Udemy CASP Practice Exam 6 Flashcards
You are attempting to exploit a network-based vulnerability against a RedHat Linux server. You execute the following commands and receive the results below:
Based on the output above, which of the following exploits are you using?
A. SMTP Exploit
B. FTP Exploit
C. SNMP Exploit
D. SMB Exploit
A. SMTP Exploit
Explanation:
OBJ-2.4: If you see a question like this, don’t let it confuse you. Look for keywords and phrases that you recognize to answer the question. As you look at the command issued in the first line, you may not recognize it. That is because this is an older exploit script that is being run with the parameters of support (the user account we are trying to exploit), DionTraining (our penetration testing machine’s name), and RedHat (our target/victim server). Ignoring this line, look at the second line where you see a keyword that you should recognize: Sendmail. Sendmail is a service that runs on Linux machines to “send mail” using the SMTP protocol over port 25. This is the key to answering this question. As you continue through the script, you see it performed a DNS name resolution from RedHat to the server’s IP, connected to the server, and successfully sent the exploit. This exploit conducts a buffer overflow against a vulnerable Sendmail server resulting in the server providing a remote callback to a listening port on the attacker’s machine (port 2525). This is why the attacker then telnets into their localhost over port 2525 and runs the whoami command to determine what user they are connected to the victimized server as. In this case, they are reported as the root user, which means this SMTP exploit was successful.
Dion Training has purchased a new office building and is outfitting their new conference room. Tamera installed a 10-foot screen and a projector in the conference room. Jason wants to install a device to allow team members the ability to watch movies or screencast presentations from their laptop to the projector. To keep costs down, the device should be an all-in-one device that contains the CPU, RAM, storage, and peripherals in a single small form factor device with an integrated HDMI output, such as a Roku Streaming Stick or a Fire TV Stick. Which of the following types of operational technology would best meet these requirements?
A. SoC
B. ASIC
C. FPGA
D. ICS
A. SoC
Explanation:
OBJ-3.3: A System on a Chip (SoC) integrates practically all the components of a traditional chipset (which is comprised of as many as four chips that control communication between the CPU, RAM, storage, and peripherals) into a single chip. SoC includes the processor as well as a GPU (graphics processor), memory, USB controller, power management circuits, and wireless radios. A field programmable gate array (FPGA) is a type of processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture. An FPGA can be configured by the end customer to run programming logic on the device for their specific use case or application. An application-specific integrated circuit (ASIC) is a type of processor designed to perform a specific function. ASICs are expensive to design and only work for a single application or function, such as the ASICs used to conduct switching in an Ethernet switch. Industrial control systems (ICS) provide mechanisms for workflow and process automation. These systems control machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services.
A network technician is selecting the best way to protect a branch office from as many different threats from the Internet as possible using a single device. Which of the following should meet these requirements?
A. Configure a UTM device
B. Configure a network-based firewall
C. Configure a NIDS device
D. Configure a host-based firewall
A. Configure a UTM device
Explanation:
OBJ-1.1: Since this is a branch office and you want to protect it from as many threats as possible, using a Unified Threat Management (UTM) device would be best. A UTM will protect you from most things using a single device. A network-based firewall would provide basic protection, but a UTM will include anti-virus and other protections beyond just a firewall’s capabilities. Host-based firewalls are great, but the network-based firewall or UTM device is configured to protect all devices on a network whereas a host-based firewall only protects the single host device. A network-based intrusion detection system (NIDS) can detect threats, but it cannot stop or prevent them.
Which protocol relies on mutual authentication of the client and the server for its security?
A. CHAP
B. RADIUS
C. Two-factor authentication
D. LDAPS
D. LDAPS
Explanation:
OBJ-1.5: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.
You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
A. SPF
B. NAC
C. ACL
D. MAC Filtering
B. NAC
Explanation:
OBJ-1.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.
A system administrator wants to verify that external IP addresses cannot collect software versioning from servers on the network. Which of the following should the system administrator do to confirm the network is protected?
A. Review the IDS logs on the network
B. Use Nmap to query known ports
C. Analyze packet capture
D. Utilize netstat to locate active connections
C. Analyze packet capture
Explanation:
OBJ-1.4: Packet captures contain every packet that is sent and received by the network. By using a program like Wireshark to analyze the packet captures, you can see what kind of information and metadata is contained within the packets. By conducting this type of packet analysis, an attacker (or cybersecurity analyst) can determine if software versions are being sent as part of the packets and their associated metadata.
