CSA+ Threat Management Ch1 Part 3/3


Aubrey is reviewing her firewall logs for signs of attacks in her role as a blue team member during a penetration test. Which of the following types of attack is she least likely to be able to identify using a stateful packet inspection firewall?
A. A SYN flood
B. A SQL injection attack
C. A port scan
D. A DDoS attack

B. Identifying a SQL injection attack requires the ability to see the content of the query. Most stateful packet inspection firewalls do not show full packet content and instead log a success or fail based on a port, IP address, and protocol based on a rule. A DDoS attack may also be difficult to identify, but the massive amount of traffic from multiple sources to a single service can help point out the issue.

Senior management in Adam's company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is a part of. Adam's organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization?
A. Honeypots
B. Backups
C. Anti-malware software
D. A next-generation firewall appliance

B. In many cases, backups are the best method to minimize the impact of a ransomware outbreak. While preventative measures can help, malware packages continue to change more quickly than detective controls like anti-malware software and NGFW device manufacturers can react. A honeypot won't help Adam prevent ransomware, so it can be easily dismissed when answering this question.

While reviewing a malware sample, Adam discovers that code inside of it appears to be obfuscated. Which of the following encoding methods is commonly used to prevent code from being easily read by simply opening the file?
A. QR coding
B. Base64
C. Base128
D. XINT

B. Malware often uses base64 encoding as part of its obfuscation attempts. There are multiple base64 formats, but online decoders can help quickly check to see whether the obfuscated code is just base64 encoded. Packers and other tools may use multiple methods, making it difficult to figure out quickly.

Fred has been tasked with configuring his organization's NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user's job?
A. Time-based
B. Rule-based
C. Role-based
D. Location-based

B. NAC solutions that implement employee job function-based criteria often use time-based controls to ensure that employees have access only when they are supposed to be working, role-based criteria because of their duties, and location-based rules to ensure that they access networks only where they work. Rule-based criteria typically focus on system health and configuration, thus focusing more on the computer or software than the user.

Lucca wants to lock down a Cisco router, and chooses to use documentation that Cisco provides. What type of documentation is this?
A. Primary documentation
B. OEM documentation
C. Crowd-sourced documentation
D. System documentation

B. Original equipment manufacturer (OEM) documentation is provided by the builder or creator of the equipment, device, or software. It typically includes information about default and recommended settings. Most organizations use OEM and expert consensus recommended configurations that have been modified to match the requirements of their environment.

Why does the U.S. government require Trusted Foundry and related requirements for technology?
A. To control prices
B. To ensure standards compatibility
C. To prevent hardware-level compromise of devices
D. To ensure U.S.-based supplier viability for strategic components

C. According to the Defense Microelectronics Activity (DMEA) website: "DMEA accredits suppliers in the areas of integrated circuit design, aggregation, broker, mask manufacturing, foundry, post processing, packaging/assembly and test services. These services cover a broad range of technologies and is intended to support both new and legacy applications, both classified and unclassified." This program acts to ensure that electronics are not compromised as part of their design process.

Angela captured the following packets during a reconnaissance effort run by her organization's red team. What type of information are they looking for?
[Figure: packet capture table with columns for number, time, source, destination (10.0.2.4, 10.0.2.15), protocol (HTTP), length (262, 575, 235), and info.]
A. Vulnerable web applications
B. SQL injection
C. Directory traversal attacks
D. Passwords

C. Angela has captured part of a Nikto scan that targets a vulnerable .asp script that allows directory traversal attacks. If it was successful, the contents of files like boot.ini or /etc/passwd would be accessible using the web server.

Susan wants to prevent attackers from running specific files and also wants to lock down other parts of the Windows operating system to limit the impact of attackers who have access to workstations she is responsible for. If she wants to do this on Windows 10 workstations, what tool should she use?
A. Secpol.msc
B. FileVault
C. AppLocker

C. AppLocker is a tool available for Windows 10 systems that allows rules based on file attributes to limit what applications and files users can run, including executable files, scripts, Windows Installer files, DLLs, packaged applications, and packaged application installers. Secpol.msc is the security policy snap-in and controls other parts of the Windows security configuration. FileVault is the MacOS file encryption system, and GPed is a made-up program.

