CBROPS Practice Exam
log entries that show a response to a port scan a newly-discovered vulnerability in Apache web servers Explanation: As an incident category, the precursor is a sign that an incident might occur in the future. Examples of precursors are log entries that show a response to a port scan or a newly-discovered vulnerability in web servers using Apache.
A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.) multiple failed logins from an unknown source log entries that show a response to a port scan an IDS alert message being sent a newly-discovered vulnerability in Apache web servers a host that has been verified as infected with malware
the IP addresses or the logical location of essential systems or data Explanation: A network profile should include some important elements, such as the following:Total throughput - the amount of data passing from a given source to a given destination in a given period of timeSession duratio n - the time between the establishment of a data flow and its terminationPorts used - a list of TCP or UDP processes that are available to accept dataCritical asset address space - the IP addresses or the logical location of essential systems or data
A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element? the time between the establishment of a data flow and its termination the TCP and UDP daemons and ports that are allowed to be open on the server the IP addresses or the logical location of essential systems or data the list of TCP or UDP processes that are available to accept data
scope Explanation: The scope metric is impacted by an exploited vulnerability that can affect resources beyond the authorized privileges of the vulnerable component or that are managed by a different security authority.
A security analyst is investigating a cyber attack that began by compromising one file system through a vulnerability in a custom software application. The attack now appears to be affecting additional file systems under the control of another security authority. Which CVSS v3.0 base exploitability metric score is increased by this attack characteristic? privileges required scope attack complexity user interaction
HIDS (host-based intrusion detection system) Explanation: A host-based intrusion detection systems (HIDS) is a comprehensive security application that provides antimalware applications, a firewall, and monitoring and reporting.
A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware? IPS HIDS baselining blacklisting
exploitation Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack: Reconnaissance - The threat actor performs research, gathers intelligence, and selects targets. Weaponization - The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems. Delivery - The weapon is transmitted to the target using a delivery vector. Exploitation - The threat actor uses the weapon delivered to break the vulnerability and gain control of the target. Installation - The threat actor establishes a back door into the system to allow for continued access to the target. Command and Control (CnC) - The threat actor establishes command and control (CnC) with the target system. Action on Objectives - The threat actor is able to take action on the target system, thus achieving the original objective.
According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take? action on objectives exploitation weaponization installation
NetFlow collects metadata from a network flow whereas Wireshark captures full data packets. Explanation: Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow.
What is a key difference between the data captured by NetFlow and data captured by Wireshark? NetFlow provides transaction data whereas Wireshark provides session data. NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump. NetFlow collects metadata from a network flow whereas Wireshark captures full data packets. NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
A threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a Trojan. Explanation: Vulnerability exploits may be remote or local. In a local exploit, the threat actor has some type of user access to the end system, either physically or through remote access. The exploitation activity is within the local network.
What is an example of a local exploit? Port scanning is used to determine if the Telnet service is running on a remote server. A threat actor performs a brute force attack on an enterprise edge router to gain illegal access. A buffer overflow attack is launched against an online shopping website and causes the server crash. A threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a Trojan.
metrics for measuring the incident response capability and effectiveness Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. One component of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.
What is specified in the plan element of the NIST incident response plan? organizational structure and the definition of roles, responsibilities, and levels of authority metrics for measuring the incident response capability and effectiveness priority and severity ratings of incidents incident handling based on the mission of the organization
software Explanation: The SANS Institute describes three components of the attack surface: Network Attack Surface - exploits vulnerabilities in networks Software Attack Surface - delivered through the exploitation of vulnerabilities in web, cloud, or host-based software applications Human Attack Surface - exploits weaknesses in user behavior
Which attack surface, defined by the SANS Institute, is delivered through the exploitation of vulnerabilities in web, cloud, or host-based applications? human network host software
next header Explanation: Hashing algorithms are used to provide message integrity, which ensures that data in transit has not changed or been altered.
Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet? traffic class flow label next header version
availability Explanation: Confidentiality, integrity, and availability are the elements contained in the CIA triad. Availability means that all authorized users have uninterrupted access to important resources and data. In a DDoS attack, servers and services are overloaded and applications are no longer available to users.
Which information security component is compromised in a DDoS attack? accountability confidentiality integrity availability
0{4} Explanation: The regular expression 0{4} matches any string that contains 4 repetitions of zero or 4 consecutive zeros.
Which regular expression would match any string that contains 4 consecutive zeros? {0-4} [0-4] 0{4} ^0000
block listing Explanation: Block listing can be used on a local system or updated on security devices such as a firewall. Block lists can be manually entered or obtained from a centralized security system. Block lists are applications that are prevented from executing because they pose a security risk to the individual system and potentially the company.
Which security endpoint setting would be used by a security analyst to determine if a computer has been configured to prevent a particular application from running? services block listing baselining Allow listing
checksum destination port source port Explanation: The UPD header has four fields. Three of these fields are in common with the TCP header. These three fields are the source port, destination port, and checksum.
Which three fields are found in both the TCP and UDP headers? (Choose three.) window checksum options sequence number destination port source port
tcpdump
Which tool captures full data packets with a command-line interface only? nfdump NBAR2 tcpdump Wireshark
probabilistic Explanation: Probabilistic methods use powerful tools to create a probabilistic answer as a result of analyzing applications.
Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen? deterministic statistical log probabilistic
reconnaissance
Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs? social engineering denial of service phishing reconnaissance
statistical Explanation: Cisco Cognitive Intelligence utilizes statistical data for statistical analysis in order to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside the network of an organization.
Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network? statistical session alert transaction
traffic fragmentation Explanation: In order to keep the malicious payload from being recognized by security sensors, such as IPS or IDS, perpetrators fragment the data into smaller packets.These fragments can be passed by sensors that do not reassemble the data before scanning.
Which type of evasion technique splits malicious payloads into smaller packets in order to bypass security sensors that do not reassemble the payloads before scanning them? pivoting traffic fragmentation protocol-level misinterpretation traffic insertion