Udemy Exam 2 Flashcards

1
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL,

https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p.

Which of the following is true about the results of this search? (SELECT THREE)

Personalization is turned off

Returns only files hosted at diontraining.com

Returns only Microsoft Excel spreadsheets

Excludes Microsoft Excel spreadsheets

All search filters are deactivated

A

The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.

2
Q

Consider the following data:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

{
  "id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241",
  "objects": [
    {
      "aliases": [
        "Comment Crew",
        "Comment Group",
        "Shady Rat"
      ],
      "created": "2015-05-15T09:00:00.000Z",
      "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.",
      "first_seen": "2006-06-01T00:00:00.000Z",
      "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
      "modified": "2015-05-15T09:00:00.000Z",
      "name": "APT1",
      "object_marking_refs": [
        "marking-definition--3444e29e-2aa6-46f7-a01c-1c174820fa67"
      ],
      "primary_motivation": "organizational-gain",
      "resource_level": "government",
      "spec_version": "2.1",
      "type": "intrusion-set"
    },
    {
      "aliases": [
        "Greenfield",
        "JackWang",
        "Wang Dong"
      ],

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following best describes the data presented above?

An XML entry describing an APT using the MITRE ATT&CK framework

A JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service

An XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework

A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format

A

The excerpt is a JSON object used by the STIX protocol to convey threat information. STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies. Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.

3
Q

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?

Attack surface
Threat model
Attack vector
Adversary capability set

A

The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.

4
Q

In which operating system ring is a kernel rootkit typically installed?

Ring 3
Ring 0
Ring 1
Ring 2

A

Rootkits are usually classed as either kernel mode or user mode. CPU architectures define several protection rings. Ring 0 has complete access to any memory location and, therefore, any hardware devices connected to the system. Processes that operate with ring 0 privileges are referred to as working in kernel mode. As this suggests, only the bootloader and the core of the operating system, plus some essential device drivers, are supposed to have this access level. Ring 3 is referred to as user mode (rings 1 and 2 are rarely implemented). Ring 3 is where the OS runs services and non-essential device drivers. It is also where applications run. In user mode, each process can use only memory locations allocated by the kernel and interacts with hardware via system calls to kernel processes. A kernel-mode rootkit can gain complete control over the system.

5
Q

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

Organizational governance
Log disposition
Virtual hosts
Processor utilization

A

Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only the physical hosts, thereby missing many network assets.

6
Q

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?

WHOIS lookups
BGP looking glass usage
Banner grabbing
Registrar checks

A

Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third parties that do not directly connect to an organization’s remote host.

7
Q

While conducting a security test to ensure that information about your company’s web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

HTTP/1.1 404 Object Not Found

Server: Microsoft-IIS/6.0

Date: Tuesday, 5 Sep 2017 1034:12 GMT

Content-Type: text/html

Content-Length: 132

There is no web site configured at this address.

This page is a placeholder until construction begins.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following actions should you take to remediate this vulnerability?

Set “PerProcessLogging” to 1 in the URLScan.ini configuration file

Set “VerifyNormalization” to 1 in the URLScan.ini configuration file

Set “RemoveServerHeader” to 1 in the URLScan.ini configuration file

Set “EnableLogging” to 1 in the URLScan.ini configuration file

A

This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the “RemoveServerHeader” in the Microsoft IIS configuration file (URLScan.ini). If you set “RemoveServerHeader” to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set “EnableLogging” to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set “PerProcessLogging” to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set “VerifyNormalization” to 1, UrlScan verifies the URL’s normalization and will defend against canonicalization attacks, where a URL contains a double-encoded string. Please note, this question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s complete content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess, and move on!

8
Q

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?

You are scanning a CDN-hosted copy of the site

The scan will not produce any useful information

The server assumes you are conducting a DDoS attack

Nothing can be determined about this site with the information provided

A

This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server’s cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

9
Q

Which of the following tools would you use to audit a multi-cloud environment?

