CySA+ Exam Questions 2


Which of the following sets of Linux permissions would have the least permissive to most permissive? ​ 777, 444, 111 ​ 544, 444, 545 ​ 711, 717, 117 ​ 111, 734, 747

111, 734, 747 (From least to most permissive, the best answer is 111, 734, and 747. Linux permissions are read "owner, group, other". Each class has a number made up of 4 (read), 2 (write), and 1 (execute). If a number shown is 7, that is 4+2+1 (read/write/execute). Therefore, the least permissive mode is 000 and the most permissive is 777. The permission set 111 is execute-execute-execute. The permission set 734 is read/write/execute-write/execute-read. The permission set 747 is read/write/execute-read-read/write/execute. Counting the individual rights granted, 111 grants 3, 734 grants 6, and 747 grants 8, which is the ordering the question is looking for.)
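The following Python is an added example, not part of the exam item: it decodes octal mode strings into rwx form and compares permissiveness two ways. Counting rights is what makes 111, 734, 747 the answer; the stricter "every right in a is also in b" test shows that 734 actually takes execute away from "other" relative to 111, so modes that trade rights between classes are not comparable at all.

```python
# Added example (not part of the exam item): decode three-digit octal Linux
# mode strings and compare their permissiveness two ways.
BITS = (("r", 4), ("w", 2), ("x", 1))
CLASSES = ("owner", "group", "other")


def decode_mode(mode: str) -> str:
    """'734' -> 'rwx-wxr--' (owner, group, other)."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError(f"not a three-digit octal mode: {mode!r}")
    return "".join(
        "".join(ch if int(d) & bit else "-" for ch, bit in BITS) for d in mode
    )


def grants(mode: str) -> set:
    """The set of (class, right) pairs a mode grants, e.g. ('other', 'x')."""
    decode_mode(mode)  # validates the input
    return {
        (cls, ch)
        for cls, d in zip(CLASSES, mode)
        for ch, bit in BITS
        if int(d) & bit
    }


def rights_count(mode: str) -> int:
    """How many individual rights the mode grants (0..9)."""
    return len(grants(mode))


def sorted_least_to_most(modes) -> bool:
    """True if each mode grants strictly more rights than the one before it
    (the counting notion of 'more permissive' the exam answer uses)."""
    counts = [rights_count(m) for m in modes]
    return all(a < b for a, b in zip(counts, counts[1:]))


def no_less_permissive(a: str, b: str) -> bool:
    """Strict notion: True only if b grants every right that a grants.
    Modes that trade rights between classes (734 vs 747) are incomparable."""
    return grants(a) <= grants(b)


if __name__ == "__main__":
    for option in (("777", "444", "111"), ("544", "444", "545"),
                   ("711", "717", "117"), ("111", "734", "747")):
        print(option, [decode_mode(m) for m in option],
              "ordered" if sorted_least_to_most(option) else "not ordered")
```

Only the last option passes the counting test; none of the four is monotone under the strict subset test, which is worth remembering when a change request says a mode is "more permissive" than the current one.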

Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? ​ On-demand vulnerability scanning ​ Continuous vulnerability scanning ​ Scheduled vulnerability scanning ​ Agent-based monitoring

Agent-based monitoring (An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring reports the configuration settings of a system in more detail and from an internal perspective. While a vulnerability scan gives you a snapshot of a system's status at one point in time, it will not remain current and accurate without continual rescanning.)

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take in order to analyze the suspected APT activity? ​ Use the IP addresses to search through the event logs ​ Analyze the trends of the events while manually reviewing them to see if any indicators match ​ Create an advanced query that includes all of the indicators and review any matches ​ Scan for vulnerabilities with exploits known to previously have been used by an APT

Analyze the trends of the events while manually reviewing them to see if any indicators match (You should begin by analyzing the trends of the events while manually reviewing each of them to determine whether any of the indicators match. Searching the event logs by IP address alone is not sufficient, because many APTs hide their activity by compromising and using legitimate networks and their IP addresses, and you would miss any events that correlate only to the domain names. If you create an advanced query that requires all of the indicators to appear together, your search will find nothing, because no single event will contain all of these IPs and domain names. Finally, while scanning for vulnerabilities with exploits known to have been used by APTs is good practice, it would only help determine how to stop future attacks, not whether an attack has already occurred.)
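The following Python is an added example, not part of the exam item, of the check the answer describes: every event is tested against every indicator, an event is flagged when any one indicator (an IP or a domain, including subdomains of it) appears in it, and hits are bucketed by hour so the trend is visible. The indicator lists and event lines are constructed for the example.

```python
# Added example (not part of the exam item): check SIEM-style event lines
# against a list of indicators of compromise (IPs and domains), flagging an
# event when ANY indicator appears in it, and bucket the hits by hour so the
# trend over time is visible. Indicators and events below are constructed.
import re
from collections import Counter

IOC_IPS = {"203.0.113.7", "198.51.100.23"}
IOC_DOMAINS = {"update-cdn.example", "login-portal.example"}

EVENTS = [
    "2024-03-01T08:02:11Z dns query host=ws17 qname=update-cdn.example",
    "2024-03-01T08:02:12Z fw allow src=10.0.5.17 dst=203.0.113.7 dport=443",
    "2024-03-01T09:45:00Z web GET https://sub.login-portal.example/auth src=10.0.5.20",
    "2024-03-01T09:46:30Z fw allow src=10.0.5.20 dst=192.0.2.10 dport=443",
    "2024-03-01T10:01:05Z dns query host=ws03 qname=intranet.corp.example",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b",
    re.I,
)


def indicators_in(event, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return the set of indicators that appear in one event line."""
    hits = {ip for ip in IP_RE.findall(event) if ip in ioc_ips}
    for host in HOST_RE.findall(event):
        host = host.lower()
        for domain in ioc_domains:
            # match the domain itself and any subdomain of it
            if host == domain or host.endswith("." + domain):
                hits.add(domain)
    return hits


def scan(events, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return (matched events with their indicators, hit counts per hour)."""
    matched = []
    per_hour = Counter()
    for event in events:
        hits = indicators_in(event, ioc_ips, ioc_domains)
        if hits:
            matched.append((event, hits))
            per_hour[event[:13]] += 1  # 'YYYY-MM-DDTHH' prefix of the timestamp
    return matched, per_hour


if __name__ == "__main__":
    matched, per_hour = scan(EVENTS)
    for event, hits in matched:
        print(sorted(hits), "<-", event)
    print(dict(per_hour))
```

Matching by suffix rather than exact string is what catches the `sub.login-portal.example` event; a query that ANDs the indicators together, or one that only looks at IPs, would have missed it.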

Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? ​ Add an iptables rule blocking root logins ​ Add root to the sudoers group ​ Change sshd_config to deny root login ​ Add a network IPS rule to block root logins

Change sshd_config to deny root login (Linux systems use sshd (the SSH daemon) to provide ssh connectivity. If Tim sets PermitRootLogin no in sshd_config and reloads the service, the daemon refuses logins to the root account while still allowing any authenticated non-root user to connect over ssh. The valid values for this setting are yes, prohibit-password, forced-commands-only, and no; prohibit-password, the default in current OpenSSH releases, still lets root log in with a key, so no is the value that fully stops root logins. If you didn't know about this setting, you could still answer the question by elimination. An iptables rule is a Linux firewall rule; it can block the ssh port or particular source addresses, but it cannot tell a root login apart from any other ssh login. Adding root to sudoers won't help either, since sudoers controls which users may run commands as root and does nothing to stop remote logins as root. A network IPS would have to see inside the SSH session to recognise a root login, and it cannot, because SSH traffic is encrypted between the client and the server. Therefore, the only correct answer is to change the sshd_config setting to deny root logins.)
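The following Python is an added example, not part of the exam item: it works out the effective global PermitRootLogin value from sshd_config text, honouring sshd's rule that the first value read for a keyword wins, and reports any Match block that sets the keyword again, since a Match block can quietly re-enable root for the connections it matches. The configuration texts are constructed for the example.

```python
# Added example (not part of the exam item): work out the effective global
# PermitRootLogin value from sshd_config text. sshd uses the FIRST value it
# reads for a keyword, and settings inside Match blocks apply only to the
# connections they match, so both are handled here. Config texts are constructed.
OPENSSH_DEFAULT = "prohibit-password"  # default value since OpenSSH 7.0


def _directives(config_text):
    """Yield (keyword, argument, inside_match_block) for each directive."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key val' or 'Key=val'
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) == 2 else ""
        if key == "match":
            in_match = True  # every line until the next Match belongs to it
        yield key, arg, in_match


def effective_permit_root_login(config_text):
    """Global PermitRootLogin value (first occurrence wins, Match blocks skipped)."""
    for key, arg, in_match in _directives(config_text):
        if key == "permitrootlogin" and not in_match and arg:
            return arg.lower()
    return OPENSSH_DEFAULT


def match_overrides(config_text):
    """Match blocks that set PermitRootLogin for the connections they match.
    Returns [(match_criteria, value), ...]."""
    out, current = [], None
    for key, arg, in_match in _directives(config_text):
        if key == "match":
            current = arg
        elif in_match and key == "permitrootlogin":
            out.append((current, arg.lower()))
    return out


def root_login_blocked(config_text):
    """True only if root is denied globally and no Match block re-enables it."""
    if effective_permit_root_login(config_text) != "no":
        return False
    return all(value == "no" for _, value in match_overrides(config_text))


WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# Hardened globally, but a Match block lets root in from the management subnet.
PARTIAL = HARDENED + """
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("partial", PARTIAL)):
        print(name, effective_permit_root_login(text), root_login_blocked(text))
```

On a live host the authoritative check is `sshd -T`, which prints the daemon's effective configuration; the parser above is for reviewing configuration files you cannot run sshd against.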

Which of the following elements is LEAST likely to be included in an organization's data retention policy? ​ Minimum retention period ​ Maximum retention period ​ Description of information needing to be retained ​ Classification of information

Classification of information (Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy, but instead would be a key part of your organization's data classification policy.)

A financial services company wants to donate some old hard drives from their servers to a local charity, but they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use? ​ Secure erase ​ Cryptographic erase ​ Zero-fill ​ Overwrite

Cryptographic erase (In a cryptographic erase (CE), the storage media is encrypted by default with a key held on the drive. To apply the erase operation, that encryption key is destroyed, which renders every block unreadable at once. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill and overwrite methods may not be reliable, because the drive controller's wear-leveling remaps writes across physical cells, so cells still holding old data may never be touched by a software process writing through the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can use a random pattern of ones and zeroes on the storage device. The most secure option for the scenario in the question is a cryptographic erase (CE).)

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? ​ SPF ​ DKIM ​ SMTP ​ DMARC

DKIM (DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism: the sending mail server signs selected headers and the body, and receivers verify the signature. It can replace or supplement SPF. To configure DKIM, the organization publishes its public key as a TXT record in DNS. Sender Policy Framework (SPF) uses a DNS record published by the organization hosting an email service. The SPF record identifies the hosts authorized to send email for that domain, and there must be only one SPF record per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being used effectively. DMARC relies on DKIM for the cryptographic authentication mechanism, which makes it the incorrect option for this question. The simple mail transfer protocol (SMTP) is a communication protocol for electronic mail transmission, which does not use cryptographic authentication mechanisms by default.)

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:

10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"

What type of attack was most likely being attempted by the attacker? ​ SQL injection ​ Directory traversal ​ XML injection ​ Password spraying

Directory traversal (A directory traversal attack aims to access files and directories stored outside the intended web root. By manipulating variables or URLs that reference files with "dot-dot-slash" (../) sequences and their variations, or by using absolute file paths, it may be possible to reach arbitrary files and directories on the file system, including application source code, configuration files, and critical system files. In the log above, the first two requests use /vpn/../vpns/ to reach scripts and files under /vpns/ by way of the /vpn/ path, both returning 200. The output comes from a remote code execution vulnerability being exploited in which directory traversal is used to access the files. XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to gain access to many accounts by trying one commonly used password against each of them.)
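The following Python is an added example, not part of the exam item: it parses access-log lines of the format shown above, flags any request whose decoded path contains a ".." segment, and shows what the path normalizes to. The first three sample lines are the ones quoted in the question; the fourth is constructed to show a URL-encoded traversal, which a check on the raw string `../` would miss.

```python
# Added example (not part of the exam item): parse access-log lines and flag
# requests whose path contains a '..' segment, then show what the path
# normalizes to. The first three sample lines are the ones quoted in the
# question; the fourth is constructed to show URL-encoded traversal.
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) '
)

SAMPLE_LOG = [
    '10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"',
    '10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"',
    '10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"',
    # constructed: double-encoded traversal that escapes the web root entirely
    '10.1.1.1 - - [10/Jan/2020:16:20:00 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0 "-" "USERAGENT"',
]


def decode_path(path):
    """URL-decode up to twice so %2e%2e and %252e%252e both become '..'."""
    return unquote(unquote(path))


def analyze(line):
    """Return a dict describing the request, or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, raw_path, status = m.groups()
    decoded = decode_path(raw_path.split("?", 1)[0])  # ignore the query string
    segments = decoded.split("/")
    return {
        "src": src,
        "time": ts,
        "method": method,
        "raw": raw_path,
        "normalized": posixpath.normpath(decoded),
        "traversal": ".." in segments,
        "status": int(status),
    }


def traversal_attempts(lines):
    """Parsed records for every line that carries a '..' path segment."""
    return [r for r in (analyze(l) for l in lines) if r and r["traversal"]]


if __name__ == "__main__":
    for rec in traversal_attempts(SAMPLE_LOG):
        print(rec["time"], rec["method"], rec["raw"], "->", rec["normalized"], rec["status"])
```

Comparing the raw path with its normalized form is the useful signal: the third line above has no traversal because by then the attacker is requesting the script directly, and a 200 on a traversal request is what turns "attempted" into "succeeded".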

A penetration tester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) ​ Encryption ​ Network access control ​ Port security ​ Authentication

Encryption; Port security (Wireless networks encrypt the link between the client and the access point (WPA2 here), whereas wired networks generally do not encrypt at the link layer. Physical accessibility is another major difference, since a wireless network can be reached from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on both wired and wireless networks. Port security is only applicable to wired networks, which makes it the second difference.)

An organization has hired a cybersecurity analyst to conduct an assessment of their current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first? ​ DNS query log reviews ​ Intranet portal reviews ​ Enumeration ​ Technical control audits

Enumeration (Scanning and enumeration is used to determine which ports are open and to identify the software and firmware/device type running on a host. This is also referred to as footprinting or fingerprinting. The technique is used to build a security profile of an organization by conducting the scanning methodically. If the scan is conducted from outside the organization's network, it reveals the network devices and information available to an unauthorized, external attacker. A DNS query log review, intranet portal review, or technical control audit would all require internal access to the network, which is typically not available to an external attacker.)

If an attacker is able to compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all members of the domain, which type of attack is being used? ​ Pass the hash ​ Lateral movement ​ Pivoting ​ Golden ticket

Golden ticket (A golden ticket is a forged Kerberos ticket-granting ticket, created with the hash of the domain's krbtgt account, that lets the attacker request service tickets as any principal in the Active Directory domain. Attackers who can create a golden ticket can use it to grant themselves administrative access to any domain member, including the domain controllers. Pass the Hash (PtH) uses a captured NTLM password hash to authenticate to other systems directly, without knowing or cracking the plaintext password; the hashes are typically harvested from the memory or credential cache of a system the attacker already controls. Lateral movement is an umbrella term for a variety of attack types; attackers can extend their lateral movement a great deal if they are able to compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.)

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? ​ FAT32 ​ exFAT ​ HFS+ ​ NTFS

HFS+ (The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). Note that since macOS 10.13 (High Sierra, 2017) the boot volume defaults to APFS; HFS+ is the answer the exam expects and is what you will still find on drives formatted before then. While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by a macOS system. NTFS is not supported by macOS without additional drivers and software tools. This question may seem beyond the scope of the exam, but the objectives state that "other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered" in the bulleted lists of the objectives. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!)

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests the ability to block certain types of content before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? ​ Configure IP filtering on the internal and external interfaces of the router ​ Install a NIPS on the internal interface and a firewall on the external interface of the router ​ Install a firewall on the router's internal interface and a NIDS on the router's external interface ​ Installation of a NIPS on both the internal and external interfaces of the router

Install a NIPS on the internal interface and a firewall on the external interface of the router (Due to the requirements provided, you should install a NIPS on the internal interface of the gateway router and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered prior to reaching the network. Then, the NIPS can be used to conduct an inspection of the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily "fail open" if it is overcome with traffic by being placed on the external interface. The NIPS being installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. For the same reasons that we wouldn't want to place the NIPS on the external interface in the correct choice, we also wouldn't choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone, since it can only monitor and not provide the content blocking capabilities needed.)

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? ​ Airgap ​ Jumpbox ​ Bastion hosts ​ Physical

Jumpbox (Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox runs only the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox and then use it to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies connection attempts from any other host. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. It generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. An airgapped system is a network or single host with unique security requirements that is physically separated from any other network. Physical separation would prevent direct access to the remote administration interface, so it does not meet the requirement for controlled remote access.)

Which of the following is NOT considered part of the Internet of Things? ​ SCADA ​ ICS ​ Smart television ​ Laptop

Laptop (Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things are examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.)

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? ​ Notification to local law enforcement ​ Notification to your credit card processor ​ Notification to federal law enforcement ​ Notification to Visa and Mastercard

Notification to your credit card processor (Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.)

Jorge and Marta are working on a programming project together. During a code review, Marta explains to Jorge the code she wrote while he looks at the code on her computer. Which of the following code review techniques is being used in this scenario? ​ Pair programming ​ Dual control ​ Over-the-shoulder ​ Tool-assisted review

Over-the-shoulder (Over-the-shoulder code reviews rely on a programmer explaining their code to a peer. This provides a chance for a review of the code and a better understanding of the code for both programmers. In this example, Marta is explaining her code to Jorge, while he looks over her shoulder. Pair programming alternates between programmers, with one strategizing and reviewing it while the other enters the code into the computer. Dual control is a personnel security process that requires more than one employee available to perform a specific task. This is used with split knowledge and is not a form of code review. A tool-assisted review is conducted using a software tool or other form of automation.)

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? ​ Acceptable use policy ​ Service level agreement ​ Rules of engagement ​ Memorandum of understanding

Rules of engagement (While the network scope given in the contract documents will define what will be tested, the rules of engagement defines how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and Internet services.)

You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase? ​ Sanitization ​ Reimaging ​ Setting permissions ​ Secure disposal

Setting permissions (Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts. This is performed during the recovery phase. During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.)

You are trying to find some files that were deleted by a user on a Windows workstation. What two locations are most likely to contain those deleted files? ​ Slack space ​ Unallocated space ​ Recycle bin ​ Registry

Slack space; Recycle bin (Files that users have deleted are most likely to be found in the recycle bin or in slack space. Slack space is the unused space between the end of a file's data and the end of the last cluster allocated to it; it may hold remnants of earlier files that occupied those clusters after the pointers to them were deleted. In forensic terms, unallocated space is disk space that the file system does not currently assign to any file; the contents of deleted files also persist there until the clusters are reused, so a practitioner would carve it as well, but the exam treats it as less likely than the recycle bin and slack space. The registry will not store files that have been deleted but may contain a reference to a file, such as its name.)

You are conducting an investigation on a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? ​ Submit the files to an open-source intelligence provider like VirusTotal ​ Disassembly the files and conduct static analysis on them using IDA Pro ​ Run the Strings tool against each file to identify common malware identifiers ​ Scan the files using a local anti-virus/anti-malware engine

Submit the files to an open-source intelligence provider like VirusTotal (The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware, and it automatically shares submissions with the security community as well. Because of that sharing, compute each file's SHA-256 hash and look the hash up first; upload the file itself only if the hash is unknown and the file cannot contain confidential data. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded or packed, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised, because the scanner may also be compromised.)

Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? ​ Suspend the machine and copy the contents of the directory it resides in ​ Perform a live acquisition of the virtual machine's memory ​ Suspend the machine and make a forensic copy of the drive it resides on ​ Shutdown the virtual machine off and make a forensic copy of its disk image

Suspend the machine and copy the contents of the directory it resides in (The best option is to suspend the virtual machine and copy the contents of its directory, hashing the files before and after the copy to demonstrate their integrity. Suspending a virtual machine writes its RAM to a file alongside the virtual disk, so the copied directory holds both memory and disk contents. Because a virtual machine stores all of its data as files on the host's drive, copying that directory captures everything needed. Live acquisition relies on specialist hardware or software that captures the contents of memory while the computer is running; this is unnecessary for a virtual machine, since suspending it already writes the entire contents of memory to a file on disk. Shutting the virtual machine down is a bad idea, since malware may detect the shutdown and perform anti-forensics to remove traces of itself, and the memory contents would be lost. While you could image the entire drive the virtual machine resides on, that is unnecessary, takes far longer, and would require shutting down the host to perform the bit-by-bit copy.)

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? ​ RADIUS ​ CHAP ​ TACACS+ ​ Kerberos

TACACS+ (TACACS+ is an extension of TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco; it separates authentication, authorization, and accounting and encrypts the entire packet body. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on UDP port 1812 for authentication and provides centralized authentication, authorization, and accounting management for users who connect to and use a network service, but it was not developed by Cisco and encrypts only the password attribute. Kerberos is an open network authentication protocol designed at MIT. The Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.)

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network? ​ The beacon's persistence ​ The beacon's protocol ​ The beaconing interval ​ The removal of known traffic

The beacon's protocol (The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and many others. Unless you specifically knew the protocol being used by the suspected beacon, filtering beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors, like the beacon's persistence (whether it remains after a reboot of the system) and the beaconing interval (how much time elapses between beacons), are much better indicators for fingerprinting a malicious beacon. Removing known traffic in the script also reduces the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting time reviewing non-malicious traffic.)
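The following Python is an added example, not part of the exam item: it applies two of the criteria above, removal of known traffic and the beaconing interval, to a list of connection records. Persistence across reboots is a host-side check and is not modelled. The allowlist and the connection records are constructed for the example; the beacon is a 60-second timer with a few seconds of jitter, which the coefficient of variation of the gaps still picks out.

```python
# Added example (not part of the exam item): score (source, destination)
# pairs for beacon-like regularity after removing known-good destinations.
# Persistence across reboots is a host-side check and is not modelled here.
# The allowlist and connection records are constructed.
from collections import defaultdict
from statistics import mean, pstdev

KNOWN_GOOD = {"update.microsoft.com", "10.0.0.53"}  # assumed allowlist

BASE = 1_700_000_000  # epoch seconds
CONNECTIONS = (
    # beacon: 10.0.5.17 -> 203.0.113.7 roughly every 60 s with small jitter
    [(BASE + t, "10.0.5.17", "203.0.113.7") for t in (0, 61, 119, 181, 240, 299, 361, 420)]
    # also perfectly regular, but to a known-good destination, so it is dropped
    + [(BASE + t, "10.0.5.17", "update.microsoft.com") for t in range(0, 480, 60)]
    # ordinary browsing: irregular intervals
    + [(BASE + t, "10.0.5.20", "192.0.2.10") for t in (0, 5, 130, 131, 400, 410, 900)]
)


def intervals(times):
    """Gaps in seconds between consecutive timestamps."""
    t = sorted(times)
    return [b - a for a, b in zip(t, t[1:])]


def beacon_candidates(connections, known_good=KNOWN_GOOD, min_hits=5, max_cv=0.1):
    """Pairs whose inter-connection gaps are nearly constant.
    cv = stdev / mean of the gaps; a real beacon has a low cv even with jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        if dst in known_good:
            continue  # removal of known traffic
        by_pair[(src, dst)].append(ts)
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = intervals(times)
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append({"pair": pair, "hits": len(times),
                          "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    for hit in beacon_candidates(CONNECTIONS):
        print(hit)
```

Note that nothing in the scoring looks at the protocol: the same function works on DNS query logs, proxy logs, or firewall records as long as each row yields a timestamp, a source, and a destination.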

Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? ​ Trusted Foundry (TF) ​ Supplies Assured (SA) ​ Supply Secure (SS) ​ Trusted Access Program (TAP)

Trusted Foundry (TF) (The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified and unclassified integrated circuits, ensure there is no reasonable threat of supply disruption, prevent intentional or unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.)

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server's BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again? ​ Install an anti-malware application ​ Install a host-based IDS ​ Utilize secure boot ​ Utilize file integrity monitoring

Utilize secure boot (Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.)

You have been tasked to create some baseline system images in order to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? ​ Utilizing an operating system SCAP plugin ​ Utilizing an authorized credential scan ​ Utilizing a non-credential scan ​ Utilizing a known malware plugin

Utilizing an operating system SCAP plugin (Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance against published benchmarks. The other options will not give a truly repeatable process, since each would be an individual scan rather than a comparison against a known-good baseline.)

A new security appliance was installed on a network as part of a managed service deployment. The vendor is who controls the appliance and the IT team is not able to log in or configure it. The IT team is concerned about the appliance receiving necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? ​ Configuration management ​ Vulnerability scanning ​ Scan and patch the device ​ Automatic updates

Vulnerability scanning (The best option here is vulnerability scanning, as it lets the IT team know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could each be a solution, but none is viable without administrative access to the appliance. Therefore, it is best for the analyst to keep scanning the device for vulnerabilities to understand the risks associated with it, and then recommend compensating controls outside the appliance, such as firewall rules, a WAF, and segmentation, to minimize the vulnerabilities it presents.)

Which of the following is exploited by an SQL injection to give the attacker access to a database? ​ Operating system ​ Web application ​ Database server ​ Firewall

Web application (SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.)

Which of the following vulnerabilities is the greatest threat to data confidentiality? ​ HTTP TRACE/TRACK methods enabled ​ SSL Server with SSLv3 enabled vulnerability ​ phpinfo information disclosure vulnerability ​ Web application SQL injection vulnerability

Web application SQL injection vulnerability (Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice what had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes and allow the attacker to gain access to sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption protocol, but it still provides some level of confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.)

You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the owner of the website in order to remediate this discovered vulnerability? (SELECT THREE) ​ Rename the URL to a more obscure name ​ Require two-factor authentication for access to the application ​ Conduct a penetration test against the organization's IP space ​ Whitelist all specific IP blocks that use this application ​ Change the username and default password ​ Require an alphanumeric passphrase for the application's default password

Whitelist all specific IP blocks that use this application ​ Change the username and default password ​ Require two-factor authentication for access to the application (First, you should change the username and default password, since using default credentials is extremely insecure. Second, you should implement a whitelist for any specific IP blocks that should have access to the administrative web frontend of this application, since it should only be a few system administrators and power users. Next, you should implement two-factor authentication for access to the application, since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name, since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application's default password. Since it is a default password, you cannot change the password requirements for it without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization's IP space to identify other vulnerabilities, it will not have any positive effect on remediating this identified vulnerability.)

Which of the following would be used to prevent a firmware downgrade? ​ SED ​ eFUSE ​ TPM ​ HSM

eFUSE (eFUSE is an Intel-designed mechanism that allows a software instruction to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, as implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt the contents of a storage device. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.)

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? ​ netcat ​ telnet ​ wget ​ ftp

ftp (FTP cannot be used to conduct a banner grab. A banner grab is used by a cybersecurity analyst or penetration tester to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.)

Natalie wants to create a backup of the permissions before making changes to the Linux workstation she is going to remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure? ​ chbkup ​ getfacl ​ aclman ​ iptables

getfacl (The getfacl command can back up a directory structure's permissions, saving them to a text file. The setfacl command is then used to restore the permissions from the backup that was created. aclman and chbkup are not legitimate Linux commands. The iptables command is used to configure the Linux firewall, not the file permissions of the directory structure. This question may seem beyond the scope of the exam, but the objectives allow for "other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered" in the bulletized lists of the objectives. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!)