An incident response team is publishing an incident summary report and is determining the evidence retention requirements for the data collected during a response. Which of the following incident response phases is currently being performed by the team?
A. Post incident activities
B. Preparation
C. Detection and analysis
D. Eradication and recovery
A. Post incident activities
Explanation:
OBJ-2.7: The post-incident activities phase is when report writing occurs, incident summary reports are published, evidence retention is determined, and lessons learned reports are created. An incident response has five stages: preparation, detection and analysis, containment, eradication and recovery, and post-incident activities.
Following a root cause analysis of an edge router’s unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?
A. Verify that all routers are patched to the latest release
B. Conduct secure supply chain management training
C. Increase network vulnerability scan frequency
D. Ensure antivirus signatures are up to date
B. Conduct secure supply chain management training
Explanation:
OBJ-4.2: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
Which of the following is the most important feature to consider when designing a system on a chip?
A. Space and power savings
B. Type of real-time operating system in use
C. Ability to be reconfigured after manufacture
D. Ability to interface with industrial control systems
A. Space and power savings
Explanation:
OBJ-3.3: A system on a chip is an integrated circuit that integrates all or most components of a computer or other electronic system. These components almost always include a central processing unit, memory, input/output ports, and secondary storage – all on a single substrate or microchip, the size of a coin. This makes the savings of space and power the most important feature to consider when designing a system on a chip.
Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, “Killers of the Arctic.” She believes this was done in response to her company’s latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement?
A. Script kiddie
B. Hacktivist
C. Organized crime
D. APT
B. Hacktivist
Explanation:
OBJ-2.1: It appears this hack was motivated by a pro-environmentalist agenda based on the message of the website defacement. This is an example of hacktivism. In 2012, five top multi-national oil companies were targeted by members of Anonymous as a form of digital protest against drilling in the Arctic, a practice that these hacktivists believe has contributed to the melting of the ice caps in that region.
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations’ hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn’t occur during this process?
A. Clear, validate and document the sanitization of the drives
B. The drives must be destroyed to ensure no data loss
C. Clear the drives
D. Purge, validate and document the sanitization of the drives
D. Purge, validate and document the sanitization of the drives
Explanation:
OBJ-4.3: Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives’ data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.
Dion Training wants to have a new practice exam web application developed and is now accepting requests for proposals (RFPs) for the project. As part of the RFP, each development firm must submit a copy of their current financials to ensure they have enough resources to remain in business for the duration of the proposed project. What type of vendor risk is being mitigated by this requirement in the RFP process?
A. Vendor lock-in
B. Vendor lockout
C. Vendor viability
D. Vendor visibility
C. Vendor viability
Explanation:
OBJ-4.2: This scenario describes one method of mitigating the risk of a vendor no longer being viable. Vendor viability occurs when a vendor has a viable and in-demand product and the financial means to remain in business on an ongoing basis. Vendor lockout occurs when a vendor’s product is developed in a way that makes it inoperable with other products: integrating it with other vendors’ products is either not a feasible option or not possible at all. Vendor lock-in occurs when a customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs. Vendor visibility is a term used to define how transparent a supplier is with their payment and shipment status details.
Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply)
A. SQL Injection
B. XML Injection
C. Directory traversal
D. Cross-site scripting
A. SQL Injection
B. XML Injection
C. Directory traversal
D. Cross-site scripting
Explanation:
OBJ-1.3: Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in any forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URLs accepted from the user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.
A company wants to ensure that its mobile devices are configured to protect any data stored on them if they are lost or stolen. Which of the following should you enable and enforce through their MDM?
A. Enable SSO
B. Enable OS Updates
C. Full storage encryption
D. Remove backups
C. Full storage encryption
Explanation:
OBJ-3.1: Mobile device management (MDM) software suites are designed to manage the use of smartphones and tablets within an enterprise. Full storage encryption is used to encrypt the user and system data stored in the device’s internal storage. The encryption key is stored in a protected portion of the device and can be used to remotely wipe the device if it is lost or stolen. Single sign-on (SSO) is an authentication technology that allows a user to authenticate once and receive authorizations for multiple services. Operating system updates are made freely available by the software manufacturer to fix problems in a particular software version, including any security vulnerabilities. Updates can be classified as hotfixes (available only to selected customers and for a limited problem), patches (generally available), and service packs (installable collections of patches and software improvements). A backup is a copy of user and system data that can enable the recovery of data after data loss or a disaster.
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?