A

ScoutSuite

10
Q

Prowler

A

Prowler is a cloud auditing tool, but it can only be used on AWS

11
Q

Pacu

A

Pacu is an exploitation framework that is used to test the security configurations of an AWS account

12
Q

OpenVAS

A

OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues

13
Q

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

OpenIOC

MITRE ATT&CK framework

Diamond Model of Intrusion Analysis

Lockheed Martin cyber kill chain

A

The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker’s behavior.

14
Q

The MITRE ATT&CK framework

A

The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.

15
Q

The Lockheed Martin cyber kill chain

A

The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them.

16
Q

OpenIOC

A

OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.

17
Q

Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page?

A

Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

18
Q

Input Validation

A

Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components.

19
Q

Improper error handling

A

Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker.

20
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?

An HTTP response that reveals an internal IP address

A website utilizing a self-signed SSL certificate

A buffer overflow that is known to allow remote code execution

A cryptographically weak encryption cipher

A

The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

21
Q

Which of the following is the most difficult to confirm with an external vulnerability scan?

Blind SQL injection

Cross-site scripting (XSS)

Unpatched web server

Cross-site request forgery (XSRF/CSRF)

A

Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred.

XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.

22
Q

Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting?

Continuous vulnerability scanning

Scheduled vulnerability scanning

On-demand vulnerability scanning

Agent-based monitoring

A

An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system’s status at a certain time, it will not remain current and accurate without continual rescanning.

23
Q

A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems?

The same vulnerability will be compromised on their servers

The attacker will conduct a man-in-the-middle attack

The attacker will conduct a SQL injection against their database

They may now be vulnerable to a credential stuffing attack

A

The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne’s consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne’s servers, they might attempt to use those credentials on Yoyodyne’s servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn’t mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.

24
Q

A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the operating system version installed at 192.168.1.45. The analyst asks you to look over their nmap scan results:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Starting NMAP 7.60 at 2020-06-12 21:23:15

NMAP scan report for 192.168.1.45

Host is up (0.78s latency).

Not shown: 992 closed ports

PORT STATE SERVICE

21/tcp open ftp

23/tcp open telnet

25/tcp open smtp

80/tcp open http

139/tcp open netbios-ssn

515/tcp open

631/tcp open ipp

9100/tcp open

MAC Address: 00:0C:29:18:6B:DB

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following operating systems is most likely used by the host?

A

Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP for most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, and 445 are found, this is usually a good indication of a Windows file server. Ports such as FTP, telnet, SMTP, and HTTP are used by both Windows and Linux servers; therefore, they are not as helpful in indicating which operating system is in use by the host.

25
Q

Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR)

“Time stomp” on a malware file to appear as if it is part of the operating system

Collect user credentials

Install a webshell on a server

Open a two-way communications channel to an established C2 infrastructure

Create a point of presence by adding services, scheduled tasks, or AutoRun keys

Install a backdoor/implant on a client victim

A

During the installation phase, the adversary is taking actions to establish a footprint on the target system and is attempting to make it difficult for a defender to detect their presence. The attacker may also attempt to confuse any attempts to remove the adversary from the system if the detection of their presence occurs. Due to this, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target. “Time stomping” is also conducted to hide the presence of malware on the system. Opening up two-way communication with an established C2 infrastructure occurs in the command and control phase. Collecting user credentials occurs in the actions on objectives phase.

26
Q

Which of the following technologies is NOT a shared authentication protocol?

OAuth
Facebook Connect
OpenID Connect
LDAP

A

LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

27
Q

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

192.186.1.100
172.16.1.100
10.15.1.100
192.168.1.100

A

This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

28
Q

You are a cybersecurity analyst and your company has just enabled key-based authentication on its SSH server. Review the following log file:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

BEGIN LOG

Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2

Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2

Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2

Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2

Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2

Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2

END LOG

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following actions should be performed to secure the SSH server?

