CySA Practice Exam #4


B. DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a DNS transaction type. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique.

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active?
A. A DNS forward or reverse lookup
B. A zone transfer
C. A whois query
D. Using maltego

B.

Fail to Pass Systems has just become the latest victim in a large scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach?
A. Provide a statement to the press that minimizes the scope of the breach
B. Conduct notification to all affected customers within 72 hours of the discovery of the breach
C. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim
D. Conduct a 'hack-back' of the attacker in order to retrieve the stolen information

C. This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal is that the application does not fail in a way that allows the attacker to execute code or perform an injection attack.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
A. Use of insecure functions
B. Insufficient logging and monitoring
C. Improper error handling
D. Insecure object reference

A. The final phase of the security intelligence cycle is feedback and review, which utilizes intelligence producers' and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements?
A. Feedback
B. Analysis
C. Dissemination
D. Collection

A, D, E. While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used by DNS servers to receive requests, and an employee's workstation running a DNS server would be unusual. If the Foreign Address were using port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case.

A cybersecurity analyst is analyzing an employee's workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Proto  Local Address       Foreign Address       State
TCP    0.0.0.0:53          0.0.0.0:0             LISTENING
TCP    0.0.0.0:135         0.0.0.0:0             LISTENING
TCP    0.0.0.0:445         0.0.0.0:0             LISTENING
TCP    0.0.0.0:5357        0.0.0.0:0             LISTENING
TCP    192.168.1.4:53      91.198.117.247:443    CLOSE_WAIT
TCP    192.168.1.4:59393   74.125.224.39:443     ESTABLISHED
TCP    192.168.1.4:59515   208.50.77.89:80       ESTABLISHED
TCP    192.168.1.4:59518   69.171.227.67:443     ESTABLISHED
TCP    192.168.1.4:59522   96.16.53.227:443      ESTABLISHED
TCP    192.168.1.4:59523   96.16.53.227:443      ESTABLISHED
TCP    192.168.1.4:53      208.71.44.30:80       ESTABLISHED
TCP    192.168.1.4:59538   74.125.224.98:80      ESTABLISHED
TCP    192.168.1.4:59539   74.125.224.98:80      ESTABLISHED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this output, which of the following entries is suspicious? (SELECT THREE)
A. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
B. TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
C. TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
D. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
E. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
F. TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED

D. This appears to be an indication that unauthorized privileges are being used. The first binary, svchost.exe, executes from an odd location, which indicates it might be malicious. The process svchost.exe doesn't usually reside in the inetsrv folder on a Windows system since this folder contains the Windows IIS web server files. Additionally, this file then spawned a binary that appears to be masquerading as a Windows process, the WMI Provider Host called wmiprvse.exe. This appears to be the beginning of a privilege escalation attack.

A cybersecurity analyst is reviewing the logs for his company's server and sees the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Process spawned by services.exe (c:\windows\system32\inetsrv\svchost.exe)
Process spawned by services.exe (c:\windows\system32\cmd.exe)
Command line (cmd /c start C:\WINDOWS\system32\wmiprvse.exe c:\WINDOWS\system32\ 2006)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting?
A. Beaconing is establishing a connection to a C2 server
B. Data exfiltration is occurring over the network
C. A common protocol is being used over a non-standard port
D. Unauthorized privileges are being utilized

D. The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of the data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data does not need to be retained after it is ingested for the research project; only the medical data itself is needed.

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?
A. Use DevSecOps to build the application that processes the PHI
B. Utilize formal methods of verification against the application processing the PHI
C. Utilize a SaaS model to process the PHI data instead of an on-premise solution
D. Conduct tokenization of the PHI data before ingesting it into the big data application

C. By executing the "which bash" command, the system will report the file structure path to where the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate a compromised machine.

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system?
A. dir bash
B. ls -l bash
C. which bash
D. printenv bash

B. Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission.

An organization is conducting a cybersecurity training exercise. Which team is Jason assigned to if he has been asked to monitor and manage the defenders and attackers' technical environment during the exercise?
A. Red team
B. White team
C. Blue team
D. Purple team

B. Load testing or stress testing puts an application, network, or system under full load conditions to document any performance lapses.

Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support many users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users?
A. User acceptance testing
B. Load testing
C. Regression testing
D. Fuzz testing

A. Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment.

