Cybersecurity - Final (MC)
Bob would like to digitally sign a message that he is sending to Alice. What key should he use to create the digital signature?
Bob's private key
Which one of the following is an example of an attrition attack?
Brute-force password attack
In what type of attack does the attacker place more information in a memory location that is allocated for that use?
Buffer overflow
What type of attack is typically associated with the STRCPY function?
Buffer overflow
Matt wants to prevent attackers from capturing data by directly connecting to the hardware communications components of a device he is building. What should he use to make sure that communications between the processor and other chips are not vulnerable?
Bus encryption
Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs?
%SystemRoot%\MEMORY.DMP
What flag does nmap use to enable operating system identification?
-o
Angela wants to review the syslog on a Linux system. Which directory should she check to find it on most Linux distributions?
/var/log
Elaine wants to check for user logins in a Linux system. What log location should she check first?
/var/log/auth.log
Which Cisco log level is the most critical?
0
Wayne is configuring a jump box server that system administrators will connect to from their laptops. Which of the following ports should definitely not be open on the jump box?
23
What ISO standard applies to information security management controls?
27001
What is the most recent version of CVSS that is currently available?
3.1
Rick is preparing a firewall rule that will allow network traffic from external systems to a web server running the HTTPS protocol. What TCP port must he allow to pass through the firewall?
443
Alaina wants to deploy a tool that can monitor the behavior of users while correlating that behavior centrally to determine if a security incident has occurred. What type of tool should she acquire?
A UEBA tool
Ben wants to reverse-engineer a malware sample. Which of the following tools will allow him to view assembly code for the program if he only has a binary executable?
A disassembler
During an incident response process, Michelle discovers that the administrative credentials....What is this type of ticket called?
A golden ticket
Ben sets up a system that acts like a vulnerable host in order to observe attacker behavior. What type of system has he set up?
A honeypot
Frederick's organization has been informed that data must be preserved due to pending legal action. What is this type of requirement called?
A legal hold
As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called?
A monitoring threshold
Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?
A possible attack vector
Gabby connects to a Linux web server and executes an attack that gives her access to the account that the Apache web server runs as. If her next attack is aimed at a script that runs with root privileges, what type of attack has she attempted?
A privilege escalation attack
The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?
A race condition
Ric is reviewing his organization's network design and is concerned that a known flaw in the border router could let an attacker disable their Internet connectivity. Which of the following is an appropriate compensatory control?
An alternate Internet connectivity method using a different router type
Gabby wants to insert data into the response from her browser to a web application. What type of tool should she use if she wants to easily make manual changes in what her browser sends out as she interacts with the website?
An interception proxy
During her forensic copy validation process, Danielle hashed the original, cloned the image files, and received the following MD5 sums. What is likely wrong?
An unknown change or problem occured
What forensic issue might the presence of a program like CCleaner indicate?
Antiforensic activities
Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
Any Qualified Individual
What is the name of the application control technology built-in to Microsoft Windows?
AppLocker
What tool can administrators use to help identify the systems present on a network prior too conducting vulnerability scans?
Asset Inventory
Susan wants to manage access based on the job titles of members of her organization's staff. What kind of access control is best suited to this requirement?
Attribute-based access control
Gavin is investigating a security incident where attackers engaged in a denial of service attack. What leg of the CIA triad did this attack target?
Availability
Vincent is responding to a security incident that compromised one of his organization's web servers. He does not believe that the attackers modified or stole any information, but they did disrupt access to the organization's website. What cybersecurity objective did this attack violate?
Availability
Avik has been asked to identify unexpected traffic on her organization's network. Which of the following is not a tecchnique she should use?
Beaconing
What term describes a system sending heartbeat traffic to a botnet command and control server?
Beaconing
What term is used to refer to connections from compromised systems to command and control servers?
Beaconing
What type of assessment is particularly useful for identifying insider threats?
Behavior
Sayed is planning to prohibit a variety of files, including games, from being installed on the Windows workstations he manages. What technology is his best option to prevent known, unwanted files from being installed or copied to machines?
Blacklisting
A coalition of Universities banded together and created a cloud computing environment that is open to all member institutions. The services provided are basis IaaS components. What term best describes this cloud model?
Community cloud
What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?