Disable password authentication for SSH

Disable anonymous SSH logon

Disable remote root SSH logons

Disable SSHv1

A

It is common for attackers to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords. Based on the logs, you see the server is running SSHv2, so there is no need to disable SSHv1 (it may already be disabled). You don’t want to fully disable remote root SSH logins, either, since this would make it difficult for administrators to conduct their work. Finally, based on the logs, it doesn’t appear that anonymous SSH logins are an issue, either, as we don’t see any anonymous attempts in the logs.

29
Q

You just received a notification that your company’s email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

The full email header from one of the spam messages

The SMTP audit log from your company’s email server

Firewall logs showing the SMTP connections

Network flows for the DMZ containing the email servers

A

You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

30
Q

Which of the following is NOT a means of improving data validation and trust?

Encrypting data in transit
Implementing Tripwire
Using MD5 checksums for files
Decrypting data at rest

A

Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation or trust, since the data at rest could be modified when decrypted.

31
Q

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen:

ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7=

Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed?

Base64
SQL
QR coding
XML

A

While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question’s example output.

32
Q

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

Backup tapes

ARP cache

Image of the server’s SSD

L3 cache

A

When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin by collecting the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. After that, you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. Finally, you would move on to less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.

33
Q

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?

Sandboxing

Purchase additional workstations

Virtualization

Bypass testing and deploy patches directly into the production environment

A

When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab.

34
Q

You are analyzing the logs of a forensic analyst’s workstation and see the following:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What does the bs=1M signify in the command list above?

Sets the block size
Sets the beginning sector
Sends output to a blank sector
Removes error messages and other incorrect data

A

The dd command is used in forensic data acquisition to create a bit-by-bit copy of a hard drive as a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

35
Q

Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

POST /www/default.php HTTP/1.1
HOST: .123
Content-Length: 147
Cache-Control: no-cache
Origin: chrome-extension://ghwjhwrequsds
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaym16ehT29q60rUx
Accept: */*
Accept-Language: zh, en-us; q=0.8, en; q=0.6
Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske

------WebKitFormBoundaryaym16ehT29q60rUx
Content-Disposition: form-data; name="q"

cat /etc/passwd
------WebKitFormBoundaryaym16ehT29q60rUx

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following statements is true?

A request to issue the command “cat /etc/passwd” occurred but additional analysis is required to verify if the file was downloaded

This is a normal request from a host to your web server in the DMZ

The web browser used in the attack was Microsoft Edge

The /etc/passwd file was just downloaded through a webshell by an attacker

A

This is a POST request to run the “cat /etc/passwd” command from an outside source. It is not known from the evidence provided whether this command was successful or not, but it should be analyzed further, as this is not the expected, normal traffic. While the browser’s default language was configured for Chinese (zh), this is easily changed and cannot be used to draw authoritative conclusions about the threat actor’s true location or persona. The User-Agent is listed as Mozilla, which is used by both Firefox and Google Chrome. For an in-depth analysis of the full attack this code snippet was taken from, please visit https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf. This 6-page article is definitely worth your time to look over and learn how a remote access web shell is used as an exploit.

36
Q

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?

Notification to Visa and Mastercard

Notification to local law enforcement

Notification to federal law enforcement

Notification to your credit card processor

A

Any organization that processes credit cards is required to work with its credit card processor rather than directly with the card issuers (Visa and Mastercard). Notifying your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.

37
Q

Jay is replacing his organization’s current vulnerability scanner with a new tool. As he begins to create the scanner’s configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts?

Configuration settings from the prior system

Corporate policy

NIST guideline documents

Vendor best practices

A

Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are procedures that are accepted as correct or most effective, but following them is not mandatory. Configuration settings from the prior system could be helpful, but they are not a mandatory compliance requirement like a policy. Therefore, if there is a conflict, Jay should follow the corporate policy before any of the other three options.