Chris has been asked to assess the technical impact of suspected reconnaissance performed against his organization. He is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Chris categorize the technical impact of this type of reconnaissance?
A. High
B. Medium
C. Low
D. He cannot determine this from the information given.

C. Chris knows that domain registration information is publicly available and that his organization controls the data that is published. Since this does not expose anything that he should not expect to be accessible, Chris should categorize this as a low impact.

When Charleen attempts to visit a website, she receives a DNS response from the DNS cache server that her organization relies on that points to the wrong IP address. What attack has occurred?
A. DNS brute forcing
B. ARP spoofing
C. DNS poisoning
D. MAC spoofing

C. DNS poisoning uses modified DNS cache entries to redirect unsuspecting users to alternate IP addresses. This may be intentional if the DNS server owner wants to ensure that specific sites are blocked, but it can also be leveraged by attackers who manage to either take control of the DNS server or who manage to spoof or modify DNS updates.

Frank is creating the scope worksheet for his organization's penetration test. Which of the following techniques is not typically included in a penetration test?
A. Reverse engineering
B. Social engineering
C. Denial-of-service attacks
D. Physical penetration attempts

C. Denial-of-service attacks are rarely part of a penetration test because of the risk they create for the target organization. In specific cases where DoS attacks are permitted, they are sometimes aimed at a nonproduction instance or network to test DoS handling techniques.

During her normal daily review process, Jennifer detects an external system that is systematically conducting traceroute operations to each of the systems and devices in her network. What activity is most likely occurring?
A. A regularly scheduled network scan from her company's ISP
B. A vulnerability scan
C. Network topology reconnaissance
D. Router probes to determine the best routes via BGP discovery

C. Gathering traceroute information about each system in a network can help provide insight into the network's topology, including where routers, switches, and other devices may be located. It is not typical for ISPs to conduct unannounced scans, vulnerability scans would include additional scan traffic, and routers do not probe individual systems for BGP discovery.

When Casey scanned a network host, she received the results shown here. What does she know based on the scan results?
[Figure: nmap results table with columns for PORT, STATE (open), SERVICE (cisco-sscp, http), and VERSION.]
A. The device is a Cisco device.
B. The device is running CentOS.
C. The device was built by IBM.
D. None of the above

D. Casey knows that she saw three open ports and that nmap took its best guess at what was running on those ports. In this case, the system is actually a Kali Linux system, a Debian-based distribution. This is not a Cisco device, it is not running CentOS, and it was not built by IBM.

Stacey encountered a system that shows as "filtered" and "firewalled" during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan?
A. Packet fragmentation
B. Spoofing the source address
C. Using decoy scans
D. Spoofing the destination address

D. nmap has a number of built-in anti-firewall capabilities including packet fragmentation, decoy scans, spoofing of source IP and source port, and scan timing techniques that make detection less likely. Spoofing the target IP address won't help; her packets still need to get to the actual target!

While performing reconnaissance of an organization's network, Angela discovers that web.organization.com, www.organization.com, and documents.organization.com all point to the same host. What type of DNS record allows this?
A. A CNAME
B. An MX record
C. An SPF record
D. An SOA record

A. A canonical name (CNAME) is used to alias one name to another. MX records are used for mail servers, SPF records indicate the mail exchanges (MXes) that are authorized to send mail for a domain, and an SOA record is the Start of Authority record that notes where the domain is delegated from its parent domain.

Charleen works for a U.S. government contractor that uses NIST's definitions to describe threat categories. How should she categorize the threat posed by competitors that might seek to compromise her organization's website?
A. Adversarial
B. Accidental
C. Structural
D. Environmental

A. Adversarial threats are individuals, groups, and organizations that are attempting to deliberately undermine the security of an organization. Adversaries may include trusted insiders, competitors, suppliers, customers, business partners, or even nation-states.