Confidence Level
What type of tool assists with the automated validation of systems?
Configuration management
Which one of the following is not one of the five core security functions defined by the NIST cybersecurity framework?
Contain
Which one of the phases of the incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
Containment, Eradication, and Recovery
What phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach?
Containment, eradication, and recovery
Authentication that uses the IP address, geographical location, and time of day to help validate the user is known as what type of authentication?
Context-based
What approach to vulnerability scanning incorporates information from agents running on the target servers?
Continuous Monitoring
Every time Susan checks code into her organization's code repository it is tested, validated, then if accepted it is immediately put into production. What is the term for this?
Continuous delivery
What two files may contain encryption keys normally stored only in memory on a Window system?
Core dumps and hibernation files
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
Cross-site scripting
Cindy is conducting a cybersecurity risk assessment and is considering the impact that a failure of her city's power grid might have on the organization. What type of threat is she considering?
Environmental
What Windows tool allows you to review log files?
Event Viewer
Mike is looking for information about files that were changed on a Windows endpoint system. Which of the following is least likely to contain useful information for his investigation?
Event logs
What type of data can frequently be gathered from images taken on smartphones?
Exif
Renee is responding to a security incident that resulted in the unavailability of a website critical to her company's operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort?
Extended
What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies?
FISMA
Kevin is using a service where a cloud provider offers a platform that executes his code in response to discrete events. He is billed based on the actual resources consumed during each code execution event. What term best describes this service?
FaaS
Ian finds entries in /var/log/faillog on a Linux system. What types of events will be in the log file?
Failed login attempts
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
False Positive
Rachel recently investigated a security alert from her intrusion detection system and, after exhaustive research, determined that the alert was not the result of an intrusion. What type of error occurred?
False positive
What type of testing focuses on inserting problems into the error handling processes and paths in an application?
Fault injection
What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems?
Flow data
Which one of the following is an example of a computer security incident?
Former employee crashes a server
Tom would like to deploy consistent security settings to all of his Windows systems simultaneously. What technology can he use to achieve this goal?
GPO
What step occurs first during the attack phase of the penetration test?
Gaining Access
Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?
Government Agency
Joe is authorizing a document that explains to system administrators one way that they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?
Guideline
Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?
Guideline
Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
H
What law creates cybersecurity obligations for healthcare providers and others in the health industry?
HIPAA
Organizations like Anonymous, which target governments and businesses for political reasons, are examples of what type of threat actor?
Hacktivists
What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system?
Heuristic Analysis
What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries?
High
Gary is the system administrator for a federal agency and is responsible for a variety of information systems. Which systems must be covered by vulnerability scanning programs?
High-, Moderate-, or Low-Impact Systems
Which one of the following security controls is built in to Microsoft Windows?
Host firewall
Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers?
Hybrid cloud
What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure?
Hypervisor
What organization manages the global IP address space?
IANA
Which party in a federated identity service model makes assertions about identities to service providers?
IDPs
Which one of the following terms is not typically used to describe the connection of physical devices to a network?
IDS
Forensic data is most often used for what type of threat assessment data?
IOCs
What organization did the US government help create to help share knowledge between organizations in specific verticals?
ISACs
Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement?
ITIL
Under the shared responsibility model, in which tier of cloud computing is the customer responsible for securing the operating system?
IaaS
In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use?
IaaS and PaaS
Ben is preparing to conduct a cybersecurity risk assessment for his organization. If he chooses to follow the standard process proposed by NIST, which of the following steps would come first?
Identity Threats
Which one of the following is not a suggested criteria for evaluating containment strategies?
Identity of attacker
Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan?
Immediately
A man-in-the-middle attack is an example of what type of threat vector?
Impersonation
What type of attack occurs when an attacker takes advantage of OAuth open redirects to take on the identity of a legitimate user?
Impersonation
Which one of the following activities is not normally conducted during the recovery validation phase?
Implement new firewall rules
During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?
Improper error handling
What process is used to ensure that an application can handle very high numbers of concurrent users or sessions?
Load testing
While analyzing a malware injection, Joseph notes that the malware had encrypted files, thereby preventing the organization's main web application server from serving files. What type of impact has he noted?
Localized, immediate impact
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
Log records generated by the strategy
Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is the simplest to exploit?
