CySA+ 002
1) jason:rover123 2) tamera:Purple6! 3) sahra:123Password 4) tim:cupcakes2 Based on this output, what type of password cracking method does this utilize? a. Rainbow table b. Hybrid attack c. Dictionary attack d. Brute force attack
B. Hybrid attack
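Why those four passwords point to a hybrid attack, as an added example (this is illustrative code, not part of the study set): a hybrid attack takes each dictionary word and brute-forces a short mask of digits and symbols around it, which is how rover123, Purple6!, 123Password and cupcakes2 fall out of the base words rover, purple, password and cupcakes. The wordlist, the hash algorithm (unsalted SHA-256, chosen only so the demo runs offline) and the mask sizes are assumptions.

```python
"""Hybrid password guessing demo (added example, not the study set's code).
Dictionary words are combined with a brute-forced mask of up to three
digits and an optional trailing symbol. Hash algorithm, wordlist and mask
sizes are assumptions made for the demonstration."""
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional

DIGITS = "0123456789"
SYMBOLS = "!@#$"


def hybrid_candidates(word: str, max_digits: int = 3) -> Iterator[str]:
    """Yield guesses for one base word: the plain dictionary guess, then the
    word (lower-case and capitalised) with 1..max_digits digits appended or
    prepended, and with a trailing symbol after appended digits."""
    for base in (word.lower(), word.capitalize()):
        yield base                              # pure dictionary guess
        for n in range(1, max_digits + 1):
            for combo in itertools.product(DIGITS, repeat=n):
                digits = "".join(combo)
                yield base + digits             # rover123, cupcakes2
                yield digits + base             # 123Password
                for sym in SYMBOLS:
                    yield base + digits + sym   # Purple6!


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack(hashes: Dict[str, str], wordlist: List[str],
          max_digits: int = 3) -> Dict[str, Optional[str]]:
    """Return {user: recovered password or None} for unsalted SHA-256 hashes."""
    wanted = {h: user for user, h in hashes.items()}
    found: Dict[str, Optional[str]] = {user: None for user in hashes}
    for word in wordlist:
        for guess in hybrid_candidates(word, max_digits):
            user = wanted.get(sha256_hex(guess))
            if user is not None and found[user] is None:
                found[user] = guess
                if all(found.values()):
                    return found
    return found


# Constructed demo data: the four credentials from the question, hashed here
# so the example runs offline; a real engagement would read a hash dump.
DEMO_WORDLIST = ["rover", "purple", "password", "cupcakes"]
DEMO_HASHES = {
    "jason": sha256_hex("rover123"),
    "tamera": sha256_hex("Purple6!"),
    "sahra": sha256_hex("123Password"),
    "tim": sha256_hex("cupcakes2"),
}

if __name__ == "__main__":
    for user, pw in crack(DEMO_HASHES, DEMO_WORDLIST).items():
        print(f"{user}:{pw}")
```

A pure dictionary attack would stop at the plain word and miss all four; a pure brute-force attack would need to search the whole 8- to 11-character keyspace. The hybrid search here is about 13,000 guesses per word, which is the whole point of the technique.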
Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop? a. Search the user's profile directory for the list b. Search the wireless adapter cache for the list c. List of the previously connected wireless networks is not stored on the laptop d. Search the registry for a complete list
d. Search the registry for a complete list
You have tried to email yourself a file named "passwords.xlsx" from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred? a. Quarantine b. Alert only c. Blocking d. Tombstone
d. Tombstone
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer's hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend? a. Purging b. Shredding c. Degaussing d. Wiping
d. Wiping
You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the scan from your workstation? a. nmap -sX b. nmap -sS c. nmap -O d. nmap -sT
d. nmap -sT
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? a. Zero-wipe drives before moving systems b. Use full-disk encryption c. Span multiple virtual disks to fragment data d. Use data masking
B. Use full-disk encryption
You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? a. MAC validation b. Port scanning c. War walking d. Site surveys
c. War walking
Which of the following is exploited by an SQL injection to give the attacker access to a database? a. Database server b. Firewall c. Web application d. Operating system
c. Web application
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? a. plists b. .profile files c. .config files d. registry
a. plists
Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program's components are run from in memory? a. DLL b. ASLR c. DEP d. DLP
b. ASLR
Which of the following would be used to prevent a firmware downgrade? a. eFUSE b. TPM c. HSM d. SED
a. eFUSE
You are conducting a vulnerability scan of a hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? a. Recommend immediate replacement of the PLCs with ones that aren't vulnerable to this type of attack b. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists c. Recommend isolation of the elevator control system from the rest of the production network through the change control process d. Recommend immediate disconnection of the elevator's control system from the enterprise network
C. Recommend isolation of the elevator control system from the rest of the production network through the change control process
After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor and will cost $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects? a. Agile Model b. Waterfall Model c. DevOps d. DevSecOps
D. DevSecOps
You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? a. Network flows for the DMZ containing mail servers b. SMTP audit log from your company's email server c. Firewall logs showing the SMTP connections d. Full email header from one of the spam messages
D. Full email header from one of the spam messages
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? a. Organizational governance b. Processor utilization c. Virtual hosts d. Log disposition
D. Virtual hosts
Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email's malicious link is not being blocked by the company's security suite when a user clicks the link. Susan asks you what action can be performed to prevent a user from reaching the website associated with the phishing email's malicious link. What action do you recommend she utilize? a. Add the malicious domain name to your content filter and web proxy's block list b. Forward this phishing email to all employees with a warning not to click on the embedded links c. Enable TLS on your organization's mail server d. Block the IP address of the malicious domain in your firewall's ACL
a. Add the malicious domain name to your content filter and web proxy's block list
An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? a. Any listed answers may be true b. The machines are not running SNMP servers c. The community string being used is invalid d. The machines are unreachable
a. Any listed answers may be true
Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? a. Application allow list b. Anti-malware solution c. Host-based firewall d. Intrusion detection system
a. Application allow list
Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts? a. Corporate policy b. Configuration settings from the prior system c. NIST guideline documents d. Vendor best practices
a. Corporate policy
Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE) a. Dependency on the cloud service provider b. Limited disaster recovery options c. Management of VPC offerings d. Patching of the backend infrastructure e. Protection of endpoint security f. Management of physical servers
a. Dependency on the cloud service provider b. Limited disaster recovery options e. Protection of endpoint security
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? a. Endpoint forensics b. Endpoint behavior analysis c. Network traffic analysis d. Network forensics
a. Endpoint forensics
Which of the following are the two most important factors when determining a containment strategy? a. Ensuring the safety and security of all personnel b. Prevention of an ongoing intrusion or data breach c. Avoidance of alerting the attacker that they have been discovered d. Preservation of evidence e. Identification of whether the intrusion is the primary attack or a secondary one (i.e., part of a more complex campaign)
a. Ensuring the safety and security of all personnel b. Prevention of an ongoing intrusion or data breach
Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO) a. GPS location b. NAC c. Port security d. Geo-IP
a. GPS location b. NAC
Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ? a. High b. Low c. None d. Medium
a. High
String query = "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='" + request.getParameter("certification")+"'" If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for "id" and "certification", which of the following strings allow this to occur? a. id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" b. certification = "cysa" OR '1'=='1" c. id = "1' OR '1'=='1" d. id = "1' OR '1'==1" and certification = "cysa' OR '1=='1"
a. id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1"
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before they leave the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements? a. Install a NIPS on the internal interface and a firewall on the external interface of the router b. Configure IP filtering on the internal and external interfaces of the router c. Installation of a NIPS on both the internal and external interfaces of the router d. Install a firewall on the router's internal interface and a NIDS on the router's external interface
a. Install a NIPS on the internal interface and a firewall on the external interface of the router
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? a. Lessons learned report b. Chain of custody report c. Forensic analysis report d. Trends analysis report
a. Lessons learned report
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? a. MITRE ATT&CK framework b. OpenIOC c. Lockheed Martin cyber kill chain d. Diamond Model of Intrusion Analysis
a. MITRE ATT&CK framework
Dion Training has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator's control system has an embedded cellular modem that periodically connects to the generator's manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training's other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario? a. Minimal risk is assumed since the cellular modem is configured for outbound connections only b. High risk is assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator c. Critical risk is being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment d. Medium risk is assumed since the manufacturer could use the data for purposes other than originally agreed upon
a. Minimal risk is assumed since the cellular modem is configured for outbound connections only
Jorge and Marta are working on a programming project together. During a code review, Marta explains her code to Jorge while looking at the code on her computer. Which of the following code review techniques is being used in this scenario? a. Over-the-shoulder b. Dual control c. Pair programming d. Tool-assisted review
a. Over-the-shoulder
Which of the following lists represents the NIST cybersecurity framework's four tiers, when ordered from least mature to most mature? a. Partial, Risk Informed, Repeatable, Adaptive b. Partial, Repeatable, Risk Informed, Adaptive c. Partial, Managed, Risk Informed, Adaptive d. Partial, Risk Informed, Managed, Adaptive
a. Partial, Risk Informed, Repeatable, Adaptive
As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? a. Perform a DNS brute-force attack b. Use an nmap stealth scan c. Use an nmap ping sweep d. Perform a DNS zone transfer
a. Perform a DNS brute-force attack
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? a. Router and switch-based MAC address reporting b. Physical survey c. Reviewing a central administration tool like an endpoint manager d. A discovery scan using a port scanner
a. Router and switch-based MAC address reporting
String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; What is the largest security issue with this line of code? a. SQL injection could occur because input validation is not being used on the id parameter b. * operator will allow retrieval of every data field about this customer in the CUSTOMER table c. Code is vulnerable to a buffer overflow attack d. Code is using parameterized queries
a. SQL injection could occur because input validation is not being used on the id parameter
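A runnable walkthrough of the two string-built queries (the courses query with two parameters and the CUSTOMER query with one), as an added example that is not the study set's own code. It rebuilds the Java concatenation in Python against an in-memory SQLite table named courses with constructed rows, next to the parameterised form that closes the hole. SQLite accepts the `==` comparison used in the answer strings, so the page's payloads run verbatim (standard SQL spells it `=`).

```python
"""SQL injection: string concatenation versus parameterised queries.
Added example, not from the study set. Table layout and rows are
constructed for the demo; SQLite is used so it runs offline."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]

# Constructed rows: two courses share the "cysa" certification on purpose,
# so a partial injection is distinguishable from a full table dump.
COURSES: List[Row] = [
    ("1", "CySA+ Bootcamp", "cysa"),
    ("2", "CySA+ Labs", "cysa"),
    ("3", "Security+ Bootcamp", "secplus"),
]


def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE courses (courseID TEXT, name TEXT, certification TEXT)")
    con.executemany("INSERT INTO courses VALUES (?, ?, ?)", COURSES)
    return con


def vulnerable_lookup(con: sqlite3.Connection, course_id: str,
                      certification: str) -> List[Row]:
    """Mirrors the question's Java concatenation: the input is spliced into
    the SQL text, so a quote in the input rewrites the WHERE clause."""
    query = ("SELECT * FROM courses WHERE courseID='" + course_id +
             "' AND certification='" + certification + "'")
    return con.execute(query).fetchall()


def safe_lookup(con: sqlite3.Connection, course_id: str,
                certification: str) -> List[Row]:
    """Parameterised form: the input is bound as data and never parsed as SQL."""
    query = "SELECT * FROM courses WHERE courseID=? AND certification=?"
    return con.execute(query, (course_id, certification)).fetchall()


# Payloads taken from the question's answer choice a.
FULL_DUMP_ID = "1' OR '1'=='1"
FULL_DUMP_CERT = "cysa' OR '1'=='1"

if __name__ == "__main__":
    db = fresh_db()
    print(vulnerable_lookup(db, FULL_DUMP_ID, FULL_DUMP_CERT))   # every row
    print(vulnerable_lookup(db, FULL_DUMP_ID, "cysa"))           # only the cysa rows
    print(safe_lookup(db, FULL_DUMP_ID, FULL_DUMP_CERT))         # no rows
```

The id-only payload (choice c) yields `courseID='1' OR '1'=='1' AND certification='cysa'`, and because AND binds tighter than OR that is `courseID='1' OR ('1'=='1' AND certification='cysa')`, which still filters on the certification the attacker supplied. Injecting the second parameter as well appends a trailing `OR '1'=='1'` that makes the whole WHERE clause true, hence choice a. For the single-parameter CUSTOMER query the id payload alone is already a full dump, and the fix is the same: bind the value as a parameter.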
Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided to predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model? a. Supplemented b. Extended c. Non-recoverable d. Regular
a. Supplemented
What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase? a. Training and transition b. Disposition c. Development d. Operations and maintenance
a. Training and transition
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? a. Type of data processed by the system b. Cost of hardware replacement of the system c. Depreciated hardware cost of the system d. Cost of acquisition of the system
a. Type of data processed by the system
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? a. User and entity behavior analytics b. Implement endpoint protection platforms c. Installation of anti-virus tools d. Use of a host-based IDS or IPS
a. User and entity behavior analytics
What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from 172.16.1.224 addresses within a /26 subnet? a. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b b. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b c. \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b d. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
a. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b
A /26 holds 64 addresses, so 172.16.1.224 sits in 172.16.1.192-172.16.1.255 (last octet 192-255):
\b - word boundary, so the pattern matches a whole address rather than part of a longer number
19[2-9] - 192-199
2[0-4][0-9] - 200-249
25[0-5] - 250-255
Option d matches every host in 172.16.1.0/24, option b matches the wrong range (20-24 and 200-255), and option c matches any IPv4 address at all.
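Checking the chosen regex against the subnet arithmetic, as an added example (not from the study set): it compares the pattern with Python's ipaddress module for every possible last octet, then runs it over constructed log lines. The key=value log format and the `src=` field name are assumptions.

```python
r"""Verify the /26 regex against CIDR membership and use it as a log filter.
Added example, not from the study set; log format is an assumption."""
import ipaddress
import re
from typing import List

SUBNET = ipaddress.ip_network("172.16.1.192/26")        # 172.16.1.192-255
SUBNET_RE = re.compile(r"\b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b")


def regex_matches_cidr() -> bool:
    """True if the regex and the CIDR agree on all 256 last-octet values."""
    for last in range(256):
        addr = f"172.16.1.{last}"
        by_cidr = ipaddress.ip_address(addr) in SUBNET
        by_regex = SUBNET_RE.search(addr) is not None
        if by_cidr != by_regex:
            return False
    return True


def grep_subnet(lines: List[str]) -> List[str]:
    """The log search the question asks for: keep lines the regex matches."""
    return [line for line in lines if SUBNET_RE.search(line)]


def grep_subnet_strict(lines: List[str]) -> List[str]:
    r"""Parse the src= field and test it with ipaddress. \b only guarantees a
    boundary between word and non-word characters, so the regex also fires
    inside a longer dotted quad such as 10.172.16.1.200; field-aware parsing
    is the safer filter once the log format is known."""
    out = []
    for line in lines:
        m = re.search(r"\bsrc=(\S+)", line)
        if not m:
            continue
        try:
            if ipaddress.ip_address(m.group(1)) in SUBNET:
                out.append(line)
        except ValueError:
            continue    # not an IP literal: skip rather than guess
    return out


# Constructed sample lines.
LOG = [
    "src=172.16.1.224 dst=10.0.0.8 proto=tcp dport=443",    # in the /26
    "src=172.16.1.192 dst=10.0.0.8 proto=tcp dport=22",     # first host in the /26
    "src=172.16.1.191 dst=10.0.0.8 proto=udp dport=53",     # one below the range
    "src=172.16.10.250 dst=10.0.0.8 proto=tcp dport=80",    # third octet differs
    "src=10.172.16.1.200 dst=10.0.0.8 proto=tcp dport=80",  # malformed, regex still matches
]

if __name__ == "__main__":
    print("regex agrees with CIDR:", regex_matches_cidr())
    for line in grep_subnet(LOG):
        print("regex :", line)
    for line in grep_subnet_strict(LOG):
        print("strict:", line)
```

The last sample line is the caveat worth remembering: the regex is correct for well-formed addresses, but a word boundary is not an address boundary, so when the tool allows it, parse the field and test membership rather than pattern-matching the whole line.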
You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst? a. Open-source libraries are inherently insecure because you don't know who wrote them b. Any security flaws present in the library will also be present in the developed application c. There are no concerns with using commercial or open-source libraries to speed up development d. Whether or not the libraries being used in the projects are the most up-to-date versions
b. Any security flaws present in the library will also be present in the developed application
Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach. They will assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? a. Require all employees to commit to an NDA about the data breach in writing b. Ask a member of law enforcement to meet with your employees c. Block all employee access to social media from the company's network and begin monitoring your employee's email d. Require all employees to commit to an NDA about the data breach verbally
b. Ask a member of law enforcement to meet with your employees
You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? a. Exploiting the vulnerability does not require any specialized conditions b. Attacker must have physical or logical access to the affected system c. Attacker must have access to the local network that the system is connected to d. Exploiting the vulnerability requires the existence of specialized conditions
c. Attacker must have access to the local network that the system is connected to (AV:A is Adjacent Network; physical or logical access to the system itself describes the Physical or Local vector, and the "specialized conditions" statements describe Attack Complexity, not Attack Vector)
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? a. Beaconing interval b. Beacon's protocol c. Removal of known traffic d. Beacon's persistence
b. Beacon's protocol
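The three criteria the question treats as valid, turned into detection logic as an added example (not from the study set): per source/destination pair it measures how regular the interval between connections is, how long the pattern persists, and it drops known traffic first. It runs over constructed NetFlow-style records; the thresholds and the allowlist are assumptions. The protocol is deliberately not used as a signal, since a beacon uses whatever egress is allowed (HTTPS, DNS and so on).

```python
"""Beacon detection over constructed flow records. Added example, not from
the study set; thresholds, allowlist and sample traffic are assumptions."""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[int, str, str]      # (epoch seconds, src, dst)
Pair = Tuple[str, str]


def beacon_scores(flows: Iterable[Flow], allowlist: Set[str],
                  min_events: int = 5) -> Dict[Pair, Dict[str, float]]:
    """Per src->dst pair: mean interval, coefficient of variation of the
    intervals (0 = perfectly regular), persistence (first to last contact,
    in seconds) and event count. Pairs whose dst is on the allowlist are
    dropped first (removal of known traffic)."""
    by_pair: Dict[Pair, List[int]] = defaultdict(list)
    for ts, src, dst in flows:
        if dst in allowlist:
            continue
        by_pair[(src, dst)].append(ts)

    scores: Dict[Pair, Dict[str, float]] = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        scores[pair] = {
            "interval": float(mean_gap),
            "cv": cv,
            "persistence": float(times[-1] - times[0]),
            "count": float(len(times)),
        }
    return scores


def suspected_beacons(flows: Iterable[Flow], allowlist: Set[str],
                      max_cv: float = 0.2, min_persistence: int = 3600,
                      min_events: int = 5) -> List[Pair]:
    """Pairs that are both regular (low cv) and long-lived (persistence)."""
    scores = beacon_scores(flows, allowlist, min_events)
    return sorted(pair for pair, s in scores.items()
                  if s["cv"] <= max_cv and s["persistence"] >= min_persistence)


def _constructed_flows() -> List[Flow]:
    """Constructed sample: a 5-minute beacon with small jitter, a chatty but
    approved update server, and a user's irregular browsing."""
    t0 = 1_700_000_000
    jitter = [0, 3, -2, 5, -4, 1]
    flows: List[Flow] = []
    for i in range(25):                               # about 2 hours of beacons
        flows.append((t0 + 300 * i + jitter[i % len(jitter)], "10.0.0.23", "203.0.113.7"))
    for i in range(100):                              # approved server, every 60 s
        flows.append((t0 + 60 * i, "10.0.0.23", "10.0.0.5"))
    t = t0
    for gap in [10, 900, 45, 3000, 20, 7200, 5]:      # human browsing
        t += gap
        flows.append((t, "10.0.0.44", "198.51.100.9"))
    return flows


FLOWS = _constructed_flows()
KNOWN_GOOD = {"10.0.0.5"}    # assumed internal update/proxy server

if __name__ == "__main__":
    for pair, s in beacon_scores(FLOWS, KNOWN_GOOD).items():
        print(pair, {k: round(v, 3) for k, v in s.items()})
    print("suspected:", suspected_beacons(FLOWS, KNOWN_GOOD))
```

Run it with an empty allowlist and the approved update server is flagged too, which is exactly why removal of known traffic is one of the criteria: regularity alone describes a great deal of legitimate automation.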
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? a. Destroy b. Clear c. Degauss d. Purge
b. Clear
Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting? a. Continuous integration b. Data enrichment c. Deep learning d. Machine learning
b. Data enrichment
You are a security investigator at a high-security installation that houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following steps in the preparation phase of the incident response was likely missed? a. Conduct background screenings on all applicants b. Development of a communication plan c. Developing a proper incident response form d. Creating a call list or escalation list
b. Development of a communication plan
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? a. Enable NetFlow compression b. Enable sampling of the data c. Enable QoS d. Enable full packet capture
b. Enable sampling of the data
An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi? a. an APT b. Failed deperimeterization management c. Failed data loss prevention d. A data breach
b. Failed deperimeterization management
Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain? (SELECT FOUR) a. Release of malicious email b. Lateral movement through the environment c. Modify data d. Exfiltrate data e. Wait for a user to click on a malicious link f. Privilege escalation
b. Lateral movement through the environment c. Modify data d. Exfiltrate data f. Privilege escalation
Which type of monitoring would utilize a network tap? a. SNMP b. Passive c. Active d. Router-based
b. Passive
Which of the following actions should you perform during the post-incident activities of an incident response? a. Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation b. Perform evidence retention under the timescale defined by the regulatory or legal impact of the incident c. Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection d. Create an incident summary reporting with in-depth technical recommendations for future resourcing and budgeting
b. Perform evidence retention under the timescale defined by the regulatory or legal impact of the incident
Which of the following options places the correct phases of the Software Development Lifecycle's waterfall method in the correct order? a. Planning, Requirements Analysis, Design, Implementation, Deployment, Testing, Maintenance b. Planning, Requirements Analysis, Design, Implementation, testing, deployment, and maintenance c. Requirements analysis, planning, design, implementation, deployment, testing, maintenance d. Requirements analysis, planning, design, implementation, testing, deployment and maintenance
b. Planning, Requirements Analysis, Design, Implementation, testing, deployment, and maintenance P-RA-D-I-T-D-M
You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company's network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm's executives? (SELECT TWO) a. Detection time b. Downtime c. Data integrity d. Economic e. Recovery time
c. Data integrity d. Economic
Acme Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to an employee in the accounting department's personally-owned smartphone connected to the company's wireless network. The smartphone has been isolated from the network now, but the employee refuses to allow you to image their smartphone to complete your investigation forensically. According to the employee, the company's BYOD policy does not require her to give you her device, and it is an invasion of their privacy. Which of the following phases of the incident response process is at fault for creating this situation? a. Eradication and recovery b. Preparation c. Containment d. Detection and analysis
b. Preparation
Training Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? a. Require data masking for any information stored in the database b. Require data at rest encryption on all endpoints c. Require all new employees to sign an NDA d. Require a VPN to be utilized for all telework employees
b. Require data at rest encryption on all endpoints
echo 127.0.0.1 training.com >> /etc/hosts Which of the following best describes what actions were performed by this command? a. Attempted to overwrite the hosts file and delete all data except this entry b. Routed traffic destined for the training.com domain to the localhost c. Added the website to the system's allow list in the hosts file d. Routed traffic destined for the localhost to the training.com domain
b. Routed traffic destined for the training.com domain to the localhost
Which of the following is NOT a part of the security incident validation effort? a. Permissions b. Sanitization c. Patching d. Scanning
b. Sanitization
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? a. Disable unused user accounts and reset the administrator credentials b. Scan the network for additional instances of this vulnerability and patch the affected assets c. Restrict shell commands by user or host to ensure least privilege is followed d. Restrict host access to peripheral protocols like USB and Bluetooth
b. Scan the network for additional instances of this vulnerability and patch the affected assets
Which of the following lists the UEFI boot phases in the proper order? a. Boot device select, Security, Pre-EFI initialization, Driver execution environment, Transient system load, Runtime b. Security, Pre-EFI Initialization, Driver execution environment, Boot device select, Transient system load, Runtime c. Driver execution environment, Boot device select, Security, Transient system load, Pre-EFI initialization, Runtime d. Pre-EFI initialization, Security, Boot device select, Transient system load, Driver execution environment, Runtime
b. Security, Pre-EFI Initialization, Driver execution environment, Boot device select, Transient system load, Runtime
Following an incident, the incident response team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches best describes what the organization should do next? a. Immediately procure and install all of them because the adversary may reattack at any time b. Submit a prioritized list with all of the recommendations for review, procurement, and installation c. Conduct a cost/benefit analysis of each recommendation against the company's current fiscal posture d. Contract an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts
b. Submit a prioritized list with all of the recommendations for review, procurement, and installation
Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE) a. Select backdoor implant and appropriate C2 infrastructure for operation b. Take advantage of a software, hardware or human vulnerability c. Wait for a user to click on a malicious link d. A backdoor/implant is placed on a victim's client e. Wait for a malicious email attachment to be opened f. A webshell is installed on a web server
b. Take advantage of a software, hardware or human vulnerability c. Wait for a user to click on a malicious link e. Wait for a malicious email attachment to be opened
You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in "/var/log" for any references to "Terri" or "terri" on a Linux server? a. find /var/log/ -name *.log -exec grep -H -e "'Terri' OR 'terri'" {} \; 2>/dev/null b. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null c. find /var/log/ -name "*.log" -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null d. find /var/log/ -exec grep -H -e "'terri' OR 'Terri'" {} \; 2>/dev/null
b. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null
Which of the following ensures multi-threaded processing is conducted securely? a. Trusted execution b. Secure enclave c. Atomic execution d. Processor security extensions
c. Atomic execution
You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? a. Backup is encrypted b. Backup is stored in iCloud c. Backup is a differential backup d. Backup was interrupted
c. Backup is a differential backup
Which of the following is NOT a host-related indicator of compromise? a. Memory consumption b. Processor consumption c. Beaconing d. Drive capacity consumption
c. Beaconing
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? a. Anomaly b. Heuristic c. Behavior d. Trend
c. Behavior
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? a. Continuous integration b. Continuous monitoring c. Continuous deployment d. Continuous delivery
c. Continuous delivery
You have been asked to provide some training to some system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network? a. Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabilities b. Utilize a server with multiple virtual machine snapshots installed on it, restore from a known compromised image, then scan it for vulnerabilities c. Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities d. Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network
c. Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities
Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company's CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented? a. Peer review of source code b. DevSecOps c. Formal methods of verification d. Rigorous user acceptance testing
c. Formal methods of verification
Which of the following is not a recognized adversarial attack vector according to the MITRE ATT&CK framework? a. Physical b. Human c. Informational d. Cyber
c. Informational
Which of the following is NOT a part of the vulnerability management lifecycle? a. Testing b. Remediation c. Investigating d. Detection
c. Investigating
William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact? a. Medium b. Moderate c. Low d. High
c. Low
FIPS 199 classes:
Low - the unauthorized disclosure of information could be expected to have a limited adverse effect
Moderate - serious adverse effect
High - severe or catastrophic adverse effect expected
According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the C2 phase of the kill chain? a. Port security b. Anti-virus c. NIPS d. Firewall ACL
c. NIPS
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? a. Use a secure erase (SE) utility on the storage devices b. Incinerate and replace the storage devices c. Perform a cryptographic erase (CE) on the storage devices d. Conduct zero-fill on the storage devices
c. Perform a cryptographic erase (CE) on the storage devices
You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? a. Use an IPS technique b. Use a UDP scan c. Perform a scan from on-site d. Scan using the -p 1-65535 flag
c. Perform a scan from on-site
Which type of media sanitization would you classify degaussing as? a. Erasing b. Clearing c. Purging d. Destruction
c. Purging
Clearing - prevents data retrieval without using lab techniques; involves overwriting data one or more times with repetitive or randomized data.
Erasing - erases the data file's pointer on a storage device
According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the actions on the objectives phase of the kill chain? a. Honeypot b. NIPS c. Quality of service d. Audit log
c. Quality of service
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? a. SMS is a costly method of providing a second factor of authentication b. SMS should be paired with a third factor c. SMS messages may be accessible to attackers via VoIP or other systems d. SMS should be encrypted to be secure
c. SMS messages may be accessible to attackers via VoIP or other systems
Which of the following categories would contain information about a French citizen's race or ethnic origin? a. DLP b. PHI c. SPI d. PII
c. SPI
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person cannot both add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? a. Dual control authentication b. Security through obscurity c. Separation of duties d. Least privilege
c. Separation of duties
Which of the following does a User-Agent request a resource from when conducting a SAML transaction? a. Single sign-on (SSO) b. Relying party (RP) c. Service provider (SP) d. Identity provider (IdP)
c. Service provider (SP)
Which of the following is NOT a valid reason to conduct reverse engineering? a. To commit industrial espionage b. To determine how a piece of malware operates c. To allow the software developer to spot flaws in their source code d. To allow an attacker to spot vulnerabilities in an executable
c. To allow the software developer to spot flaws in their source code
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? a. Configuration management b. Scan and patch the device c. Vulnerability scanning d. Automatic updates
c. Vulnerability scanning
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) a. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo b. journalctl _UID=1003 | grep -e 1003 | grep sudo c. journalctl _UID=1003 | grep sudo d. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
c. journalctl _UID=1003 | grep sudo
\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b Which of the strings would be included in the output of the search? a. [email protected] b. www.diontraining.com c. [email protected] d. [email protected]
c. support@diontraining
Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1? a. tcpdump -i eth0 dst 10.10.1.1 b. tcpdump -i eth0 src 10.10.1.1 c. tcpdump -i eth0 host 10.10.1.1 d. tcpdump -i eth0 proto 10.10.1.1
c. tcpdump -i eth0 host 10.10.1.1
Which of the following functions is not provided by a TPM? a. Sealing b. Secure generation of cryptographic keys c. User authentication d. Remote attestation e. Binding f. Random number generation
c. User authentication
When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? a. -n b. -X c. -nn d. -e
d. -e
Which level of logging should you configure on a Cisco device to be notified whenever it shuts down due to a failure? a. 5 b. 2 c. 7 d. 0
d. 0
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. Which of the following strings would NOT be included in the output of this search? a. 205.255.255.001 b. 001.02.3.40 c. 1.2.3.4 d. 37.259.129.207
d. 37.259.129.207
Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? a. Application hardening b. Application allow list c. Disable removable media d. Application block list
d. Application block list
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure? a. Data cannot be copied using the RAW format b. Data on the source drive was modified during the imaging c. Source drive is encrypted with Bitlocker d. Bad sectors on the destination drive
d. Bad sectors on the destination drive
During which incident response phase is the preservation of evidence performed? a. Detection and analysis b. Preparation c. Post-incident activity d. Containment, eradication and recovery
d. Containment, eradication and recovery
Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement? a. First responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody b. An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource c. The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that is viewed during an investigation d. Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance
d. Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? a. Insufficient logging and monitoring b. Insecure object reference c. Use of insecure functions d. Improper error handling
d. Improper error handling
An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose? a. TACACS+ b. PAP c. RADIUS d. Kerberos
d. Kerberos
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? a. Off-hours usage b. Failed logins c. Unauthorized sessions d. Malicious processes
d. Malicious processes
You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? a. MAC filtering b. SPF c. ACL d. NAC
d. NAC
You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions? a. Review and enhance patch management policies b. Disable unused user accounts c. Restrict host access to peripheral protocols like USB or Bluetooth d. Proactively sanitize and reimage all of your routers and switches
d. Proactively sanitize and reimage all of your routers and switches
Which one of the following is an open-source forensic tool suite? a. Helix b. FTK c. EnCase d. SIFT
d. SIFT