As part of her malware analysis process, Kara builds a diagram of the components of the suspected malware package. At each stage, she unpacks, de-obfuscates, and identifies each subcomponent, adding it to her diagram. What is this process known as?
[Figure: flow diagram in which suspected malware leads to system resources and packer identified; system resources leads to components (config.ini, suspect.dll); packer identified leads to file unpacked, which leads to base64 decoded.]
A. Decomposition
B. Disassembly
C. Reverse archiving
D. Fingerprinting

A. Kara is performing a decomposition process on the malware she is investigating. Decomposition helps to understand a software package or program and can sometimes provide information more quickly than a static or dynamic analysis, because it does not have to run a program to analyze how it behaves and does not require intensive manual review of the underlying code or disassembly of compiled code.

Which of the following tools is not typically associated with the reconnaissance phase of a penetration test?
A. Metasploit
B. nmap
C. Nessus
D. Maltego

A. Metasploit is primarily an exploitation tool. While it has modules that can be used for reconnaissance, it is primarily used to target discovered vulnerabilities. nmap, Nessus, and Maltego are all commonly used to discover information about an organization or individuals.

Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?
A. OSINT searches of support forums and social engineering
B. Port scanning and social engineering
C. Social media review and document metadata
D. Social engineering and document metadata

A. Since organizations often protect information about the technologies they use, searches of support forums and social engineering are often combined to gather information about the technologies they have in place. Port scanning will typically not provide detailed information about services and technologies. Social media review may provide some hints, but document metadata does not provide much information about specific technologies relevant to a penetration test or attack.

After receiving a penetration test report, Rick has decided to implement anti-harvesting techniques for his organization's DNS. Which of the following sets of techniques is best suited to preventing bulk and automated information gathering?
A. CAPTCHA and proxy services
B. Rate limiting and CAPTCHA
C. Not publishing TLD zone files and blacklisting
D. CAPTCHA and blacklisting

B. Both using CAPTCHAs to prevent bots and implementing a reasonable rate-limiting policy can limit the bulk collection of data. Privacy and proxy services help keep registrant data private. Blacklisting is useful to temporarily block abusive IP addresses or networks but can result in long-term issues if it is broadly used or if a legitimate site is blocked. Finally, not publishing TLD zone files can help limit WHOIS abuse, but not all TLDs can avoid doing so.

While reviewing Shodan scan data for his organization, Adam finds the following information. What type of system has he discovered?
[Figure: Shodan result for BAS SCADA, showing headers server: BAS SCADA service HTTPserv:00001, date: Mon, 07 Aug 2017 13:35:26 GMT, content-length: 879, et cetera.]
A. A botnet administration system
B. A control and data acquisition system
C. A noncaching web server
D. A NAS

B. Adam has discovered a supervisory control and data acquisition system (SCADA). Typically, BAS indicates that the system is used for building automation.

Alex has been asked to implement network controls to ensure that users who authenticate to the network are physically in the building that the network they are authenticating to serves. What technology and tool should he use to do this?
A. Geo-IP and port security
B. GPS location and NAC
C. GPS location and port-security
D. Geo-IP and NAC

B. Alex should implement a network access control (NAC) solution that requires GPS location. Geographic IP location will not help when users do not receive IP addresses until they connect to the network!

Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark pcap file from the network, which of the following tools can she use to provide automated analysis of the file?
A. ettercap
B. NetworkMiner
C. Sharkbait
D. dradis

B. Angela can use NetworkMiner, a tool that can analyze existing packet capture files to do OS identification and which identifies and marks images, files, credentials, sessions, DNS queries, parameters, and a variety of other details. Ettercap can perform passive TCP stack fingerprinting but is primarily a man-in-the-middle tool, dradis is an open source collaboration platform for security teams, and Sharkbait is not a security tool or term.

