Dion: Comptia CySA - Practice Test 6

cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: Which of the following statements is true based on this output?

10.0.19.121 is a client that is accessing an SSH server over port 52497 OBJ-4.4: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. note The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

You have just finished running a Nmap scan on a server are see the following output: Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

23 OBJ-1.4: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use. note The other open ports are SSH (port 22), DNS (port 53), and HTTPS (port 443).

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program's components are run from in memory?

ASLR OBJ-2.1: ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. note The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

Federal Information Security Management Act (FISMA) OBJ-5.1: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. note The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?

Group Policy Object (GPO) OBJ-1.7: Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. A Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an active directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units. note A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Anti-malware software is a program that scans a device or network for known viruses, Trojans, worms, and other malicious software. Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware. Proper patch management is a technical control that would prevent future outbreaks.

Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment?

NIST (National Institute of Standards and Technology) OBJ-5.3: NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the program's establishment and provide a series of guidelines and best practices. note SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). The SDLC is the software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to many secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide?

Personally identifiable information (PII) OBJ-4.1: Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. note Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls to secure sensitive government information.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected?

The Health Insurance Portability and Accountability Act (HIPAA) OBJ-5.1: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. note The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.

Which of the following is the default nmap scan type when you do not provide a flag when issuing the command?

a tcp syn scan OBJ-1.4: By default, Nmap performs an SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). note A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.

Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

conduct secure supply chain management training OBJ-2.3: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences. note All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain.

Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts?

corporate policy OBJ-5.3: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. note Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?

cross site scripting OBJ-1.7: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. note SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?

false positive OBJ-1.3: A false positive occurs when an alert is triggered (the system believes malicious activity occurred) when there is no malicious activity involved. A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?

fuzzing OBJ-2.2: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks. note Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data known to cause an exception or fault is entered as part of the testing/assessment. With known bad data injections, you would not use randomly generated data sets, though.

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement?

guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgements from non compliance OBJ-4.1: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. note For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.

Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR)

install a webshell on a server install a backdoor/implant on a client victim timesstomp a malware file to make it appears as if it is part of the OS create a point of presence by adding services, scheduled tasks, or AutoRun keys OBJ-1.2: During the installation phase, the adversary is taking actions to establish a footprint on the target system and is attempting to make it difficult for a defender to detect their presence. The attack may also attempt to confuse any attempts to remove the adversary from the system if the detection of their presence occurs. Due to this, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target. Timestomping is also conducted to hide the presence of malware on the system. note Opening up two-way communication with an established C2 infrastructure occurs in the command and control phase. Collecting user credentials occurs in the actions on objectives phase.

Which of the following is NOT a part of the vulnerability management lifecycle?

investigating OBJ-1.3: The three phases of the vulnerability management lifecycle are detection, remediation, and testing.

John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization's network?

john does not have permission to perform the scan OBJ-1.3: All options listed are an issue, but the most significant issue is that John does not have the client's permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization's systems. note A cybersecurity analyst should never conduct a vulnerability scan on another organization's network without explicit written permission. In some countries, a vulnerability scan against an organization's network without their permission is considered a cybercrime and could result in jail time for the consultant.

An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose?

kerberos OBJ-3.2: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. note RADIUS, TACACS+, and PAP are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action?

perform a DNS brute force attack OBJ-3.1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. note A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.

Which of the following provides the detailed, tactical information that CSIRT members need when responding to an incident?

procedures OBJ-4.2: The incident response policy contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection/analysis, containment, eradication/recovery, and post-incident stages. Procedures provide detailed, tactical information to the CSIRT and represent the team members' collective wisdom and subject-matter experts. note A policy is a statement of intent and is implemented as a procedure or protocol. A guideline is a statement by which to determine a course of action. A guideline aims to streamline particular processes according to a set routine or sound practice. A framework is a basic structure underlying a system, concept, or text.

According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the actions on the objectives phase of the kill chain?

quality of service OBJ-4.2: During the adversary's actions on objective phase, the adversary is already deep within the victim's network and has defeated all security mechanisms. If the adversary is attempting to exfiltrate data, implementing a quality of service approach could potentially slow down the rate at which information could be exfiltrated. This is considered a degradation to their effort by purposely manipulating service quality to decrease their transfer speeds. note Honeypots could deceive an enemy during the actions on objective phase as the adversary may unknowingly take actions against a honeypot instead of their real objectives, but this would be classified as deception and not degradation. NIPS technologies serve to disrupt C2 channels, not degrade them. Audit logs may detect actions an adversary has taken after the fact but will not degrade the actions themselves.