A. Data recovery
B. Data correlation
C. Data retention
D. Data sanitization
B. Data correlation
Explanation:
OBJ-2.6: Data correlation is the first step in making sense of data from across numerous sensors. This will ensure each piece of data is placed in context with the other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. Data correlation allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.
What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called?
A. Penetration testing
B. Incident response
C. Threat hunting
D. Information assurance
C. Threat hunting
Explanation:
OBJ-2.1: Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system. Penetration testing uses active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation to limit damage and reduce recovery time and costs.
A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
A. A website utilizing a self-signed SSL cert
B. A buffer overflow that is known to allow remote code execution
C. An HTTP response that reveals an internal IP address
D. A cryptographically weak encryption cipher
B. A buffer overflow that is known to allow remote code execution
Explanation:
OBJ-2.3: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
A. TACACS+
B. CHAP
C. RADIUS
D. Kerberos
A. TACACS+
Explanation:
OBJ-1.5: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
Dion Training installed a new router 183 days ago and it stopped working today due to a faulty power supply. The network technicians replaced the power supply and the router was returned to service within 4 hours. Which of the following terms would BEST represent the 183 days in this scenario?
A. MTTR
B. RPO
C. RTO
D. MTBF
D. MTBF
Explanation:
OBJ-4.1: The mean time between failures (MTBF) measures the average time between when failures occur on a device. The mean time to repair (MTTR) measures the average time it takes to repair a network device when it breaks. The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster to avoid unacceptable consequences associated with a break in continuity. The recovery point objective (RPO) is the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or tolerance.
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization’s AAA services manager?
A. SMS messages may be accessible to attackers via VOIP or other systems
B. SMS should be encrypted to be secure
C. SMS is a costly method of providing a second factor of authentication
D. SMS should be paired with a third factor
A. SMS messages may be accessible to attackers via VOIP or other systems
Explanation:
OBJ-1.5: NIST’s SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.
An employee complains that her computer is running abnormally slow, so you conduct an analysis of the NetFlow data from her workstation. Based on the NetFlow data, you identify a significant amount of traffic from her computer to an IP address in a foreign country over port 6667 (IRC). Which of the following is the most likely explanation for this?
A. Malware has been installed on her computer and is using the IRC protocol to communicate
B. This is routine machine-to-machine communications in a corporate network
C. The employee is using Internet Relay Chat to communicate with her friends and family overseas
D. The computer has likely been compromised by an APT
A. Malware has been installed on her computer and is using the IRC protocol to communicate
Explanation:
OBJ-2.2: Internet Relay Chat (IRC) used to be extremely popular but was replaced by modern chat applications like Facebook Messenger, Google Hangouts, Slack, and numerous others. These days, IRC traffic is infrequent on most corporate networks. Therefore, this would be classified as suspicious and require additional investigation. The unencrypted nature of the protocol makes it easy to intercept and read communications on this port. Still, even so, many types of malware use IRC as a communication channel. Due to this cleartext transmission, an APT would avoid using IRC for their C2 channel to blend in with regular network traffic and avoid detection. IRC is not normally used for machine-to-machine communications in corporate networks. Because the scenario mentioned a connection to a foreign country, as part of your investigation, you should ask the employee if they have friends or family overseas in the country to rule out the possibility that this is acceptable traffic.
A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing?
A. Fuzzing
B. Security regression testing
C. User acceptance testing
D. Stress testing
A. Fuzzing
Explanation:
OBJ-1.3: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security; it is therefore of high significance, and interest in such approaches has steadily increased. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.
You are working for a brand new startup company that allows you to use your laptop, tablet, or other devices while at work. The company does provide some rules and guidelines that you must follow based on their policy. Which of the following policies should you look at to ensure you understand these rules and guidelines?
A. SLA
B. MOU
C. NDA
D. BYOD
D. BYOD
Explanation:
OBJ-4.1: BYOD (Bring Your Own Device) refers to the policy of permitting employees to bring personally owned devices to their workplace and to use those devices to access privileged company information and applications. A memorandum of understanding (MOU) is important because it defines the responsibilities of each party in an agreement, provides the scope and authority of the agreement, clarifies terms, and outlines compliance issues. A non-disclosure agreement (NDA) is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share for certain purposes, but wish to restrict access to. A service level agreement (SLA) is a commitment between a service provider and a client for particular aspects of the service, such as quality, availability, or responsibilities.
You are conducting a password audit. Which of these options is the least complex password?