As part of an externally accessible information review by their security team, Bob and Lisa receive information that the security team gathered including the following entry:

    Query Results:
    Router: Ashburn, VA - US
    Command: show bgp ipv4 unicast 10.81.254.195
    BGP routing table entry for 10.64.0.0/11
    Versions:
      Process           bRIB/RIB  SendTblVer
      Speaker          287479994   287479994
    Last Modified: Feb 22 09:16:16.154 for 8w0d
    Paths: (13 available, best #13)
      Advertised to update-groups (with more than one peer):
        0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45
      Advertised to peers (in unique update groups):
        10.250.31.182
      Path #1: Received by speaker 0
      Not advertised to any peer
      7922
        10.242.151.65 (metric 6710) from (129.250.0.162)
          Origin IGP, metric 4294967294, localpref 98, valid, confed-internal
          Received Path ID 0, Local Path ID 0, version 0
          Community: 2914:390 2914:1006 2914:2000 2914:3000 65504:7922
          Originator: 10.250.0.162, Cluster list: 10.250.0.9
      ....
      Path #13: Received by speaker 0
      Advertised to update-groups (with more than one peer):
        0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45
      Advertised to peers (in unique update groups):
        10.250.31.182
      7922

What type of tool could they use to gather this publicly available information about their systems in the future?
A. nmap
B. A BGP looking glass
C. A BGP reflector
D. A route/path assimilator

B. BGP looking glasses provide a public view of route information to hosts and networks. This can provide information to penetration testers about network connectivity. While nmap has many capabilities, it doesn't provide route lookups. BGP route reflectors (BGP speakers that advertise routes to peers) and route/path assimilators were made up for this question.

Greg configures his next-generation firewall security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains seeing a landing page that Greg controls that advises them they were prevented from visiting a malicious site. What is this technique known as?
A. DNS masquerading
B. DNS sinkholing
C. DNS re-sequencing
D. DNS hierarchy revision

B. Greg's implementation is a form of DNS sinkholing that sends traffic to an alternate address, which acts as the sinkhole for traffic that would otherwise go to a known bad domain.

Geoff's remote scans of a target organization's class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Geoff needs to gather additional reconnaissance information about the organization's network, which of the following scanning techniques is most likely to provide additional detail?
A. Use a UDP scan.
B. Perform a scan from on-site.
C. Scan using the -p 1-65535 flag.
D. Use nmap's IPS evasion techniques.

B. Performing a scan from an on-site network connection is the most likely to provide more detail. Many organizations have a strong external network defense but typically provide fewer protections for on-site network connections to allow internal users to access services. It is possible that the organization uses services found only on less common ports or UDP only services, but both of these options have a lower chance of being true than for an on-site scan to succeed. nmap does provide firewall and IPS evasion capabilities, but this is also a less likely scenario.

What is a document that lists sensitive data-handling rules, contact information, black-box testing, and status meeting schedules called during a penetration test?
A. The "get out of jail free" card
B. The rules of engagement
C. Executive sign-off
D. A penetration test standard

B. The rules of engagement are the rules that a penetration test or other security assessment are conducted under. They typically list what type of assessment, when, where, and how it will be conducted; what communication and notification will be done; and other details that are critical to ensure that the assessment is done in a way that meets the organization's needs.

What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?
A. ps
B. top
C. proc
D. load

B. The top command will show a dynamic, real-time list of running processes. If Amanda runs this, she will immediately see that two processes are consuming 99 percent of a CPU each and can see the command that ran the program.