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish?
A. Staging
B. Honeypot
C. Honeynet
D. Development

A. The excerpt is a JSON object used by the STIX protocol to convey threat information. STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies.

Consider the following data:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
{"id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241",
 "objects": [
  {"aliases": ["Comment Crew", "Comment Group", "Shady Rat"],
   "created": "2015-05-15T09:00:00.000Z",
   "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.",
   "first_seen": "2006-06-01T00:00:00.000Z",
   "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
   "modified": "2015-05-15T09:00:00.000Z",
   "name": "APT1",
   "object_marking_refs": ["marking-definition--3444e29e-2aa6-46f7-a01c-1c174820fa67"],
   "primary_motivation": "organizational-gain",
   "resource_level": "government",
   "spec_version": "2.1",
   "type": "intrusion-set"},
  {"aliases": ["Greenfield", "JackWang", "Wang Dong"],
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes the data presented above?
A. A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format
B. An XML entry describing an APT using the MITRE ATT&CK framework
C. An XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework
D. A JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service

D. Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN.

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?
A. Create an ACL to allow access
B. Configure a SIEM
C. MAC filtering
D. Implement NAC

C. Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality.

Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed?
A. Fuzzing
B. User acceptance testing
C. Regression testing
D. Penetration testing

C. Registered ports are assigned a port number between 1024 and 49151 by the Internet Assigned Numbers Authority. Just because you find one of those ports in use, that does not guarantee that the service running on it will match the normally registered service.

During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service?
A. The service is running on a port between 0-1023
B. The service's name on the registered port
C. The service is running on a port between 1024 and 49151
D. The vulnerability status of the service on the registered port

B. This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The Edge server may serve the requested content from its cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results.

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?
A. The server assumes you are conducting a DDoS attack
B. You are scanning a CDN-hosted copy of the site
C. The scan will not produce any useful information
D. Nothing can be determined about this site with the information provided

D. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether a third party sending email on behalf of the organization is authorized to do so. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send email on your behalf by setting up DMARC and DKIM in your DNS records.

During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst's vulnerability scans of the network's domain controllers?
A. Log files
B. SIEM systems
C. Configuration management systems
D. DMARC and DKIM

A. During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence.

During which phase of the incident response process does an organization assemble an incident response toolkit?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

A, D. Firewall log formats will vary by vendor, but this example is a commonly used format from the Linux iptables firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word "drop" shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination (DPT) ports. In this case, the DPT is 23, which is the well-known port for telnet.

Evaluate the following log entry:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this log entry, which of the following statements are true?
A. The packet was blocked inbound to the network
B. MAC filtering is enabled on the firewall
C. Packets are being blocked inbound to and outbound from the network
D. An attempted connection to the telnet service was prevented
E. The packet was blocked outbound from the network
F. An attempted connection to the ssh service was prevented

A. Since Jack's DMZ would contain systems and servers exposed to the Internet, there is a high likelihood that they are constantly being scanned by potential attackers performing reconnaissance.

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?
A. High
B. Medium
C. Low
D. None

C. Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined.

Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts?
A. NIST guideline documents
B. Vendor best practices
C. Corporate policy
D. Configuration settings from the prior system

B.

Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided to predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model?
A. Regular
B. Supplemented
C. Extended
D. Non-recoverable

C. Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?
A. Red team
B. White team
C. Blue team
D. Yellow team

A. The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question's details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
A. Privilege escalation
B. Phishing
C. Social engineering
D. Session hijacking

B. WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?
A. IPS
B. WAF
C. Vulnerability scanning
D. Encryption

D. An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.

Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT?
A. Network traffic analysis
B. Network forensics
C. Endpoint behavior analysis
D. Endpoint forensics

D. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, the assets critical to the secure handling or storage of PHI carry the highest risk and should be prioritized for remediation first.

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?
A. Attempt to identify all the false positives and exceptions, then resolve any remaining items
B. Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully
C. Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities
D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

A. The dd tool is used to make bit by bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image.

What command should a forensic analyst use to make a forensic disk image of a hard drive?
A. dd
B. wget
C. touch
D. rm

B. The training and transition phase ensures that end users are trained on the software and that the software enters general use.