Which of the following is the biggest advantage of using Agile software development?

reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel OBJ-2.2: Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the project's overall objective. Agile models do not necessarily produce better, more secure, or more efficient code than other methods.

Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive?

retrieving the key from the MBR (master boot record) OBJ-4.4: BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR. note BitLocker keys can also be retrieved via hibernation files or memory dumps. The recovery key may also be retrieved by conducting a FireWire attack on the mounted drive using a side-channel attack known as a DMA attack.

Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop?

search the registry for a complete list OBJ-4.3: The Windows registry keeps a list of the wireless networks that a system has previously connected to. The registry keys can be found in the directory of HKLM\Software\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This is stored in Local Machine because it logs a copy of every access point connected to all users of the machine, not just the currently logged in user.

Which of the following has occurred if a device fails to activate because it has detected an unknown modification?

self checking OBJ-2.3: NIST defines self-checking behavior as a control used to prohibit elicit modification to hardware components. This can be done using anti-tamper technology like a field-programmable gate array (FPGA), a physically unclonable function (PUF), or other techniques. note Obfuscation is the act of making something obscure, unclear, or unintelligible. Usually, this is done by encoding strings or binary information to make it less detectable by signature-based detection mechanisms. Improper authentication occurs when an attacker claims to have a given identity, and the software does not prove or insufficiently prove that the claim is correct. The Trusted Foundry Program, also called the trusted supplier program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military.

You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase?

setting permissions OBJ-4.2: Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to the administrative user accounts or groups. This is performed during the recovery phase. note During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.

Following an incident, the incident response team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches best describes what the organization should do next?

submit a prioritized list with all of the recommendations for review, procurement, and installation OBJ-4.1: Since an incident has just occurred, it is important to act swiftly to prevent a reoccurrence. The organization should still take a defined and deliberate approach to choosing the proper controls and risk mitigations. Therefore, execution through a rational business management process is the best approach, including creating a prioritized list of recommendations. Once this list has been created, the organization can conduct a cost/benefit analysis of each recommendation and determine which controls and items will be implemented in the network based upon resource availability in terms of time, person-hours, and money note . This process does not need to be a long-term study or filled with complexity. Instead, it should be rapidly conducted due to the probability that an attacker may compromise the network again.

Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided to predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model?

supplemented OBJ-4.2: Based on the scenario given, the best choice is supplemented. The NIST keys are to remember that each level has additional unknowns and resources that increase the severity level from regular to supplemented then extended. note Non-recoverable situations existed when whatever happened cannot be remediated. In this case, an investigation would be started. In a non-governmental agency, this phase might even include notifying law enforcement.

You are attempting to run a packet capture on a Linux workstation using the tcpdump command. Which of the following would allow you to conduct the packet capture and write the output to a file for later analysis?

tcpdump -i eth0 -w diontraining.pcap OBJ-3.2: The tcpdump command is a command-line packet capture utility for Linux. The tcpdump command uses the -w option to write the capture output results to a file. A .pcap extension normally identifies packet capture files. note The tcpdump command uses the -r option to read the contents of a packet capture file. The tcpdump command uses the -n option to show network address information in numeric format (does not resolve hostnames). The tcpdump command uses the -e option to include the data link (Ethernet) header when performing a packet capture.

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?

the attachment is using a double file extension to mask its identity OBJ-3.1: The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. note This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?

training and transition OBJ-2.2: The training and transition phase ensures that end users are trained on the software and entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase. note Disposition is focused on the retirement of an application or system. Operations and maintenance are focused on the portion of the lifecycle where the application or system goes into use to provide value to the end-users. D evelopment is the portion of the lifecycle focused on designing and coding the application or system.

You have run a vulnerability scan and received the following output: Which of the following categories should this be classified as?

web application cryptography vulnerability OBJ-1.4: This vulnerability should be categories as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. note Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?

you are scanning a CDN hosted copy of the site OBJ-1.4: This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server's cache or pull the content from the main diontraining.com servers. note If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?

Open ID connect OBJ-2.1: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as?

POS malware OBJ-4.4: Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. note Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred?

SQL injection OBJ-3.1: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. note A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic.

You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEGX expressions would you use to filter DNS traffic that matches this?