During Geoff's configuration of his organization's network access control policies, he sets up client OS rules that include the following statements:

    ALLOW Windows 7 version *, Windows 10 version *
    ALLOW OSX version *
    ALLOW iOS 8.1, iOS 9 version *
    ALLOW Android 7.*

After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring?
A. Insecure clients
B. Incorrect NAC client versions
C. OS version mismatch
D. Patch-level mismatch

C. Geoff built a reasonable initial list of operating system versions, but many devices on a modern network will not match this list, causing operating system version mismatch issues with the matching rules he built. He may need to add broader lists of acceptable operating systems, or his organization may need to upgrade or replace devices that cannot be upgraded to acceptable versions.

As part of a penetration testing exercise, Lauren is placed on the defending team for her organization. What is this team often called?
A. The red team
B. The white team
C. The blue team
D. The yellow team

C. Internal security teams are typically referred to as the blue team for penetration testing and security exercises. Red teams are attackers, while the white team establishes the rules of engagement and performance metrics for the test.

Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command-and-control systems?
A. Force a BGP update.
B. Set up a DNS sinkhole.
C. Modify the hosts file.
D. Install an anti-malware application.

C. Jennifer can push an updated hosts file to her domain-connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would work only if all the systems were using local DNS, and off-site users are likely to have DNS settings set by the local networks they connect to. Anti-malware applications may not have an update yet or may fail to detect the malware, and forcing a BGP update for third-party networks is likely a bad idea!

Geoff wants to prevent spammers from harvesting his organization's public LDAP directory. What technology should he implement?
A. A firewall
B. An IDS
C. Set hard limits
D. Require authentication

C. LDAP directory servers typically support both soft and hard limits on queries, including the size of the query and how many queries can be conducted in a given time period. Setting a hard limit prevents LDAP users from exceeding the number set. A firewall would be useful to prevent access, and an IDS could show abuse. Requiring authentication isn't useful for a public service.

Lauren submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?
[Figure: signatures sheet with entries such as "process attempted to delay analysis task", "file has been identified by at least one AntiVirus on VirusTotal as malicious", "binary likely contains encrypted or compressed data", et cetera.]
A. A reverse-engineering tool
B. A static analysis sandbox
C. A dynamic analysis sandbox
D. A decompiler sandbox

C. Lauren's screenshot shows behavioral analysis of the executed code. From this, you can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.

Chris wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk?
A. Implement an IPS.
B. Implement a firewall.
C. Disable promiscuous mode for NICs.
D. Enable promiscuous mode for NICs.

C. Passive fingerprinting relies on the ability of a system to capture traffic to analyze. Preventing systems from using promiscuous mode will provide attackers with very little data when performing passive fingerprinting. Both intrusion prevention systems and firewalls can help with active fingerprinting but will do nothing to stop passive fingerprinting.

After a popular website is hacked, Chris begins to hear reports that email addresses from his company's domain are listed in the hacker's data dump. Chris knows that the list includes passwords and is concerned that his users may have used the same password for the site and their own company account. If the hackers recovered MD5 hashed passwords, how can he check them against the strong password hashes his company uses?
A. Reverse the MD5 hashes and then rehash using the company's method and compare.
B. Reverse the MD5 and strong company hashes and then compare the password.
C. Use rainbow tables to recover the passwords from the dump and then rehash using the company's strong method and compare.
D. Chris cannot accomplish this task; hashes cannot be reversed.

C. Rainbow tables exist for most reasonable MD5 passwords, which means that Chris can likely recover the majority of the passwords belonging to his users relatively quickly. Once he is done, he can apply his company's strong hashing method and compare them to the existing hashed passwords his organization stores. He may still be better off simply asking all of the impacted users to change their passwords if they reused them for the site and should consider multifactor authentication to avoid the issue in the future.

Rick's security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?
A. A tarpit
B. A honeypot
C. A honeynet
D. A blackhole

C. Rick's team has set up a honeynet, which is a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way, while a tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.

Allan needs to immediately shut down a service called Explorer.exe on a Windows server. Which of the following methods is not a viable option for him?
A. Use sc.
B. Use wmic.
C. Use secpol.msc.
D. Use services.msc.