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?
A. Development
B. Training and transition
C. Operations and maintenance
D. Disposition

A. The Windows registry keeps a list of the wireless networks that a system has previously connected to. The registry keys can be found under HKLM\Software\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This is stored in Local Machine because it logs a copy of every access point connected to by all users of the machine, not just the currently logged in user.

Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop?
A. Search the registry for a complete list
B. Search the user's profile directory for the list
C. Search the wireless adapter cache for the list
D. A list of the previously connected wireless networks is not stored on the laptop

B. The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker's behavior.

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?
A. MITRE ATT&CK framework
B. Diamond Model of Intrusion Analysis
C. Lockheed Martin cyber kill chain
D. OpenIOC

C. While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting.

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace?
A. Recycling
B. Capitalism
C. Counterfeiting
D. Entrepreneurship

A. A SQL injection poses the most direct and most impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database?
A. SQL injection
B. Cross-site scripting
C. Buffer overflow
D. Denial of service

C. TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
A. RADIUS
B. CHAP
C. TACACS+
D. Kerberos

D. Service control (sc) is a Windows command that allows you to create, start, stop, query, or delete a Windows service.

Which of the following commands would NOT provide domain name information and details about a host?
A. dig -x [ip address]
B. host [ip address]
C. nslookup [ip address]
D. sc [ip address]

C. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management.

Which of the following does a User Agent request a resource from when conducting a SAML transaction?
A. Relying party (RP)
B. Identity provider (IdP)
C. Service provider (SP)
D. Single sign-on (SSO)

D. Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

Which of the following elements is LEAST likely to be included in an organization's data retention policy?
A. Minimum retention period
B. Maximum retention period
C. Description of information needing to be retained
D. Classification of information

C. Atomic execution treats operations as indivisible units and distributes their processing across the multi-threaded processing environment securely.

Which of the following ensures multi-threaded processing is conducted securely?
A. Trusted execution
B. Processor security extensions
C. Atomic execution
D. Secure enclave

C. If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering.

Which of the following is NOT a valid reason to conduct reverse engineering?
A. To commit industrial espionage
B. To determine how a piece of malware operates
C. To allow the software developer to spot flaws in their source code
D. To allow an attacker to spot vulnerabilities in an executable

C. A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks.

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?
A. Directory traversals
B. File inclusions
C. Faulty input validation
D. Output encoding

D. The software development lifecycle model used by a company is purely an internal function relevant only to the development of custom software within the organization. Regardless of whether a waterfall or agile methodology is chosen, it does not directly affect the organization's attack surface.

Which of the following is usually not considered when evaluating the attack surface of an organization?
A. External and internal users
B. Websites and cloud entities
C. Software applications
D. Software development lifecycle model

D. Account management policies describe the account life cycle from creation through decommissioning.

Which of the following policies should contain the requirements for removing a user's access when an employee is terminated?
A. Data ownership policy
B. Data classification policy
C. Data retention policy
D. Account management policy

A. Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials.

Which of the following protocols is considered insecure and should never be used in your networks?
A. Telnet
B. SSH
C. SFTP
D. HTTPS

A, B, D, F. Human Resources has a role to play in that the discoveries made during incident handling may affect employees and employment law. Privacy concerns regarding how to intercept and monitor data may also necessitate HR and Legal involvement. For various reasons, the company may decide to go public with the knowledge of the breach. Therefore, public relations personnel are needed. Management has a crucial role to play in being able to allocate resources to remediate the incident. System administrators and security analysts should also be on the team since they know what constitutes a normal baseline for the systems.

Which of the following roles should be assigned to the incident response team? (SELECT FOUR)
A. Legal
B. Human resources
C. Accounting
D. Public relations
E. Facility maintenance
F. Management

D. OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP).

Which of the following tools is considered a web application scanner? ​ A. Nessus​ B. Qualys​ C. OpenVAS​ D. Zap

C. Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them.

Which of the following types of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network? ​ A. Directory traversal​ B. Cross-site scripting​ C. Removable media​ D. Session hijacking

D. Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice what had been changed, thereby also affecting our data integrity.