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
A. Semi-trusted environment testing
B. Partially known environment testing
C. Known environment testing
D. Unknown environment testing
D. Unknown environment testing
Explanation:
OBJ-2.4: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider’s perspective. A partially known environment tester has the user’s access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools is necessary for this type of testing. A semi-trusted environment test is a made-up term and is used as a distractor in this question.
Which of the following type of sites would be used if your organization plans to switch to teleworking and remote operations in the event of a disaster?
A. Warm site
B. Cloud Site
C. Hot Site
D. Cold Site
B. Cloud Site
Explanation:
OBJ-4.4: A cloud site is a virtual recovery site that allows you to create a recovery version of your organization’s enterprise network in the cloud. Cloud sites are useful when your disaster recovery plan includes migrating to a telework or remote operations environment. A hot site is a real-time replication of an existing network environment. All data generated and stored at the primary site is immediately replicated and backed up at the disaster recovery site. A warm site is a type of facility an organization uses to recover its technology infrastructure when its primary data center goes down. A warm site features an equipped data center but no customer data. A cold site is a backup facility with little or no hardware equipment installed. A cold site is essentially an office space with basic utilities such as power, cooling system, air conditioning, and communication equipment, etc.
Tamera just purchased a Wi-Fi-enabled Nest Thermostat for her home. She has hired you to install it, but she is worried about a hacker breaking into the thermostat since it is an IoT device. Which of the following is the BEST thing to do to mitigate Tamera’s security concerns? (Select TWO)
A. Upgrade the firmware of the wireless access point to the latest version to improve the security of the network
B. Disable wireless connectivity to the thermostat to ensure a hacker cannot access it
C. Configure the thermostat to use a segregated part of the network by installing it into a screened subnet
D. Enable two-factor authentication on the device’s website (if supported by the company)
E. Configure the thermostat to use the WEP encryption standard for additional confidentiality
F. Configure the thermostat to connect to the wireless network using WPA2 encryption and a long, strong password
C. Configure the thermostat to use a segregated part of the network by installing it into a screened subnet
F. Configure the thermostat to connect to the wireless network using WPA2 encryption and a long, strong password
Explanation:
OBJ-3.3: The BEST options are to configure the thermostat to use the WPA2 encryption standard (if supported) and place any Internet of Things (IoT) devices into a DMZ/screened subnet to segregate them from the production network. While enabling two-factor authentication on the device’s website is a good practice, it will not increase the IoT device’s security. While disabling the wireless connectivity to the thermostat will ensure it cannot be hacked, it also will make the device ineffective for the customer’s normal operational needs. WEP is considered a weak encryption scheme, so you should use WPA2 over WEP whenever possible. Finally, upgrading the wireless access point’s firmware is good for security, but it isn’t specific to the IoT device’s security. Therefore, it is not one of the two BEST options.
A company has had several virus infections over the past few months. The root cause was determined to be known vulnerabilities in the software applications in use by the company. What should an administrator implement to prevent future outbreaks?
A. Incident response team
B. Patch management
C. Acceptable use policies
D. Host-based intrusion detection systems
B. Patch management
Explanation:
OBJ-3.2: Since the viruses exploited known vulnerabilities, there should be patches available from the manufacturer/vendor. Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware. Proper patch management is a technical control that would prevent future outbreaks. An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. While some items in the AUP might help prevent a malware infection (such as not allowing users to download and run programs from the internet), it is considered an administrative control, and choosing a technical control like patch management would better protect the network. An incident response team or emergency response team is a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations. An incident response team will respond to the virus infections, but they would not prevent them from occurring. Host-based intrusion detection systems (HIDS) help organizations to identify threats inside the network perimeter by monitoring host devices for malicious activity that, if left undetected, could lead to serious breaches. A HIDS may detect the effects of a virus infection, such as a client becoming a zombie in a botnet, but it will not prevent these outbreaks from occurring.
Dion Training is analyzing their student practice exam experience. During the analysis, the staff measured the current resiliency of the system by calculating the MTTR and MTBF for the system. The MTTR was measured at 9.1 hours and the MTBF was measured at 3.2 years. Susan, the Chief Operations Officer, stated that the MTTR should be at most 4 hours and the MTBF should be at least 4 years. The team at Dion Training will use all of these measurements and goals to create a technical implementation plan to reach Susan’s requirements. Based on the measurements and goals provided, which of the following types of analysis has the team at Dion Training just performed?