C. Windows services can be started and stopped using sc (sc stop 'service') or wmic (wmic service where name='service' call ChangeStartmode Disabled) or via the services.msc GUI. secpol.msc controls security policy and will not allow Allan to stop a service.

A system that Jeff is responsible for has been experiencing consistent denial-of-service attacks using a version of the Low Orbit Ion Cannon (LOIC) that leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Jeff use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem?
A. IP-based blacklisting
B. Drop all SYN packets.
C. Use a connection rate or volume-limiting filter per IP.
D. Use a route-blocking filter that analyzes common LOIC routes.

C. Since LOIC can leverage hundreds or thousands of hosts, limiting each connecting host to a connection rate and volume through filters like those provided by the iptables hashlimit plug-in can help. IP-based blacklisting may work for smaller botnets but is difficult to maintain for larger attacks and may eventually block legitimate traffic. Dropping all SYN packets would prevent all TCP connections, and route blocking filters are not a method used to prevent this type of attack. While he's setting up firewall rules, Jeff may also want to investigate a denial-of-service mitigation partner or service in case the attackers move to more advanced methods or do overwhelm his link!

What occurs when Alex uses the following command to perform an nmap scan of a network?

    nmap -sP 192.168.2.0/24

A. A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range
B. A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 network range
C. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range
D. A SYN-based portscan of all hosts in the 192.168.2.0 to 192.168.2.255 network range

C. The -sP flag for nmap indicates a ping scan, and /24 indicates a range of 255 addresses. In this case, that means that nmap will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP address range.

Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?

    ICMP "Echo request"
    Date flow start          Duration Proto Src IP Addr:Port->Dst IP Addr:Port  Packets Bytes Flows
    2017-07-11 04:58:59.518  10.000   ICMP  10.1.1.1:0->10.2.2.6:8.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.2.2.6:0->10.1.1.1:0.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.1.1.1:0->10.2.2.7:8.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.2.2.7:0->10.1.1.1:0.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.1.1.1:0->10.2.2.8:8.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.2.2.8:0->10.1.1.1:0.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.1.1.1:0->10.2.2.9:8.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.2.2.9:0->10.1.1.1:0.0            11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.1.1.1:0->10.2.2.10:8.0           11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.2.2.10:0->10.1.1.1:0.0           11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.1.1.1:0->10.2.2.6:11.0           11      924   1
    2017-07-11 04:58:59.518  10.000   ICMP  10.2.2.11:0->10.1.1.1:0.0           11      924   1

A. A port scan
B. A failed three-way handshake
C. A ping sweep
D. A traceroute

C. The increasing digit of the IP address of the target system (.6, .7, .8) and the ICMP protocol echo request indicate that this is a ping sweep. This could be part of a port scan, but the only behavior that is shown here is the ping sweep. This is ICMP and cannot be a three-way handshake, and a traceroute would follow a path, rather than a series of IP addresses.

Charles is investigating a process that he believes may be malicious. What Linux command can he use to determine what files that process has open?
A. ps
B. procmap
C. lsof
D. filemap

C. The lsof command, or "list open files", can report on open files and which process opened them. Charles can use lsof to find his answer quickly.

While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:

    Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
    Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
    Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
    Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
    Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]

Which of the following has not occurred?
A. A user has attempted to re-authenticate too many times.
B. PAM is configured for three retries and will reject any additional retries in the same session.
C. Fail2ban has blocked the ssh login attempts.
D. Root is attempting to log in via ssh from the local host.

C. This output shows a brute-force attack run against the localhost's root account using ssh. This resulted in the root user attempting to re-authenticate too many times, and PAM has blocked the retries. Fail2ban is not set up for this service. Thus, this is the one item that has not occurred. If it was enabled, the fail2ban log would read something like this:

    2017-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Ban 127.0.0.1
    2017-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Unban 127.0.0.1

Chris operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI-DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris's best option to stay compliant with PCI-DSS and protect his vulnerable systems?
A. Replace the Windows embedded point-of-sale terminals with standard Windows systems.
B. Build a custom operating system image that includes the patch.
C. Identify, implement, and document compensating controls.
D. Remove the POS terminals from the network until the vendor releases a patch.