Low
During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing?
Maintaining chain of custody
Tony wants to check the digital signature of an email. What key does he need to verify that an email is from his friend Mal?
Mal's public key
OpenIOC uses a base set of indicators of compromise originally created and provided by which security company?
Mandiant
Carl does not have the ability to capture data from a cell phone using mobile forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there?
Manual Access
Ben is working to classify the functional impact of an incident... How should Ben classify the functional impact of this incident according to the NIST scale? Ch. 11, 4
Medium
Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?
Medium
Before Ben send a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called?
Metadata Scrubbing
Which of the following options is the most likely used for the host listed int he dhcpd.conf entry? host db1 {option host-name "sqldb1.example.com";hardware ethernet 8a:00:83:aa:21:9ffixed address 10.1.240.10
Microsoft SQL Server
Which of the following tools does not provide real-time drive capacity monitoring for Windows?
Microsoft endpoint configuration manager
Colin would like to select a web application firewall that is open source and protects against a wide range of attacks. Which one of the following tools would be best suited to his needs?
ModSecurity
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
Moderate Impact
A member of Susan's team recently fell for a phishing scam and provided his password and personal information to a scammer. What layered security approach is not an appropriate layer for Susan to implement to protect her organization from future issues?
Multitiered firewalls
Which of the following technologies is best suited to prevent wired rogue devices from connecting to a network?
NAC
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability?
NAT
Alfonso is connected that users might leave his organization and then share sensitive information that they retained with future employees. What security control would best protect against this risk?
NDA
What type of firewall provides the greatest degree of contextual information and can include information about users and applications in its decision-making process?
NGFW
Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks throughout the enterprise?
NTP
Advanced persistent threats are most commonly associated with which type of threat actor?
Nation-state actors
Which of the following threat actors typically has the greatest access to resources?
Nation-state actors
What tool would you use to capture IP traffic information to provide flow and volume information about a network?
Netflow
Robert's Organization has a Bring Your Own Device (BYOD) policy, and he would like to ensure that devices connected to the network under this policy have current antivirus software. What technology can best assist him with this goal?
Network Access Control
Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. How should Hank classify the information impact of this security event?
None
In which cloud computing service model does the customer share responsibility with the cloud provider for the datacenter security?
None of the above
Which of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?
Nonrepudiation
What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?
OS Detection
Which of the following is not a common attack against Kerberos?
Open redirect-based attacks
What type of firewall rule error occurs when a service is decommissioned but the related firewall rules are not removed?
Orphaned rule
Kristen wants to implement a code review but has a distributed team that works at various times during the day..... What type of review process will work best for her needs?
Over-the-shoulder
What compliance obligation applies to merchants and service providers who work with credit card information?
PCI DSS
Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack?
PR
Chris is reviewing NetFlow logs while monitoring for systems that are participating in a botnet. Which of the following types of data will he not be able to see in his NetFlow records?
Packet payload
Gina gained access to a client's AWS account during a penetration test. She would like to determine what level of access she had to the account. Which of the following tools would best meet her need?
Pacu
Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
Parameterized queries
Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?
Procedure
Which one of the following elements is not normally found in an incident response policy?
Procedures for rebuilding systems
Vic is planning a redesign of his organization's firewall strategy and is planning to issue an RFP for a firewall vendor. Which one of the following vendors would not be able to meet Vic's needs?
Proofpoint
Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss?
Proprietary breach
Using TLS to protect application traffic helps satisfy which of the OWASP best practices?
Protect data
Tony purchases virtual machines from Microsoft Azure and uses them exclusively for use by his organization. What model of cloud computing is this?
Public cloud
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
Quarterly
When performing 802.1x authentication, what protocol does thee authenticator use to communicate with the authentication server?
RADIUS
Which format does dd produce files in while disk imaging?
RAW
Kathleen wants to build a public API for a modern service-oriented architecture. What model is likely her best choice?
REST
Renee is configuring her vulnerabilty management solution to perform credentialed scans of her network. What type of account should she provide to the scanner?
Read-Only
Barry is participating in a cybersecurity wargame exercise. His role is to attempt to break into adversary systems. What team is he on?