A. Business impact analysis
B. Privacy impact analysis
C. Gap analysis
D. Tradeoff analysis
C. Gap analysis
Explanation:
OBJ-4.1: A gap analysis measures the difference between the current state and desired state to assess the scope of work included in a project. By measuring ALE, MTTR, MTBF, TCO, and other factors, the organization can identify how closely it is performing to the desired outcomes or requirements. A tradeoff analysis compares potential benefits to potential risks and determines a course of action based on adjusting factors that contribute to each area. A business impact analysis describes the collaborative effort to identify those systems and software that perform essential functions, meaning the organization cannot run without them. A privacy impact assessment is conducted by an organization for it to determine where its privacy data is stored and how that privacy data moves throughout an information system. It evaluates the impacts that may be realized by a compromise to the confidentiality, integrity, and/or availability of the data.
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?
A. Logically or physically isolate the SCADA/ICS component from the enterprise network
B. Replace the affected SCADA/ICS components with more secure models, from a different manufacturer
C. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface
D. Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible
C. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface
Explanation:
OBJ-3.3: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process; therefore, waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.
An internet marketing company decided that they didn’t want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be and decided to ignore the regulation and its requirements. Which of the following risk strategies did the company choose?
A. Avoidance
B. Mitigation
C. Transference
D. Acceptance
D. Acceptance
Explanation:
OBJ-4.1: The internet marketing company initially tried to transfer the risk (buy insurance) but then decided to accept the risk. To avoid the risk, the company would have had to change how it did business or prevent European customers from signing up on its mailing list using geolocation blocks.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?
A. Log consolidation
B. Automated patch deployment
C. Intrusion prevention system
D. Antivirus software
C. Intrusion prevention system
Explanation:
OBJ-3.3: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment, so to prevent malicious activity you could set up strict IPS rules that block unknown types of actions from occurring. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before applying any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment either, since many ICS/SCADA systems do not rely on standard operating systems like Windows.
What is the biggest disadvantage of using single sign-on (SSO) for authentication?
A. The identity provider issues the authorization
B. It introduces a single point of failure
C. Systems must be configured to utilize the federation
D. Users need to authenticate with each server as they log on
B. It introduces a single point of failure
Explanation:
OBJ-1.5: Single sign-on is convenient for users since they only need to remember one set of credentials. Unfortunately, single sign-on also introduces a single point of failure. If the identity provider is offline, then the user cannot log in to any of the resources they may wish to utilize across the web. Additionally, if the single sign-on is compromised, the attacker now has access to every site that the user would have access to using the single set of credentials.
You have just installed a new hard disk drive into your computer, but the motherboard does not recognize it within the BIOS/UEFI. You have verified the drive is properly connected to the motherboard and the power supply with the correct cables, but it still is not recognized. Which of the following actions would BEST solve this problem?
A. Configure a RAID in the BIOS/UEFI
B. Format the new hard drive as FAT-32
C. Update the firmware of the motherboard
D. Format the new hard drive as NTFS
C. Update the firmware of the motherboard
Explanation:
OBJ-3.2: This type of error (drive not recognized) is usually the result of the motherboard’s firmware not supporting a newer hard drive model or the cables not being properly connected. Since we already established that the cables were properly connected, we have to consider the firmware as the issue. To troubleshoot this issue, you should restart the computer and enter the BIOS/UEFI configuration. If the BIOS/UEFI does not recognize the hard drive, then the motherboard’s firmware will need to be updated. If the BIOS/UEFI cannot detect the hard drive, then the operating system cannot detect the drive either (since it relies on the underlying BIOS/UEFI to make the connection). This means that you cannot format the hard drive or configure a RAID.
Which of the following vulnerabilities is the greatest threat to data confidentiality?
A. phpinfo information disclosure vulnerability
B. Web application SQL injection vulnerability
C. HTTP TRACE/TRACK methods enabled
D. SSL Server with SSLv3 enabled vulnerability
B. Web application SQL injection vulnerability
Explanation:
OBJ-2.3: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system’s data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn’t disclose any information about the data stored within the system, though, so it isn’t a great threat to our data’s confidentiality.
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization’s proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?
A. An attacker is performing reconnaissance of the organization's workstations
B. A malicious insider is trying to exfiltrate information to a remote network
C. Malware is running on a company workstation or server
D. An infected workstation is attempting to reach a command and control server
D. An infected workstation is attempting to reach a command and control server
Explanation:
OBJ-2.2: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization’s workstation or server, but that isn’t the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker’s command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). “Malware is running on a company workstation or server” is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the “most” accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.