C. When a vulnerability exists and a patch has not been released or cannot be installed, compensating controls can provide appropriate protection. In the case of PCI-DSS (and other compliance standards), documenting what compensating controls were put in place and making that documentation available is an important step for compliance.

Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean? The machines are unreachable. The machines are not running SNMP servers. The community string he used is invalid. Any or all of the above may be true.

D. Since SNMP does not reliably report on closed UDP ports and SNMP servers don't respond to requests with invalid community strings, any of these answers could be true. This means that receiving "no response" to an SNMP query can mean that the machines are unreachable (often due to a firewall), they are not running SNMP, or the community string that was used is incorrect.

Geoff wants to gather a list of all Windows services and their current state using a command-line tool. What tool can he use to gather this information for later processing? svcctl -l service list service -l sc query

D. The Windows service controller, sc, provides command-line control of services. Commands include start, stop, pause, query, and other service-related commands. Using sc query provides a list of services, their display name, type, state, exit codes, checkpoint, and wait hint codes. Geoff can use output like this to check for unexpected services running on the system if he has local command-line access for only a limited period of time.

How can Saria remediate the issue shown here in the MBSA screenshot? Window shows Microsoft Baseline Security Analyzer with columns for score, user (administrator, DefaultAccount, guest, defaultuser0), weak password (weak), locked out, and disabled. Force all users to set a complex password. Set a minimum password age. Enforce password expiration. This is not a problem.

D. The accounts shown are disabled, and disabled accounts with a weak password are typically not a problem. If they are an issue, Saria's best option would be to delete the accounts unless they are required for a specific purpose.

What command can Amanda use to terminate the process? term stop end kill

D. The kill command is used to end processes in Linux. Amanda should issue the kill -9 command followed by the process IDs of the processes she wants to end (the -9 flag is the signal and means "really try hard to kill this process"). Since she has run both top and htop, she knows that she needs to end processes 3843 and 3820 to stop stress from consuming all of her resources. A little research after that will show her that stress is a stress testing application, so she may want to ask the user who ran it why they were using it if it wasn't part of their job!

While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the following information: Image shows options for tasks: 104, 254 thr; 3 running, Load average: 1.65 0.76 0.33, and uptime: 02:16:45, and table shows columns for PID, USER, PRI, NI, VIRT, RES, SHR, S, CPU percent, MEM percent, TIME plus, and command. What issue should Amanda report to the system administrator? High network utilization High memory utilization Insufficient swap space High CPU utilization

D. This view of htop shows both CPU1 and CPU2 are maxed out at 100 percent. Memory is just over 60 percent used. Almost all swap space is available.

As part of his active reconnaissance activities, Frank is provided with a shell account accessible via ssh. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this? Flow diagram shows external host leads to shell host: 192.168.34.11 via firewall with marking for internal protected network 192.168.34.0-192.168.34.255. ssh -t 192.168.34.11 nmap 192.168.34.0/24 ssh -R 8080:192.168.34.11:8080 [remote account:remote password] ssh -proxy 192.168.11 [remote account:remote password] Frank cannot scan multiple ports with a single ssh command.

D. While ssh port forwarding and ssh tunneling are both useful techniques for pivoting from a host that allows access, nmap requires a range of ports open for default scans. He could write a script and forward the full range of ports that nmap checks, but none of the commands listed will get him there. If Frank has access to proxychains, he could do this with two commands!

Ryan's passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4? Window shows table with columns for number, time, source, destination (10.0.2.15, 10.0.2.4), protocol (ARP, DNS, TCP), length, and info. The host does not have a DNS entry. It is running a service on port 139. It is running a service on port 445. It is a Windows system.

D. While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn't have one that is available to the host that did the scan and ran the Wireshark capture).