Red Team
You notice a high number of SQL injection attacks against a web application run by your organization, and you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
Reduced the probability
Which of the following is not a common DNS anti-harvesting technique?
Registering Manually.
After a major patch is released for the web application that he is responsible for, Sam proceeds to run his web application security scanner against the web application to verify that it is still secure. What is the term for the process Sam is conducting?
Regression testing
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
Removal
Jen identified a missing patch on a windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
Removed the vulnerability
Which of the following activities is not part of the vulnerability management life cycle?
Reporting
Amanda would like to run a security configuration scan of her Microsoft Azure cloud environment. Which one of the following tools would be most appropriate for her needs?
ScoutSuite
Which type of Windows log is most likely to contain information about a file being deleted?
Security Logs
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
Segmentation
What containment strategy moves compromised systems to a separate VLAN attached to the enterprise network?
Segmentation
Ben's successful attack on an authenticated user required him to duplicate the cookies that the web application put in place to identify the legitimate user. What type of attack did Ben conduct?
Session hijacking
Which of the following conditions is not likely to trigger an alert during an automated cloud security assessment?
Sharing of API keys among different developers
Which one of the following is not a common use of formal incident reports?
Sharing with other organizations
How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building?
Signal strength and triangulation
What type of malware prevention is most effective against known viruses?
Signature detection
File carving is used to find file remnants found in clusters on disks that have been only partially rewritten by new files. What is the technical term for where these files are found?
Slack
Which one of the following is not an example of a vulnerability scanning tool?
Snort
During an information gathering exercise, Chris is asked to find out detailed personal information about his target's employees. What is frequently the best place to find this information?
Social Media
Kevin is reviewing netflow records from his network. Which one of the following pieces of information would those records not contain?
Source MAC address
During testing, Tiffany slowly increases the number of connections to an application until it fails. What is she doing?
Stress testing
Juan is configuring a new device that will join his organization's wireless network. The wireless network uses 802.1x authentication. What type of agent must be running on the device for it to join this network?
Supplicant
What is the piece of software running on a device that enables it to connect to a NAC-protected network?
Supplicant
Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan?
Systems on the Isolated Network
Cyn wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose?
TAXII
Beth would like to identify the processes running on her system that have active network connections. Which tool can she use?
TCP View
Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol should be the best choice?
TLS 1.1
What term describes a chip that is built into a computer that stores encryption keys specific to the system that is used for hardware authentication?
TPM
Which one of the following protocols should never be used on a public network?
Telnet
Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website?
The Internet Archive
While reviewing a Wireshark traffic capture, Mike discovers the following information. What does he know about the user's device based on this TCP stream?
The device is a Samsung SM-N95OU
Michelle is analyzing a Wireshark traffic capture, and follows the TCP stream for a TIFF file download. What concern should she raise from the information displayed in the stream viewer?
The file is an executable
Cameron builds a malware signature using a hash of the binary that he found on an infected system. What problem is he likely to encounter with modern malware when he tries to match hashes with other infected systems?
The malware may be polymorphic
What can the MAC address of a rogue device tell you?
The manufacturer of the device
While Susan is monitoring a router via network flows, she sees a sudden drop in network traffic levels to zero, and the traffic chart flows a flat line. What has likely happened?
The monitored link failed
Which one of the following parties is not commonly the target of external communications during an incident?
The perpetrator
Jennifer wants to preform memory analysis and forensics for Windows, MacOS, and Linux systems. Which of the following is best suited to her needs?
The volatility frameork
STRIDE, PASTA, and LINDDUN are all examples of what?
Threat classification tools
What drove the creation of ISACs in the United States?
Threat information sharing for infrastructure owners
Which of the following activities follows threat data analysis in the threat intelligence cycle?
Threat intelligence dissemination
Grace is the CSIRT team leader for a business unit within NASA, a federal agency. What is the minimum amount of time that Grace must retain incident handling records?
Three years
While studying an organization's risk management process under the NIST cybersecurity framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure?
Tier 4
Which one of the following data protection techniques is reversible when conducted property?
Tokenization
Which one of the following US government classification levels requires the highest degree of security control?
Top Secret
What command-line tool can be used to determine the path that traffic takes to a remote system?
Traceroute
Charles is reviewing flow logs for his organization and notices that traffic has seen a 20 percent increase on the second Thursday of each month, after which the traffic returns to normal. What type of analysis is Charles conducting?
