CySA Online
While reviewing firewall logs, a security analyst at a military contractor notices a sharp rise in activity from a foreign domain known to have well-funded groups that specifically target the company's R&D department. Historical data reveals other corporate assets were previously targeted. This evidence MOST likely describes: (A. APT B. DNS harvesting C. Zero-day exploit D. Corporate espionage)
APT
A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internal database server through a compromised corporate web server. Ongoing exfiltration is accomplished by embedding a small amount of data extracted from the database into the metadata of images served by the web server. File timestamps suggest that the server was initially compromised six months ago using a common server misconfiguration. Which of the following BEST describes the type of threat being used? (A. APT B. Zero-day attack C. Man-in-the-middle attack D. XSS)
APT (A). XSS is a client-side injection into pages served to browsers; a foothold that has persisted for six months, a covert channel hidden in image metadata and slow, ongoing exfiltration of database records are the marks of an advanced persistent threat, not of a single web attack.
The Chief Information Security Officer (CISO) has decided that all accounts with elevated privileges must use a longer, more complicated passphrase instead of a password. The CISO would like to formally document management's intent to set this control level. Which of the following is the appropriate means to achieve this? (A. A control B. A standard C. A policy D. A guideline)
A policy
A staff member reported that a laptop has degraded performance. The security analyst has investigated the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are consuming the laptop resources. Which of the following is the BEST course of action to resolve the problem? (A. Identify and remove malicious processes. B. Disable scheduled tasks. C. Suspend virus scan. D. Increase laptop memory. E. Ensure the laptop OS is properly patched.)
Identify and remove malicious processes.
While reviewing three months of logs, a security analyst notices probes from random company laptops going to SCADA equipment at the company's manufacturing location. Some of the probes are getting responses from the equipment even though firewall rules are in place, which should block this type of unauthorized activity. Which of the following should the analyst recommend to keep this activity from originating from company laptops? (A. Implement a group policy on company systems to block access to SCADA networks. B. Require connections to the SCADA network to go through a forwarding proxy. C. Update the firewall rules to block SCADA network access from those laptop IP addresses. D. Install security software and a host-based firewall on the SCADA equipment.)
Implement a group policy on company systems to block access to SCADA networks.
A corporation has implemented an 802.1X wireless network using self-signed certificates. Which of the following represents a risk to wireless users? (A. Buffer overflow attacks B. Cross-site scripting attacks C. Man-in-the-middle attacks D. Denial of service attacks)
Man-in-the-middle attacks
During a tabletop exercise, it is determined that a security analyst is required to ensure patching and scan reports are available during an incident, as well as documentation of all critical systems. To which of the following stakeholders should the analyst provide the reports? (A. Management B. Affected vendors C. Security operations D. Legal)
Management
A logistics company's vulnerability scan identifies the following vulnerabilities on Internet-facing devices in the DMZ: •SQL injection on an infrequently used web server that provides files to vendors •SSL/TLS not used for a website that contains promotional information The scan also shows the following vulnerabilities on internal resources: •Microsoft Office Remote Code Execution on test server for a human resources system •TLS downgrade vulnerability on a server in a development network In order of risk, which of the following should be patched FIRST? (A. Microsoft Office Remote Code Execution B. SQL injection C. SSL/TLS not used D. TLS downgrade)
SQL injection (B). Ranking by risk puts exposure first: the SQL injection sits on an Internet-facing DMZ host and can be exploited by anyone who finds it, while the Office remote code execution is on an internal test server and needs a user to open a crafted document. The missing TLS on the promotional site and the TLS downgrade on the development server come after both.
The security team has determined that the current incident response resources cannot meet management's objective to secure a forensic image for all serious security incidents within 24 hours. Which of the following compensating controls can be used to help meet management's expectations? (A. Separation of duties B. Scheduled reviews C. Dual control D. Outsourcing)
Outsourcing
An employee at an insurance company is processing claims that include patient addresses, clinic visits, diagnosis information, and prescription. While forwarding documentation to the supervisor, the employee accidentally sends the data to a personal email address outside of the company due to a typo. Which of the following types of data has been compromised? (A. PCI B. Proprietary information C. Intellectual property D. PHI)
PHI
A user received an invalid password response when trying to change the password. Which of the following policies could explain why the password is invalid? (A. Access control policy B. Account management policy C. Password policy D. Data ownership policy)
Password policy
A company has established an ongoing vulnerability management program and procured the latest technology to support it. However, the program is failing because several vulnerabilities have not been detected. Which of the following will reduce the number of false negatives? (A. Increase scan frequency. B. Perform credentialed scans. C. Update the security incident response plan. D. Reconfigure scanner to brute force mechanisms.)
Perform credentialed scans
After a recent security breach, it was discovered that a developer had promoted code that had been written to the production environment as a hotfix to resolve a user navigation issue that was causing issues for several customers. The code had inadvertently granted administrative privileges to all users, allowing inappropriate access to sensitive data and reports. Which of the following could have prevented this code from being released into the production environment? (A. Cross training B. Succession planning C. Automate reporting D. Separation of duties)
Separation of duties
Joe, an analyst, has received notice that a vendor who is coming in for a presentation will require access to a server outside the network. Currently, users are only able to access remote sites through a VPN connection. Which of the following should Joe use to BEST accommodate the vendor? (A. Allow incoming IPSec traffic into the vendor's IP address. B. Set up a VPN account for the vendor, allowing access to the remote site. C. Turn off the firewall while the vendor is in the office, allowing access to the remote site. D. Write a firewall rule to allow the vendor to have access to the remote site.)
Set up a VPN account for the vendor, allowing access to the remote site.
A security analyst is performing a stealth black-box audit of the local WiFi network and is running a wireless sniffer to capture local WiFi network traffic from a specific wireless access point. The SSID is not appearing in the sniffing logs of the local wireless network traffic. Which of the following is the best action that should be performed NEXT to determine the SSID? (A. Set up a fake wireless access point. B. Power down the wireless access point. C. Deauthorize users of that access point. D. Spoof the MAC addresses of adjacent access points.)
Deauthorize users of that access point (C). Disabling SSID broadcast only removes the name from beacons; clients still send it in the clear in probe and association frames, so forcing the connected users off makes them reconnect and the sniffer captures the SSID. A fake access point (A) cannot be built for a network whose name is still unknown, and powering down the real one (B) is neither stealthy nor informative.
Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (A. Multifactor authentication B. Network segmentation C. Single sign-on D. Encryption E. Complexity policy F. Biometrics G. Obfuscation)
1. Multifactor authentication 2. Complexity policy 3. Biometrics
After an internal audit, it was determined that administrative logins need to use multifactor authentication or a 15-character key with complexity enabled. Which of the following policies should be updated to reflect this change? (A. Data ownership policy B. Password policy C. Data classification policy D. Data retention policy E. Acceptable use policy F. Account management policy)
1. Password policy 2. Account management policy
A security analyst is assisting with a computer crime investigation and has been asked to secure a PC and deliver it to the forensic lab. Which of the following items would be MOST helpful to secure the PC? (A. Tamper-proof seals B. Faraday cage C. Chain of custody form D. Drive eraser E. Write blockers F. Network tap G. Multimeter)
1. Tamper-proof seals 2. Faraday cage 3. Chain of custody form
A security analyst is reviewing output from a CVE-based vulnerability scanner. Before conducting the scan, the analyst was careful to select only Windows-based servers in a specific datacenter. The scan revealed that the datacenter includes 27 machines running Windows 2003 Server Edition (Win2003SE). In 2015, there were 36 new vulnerabilities discovered in the Win2003SE environment. Which of the following statements are MOST likely applicable? (A. Remediation is likely to require some form of compensating control. B. Microsoft's published schedule for updates and patches for Win2003SE have continued uninterrupted. C. Third-party vendors have addressed all of the necessary updates and patches required by Win2003SE. D. The resulting report on the vulnerability scan should include some reference that the scan of the datacenter included 27 Win2003SE machines that should be scheduled for replacement and deactivation. E. Remediation of all Win2003SE machines requires changes to configuration settings and compensating controls to be made through Microsoft Security Center's Win2003SE Advanced Configuration Toolkit.)
A and D. Windows Server 2003 reached end of support in July 2015, so no vendor patches exist for the 36 new vulnerabilities and remediation has to rely on compensating controls (network isolation, host hardening, heightened monitoring) until the 27 hosts are replaced and decommissioned, which the scan report should state explicitly. B is false because the update schedule ended, C is unsupported by anything in the scenario, and the toolkit named in E does not exist.
Management wants to scan servers for vulnerabilities on a periodic basis. Management has decided that the scan frequency should be determined only by vendor patch schedules and the organization's application deployment schedule. Which of the following would force the organization to conduct an out-of-cycle vulnerability scan? (A. Newly discovered PII on a server. B. A vendor releases a critical patch update. C. A critical bug fix in the organization's application. D. False positives identified in production.)
A vendor releases a critical patch update.
A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (A. Validate the folder and file directory listings on both. B. Check the hash value between the image and the original. C. Boot up the image and the original systems to compare. D. Connect a write blocker to the imaging device. E. Copy the data to a disk of the same size and manufacturer.)
B and D. The image is proven identical by comparing its hash with the hash of the original drive (B); the write blocker (D) guarantees the source is not altered while the image is taken, which is what makes the two hashes comparable in the first place. Booting either system (C) would write to both and invalidate the comparison, and directory listings (A) or matching hardware (E) prove nothing about content.
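Worked example, added here and not part of the original question set: verifying a forensic image the way answer B describes, by hashing the source and the image with several algorithms in one streamed pass and comparing the digests. Everything in it is constructed: the temporary files stand in for the source device and the image, and the function names are the example's own.

```python
import hashlib
import hmac
import io
import os
import tempfile

CHUNK = 1024 * 1024                      # 1 MiB reads: multi-GB images never have to fit in RAM
ALGORITHMS = ("md5", "sha1", "sha256")   # imaging tools commonly record MD5/SHA-1; SHA-256 added


def hash_stream(fobj):
    """Digest a binary stream with every algorithm in ALGORITHMS in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def verify_image(original_digests, image_digests):
    """Compare per-algorithm digests of source and image; 'match' is True only when all agree."""
    result = {name: hmac.compare_digest(original_digests[name], image_digests[name])
              for name in ALGORITHMS}
    result["match"] = all(result[name] for name in ALGORITHMS)
    return result


def verify_bytes(original, image):
    """Same check for in-memory data (small artefacts, unit tests)."""
    return verify_image(hash_stream(io.BytesIO(original)), hash_stream(io.BytesIO(image)))


def demo():
    """Constructed data: a fake 'source device', a bit-for-bit image, and an image with one bit flipped.
    Returns (good_image_matches, tampered_image_matches)."""
    payload = os.urandom(3 * CHUNK + 17)            # random bytes spanning several chunks, not a real disk
    tampered = payload[:-1] + bytes([payload[-1] ^ 0x01])
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("source.dd", "image.dd", "altered.dd")}
        for name, data in (("source.dd", payload), ("image.dd", payload), ("altered.dd", tampered)):
            with open(paths[name], "wb") as f:
                f.write(data)
        source = hash_file(paths["source.dd"])
        return (verify_image(source, hash_file(paths["image.dd"]))["match"],
                verify_image(source, hash_file(paths["altered.dd"]))["match"])


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Hash the raw bit stream on both sides. An E01 or AD1 container will never hash equal to the source device because it wraps the data in its own headers and compression; in that case compare the verification hash the imaging tool reports for the decompressed content against an independent hash of the source taken through the write blocker.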
An analyst is reviewing the following log from the company web server: 15.34.24 GET /directory/listening.php?user=admin&pass=admin1 15.34.27 GET /directory/listening.php?user=admin&pass=admin2 15.34.29 GET /directory/listening.php?user=admin&pass=1admin 15.34.35 GET /directory/listening.php?user=admin&pass=1admin Which of the following is this an example of? (A. Online rainbow table attack B. Offline brute force attack C. Offline dictionary attack D. Online hybrid attack)
D. Online hybrid attack. The guesses are being submitted directly to the live login endpoint (listening.php answers each one), which makes the attack online; an offline attack works against a captured hash and leaves no such trail in the web log, so B and C cannot apply, and a rainbow table (A) needs a hash to look up. The guesses themselves are the dictionary word admin with a digit appended or prepended (admin1, admin2, 1admin), which is the hybrid of a dictionary attack and a brute force of the affix; the second 1admin at 15.34.35 is a retry, not a new candidate. Hydra is the usual tool for the online side and hashcat documents the hybrid mode (https://resources.infosecinstitute.com/online-dictionary-attack-with-hydra/ and https://hashcat.net/wiki/doku.php?id=hybrid_attack). Separate finding for the report: the user name and password travel in a GET query string and are therefore written to the web log in cleartext.
A cybersecurity analyst is reviewing Apache logs on a web server and finds that some logs are missing. The analyst has identified that the systems administrator accidentally deleted some log files. Which of the following actions or rules should be implemented to prevent this incident from reoccurring? (A. Personnel training B. Separation of duties C. Mandatory vacation D. Backup server)
Backup server
The following IDS log was discovered by a company's cybersecurity analyst: 141.21.15.254----[21/APRIL 2016:00:17:20+1200] "GET /index.php?username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP /1.1" 200, 2731 "http://www.comptia.com/cgibin/form/commentary/noframe/read/209" "Mozilla/4.0 (compatible:MSIE 6.0: Window NT 5.1: Hotbar 4.4.7.0)" Which of the following was launched against the company based on the IDS log? (A. SQL injection attack B. Cross-site scripting attack C. Buffer overflow attack D. Online password crack attack)
Buffer overflow attack (C). A single parameter filled with a long run of identical bytes is the classic probe for an unchecked input buffer; the 200 response shows index.php accepted the request rather than rejecting it, so its handling of the username parameter should be reviewed and the source address blocked or watched.
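Worked example, added here and not part of the original question set, covering both the credential-guessing log above (listening.php) and the overflow probe in the IDS log: it parses the request target out of each entry, then flags accounts hit with several distinct passwords (marking the dictionary-plus-digits hybrid pattern) and query parameters that are abnormally long. The SAMPLE_LOG lines are constructed from the two formats shown on this page, the thresholds are illustrative, and the function names are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the two shapes shown on this page (hand-written, not real traffic):
# four guesses against listening.php, then one request with an oversized parameter.
SAMPLE_LOG = [
    "15.34.24 GET /directory/listening.php?user=admin&pass=admin1",
    "15.34.27 GET /directory/listening.php?user=admin&pass=admin2",
    "15.34.29 GET /directory/listening.php?user=admin&pass=1admin",
    "15.34.35 GET /directory/listening.php?user=admin&pass=1admin",
    '141.21.15.254 - - [21/Apr/2016:00:17:20 +1200] "GET /index.php?username='
    + "A" * 69 + ' HTTP/1.1" 200 2731 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

# Works for both the bare "time METHOD target" form and the Apache-style quoted request line.
REQUEST_RE = re.compile(r"\b(GET|POST)\s+(/\S*)")


def parse_requests(lines):
    """Yield (method, path, params) for every line that carries an HTTP request target."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, target = m.groups()
        parts = urlsplit(target)
        yield method, parts.path, parse_qs(parts.query, keep_blank_values=True)


def hybrid_stem(guesses):
    """Return the word all guesses share once leading/trailing digits are stripped,
    or None when the guesses are not one dictionary word with numeric affixes."""
    stems = {re.sub(r"^\d+|\d+$", "", g) for g in guesses}
    if len(stems) != 1:
        return None
    return stems.pop() or None


def detect_credential_guessing(lines, user_key="user", pass_key="pass", min_distinct=3):
    """Flag (path, user) pairs whose requests carry several distinct password values:
    one account hammered with different candidates is online guessing, and a shared
    stem with digit affixes marks the hybrid (dictionary + brute force) variant."""
    passwords = defaultdict(list)
    for _, path, params in parse_requests(lines):
        if user_key in params and pass_key in params:
            passwords[(path, params[user_key][0])].extend(params[pass_key])
    findings = []
    for (path, user), guesses in passwords.items():
        distinct = set(guesses)
        if len(distinct) >= min_distinct:
            findings.append({
                "path": path, "user": user, "attempts": len(guesses),
                "distinct_passwords": len(distinct), "hybrid_stem": hybrid_stem(distinct),
            })
    return findings


def detect_oversized_params(lines, max_len=64):
    """Flag any query parameter longer than max_len; a long run of a single repeated
    byte is the classic overflow probe (padding written to reach a saved return address)."""
    findings = []
    for _, path, params in parse_requests(lines):
        for name, values in params.items():
            for value in values:
                if len(value) > max_len:
                    findings.append({
                        "path": path, "param": name, "length": len(value),
                        "single_byte_fill": len(set(value)) == 1,
                    })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_guessing(SAMPLE_LOG) + detect_oversized_params(SAMPLE_LOG):
        print(finding)
```

Real logs need the source address and a time window added to the grouping key, and a dictionary of application-specific parameter names; the point here is that the log line itself carries enough to distinguish online guessing (many candidates, one live endpoint) from an overflow probe (one request, one oversized value).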
A large multinational corporation with networks in 30 countries wants to establish an understanding of their overall public-facing network attack surface. Which of the following security techniques would be BEST suited for this? (A. External penetration B. Internal vulnerability scan C. External vulnerability scan D. Internal penetration)
C. External vulnerability scan. Explanation: the question asks for the public-facing attack surface, so the assessment has to be run from outside the network, and an automated vulnerability scan (not a penetration test) is what gives breadth across 30 countries' worth of exposed hosts. A vulnerability scan is the automated process of proactively identifying security weaknesses in networked systems to determine if and where they can be exploited or threatened. Public servers are necessary for communication and data transfer over the Internet, but they are also the entry point threat agents such as malicious hackers look for first. Scanning software seeks out flaws from a database of known weaknesses, tests systems for their presence, and produces a report the enterprise can use to tighten its defences. The term usually refers to scanning Internet-connected systems, but it also covers audits of internal networks to assess rogue software or malicious insiders; that is the internal scan, which would not answer this question.
An analyst is preparing for a technical security compliance check on all Apache servers. Which of the following will be the BEST to use? (A. CIS benchmark B. Nagios C. OWASP D. Untidy E. Cain & Abel)
CIS benchmark
A security analyst has performed various scans and found vulnerabilities in several applications that affect production data. Remediation of all exploits may cause certain applications to no longer work. Which of the following activities would need to be conducted BEFORE remediation? (A. Fuzzing B. Input validation C. Change control D. Sandboxing)
Change control
A new zero-day vulnerability was discovered within a basic screen capture app, which is used throughout the environment. Two days after discovering the vulnerability, the manufacturer of the software has not announced a remediation or if there will be a fix for this newly discovered vulnerability. The vulnerable application is not uniquely critical, but it is used occasionally by the management and executive management teams. The vulnerability allows remote code execution to gain privileged access to the system. Which of the following is the BEST course of action to mitigate this threat? (A. Work with the manufacturer to determine the time frame for the fix. B. Block the vulnerable application traffic at the firewall and disable the application services on each computer. C. Remove the application and replace it with a similar non-vulnerable application. D. Communicate with the end users that the application should not be used until the manufacturer has resolved the vulnerability.)
Communicate with the end users that the application should not be used until the manufacturer has resolved the vulnerability.
During a red team engagement, a penetration tester found a production server. Which of the following portions of the SOW should be referenced to see if the server should be part of the testing engagement? (A. Authorization B. Exploitation C. Communication D. Scope)
Scope (D). The scope section of the statement of work lists the hosts, networks and systems that are in and out of bounds for the engagement; a production server that is not listed there is not to be touched until the client adds it in writing. The communication section only says whom to notify and how.
A company allows employees to work remotely. The security administration is configuring services that will allow remote help desk personnel to work securely outside the company's headquarters. Which of the following presents the BEST solution to meet this goal? (A. Configure a VPN concentrator to terminate in the DMZ to allow help desk personnel access to resources. B. Open port 3389 on the firewall to the server to allow users to connect remotely. C. Set up a jump box for all help desk personnel to remotely access system resources. D. Use the company's existing web server for remote access and configure over port 8080.)
Configure a VPN concentrator to terminate in the DMZ to allow help desk personnel access to resources.
During a quarterly review of user accounts and activity, a security analyst noticed that after a password reset the head of human resources has been logging in from multiple locations, including several overseas. Further review of the account showed access rights to a number of corporate applications, including a sensitive accounting application used for employee bonuses. Which of the following security methods could be used to mitigate this risk? (A. RADIUS identity management B. Context-based authentication C. Privilege escalation restrictions D. Elimination of self-service password resets)
Context-based authentication
A cybersecurity analyst develops a regular expression to find data within traffic that will alarm on a hit. ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$ The SIEM alarms on seeing this data in cleartext between the web server and the database server. '4554-8795-1596-7948' '3723-159786-57984' Which of the following types of data would the analyst MOST likely be concerned with, and to which type of data classification does it belong? (A. Credit card numbers that are PCI B. Social security numbers that are PHI C. Credit card numbers that are PII D. Social security numbers that are PII)
Credit card numbers that are PCI (A). The expression is the standard card-number check: a Visa number of 13 or 16 digits beginning with 4, or a MasterCard number of 16 digits beginning 51 to 55. Cardholder data is in scope for PCI DSS and must not cross the web-to-database link in cleartext, so the alarm is right to fire. Two practical caveats: the pattern expects a bare digit string, so dashes and spaces have to be stripped before matching, and the second sample (15 digits starting 37, the American Express format) would not match this pattern at all.
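Worked example, added here and not part of the original question set: the card-number pattern from the question (Visa 13/16 digits, MasterCard 51-55) applied to candidates pulled from a captured payload after separators are stripped, with a Luhn checksum as a second gate to cut regex false positives. The SAMPLE_QUERY string is constructed from the two values in the question plus the widely published Visa test number 4111111111111111; the candidate-extraction pattern and the function names are the example's own.

```python
import re

# The question's pattern: Visa (13 or 16 digits, leading 4) or MasterCard (51-55 prefix, 16 digits).
# It is anchored and expects a bare digit string, so separators are removed before it is applied.
CARD_RE = re.compile(r"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$")

# Loose pattern to pull candidates out of free text: 13 to 19 digits with an optional single
# space or dash between digits, not glued to further digits or dashes on either side.
CANDIDATE_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def normalize(candidate):
    """Strip the separators people type into card numbers."""
    return re.sub(r"[ -]", "", candidate)


def luhn_valid(digits):
    """Mod-10 checksum every payment card number satisfies. A random digit string passes it
    only one time in ten, so it removes most of the regex's false positives."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):      # i == 0 is the check digit
        d = int(ch)
        if i % 2 == 1:                             # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(candidate):
    """Format match and checksum are reported separately; only both together raise an alert."""
    digits = normalize(candidate)
    fmt = bool(CARD_RE.fullmatch(digits))
    luhn = luhn_valid(digits)
    return {"digits": digits, "format_match": fmt, "luhn_valid": luhn, "alert": fmt and luhn}


def scan_text(text):
    """Classify every candidate found in a captured payload, in order of appearance."""
    return [classify(m.group(0)) for m in CANDIDATE_RE.finditer(text)]


# Constructed payload: the two strings from the question plus a published Visa test number.
SAMPLE_QUERY = ("INSERT INTO orders (card) VALUES ('4554-8795-1596-7948'), "
                "('3723-159786-57984'), ('4111 1111 1111 1111');")

if __name__ == "__main__":
    for result in scan_text(SAMPLE_QUERY):
        print(result)
```

Run against the question's own data the first value matches the Visa format but fails Luhn, and the second matches nothing because the pattern has no American Express branch; only the test number passes both gates. A production rule would add the 34/37 fifteen-digit branch and other brands, but the real finding in the question is unchanged either way: whatever the numbers are, they crossed the web-to-database link in cleartext.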
A company decides to move three of its business applications to different outsourced cloud providers. After moving the applications, the users report the applications time out too quickly and too much time is spent logging back into the different web-based applications throughout the day. Which of the following should a security architect recommend to improve the end-user experience without lowering the security posture? (A. Configure directory services with a federation provider to manage accounts. B. Create a group policy to extend the default system lockout period. C. Configure a web browser to cache the user credentials. D. Configure user accounts for self-service account management.)
Configure directory services with a federation provider to manage accounts (A). Federated single sign-on lets one authenticated session cover all three outsourced applications, so users stop re-authenticating throughout the day without anything being weakened. Extending lockout or timeout periods (B), caching credentials in the browser (C) and self-service account management (D) either lower the security posture or do not address the repeated logins.
A cyber incident response team finds a vulnerability on a company website that allowed an attacker to inject malicious code into its web application. There have been numerous unsuspecting users visiting the infected page, and the malicious code executed on the victim's browser has led to stolen cookies, hijacked sessions, malware execution, and bypassed access control. Which of the following exploits is the attacker conducting on the company's website? (A. Logic bomb B. Rootkit C. Privilege escalation D. Cross-site scripting)
Cross-site scripting
A cyber-incident response team is responding to a network intrusion incident on a hospital network. Which of the following must the team prepare to allow the data to be used in court as evidence? (A. Computer forensics form B. HIPAA response form C. Chain of custody form D. Incident form)
Chain of custody form (C). Evidence is admissible only if every hand-off from collection to the courtroom is documented: who held it, when, where, and why. HIPAA governs how the hospital handles a breach of patient data; it has nothing to do with whether the evidence stands up in court.
In reviewing firewall logs, a security analyst has discovered the following IP address, which several employees are using frequently: 152.100.57.18 The organization's servers use IP addresses in the 192.168.0.1/24 CIDR. Additionally, the analyst has noticed that corporate data is being stored at this new location. A few of these employees are on the management and executive management teams. The analyst has also discovered that there is no record of this IP address or service in reviewing the known locations of managing system assets. Which of the following is occurring in this scenario? (A. Malicious process B. Unauthorized change C. Data exfiltration D. Unauthorized access)
Data exfiltration
A security analyst is conducting a vulnerability assessment of older SCADA devices on the corporate network. Which of the following compensating controls is likely to prevent the scans from providing value? (A. Access control list network segmentation that prevents access to the SCADA devices inside the network. B. Detailed and tested firewall rules that effectively prevent outside access of the SCADA devices. C. Implementation of a VLAN that allows all devices on the network to see all SCADA devices on the network. D. SCADA systems configured with `SCADA SUPPORT'=ENABLE.)
Access control list network segmentation that prevents access to the SCADA devices inside the network (A). The assessment is run from the corporate network, so ACLs that stop internal hosts reaching the SCADA segment stop the scanner too and the scan returns nothing of value. Rules that block outside access (B) do not affect an internal scan, a flat VLAN (C) would make scanning easier, and D is not a real setting.
A vulnerability scan returned the following results for a web server that hosts multiple wiki sites: Apache-HTTPD-cve-2014-023: Apache HTTPD: mod_cgid denial of service CVE-2014-0231 Due to a flaw found in mod_cgid, a server using mod_cgid to host CGI scripts could be vulnerable to a DoS attack caused by a remote attacker who is exploiting a weakness in non-standard input, causing processes to hang indefinitely. 192.168.7.35:80 | Running HTTP service product HTTPD exists: Apache HTTPD 2.2.22 Vulnerable version of product HTTPD found: Apache HTTPS 2.2.22 192.68.7.35:445 | Running HTTPS service product HTTPD exists: Apache HTTPD 2.2.22 Vulnerable version of product HTTPD found: Apache HTTPS 2.2.22 The security analyst has confirmed the server hosts standard CGI scripts for the wiki sites, does not have mod_cgid installed, is running Apache 2.2.22, and is not behind a WAF. The server is located in the DMZ, and the purpose of the server is to allow customers to add entries into a publicly accessible database. Which of the following would be the MOST efficient way to address this finding? (A. Place the server behind a WAF to prevent DoS attacks from occurring. B. Document the finding as a false positive. C. Upgrade to the newest version of Apache. D. Disable the HTTP service and use only HTTPS to access the server.)
Document the finding as a false positive (B). CVE-2014-0231 is in mod_cgid, and the scanner flagged it from the version banner alone; the module is not loaded on this server, so the condition cannot be triggered. Record the evidence with the finding (the loaded-module list from apachectl -M or httpd -M) so the next scan cycle does not reopen it. The scanner is still right that 2.2.22 is an old release, so the Apache version itself should be tracked as a separate, lower-priority item rather than buried with the false positive.
A company has implemented WPA2, a 20-character minimum for the WiFi passphrase, and a new WiFi passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the following is the company trying to mitigate? (A. Downgrade attacks B. Rainbow tables C. SSL pinning D. Forced deauthentication)
Rainbow tables (B). WPA2-PSK derives the pairwise master key from the passphrase and the SSID, so attackers precompute tables of that derivation for common SSIDs and short passphrases. A 20-character minimum, a new passphrase every 30 days and a non-default, non-broadcast SSID together make such precomputed tables useless (hiding the SSID is the weakest of the three on its own, since clients still send it in probe and association frames). None of these settings does anything against protocol downgrade or forced deauthentication.
A new security manager was hired to establish a vulnerability management program. The manager asked for a corporate strategic plan and risk register that the project management office developed. The manager conducted a tools and skill sets inventory to document the plan. Which of the following is a critical task for the establishment of a successful program? (A. Establish continuous monitoring. B. Update vulnerability feed. C. Perform information classification. D. Establish corporate policy.)
Establish corporate policy
In an effort to be proactive, an analyst has run an assessment against a sample workstation before auditors visit next month. The scan results are as follows: Microsoft Windows SMB Not Fully Accessible Detection Cannot Access the Windows Registry Scan Not Performed with Admin Privilege Based on the output of the scan, which of the following is the BEST answer? (A. Failed credentialed scan B. Failed compliance check C. Successful sensitivity level check D. Failed asset inventory)
Failed credentialed scan
An analyst received a forensically sound copy of an employee's hard drive. The employee's manager suspects inappropriate images may have been deleted from the hard drive. Which of the following could help the analyst recover the deleted evidence? (A. File hashing utility B. File timestamps C. File carving tool D. File analysis tool)
File carving tool
Joe, a user, is unable to launch an application on his laptop, which he typically uses on a daily basis. Joe informs a security analyst of the issue. After an online database comparison, the security analyst checks the SIEM and notices alerts indicating certain .txt and .dll files are blocked. Which of the following tools would generate these logs? (A. Antivirus B. HIPS C. Firewall D. Proxy)
Firewall
Which of the following organizations would have to remediate embedded controller vulnerabilities? (A. Banking institutions B. Public universities C. Regulatory agencies D. Hydroelectric facilities)
Hydroelectric facilities
In order to leverage the power of data correlation with Nessus, a cybersecurity analyst must first be able to create a table for the scan results. Given the following snippet of code: CREATE TABLE MyResults ( ID INT AUTO_INCREMENT, IP TEXT, Port TEXT, PlugInID INT, Type TEXT, Description TEXT, PRIMARY KEY (ID) ); Which of the following output items would be correct? (A. ID - IP - Port - PlugInID - Type - Description - PrimaryKey A10 - 192.168.1.2 - System(445/tcp) - 1000 - A - SystemScan - 2 B. ID - IP - Port - PlugInID - Type - Description - PrimaryKey A10 - 192.168.1.2 - System(445/tcp) - 1000 - WinXP - SystemScan - 2 C. ID - IP - Port - PlugInID - Type - Description - PrimaryKey 10 - 192.168.1.2 - System(445/tcp) - 1000 - A - SystemScan - 2 D. ID - IP - Port - PlugInID - Type - Description - PrimaryKey 10 - 192.168.1.2 - System(445/tcp) - 1000 - A - SystemScan - 2)
C (D is printed identically). ID is declared INT AUTO_INCREMENT and is the primary key, so the database engine assigns it a plain integer such as 10; the value A10 shown in options A and B cannot be stored in that column. The remaining columns are TEXT or INT, so either A or WinXP would be acceptable for Type and 1000 is a valid PlugInID; the ID column is the only thing that separates the options.
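Worked example, added here and not part of the original question set: the question's CREATE TABLE with its syntax repaired, loaded with constructed rows in SQLite, showing that the engine hands out integer IDs and what the correlation the question alludes to looks like once an asset table is joined in. The Assets table, the sample rows and the function names are the example's own assumptions, not Nessus output.

```python
import sqlite3

# The question's schema in SQLite dialect: INTEGER PRIMARY KEY AUTOINCREMENT is SQLite's spelling
# of MySQL's "ID INT AUTO_INCREMENT ... PRIMARY KEY (ID)". The Assets table is an assumption added
# so that scan hits can be correlated with who owns each host.
SCHEMA = """
CREATE TABLE MyResults (
    ID          INTEGER PRIMARY KEY AUTOINCREMENT,
    IP          TEXT,
    Port        TEXT,
    PlugInID    INT,
    Type        TEXT,
    Description TEXT
);
CREATE TABLE Assets (
    IP    TEXT PRIMARY KEY,
    Owner TEXT,
    Tier  TEXT
);
"""

# Constructed rows in the shape of the answer options; not real scanner output.
SAMPLE_RESULTS = [
    ("192.168.1.2", "System(445/tcp)", 1000, "A", "SystemScan"),
    ("192.168.1.2", "www(80/tcp)",     1001, "A", "Outdated web server"),
    ("192.168.1.3", "System(445/tcp)", 1000, "A", "SystemScan"),
    ("192.168.1.4", "www(443/tcp)",    1002, "B", "Weak TLS cipher"),
]
SAMPLE_ASSETS = [
    ("192.168.1.2", "finance",  "prod"),
    ("192.168.1.3", "hr",       "test"),
    ("192.168.1.4", "web-team", "prod"),
]


def load(results=SAMPLE_RESULTS, assets=SAMPLE_ASSETS):
    """Create an in-memory database and load both tables; ID is never supplied by the caller."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO MyResults (IP, Port, PlugInID, Type, Description) VALUES (?, ?, ?, ?, ?)",
        results,
    )
    conn.executemany("INSERT INTO Assets (IP, Owner, Tier) VALUES (?, ?, ?)", assets)
    conn.commit()
    return conn


def ids_assigned(conn):
    """The auto-increment column hands out integers, which is why an ID like 'A10' cannot occur."""
    return [row[0] for row in conn.execute("SELECT ID FROM MyResults ORDER BY ID")]


def hosts_with_plugin(conn, plugin_id):
    """Every host on which one Nessus plugin fired (the simplest cross-host correlation)."""
    rows = conn.execute(
        "SELECT DISTINCT IP FROM MyResults WHERE PlugInID = ? ORDER BY IP", (plugin_id,))
    return [r[0] for r in rows]


def findings_by_owner(conn, tier=None):
    """Join scan hits to asset ownership and count findings per owning team,
    optionally restricted to one tier; parameters are bound, never formatted in."""
    sql = "SELECT a.Owner, COUNT(*) FROM MyResults r JOIN Assets a ON a.IP = r.IP"
    params = ()
    if tier is not None:
        sql += " WHERE a.Tier = ?"
        params = (tier,)
    sql += " GROUP BY a.Owner ORDER BY a.Owner"
    return dict(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    db = load()
    print(ids_assigned(db))
    print(hosts_with_plugin(db, 1000))
    print(findings_by_owner(db))
    print(findings_by_owner(db, tier="prod"))
```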
A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup company just announced a state-of-the-art solution to address the need for integrating the business and ICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of the following is the MOST important security control for the manager to invest in to protect the facility? (A. Run a penetration test on the installed agent. B. Require that the solution provider make the agent source code available for analysis. C. Require thorough guides for administrators and users. D. Install the agent for a week on a test system and monitor the activities.)
Install the agent for a week on a test system and monitor the activities.
A security analyst has discovered that an outbound SFTP process is occurring at the same time of day for the past several days. At the time this was discovered, large amounts of business critical data were delivered. The authentication for this process occurred using a service account with proper credentials. The security analyst investigated the destination IP for this transfer and discovered that this new process is not documented in the change management log. Which of the following would be the BEST course of action for the analyst to take? (A. Investigate a potential incident. B. Verify user permissions. C. Run a vulnerability scan. D. Verify SLA with cloud provider.)
Investigate a potential incident.
A corporation employs a number of small-form-factor workstations and mobile devices, and an incident response team is therefore required to build a forensics kit with tools to support chip-off analysis. Which of the following tools would BEST meet this requirement? (A. JTAG adapters B. Last-level cache readers C. Write-blockers D. ZIF adapters)
ZIF adapters (D). Chip-off analysis removes the flash memory package from the board and reads it in a zero-insertion-force socket on a chip programmer, so ZIF adapters are the chip-off tool. JTAG adapters read memory through the board's debug port with the chip still in place (a separate, less destructive technique), and write blockers are for disk imaging.
During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test and questioned the legitimacy of the team. Which of the following information should be shown to the officer? (A. Letter of engagement B. Scope of work C. Timing information D. Team reporting)
Letter of engagement
A worm was detected on multiple PCs within the remote office. The security analyst recommended that the remote office be blocked from the corporate network during the incident response. Which of the following processes BEST describes this recommendation? (A. Logical isolation of the remote office B. Sanitization of the network environment C. Segmentation of the network D. Secure disposal of affected systems)
Logical isolation of the remote office
A security analyst is making recommendations for securing access to the new forensic workstation and workspace. Which of the following security measures should the analyst recommend to protect access to forensic data? (A. Multifactor authentication, Polarized lens protection, & Physical workspace isolation B. Secure ID token, Security reviews of the system at least yearly, & Polarized lens protection C. Bright lighting in all access areas, Security reviews of the system at least yearly, & Multifactor authentication D. Two-factor authentication into the building, Separation of duties, & Warning signs placed in clear view.)
Multifactor authentication, Polarized lens protection, & Physical workspace isolation
A company's asset management software has been discovering a weekly increase in non-standard software installed on end users' machines with duplicate license keys. The security analyst wants to know if any of this software is listening on any non-standard ports, such as 6667. Which of the following tools should the analyst recommend to block any command and control traffic? (A. Netstat B. NIDS C. IPS D. HIDS)
IPS (C). The question asks for a tool that blocks command-and-control traffic: an intrusion prevention system sits inline and can drop connections to non-standard ports such as 6667. Netstat only lists sockets on one host, and NIDS and HIDS detect without blocking. Netstat is still the quick local check to confirm a process is listening (netstat -ano on Windows, ss -ltnp on Linux) before the IPS rule is written.
An organization has recently experienced a data breach. A forensic analysis confirmed the attacker found a legacy web server that had not been used in over a year and was not regularly patched. After a discussion with the security team, management decided to initiate a program of network reconnaissance and penetration testing. They want to start the process by scanning the network for active hosts and open ports. Which of the following tools is BEST suited for this job? (A. Ping B. Nmap C. Netstat D. ifconfig E. Wireshark F. L0phtCrack)
Nmap
A security analyst with an international response team is working to isolate a worldwide distribution of ransomware. The analyst is working with international governing bodies to distribute advanced intrusion detection routines for this variant of ransomware. Which of the following is the MOST important step with which the security analyst should comply? (A. Security operations privacy law B. Export restrictions C. Non-disclosure agreements D. Incident response forms)
Non-disclosure agreements
Which of the following is the MOST secure method to perform dynamic analysis of malware that can sense when it is in a virtual environment? (A. Place the malware on an isolated virtual server disconnected from the network. B. Place the malware in a virtual server that is running Windows and is connected to the network. C. Place the malware on a virtual server connected to a VLAN. D. Place the malware on a virtual server running SIFT and begin analysis.)
Place the malware on an isolated virtual server disconnected from the network
During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take? (A. Power off the computer and remove it from the network. B. Unplug the network cable and take screenshots of the desktop. C. Perform a physical hard disk image. D. Initiate chain-of-custody documentation.)
Power off the computer and remove it from the network.
Employees at a manufacturing plant have been victims of spear phishing, but security solutions prevented further intrusions into the network. Which of the following is the MOST appropriate solution in this scenario? (A. Continue to monitor security devices. B. Update antivirus and malware definitions. C. Provide security awareness training. D. Migrate email services to a hosted environment.)
Provide security awareness training
A company has decided to process credit card transactions directly. Which of the following would meet the requirements for scanning this type of data? (A. Quarterly B. Yearly C. Bi-annually D. Monthly)
Quarterly
While conducting research on malicious domains, a threat intelligence analyst received a blue screen of death. The analyst rebooted and received a message stating that the computer had been locked and could only be opened by following the instructions on the screen. Which of the following combinations describes the MOST likely threat and the PRIMARY mitigation for the threat? (A. Ransomware and update antivirus B. Account takeover and data backups C. Ransomware and full disk encryption D. Ransomware and data backups)
Ransomware and data backups
A security analyst is performing ongoing scanning and continuous monitoring of the corporate datacenter. Over time, these scans are repeatedly showing susceptibility to the same vulnerabilities and an increase in new vulnerabilities on a specific group of servers that are clustered to run the same application. Which of the following vulnerability management processes should be implemented? (A. Frequent server scanning B. Automated report generation C. Group policy modification D. Regular patch application)
Regular patch application
Which of the following countermeasures should the security administrator apply to MOST effectively mitigate Bootkit-level infections of the organization's workstation devices? (A. Remove local administrator privileges. B. Configure a BIOS-level password on the device. C. Install a secondary virus protection application. D. Enforce a system state recovery after each device reboot.)
Remove local administrator privileges.
The human resources division is moving all of its applications to an IaaS cloud. The Chief Information Officer (CIO) has asked the security architect to design the environment securely to prevent the IaaS provider from accessing its data-at-rest and data-in-transit within the infrastructure. Which of the following security controls should the security architect recommend? (A. Implement a non-data breach agreement. B. Ensure all backups are remote outside the control of the IaaS provider. C. Ensure all of the IaaS provider's workforce passes stringent background checks. D. Render data unreadable through the use of appropriate tools and techniques.)
Render data unreadable through the use of appropriate tools and techniques.
The board of directors made the decision to adopt a cloud-first strategy. The current security infrastructure was designed for on-premises implementation. A critical application that is subject to Federal Information Security Management Act (FISMA) of 2002 compliance has been identified as a candidate for a hybrid cloud deployment model. Which of the following should be conducted FIRST? (A. Develop a request for proposal. B. Perform a risk assessment. C. Review current security controls. D. Review the SLA for FISMA compliance.)
Review current security controls
Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host-based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT? (A. Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation. B. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM. C. Run a vulnerability scan and patch discovered vulnerabilities on the next patching cycle. Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected computers. D. Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot. Permit the URLs classified as uncategorized to and from that host.)
Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM.
An organization has a practice of running some administrative services on non-standard ports as a way of frustrating any attempts at reconnaissance. The output of the latest scan on host 192.168.1.13 is shown below:
Starting Nmap 4.67 (http://nmap.org) at 2011-11-03 18:32 EDT
Nmap scan report for 192.168.1.13
Host is up (0.00066s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
23/tcp   open  ssh
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
1417/tcp open  OpenSSH
3306/tcp open  mysql
MAC Address: 01:AA:FB:23:21:45
Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds
Which of the following statements is true? (A. Running SSH on the Telnet port will now be sent across an unencrypted port. B. Despite the results of the scan, the service running on port 23 is actually Telnet and not SSH, and creates an additional vulnerability. C. Running SSH on port 23 provides little additional security from running it on the standard port. D. Remote SSH connections will automatically default to the standard SSH port. E. The use of OpenSSH on its default secure port will supersede any other remote connection attempts.)
Running SSH on port 23 provides little additional security from running it on the standard port.
A centralized tool for organizing security events and managing their response and resolution is known as what? (A. SIEM B. HIPS C. Syslog D. Wireshark)
SIEM
The IT department at a growing law firm wants to begin using a third-party vendor for vulnerability monitoring and mitigation. The executive director of the law firm wishes to outline the assumptions and expectations between the two companies. Which of the following documents might be referenced in the event of a security breach at the law firm? (A. SLA B. MOU C. SOW D. NDA)
SLA
A security analyst is reviewing IDS logs and notices the following entry: (where [email protected] and password =' or 20==20') Which of the following attacks is occurring? (A. Cross-site scripting B. Header manipulation C. SQL injection D. XML injection)
SQL injection
A security administrator recently deployed a virtual honeynet. The honeynet is not protected by the company's firewall, while all production networks are protected by a stateful firewall. Which of the following would BEST allow an external penetration tester to determine which one is the honeynet's network? (A. Banner grab B. Packet analyzer C. Fuzzer D. TCP ACK scan)
TCP ACK scan
A list of vulnerabilities has been reported in a company's most recent scan of a server. The security analyst must review the vulnerabilities and decide which ones should be remediated in the next change window and which ones can wait or may not need patching, pending further investigation. Which of the following vulnerabilities should the analyst remediate FIRST? (A. The analyst should remediate https (443/tcp) first. This web server is susceptible to banner grabbing and was fingerprinted as Apache/1.3.27-9 on Linux w/ mod_fastcgi. B. The analyst should remediate dns (53/tcp) first. The remote BIND 9 DNS server is susceptible to a buffer overflow, which may allow an attacker to gain a shell on this host or disable this server. C. The analyst should remediate imaps (993/tcp) first. The SSLv2 suite offers five strong ciphers and two weak "export class" ciphers. D. The analyst should remediate ftp (21/tcp) first. An outdated version of FTP is running on this port. If it is not in use, it should be disabled.)
The analyst should remediate dns (53/tcp) first. The remote BIND 9 DNS server is susceptible to a buffer overflow, which may allow an attacker to gain a shell on this host or disable this server.
A company provides wireless connectivity to the internal network from all physical locations for company-owned devices. Users were able to connect the day before, but now all users have reported that when they connect to an access point in the conference room, they cannot access company resources. Which of the following BEST describes the cause of the problem? (A. The access point is blocking access by MAC address. Disable MAC address filtering. B. The network is not available. Escalate the issue to network support. C. Expired DNS entries on users' devices. Request the affected users perform a DNS flush. D. The access point is a rogue device. Follow incident response procedures.)
The access point is a rogue device. Follow incident response procedures.
A company has monthly scheduled windows for patching servers and applying configuration changes. Out-of-window changes can be done, but they are discouraged unless absolutely necessary. The systems administrator is reviewing the weekly vulnerability scan report that was just released. Which of the following vulnerabilities should the administrator fix without waiting for the next scheduled change window? (A. The administrator should fix dns (53/tcp). BIND 'NAMED' is an open-source DNS server from ISC.org. The BIND-based NAMED server (or DNS servers) allow remote users to query for version and type information. B. The administrator should fix smtp (25/tcp). The remote SMTP server is insufficiently protected against relaying. This means spammers might be able to use the company's mail server to send their emails to the world. C. The administrator should fix http (80/tcp). An information leak occurs on Apache web servers with the UserDir module enabled, allowing an attacker to enumerate accounts by requesting access to home directories and monitoring the response. D. The administrator should fix http (80/tcp). The 'greeting.cgi' script is installed. This CGI has a well-known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. E. The administrator should fix general/tcp. The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall a company is using, an attacker may use this flaw to bypass its rules.)
The administrator should fix smtp (25/tcp). The remote SMTP server is insufficiently protected against relaying. This means spammers might be able to use the company's mail server to send their emails to the world.
A security analyst's company uses RADIUS to support a remote sales staff of more than 700 people. The Chief Information Security Officer (CISO) asked to have IPSec using ESP and 3DES enabled to ensure the confidentiality of the communication as per RFC 3162. After the implementation was complete, many sales users reported latency issues and other performance issues when attempting to connect remotely. Which of the following is occurring? (A. The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation. B. RFC 3162 is known to cause significant performance problems. C. The IPSec implementation has significantly increased the amount of bandwidth needed. D. The implementation should have used AES instead of 3DES.)
The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation.
A security incident has been created after noticing unusual behavior from a Windows domain controller. The server administrator has discovered that a user logged in to the server with elevated permissions, but the user's account does not follow the standard corporate naming scheme. There are also several other accounts in the administrators group that do not follow this naming scheme. Which of the following is the possible cause for this behavior and the BEST remediation step? (A. The Windows Active Directory domain controller has not completed synchronization, and should force the domain controller to sync. B. The server has been compromised and should be removed from the network and cleaned before reintroducing it to the network. C. The server administrator created user accounts cloning the wrong user ID, and the accounts should be removed from administrators and placed in an employee group. D. The naming scheme allows for too many variations, and the account naming convention should be updated to enforce organizational policies.)
The naming scheme allows for too many variations, and the account naming convention should be updated to enforce organizational policies.
A security analyst is reviewing output from a CVE-based vulnerability scanner. Before conducting the scan, the analyst was careful to select only Windows-based servers in a specific datacenter. The scan revealed that the datacenter includes 27 machines running Windows 2003 Server Edition (Win2003SE). In 2015, there were 36 new vulnerabilities discovered in the Win2003SE environment. Which of the following statements are MOST likely applicable? (A. Remediation is likely to require some form of compensating control. B. Microsoft's published schedule for updates and patches for Win2003SE has continued uninterrupted. C. Third-party vendors have addressed all of the necessary updates and patches required by Win2003SE. D. The resulting report on the vulnerability scan should include some reference that the scan of the datacenter included 27 Win2003SE machines that should be scheduled for replacement and deactivation. E. Remediation of all Win2003SE machines requires changes to configuration settings and compensating controls to be made through Microsoft Security Center's Win2003SE Advanced Configuration Toolkit.)
The resulting report on the vulnerability scan should include some reference that the scan of the datacenter included 27 Win2003SE machines that should be scheduled for replacement and deactivation.
A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring? (A. Someone has logged on to the sinkhole and is using the device. B. The sinkhole has begun blocking suspect or malicious traffic. C. The sinkhole has begun rerouting unauthorized traffic. D. Something is controlling the sinkhole and causing CPU spikes due to malicious utilization.)
The sinkhole has begun rerouting unauthorized traffic.
Which of the following has the GREATEST impact to the data retention policies of an organization? (A. The CIA classification matrix assigned to each piece of data. B. The level of sensitivity of the data established by the data owner. C. The regulatory requirements concerning the data set. D. The technical constraints of the technology used to store the data.)
The technical constraints of the technology used to store the data.
Which of the following describes why it is important for an organization's incident response team and legal department to meet and discuss communication processes during the incident response process? (A. To comply with existing organization policies and procedures on interacting with internal and external parties. B. To ensure all parties know their roles and effective lines of communication are established. C. To identify which group will communicate details to law enforcement in the event of a security incident. D. To predetermine what details should or should not be shared with internal or external parties in the event of an incident.)
To comply with existing organization policies and procedures on interacting with internal and external parties.
After implementing and running an automated patching tool, a security administrator ran a vulnerability scan that reported no missing patches found. Which of the following BEST describes why this tool was used? (A. To create a chain of evidence to demonstrate when the servers were patched. B. To harden the servers against new attacks. C. To provide validation that the remediation was active. D. To generate log data for unreleased patches.)
To harden the servers against new attacks.
The development team recently moved a new application into production for the accounting department. After this occurred, the Chief Information Officer (CIO) was contacted by the head of accounting because the application is missing a key piece of functionality that is needed to complete the corporation's quarterly tax returns. Which of the following types of testing would help prevent this from reoccurring? (A. Security regression testing B. User acceptance testing C. Input validation testing D. Static code testing)
User acceptance testing
The software development team pushed a new web application into production for the accounting department. Shortly after the application was published, the head of the accounting department informed IT operations that the application was not performing as intended. Which of the following SDLC best practices was missed? (A. Peer code reviews B. Regression testing C. User acceptance testing D. Fuzzing E. Static code analysis)
User acceptance testing
Which of the following is a vulnerability that is specific to hypervisors? (A. DDoS B. VLAN hopping C. Weak encryption D. VM escape)
VM escape
A threat intelligence analyst who is working on the SOC floor has been forwarded an email that was sent to one of the executives in business development. The executive mentions the email was from the Chief Executive Officer (CEO), who was requesting an emergency wire transfer. This request was unprecedented. Which of the following threats MOST accurately aligns with this behavior? (A. Phishing B. Whaling C. Spam D. Ransomware)
Whaling
A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, despite the fact that no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this? (A. Advanced persistent threat B. Zero day C. Trojan D. Logic bomb)
Zero day
A common mobile device vulnerability has made unauthorized modifications to a device. The device owner removes the vendor/carrier provided limitations on the mobile device. This is also known as: (A. jailbreaking B. cracking C. hashing D. fuzzing)
jailbreaking
Which of the following command line utilities would an analyst use on an end-user PC to determine the ports it is listening on? (A. tracert B. ping C. nslookup D. netstat)
netstat
An analyst is detecting Linux machines on a Windows network. Which of the following tools should be used to detect a computer operating system? (A. whois B. netstat C. nmap D. nslookup)
nmap
A cybersecurity analyst wants to use ICMP ECHO_REQUEST on a machine while using Nmap. Which of the following is the correct command to accomplish this? (A. nmap -PE 192.168.1.7 B. ping -PE 192.168.1.7 C. nmap -traceroute 192.168.1.7 D. nmap -PO 192.168.1.7)
nmap -PE 192.168.1.7
An organization is conducting penetration testing to identify possible network vulnerabilities. The penetration tester has received the following output from the latest scan:
Starting Nmap 4.67 (http://nmap.org) at 2011-11-03 18:32 EDT
Nmap scan report for 192.168.1.13
Host is up (0.00066s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
1417/tcp open  timbuktu-srv1
MAC Address: 01:AA:FB:23:21:45
Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds
The penetration tester knows the organization does not use Timbuktu servers and wants to have Nmap interrogate the ports on the target in more detail. Which of the following commands should the penetration tester use NEXT? (A. nmap -sV 192.168.1.13 -p1417 B. nmap -sS 192.168.1.13 -p1417 C. sudo nmap -sS 192.168.1.13 D. nmap 192.168.1.13 -v)
nmap -sV 192.168.1.13 -p1417
Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation? (A. strings B. sha1sum C. file D. dd E. gzip)
sha1sum