38
Q

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host?

telnet

ftp

netcat

wget

A

FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.

39
Q

What key data point should be included in a vulnerability report to help prioritize remediation efforts for multiple vulnerabilities?

Vulnerability age

Vendor reputation

Risk score

Patch availability

A

Risk score provides a numeric representation of the potential impact of a vulnerability, taking into account factors such as severity, ease of exploitation, and potential harm. This can help prioritize remediation efforts. While patch availability is an important factor in the remediation process, it does not help prioritize which vulnerabilities should be addressed first. The age of a vulnerability is not the primary factor for the prioritization of remediation efforts. The reputation of the vendor is not typically a key consideration in prioritizing vulnerabilities for remediation.

40
Q

Your organization has experienced a significant cybersecurity incident, and an executive summary of the incident has been prepared. However, the board of directors has requested detailed evidence supporting the summary. Where would they typically find this information?

In the regulatory reporting

In the executive summary

In the evidence section of the incident response report

In the public relations communication

A

The evidence section typically contains all detailed information, data, and artifacts related to the incident, supporting the claims and conclusions made in the executive summary. The executive summary is meant to provide a high-level overview of the incident, and while it should be accurate, it typically does not include detailed evidence. Public relations communications are intended for external stakeholders and are not typically used for providing detailed evidence related to an incident. Regulatory reporting is focused on providing information to regulatory bodies and usually does not include detailed evidence supporting an executive summary.

41
Q

Following a cyber incident in your organization, you’ve been tasked with informing all relevant stakeholders about the event, its impact, and how it was handled. The stakeholders range from internal teams to external partners and customers. In the context of incident response, what is this process known as?

Root cause analysis

Stakeholder identification and communication

Incident declaration and escalation

Incident response reporting

A

Stakeholder identification and communication involves determining who needs to be aware of the incident and making sure they receive appropriate information about it. Incident declaration and escalation refers to the process of officially recognizing an incident and escalating it through the organization’s hierarchy for response, not communicating the incident to all stakeholders. Root cause analysis refers to the process of determining the primary cause(s) of an incident, not communicating about the incident to stakeholders. Incident response reporting may include communication to some stakeholders, but it primarily refers to the process of documenting and analyzing an incident, not the overall communication process.

42
Q

As part of an incident response team, you’ve just managed a major security incident that affected your organization’s operations. The management wants to know how long it took from when the incident was first detected to when the response was initiated. What key metric would best provide this information?

Mean time to remediate

Alert volume

Mean time to respond

Mean time to detect

A

The mean time to respond is a key metric that measures the average time taken to initiate a response after a security incident has been detected. The mean time to detect refers to the average time it takes to discover a security incident, not the time it takes to initiate a response to it. The mean time to remediate measures how long it takes to resolve a security incident after it has been detected, not the time it takes to initiate the response. The alert volume measures the number of alerts generated by your security systems, not the time taken to initiate a response to a security incident.

43
Q

Following a significant data breach, a multinational corporation has hired a third-party firm to systematically search through its IT systems to identify the intrusion’s origin and extent. This external firm is also expected to provide a detailed report on their findings. Which of the following post-incident activities BEST describes what the corporation is performing in this scenario?

Root cause analysis

Incident response plan

Forensic analysis

Lessons learned

A

In this scenario, the corporation is conducting a forensic analysis, which is a detailed and systematic examination of an incident to understand its origin, extent, and impact. Root cause analysis is a method used to identify the primary cause or causes of an incident. Although this may be part of the overall process, the scenario specifically mentions a detailed and systematic examination, which aligns more with forensic analysis. Lessons learned is the process of reflecting on a completed incident to identify what was done well and what needs improvement for future incidents. While it’s a part of post-incident activity, it’s not the specific activity described in this scenario. An incident response plan is a set of procedures and processes to handle and manage an incident effectively. Although a plan likely guides their steps, the specific activity described here is forensic analysis.