Trend Analysis
James wants to monitor a Linux system's filesystem for unauthorized changes. What open source tool can he use to perform this task?
Tripwire
Which one of the following is a file integrity monitoring tool?
Tripwire
Gabby is designing a multifactor authentication system for her company... How many distinct factors will she have implemented when she is done?
Two
What process checks to ensure that functionality meets customer needs?
UAT
What monitoring technique focuses on the behavior of end users?
UEBA
Which of the following is not a potential issue with live imaging of a system?
Unallocated apace will be captures
Which of the following options is not a valid way to check the status of a service in Windows?
Use service --status at the command line
Which of the following is not one of the three vital statistics of endpoints?
User account activity
Which one of the following is not an example of infrastructure as code?
Using a cloud provider's web interface to provision resources
What technique should network administrators use on switches to limit the exposure of sensitive network traffic?
VLAN pruning
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
VM escape
Tommy is assessing the security of several database servers in his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Tommy detected?
Vulnerability
Which of the following metrics is not included in the calculation of the CVSS exploitability score?
Vulnerability Age
Kevin would like to implement a specialized firewall that can protect against SQL ijection, cross-site scripting, and similar attacks. What technology should he choose?
WAF
A cross-site scripting attack is an example of what type of threat vector?
Web
Alex wants to prohibit software that is not expressly allowed by his organization's desktop management team from being installed on workstations. What type of tool should he use?
Whitelisting
Fred wants to ensure that only software that has been preapproved runs on workstations he manages. What solution will best fit this need?
Whitelisting
Which lookup tool provides information about a domain's registrar and physical location?
Whois
Which one of the following operating systems should be avoided on production networks?
Windows Server 2003
Which one of the following tools is a protocol analyzer?
Wireshark
What language is STIX based on?
XML
What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization's systems?
Zone Transfer
What technique is being used in this command? dig axfr @dns-server example.com
Zone Transfer
What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers?
Zone Transfers
What security control can be used to clearly communicate to users the level of protection required for different data types?
classification policies
What type of security policy often serves as a backstop for issues not addressed in other policies?
code of conduct
During an incident response, what is the highest priority of first responders?
containing the damage
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
containment
Which one of the following statements is not true about compensating controls under PCI DSS?
controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement
Which one of the following is not a common use of the NIST cybersecurity framework?
create specific technology requirements for an organization
A US company stores data in an EU data center and finds that it is now subject to the requirements of GDPR. This is an example of
data sovereignty
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
destroy
Which of the following Linux commands will show you how much disk space is in use?
df
Server logs are an example of _____ evidence.
documentary
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
eradication
During what phase of continuous security monitoring does the organization define metrics?
establish
Which component of a syslog message contains the timestamp?
header
Cameron wants to be able to detect a denial-of-service attack against his web server. Which of the following tools should he avoid?
iPerf
Which one of the following is not typically found in a cybersecurity incident report?
identity of the attacker
Which one of the following tools does not provide useful information for DNS harvesting?
ifconfig
Chris wants to decrease the threat of malicious email links in email. What technique can he use to decrease their likelihood of success without having a significant business impact?
implement DNS blackholing using a DNS reputation service
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing?
isolation
Darren is updating the organization's risk management process. What type of control is Darren creating?
managerial
Which evidence source should be collected first when considering the order of volatility?
memory contents
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal?
none of the above
What Linux file permissions group is used to describe the permissions assigned to any user of the system?
o
What type of investigation would typically be launched in response to a report of high network latency?
operational
Three of these choices are data elements found in NetFlow data. Which is not?
packet contents
What three options are most likely to be used to handle a memory leak?
patching, service restarts, and system reboots
What Windows tool provides detailed information including information about USB host controllers, memory usage, and disk transfers?
perfmon
Which one of the following documents must normally be approved by the CEO or similarly high-level executive?
policy
Greg recently conducted an assessment of his organization's security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?
preventive
During what phase of ediscovery does an organization share information with the other side?
production
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
purge
Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?
purpose limitation
Which one of the following data elements would not normally be included in an evidence log?
record of handling
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?
removal
Which one of the following would not normally be found in an organizations information security policy?