Which of the following vulnerabilities is the greatest threat to data confidentiality? ​ A. HTTP TRACE/TRACK methods enabled​ B. SSL Server with SSLv3 enabled vulnerability​ C. phpinfo information disclosure vulnerability​ D. Web application SQL injection vulnerability

A, B, D. During the weaponization phase, the adversary is exploiting the knowledge gained during the reconnaissance phase. During this phase, the adversary is still not initiating any contact with the target, though. Therefore, obtaining a 'weaponizer' (a tool to couple malware and exploit into a deliverable payload), crafting the decoy document, determining C2 infrastructure, and the weaponization of the payload all occur during the weaponization phase.

Which of the following will an adversary do during the weaponization phase of the Lockheed Martin kill chain? (SELECT THREE) ​ A. Obtain a weaponizer​ B. Select a decoy document to present to the victim​ C. Harvest email addresses​ D. Select backdoor implant and appropriate command and control infrastructure for operation​ E. Conduct social media interactions with targeted individuals​ F. Compromise the target's servers

A. IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)? ​ A. IPSec​ B. SSLv2​ C. PPTP​ D. SSLv3

D. An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective.

Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? ​ A. On-demand vulnerability scanning​ B. Continuous vulnerability scanning​ C. Scheduled vulnerability scanning​ D. Agent-based monitoring

B.

Which role validates the user's identity when using SAML for authentication? ​ A. SP​ B. IdP​ C. User agent​ D. RP

C. The principles of the Agile Manifesto characterize agile software development. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process.

Which software development model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? ​ A. Waterfall​ B. Spiral​ C. Agile​ D. RAD

C.

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? ​ A. Continuous delivery​ B. Continuous integration​ C. Continuous deployment​ D. Continuous monitoring

B. Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed.

Which type of media sanitization would you classify degaussing as? ​ A. Clearing​ B. Purging​ C. Destruction​ D. Erasing

C. Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself.

Which type of monitoring would utilize a network tap? ​ A. Router-based​ B. Active​ C. Passive​ D. SNMP

A. This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their own individual gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error.

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? ​ A. Separation of duties​ B. Background checks​ C. Dual control​ D. Mandatory vacation

D. OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, Qradar, and Splunk are all proprietary, commercially licensed SIEM solutions.

While studying for your CompTIA CySA+ course at Dion Training, you decided to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilizes an open-source licensing model? ​ A. Splunk​ B. QRadar​ C. ArcSight​ D. OSSIM

A. The correct REGEX is \b[A-Za-z0-9\.\-]{50,251}+\.org to use as a filter in this case. The first phrase before the + sign indicates to match between 50 and 251 instances of any of the preceding letters (A-Z, a-z, 0-9, period, and the minus symbol). Since DNS hostnames cannot be longer than 255 characters per RFC1123, a range of 50-251 will account for the four characters in ".org" being added to the end of the random sequences. The + sign indicates that after the preceding regex fragment, the following regex pattern should be present. Following the + sign, the pattern "\.org" indicates that selected strings must end in .org.

You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEX expressions would you use to filter DNS traffic that matches this? ​ A. \b[A-Za-z0-9\.\-]{50,251}+\.org​ B. \b(A-Za-z0-9\.\-){50,251}|\.org​ C. \b[A-Za-z0-9\.-]{50,251}+.org​ D. \b[A-Za-z0-9.-]{50,251}+.org

C. The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value.

You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? ​ A. Cost of acquisition of the system​ B. Cost of hardware replacement of the system​ C. Type of data processed by the system​ D. Depreciated hardware cost of the system

B. Linux services are started by xinetd, but some newer versions use systemctl. Therefore, the /etc/xinetd.conf file should be analyzed for any evidence of a backdoor being started as part of the Linux services.

You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service? ​ A. /etc/passwd​ B. /etc/xinetd.conf​ C. /etc/shadow​ D. $HOME/.ssh/

D. War walking is conducted by walking around a building while locating wireless networks and devices. War walking will not help find a wired rogue device.

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? ​ A. MAC validation​ B. Port scanning​ C. Site surveys​ D. War walking

A, C. Files that users have deleted are most likely found in the Recycle Bin or slack space. Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user.

You are trying to find some files that were deleted by a user on a Windows workstation. What two locations are most likely to contain those deleted files? ​ A. Slack space​ B. Unallocated space​ C. Recycle bin​ D. Registry

B. Your first action as an analyst would be to inform management of the issues being experienced so a decision on the proper course of action can be determined.

