropriate standard for her to use.