requirement to use AES-256 encryption
Which one of the following is not a purging activity?
resetting to factory state
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
root cause of the attack
Which one of the following activities does CompTIA classify as part of the recovery validation effort?
scanning
What law governs the financial records of publicly traded companies?
sox
Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?
standard
Which of the following issues makes both cloud and virtualized environments more difficult to perform forensics on?
systems mat be ephemeral
Susan needs to capture network traffic from a Linux server that does not use a GUI. What packet capture utility is found on many Linux systems and works from the command line?
tcpdump
Tina is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization's network. What type of control is Tina designing?
technical control
Juan wants to see a list of processes along with their CPU utilization in an interactive format. What built-in Linux tool should he use?
top
Ian wants to view all of the data about current memory consumption on his Linux system but wants to be able to read it one page at a time. Which of the following commands will allow him to do so?
top | more
SIEMs correlate security information received from other devices.
true
What DLP technique tags sensitive content and then watches for those tags in data leaving the organization?
watermarking
What type of technology prevents a forensic examiner from accidentally corrupting evidence while creating an image of a disk?
write blocker
What command is used to apply operating system updates on some Linux distributions?
yum
Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
Detect an Incident in progress
Charlene executes the following command against the file shown. What entries will it return? grep -v error /var/log/boot.log
All lines without the string "error" in them
Jason has user rights on his Linux workstation, but he wants to read his department's financial reports,....What type of attack is this?
Privilege escalation
The Dirty COW attack is an example of what type of vulnerability?
Privilege escalation
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date?
A timeline
Ben works with a team that includes a dozen security analysts....What type of system could he implement to ensure that releases follow the proper testing and implementation process?
A workflow orchestration system
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen during her data acquisition process?
A write blocker
Megan is trying to prevent impersonation attacks from impacting her company but receives a "No DMARC record found" error when she checks a frequent business partner's DNS information. What do they need to do to enable DMARC? Ch. 10, 17
All of the above
Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
An Approved Scanning Vendor
Angela is concerned about attackers enumerating her organization's LDAP directory. What LDAP control should she recommend to help limit the impact of this type of data gathering?
ACLs
Which tool is not commonly used to generate the hash of a forensic copy?
AES
What type of credential is commonly used to restrict access to an API?
API key
Brian is selecting a CASB for his organization and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs?
API-based CASB
Gabby wants to select a threat framework for her organization, and identifying threat actor tactics in a standardized way is an important part of her selection process. Which threat model would be her best choice?
ATT&CK
What router technology can be used to perform basic firewall functionality?
Access control lists
Which of the following technologies is NTLM associated with?
Active Directory
During passive intelligence gathering, you are able to run netstat on a workstation located at your target's headquarters. What information would you not be able to find using netstat on a Windows system?
Active IPX Connections
Which one of the following categories of threat requires that cybersecurity analysts consider the capability, intent, and targeting of the threat source?
Adversarial
Alex is conducting a forensic examination of a Window system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?
C:\Windows\Jim\AppData\Local\Temp
Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
CEO
Which one of the following individuals would not normally be found on the incident response team?
CEO
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
CPE
Which one of the following would not commonly be available as an IaaS service offering?
CRM
Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
CVSS
Which one of the following statements about cloud computing is incorrect?
Cloud computing customers provision resources through the service provider's sales team
Renee is configuring her organization's email servers and would like to communicate security policies to other email servers about how they should handle email from her domain. Which protocol would best meet her needs?
DMARC
Susan wants to use an email security protocol to determine the authenticity of the email. Which of the following options will ensure that her organization's email server can determine if it should accept email from a sender?
DMARC
Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used?
Data
Tim has assigned an analyst to add third-party.......What is the analyst doing? Chapter 10 number 10
Data enrichment
Which one of the following policies would typically answer questions about when an organization should destroy records?
Data retention policy
Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
Database tables
Which one of the following services is not an example of FaaS computing?
DeepLens
Which of the following measures is not commonly used to assess threat intelligence?
Detail
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue that Jeff could encounter if the case goes to court and his procedures are questioned?
Inability to certify chain of custody
Ben's organization uses an IP reputation service to block outbound access to all site that are flagged with a negative reputation score. What issue could this cause?