You are working as a cybersecurity analyst, and you just received a report that many of your servers are experiencing slow response times due to what appears to be a DDoS attack. Which of the following actions should you undertake? ​ A. Inform users regarding the affected systems​ B. Inform management of the issue being experienced​ C. Shut down all of the interfaces on the affected servers​ D. Take no action but continue to monitor the critical systems

C. If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive.

You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure? ​ A. The data on the source drive was modified during the imaging​ B. The source drive is encrypted with BitLocker​ C. There are bad sectors on the destination drive​ D. The data cannot be copied using the RAW format

A. Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance.

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? ​ A. Utilizing an operating system SCAP plugin​ B. Utilizing an authorized credential scan​ C. Utilizing a non-credential scan​ D. Utilizing a known malware plugin

B. The correct answer is \b172\.16\.1\.(25[0-5]|19[2-9]|2[0-4][0-9])\b. The \b delimiter indicates that we are looking for whole words for the complete string. Since this is a /26, it would have 64 IP addresses in the range. Since the IP provided was 172.16.1.224, the range would be 172.16.1.192 to 172.16.1.255. The correct answer allows all values of 200-249 through the use of the phrase 2[0-4][0-9]. The values of 250-255 are specified by 25[0-5]. The values of 192-199 are specified through the use of 19[2-9].

You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? ​ A. \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b​ B. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b​ C. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b​ D. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b

B. Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use.

You have just finished running an nmap scan on a server and see the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining.com
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining.com (64.13.134.52)
Not shown: 996 filtered ports
PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? ​ A. 22​ B. 23​ C. 53​ D. 443

A, B, C, D, E. The grep (global search for regular expressions and print) command is one of Linux's powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" will be presented from the file and displayed as the command output. By default, grep is case sensitive, so "grep DION Names.txt" would only display the output "DION" and ignore the other variations.

You have just run the following commands on your Linux workstation:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DionTraining:~ root# ls
Names.txt
DionTraining:~ root# more Names.txt
DION
DIOn
DIon
Dion
dion
DionTraining:~ root# grep -i DION Names.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following options would be included as part of the output for the grep command issued? (SELECT ALL THAT APPLY) ​ A. DION​ B. DIOn​ C. DIon​ D. Dion​ E. dion

B. This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply from the ping's target.

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed 'history' into the prompt and see the following:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> for i in seq 255; ping -c 1 10.1.0.$i; done
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes what actions were performed by this line of code? ​ A. Attempted to conduct a SYN scan on the network​ B. Conducted a ping sweep of the subnet​ C. Conducted a sequential ICMP echo reply to the subnet​ D. Sequentially sent 255 ping packets to every host on the subnet

C. This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger cipher should be used, such as forcing the use of AES.

You have run a vulnerability scan and received the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CVE-2011-3389
QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following categories should this be classified as? ​ A. PKI transfer vulnerability​ B. Active Directory encryption vulnerability​ C. Web application cryptography vulnerability​ D. VPN tunnel vulnerability

D. The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.

You just completed an nmap scan against a workstation and received the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
Based on these results, which of the following operating systems is most likely being run by this workstation? ​ A. Ubuntu​ B. macOS​ C. CentOS​ D. Windows

C. The security policy auditor (secpol.msc) will allow an authorized administrator the option to change a great deal about an operating system, but it cannot explicitly stop a process or service that is already running.

You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it? ​ A. sc​ B. wmic​ C. secpol.msc​ D. services.msc

B. Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts.

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? ​ A. Airgap​ B. Jumpbox​ C. Bastion hosts​ D. Physical

D. The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV).

Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan? ​ A. Anyone​ B. Any qualified individual​ C. Only employees of the company​ D. Only an approved scanning vendor

A. Stress testing is a software testing activity that determines the robustness of software by testing beyond normal operating limits. It ensures adequate resources are available to support the end user's needs when an application goes into a production environment.

Your service desk has been receiving many complaints from external users that a web application is responding slowly to requests and frequently receives a "connection timed out" error message when they attempt to submit information to the application. Which software development best practice should have been implemented to prevent this from occurring? ​ A. Stress testing​ B. Regression testing​ C. Input validation​ D. Fuzzing