Inadvertent blocking of sites due to false positives
Which one of the following statements about incline CASB is incorrect?
Incline CASB solutions can monitor activity but cannot actively enforce policy
Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
Inclusion of a public encryption key
Which one of the following is a characteristic of DevOps approaches to technology?
Increasing the frequency of application releases
Who is the best facilitator for a post-incident lessons-learned session?
Independent facilitator
Who is the most effective person to lead a lessons learned review?
Independent facilitator
What phase of the cyber kill chain includes creation of persistent backdoor access for attackers?
Installation
What common criticism is leveled at the cyber kill chain?
It includes actions outside the defended network
Susan needs to explain what a jump box is to a member of her team. What should she tell them?
It is a system used to access and manage systems or devices in another security zone.
What toolkit enables attackers to easily automate evil twin attacks?
KARMA
Where do published vulnerabilities fit in the Johari window?
Known to others/known to us
Which of the following technologies is not a shared authentication technology?
LDAP
Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form?
Live imaging
The 2013 Yahoo breach resulted in almost 1 billion MD5 hashed passwords being exposed. What user behavior creates the most danger when this type of breach occurs?
Password reuse
Which of the following is not a common technique used to defend against command and control (C2) capabilities deployed by attackers?
Patching against zero-day attacks
Which one of the following is an example of an operational security control?
Penetration Tests
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
Performing user input validation
Chris wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate?
Pinging remote systems
During what phase of penetration test should the testers obtain written authorization to conduct the test?
Planning
Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning?
Plausible Deniability
Tommy is the CSIRT team leader....What document is most likely to contain step-by-step instructions that he might follow in the early hours of the response effort? Ch. 11, 19
Playbook
Which one of the following document types would outline the authority of a CSIRT responding to a security incident?
Policy
Michelle has a security token that her company issues her. What type of authentication factor does she have?
Possession
During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?
Preparation
Jim was originally hired into the helpdesk at his current employer but has since then moved into finance....What is this issue called?
Privilege creep
Chris is in charge of his organization's Windows security standard, including their Windows 7 security standard, and has recently decommissioned the organization's last Windows 7 system. What is the next step in his security standard's life cycle?
Retiring the Windows 7 standard
Which of the following methods is not an effective method for preventing brute-force password guessing attacks via login portals?
Returning an HTTP error
Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?
Review of security breaches or compromises your organization has faced
During a Fagan code inspection, which process can redirect to the planning stage?
Rework
What term describes an organization's willingness to tolerate risk in their comping environment?
Risk Appetite
Paul recently completed a risk assessment and determined that his network was vulnerable to hackers connecting to open ports on servers. He implemented a network firewall to reduce the likelihood of a successful attack. What risk management strategy did Paul choose to pursue?
Risk Mitigation
What security design is best suited to protect authentication and authorization for a network that uses TACACS+?
Route management traffic over a dedicated network
Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plug-ins. What would be the best approach for the initial scan?
Run the Scan in a Test Environment
Alan is responsible for developing his organization's detection and analysis capabilities... What type of system is best suited to meet Alan's security objective? Ch. 11, 3
SIEM
Which of the following is not a reason to avoid using SMS as a second factor for authentication?
SMS cannot send unique tokens
What protocol is used to transport email between servers?
SMTP
Sofia suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to help verify her suspicions?
SNMP
What are SNMP alert messages called?
SNMP traps
What security technology best assists with the automation of security workflows?
SOAR
What NIST publication contains guidance on cybersecurity incident handling?
SP 800-61
What language can you use to query logs that are stored in a relational database?
SQL
Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
SQL injection
Helen designed a new payroll system that she offers to her customers. She hosts the payroll system in AWS and her customers access it through the web. What tier of cloud computing best describes Helen's service?
SaaS
Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
Sandbox
Which of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures?
Sandboxing
Susan's team has been writing code for a major project for a year and recently released their third version of the code....What type of tool should Susan implement to help avoid this issue in the future?
Source control management
Which one of the following factors is least likely to impact vulnerability scanning schedules?
Staff Availability
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
Static code analysis
Chris is responsible for monitoring his organization's file shares and security and has discovered that employees are consistently retaining access to files after they change positions. Where should he focus his efforts if his organization's account life cycle matches the following?
Step 3