\b[A-Za-z0-9\.\-]{50,251}+\.org OBJ-3.1: The correct REGEX is \b[A-Za-z0-9\.\-]{50,251}+\.org to use as a filter in this case. The first phrase before the + sign indicates to match between 50 and 251 instances of any of the preceding letters (A-Z, a-z, 0-9, period, and the minus symbol). Since DNS hostnames cannot be longer than 255 characters per RFC1123, a range of 50-251 will account for the four characters in ".org" being added to the end of the random sequences. The + sign indicates that after the preceding regex fragment, the following regex pattern should be present. Following the + sign, the pattern "\.org" indicates that selected strings must end in .org. note All other options either incorrectly use parenthesis, the OR operator (|), or forgot to use the escape character (\) in front of the period symbol.

Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability?

accepting serialized objects from untrusted sources or the use of serialized non primitive data may lead to remote code execution OBJ-1.6: When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to allow the API to be exposed to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). note Cross-site scripting and SQL attacks are not a concern for an API first model. While stuffiest logging and monitoring would prevent an analyst from detecting if a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.

You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention?

access_log OBJ-3.1: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. note The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is an executable program that parses Apache log files within in Postgres database.

Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting?

agent based monitoring OBJ-1.3: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. note While vulnerability scans can give you a snapshot of a system's status at a certain time, they will not remain current and accurate without continual rescanning.

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

agent based scanning OBJ-3.1: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. note Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately.

Which software development model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation?

agile OBJ-2.2: The principles of the Agile Manifesto characterize agile software development. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process. note The waterfall model is a breakdown of project activities into linear sequential phases. Each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks. Rapid Application Development (RAD) is a form of agile software development methodology that prioritizes rapid prototype releases and iterations. Unlike the Waterfall method, RAD emphasizes software and user feedback over strict planning and requirements recording. Spiral development is a risk-driven software development model that guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping.

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take to analyze the suspected APT activity?

analyze the trends of the events while manually reviewing them to see if any indicators match OBJ-3.1: You should begin by analyzing the event's trends while manually reviewing them to determine if any of the indicators match. If you only searched through the event logs using the IP addresses, this would not be sufficient as many APTs hide their activity by compromising and using legitimate networks and their IP addresses. note If you only use the IP addresses to search the event logs, you would miss any events correlated only to the domain names. If you create an advanced query will all of the indicators, your search of the event logs will find nothing because no single event will include all of these IPs and domain names. Finally, while scanning for vulnerabilities known to have been used by the APTs is a good practice, it would only be effective in determining how to stop future attacks from occurring, not determine whether or not an attack has already occurred.

Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company's policy. What best describes the actions Michelle just took?

application hardening OBJ-1.3: Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. note Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters?

bollards OBJ-5.2: Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as sturdy, short, vertical posts. Some organizations have installed more decorative bollards created out of cement and are large enough to plant flowers or trees inside. note Access control vestibules are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this from occurring but not truly prevent them.

A penetration tester discovered a legacy web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, and the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a Perl script that runs the following msadc commands: Which exploit type is indicated by this script?

chained exploit OBJ-3.1: The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly where a program that occurs while writing data to a buffer overruns the buffer's boundary and overwrites adjacent memory locations. note SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh?

change sshed_config to deny root login OBJ-3.2: Linux systems use the sshd (SSH daemon) to provide ssh connectivity. If Tim changes the sshd_config to deny root logins, it will still allow any authenticated non-root user to connect over ssh. The sshd service has a configuration setting that is named PermitRootLogin. If you set this configuration setting to no or deny, all root logins will be denied by the ssh daemon. note If you didn't know about this setting, you could still answer this question by using the process of elimination. An iptables rule is a Linux firewall rule, and this would block the port for ssh, not the root login. Adding root to the sudoers group won't help either since the sudoers group allows users to login as root. If you have a network IPS rule to block root logins, the IPS would have to see the traffic being sent within the SSH tunnel. This is not possible since SSH connections are encrypted end-to-end by default. Therefore, the only possible right answer is to change the sshd_config setting to deny root logins.

Which of the following elements is LEAST likely to be included in an organization's data retention policy?

classification of information OBJ-5.1: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal: What type of test is the penetration tester currently conducting?

conducting a brute force login attempt of a remote service on 192.168.1.142 OBJ-4.3: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. note Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability?

contact the vendor to provide an update or to remediate the vulnerability OBJ-3.2: You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance's management and security. note You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: What type of attack was most likely being attempted by the attacker?

directory traversal OBJ-1.7: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. note XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.

CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager responsible for operating this new appliance for the company? (SELECT FOUR)

does the new applicance provide a detailed report or alert showing why it believes an attachment is malicious do you have security personel and procedures in place to review the output from this appliance and take action where appropriate how will the appliance receive updated signatures and scanning engines how will the appliance receive security patches and updates OBJ-3.4: Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how they will respond to the alerts provided by this appliance. Additionally, you must consider if you have the right people and procedures to use the new application effectively. The appliance will also need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. note At later stages of analysis, your security team may need to determine why a false-positive or false-negative occurred, which requires detailed alerts or reports from the machine. In a corporate environment, privacy is limited for employees as most companies have a "right to monitor" included as part of their AUP and access policies. Therefore privacy is a minimal area of concern in this case. The appliance cannot manipulate the information passing through it since it will analyze the information by placing a copy into a sandbox. This allows it to make a allow or deny decision and will not modify the original data is processed.

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing?

fuzzing OBJ-2.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. note User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach?

legal and regulatory issues may prevent data migration to the cloud OBJ-1.6: If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premise solution using a virtualized cloud-based server. note While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?

lessons learned report OBJ-4.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. note A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

logic bomb OBJ-1.1: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the analyst was fired.

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?

machine learning OBJ-3.4: A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it. note Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. AI goes beyond ML and can make a more complicated decision than just the classifications made by ML. A deep learning system can determine what is malicious traffic without having the prior benefit of being told what is benign/malicious. A generative adversarial network is an underlying strategy used to accomplish deep learning but is not specific to the scenario described.

Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network?

nac OBJ-3.2: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, the user or system authentication, and network security enforcement. NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware detection programs. NAC also regulates and restricts the things individual subscribers or users can do once they are connected. If a user is unknown, the NAC can quarantine the device from the network upon connection. note A DMZ (demilitarized zone), a type of screened subnet, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network such as the Internet. A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Unified threat management (UTM) provides multiple security features (anti-virus, anti-spam, content filtering, and web filtering) in a single device or network appliance.

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

nmap OBJ-1.4: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. note The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

What popular open-source port scanning tool is commonly used for host discovery and service identification?

nmap OBJ-4.4: The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk images. note Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

Which language would require the use of a decompiler during reverse engineering?

objective-c OBJ-3.1: Objective-C is a compiled language. Therefore, you will need to use a decompiler to conduct reverse engineering on it. Ruby, Python, and JavaScript are interpreted languages. Interpreted languages do not require the use of a decompiler to view the source code.

James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement?

pair programming OBJ-2.2: Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer. While the other three options can also provide a security review, none are considered "real-time" since they are asynchronous processes performed after the coding has already been completed.

Which of the following would NOT be useful in defending against a zero-day threat?

patching OBJ-4.2: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in the software, hardware, or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. This attack has no time (or days) between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. note Using segmentation, allow listing, and threat intelligence, a cybersecurity analyst, can put additional mitigations in place to protect the network even if a zero-day attack was successful.

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?

scan the network for additional instances of this vulnerability and patch the affected assets OBJ-4.2: All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. note The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

A forensics team follows documented procedures while investigating a data breach. The team is currently in the first phase of its investigation. Which of the following processes would they perform during this phase?

secure the scene to prevent contamination of evidence OBJ-4.4: During the first phase of a forensic investigation, an analyst should ensure the scene is safe before beginning evidence collection. Then, they should secure the scene to prevent any contamination of evidence. An analyst will then begin to collect evidence during the collection phase while documenting their efforts and maintaining the integrity of the data collected. note Once the analyst moves into the analysis phase, they will copy the evidence and perform their analysis on the copy. Finally, a report is generated during the reporting phase.

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

separation of duties OBJ-5.3: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. note Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person's criminal record, education, employment history, and other past activities to confirm their validity.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager?

sms messages may be accessible to attackers via VoIP or other systems OBJ-2.1: NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. note SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.

DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?

static code analyzer OBJ-2.2: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. note Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program to be run during testing and analysis.

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework?

technical archtiecture OBJ-5.3: TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. note Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization's approach to storing and managing information assets.

Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function's source code below: Which of the following vulnerabilities exist in this application's authentication function based solely on the source code provided?

the function is using hard coded credentials to verify the password entered by the user OBJ-2.2: The function uses hard-coded credentials in the function, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31&#. note Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since an attacker can reverse-engineer them. In this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow attack vulnerability based on the code being shown since this code doesn't even show any SQL or ability to connect to an SQL database. We cannot see the variable initiation in this code, either, so we cannot determine if it is vulnerable to a buffer overflow attack. Finally, a parameterized query is a security feature, not a vulnerability, and this source code does not show any evidence of parameterized queries being used.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still shows the servers as vulnerable? (SELECT ALL THAT APPLY)

the vulnerability assessment scan is returning a false positive the critical patch did not remediate the vulnerability OBJ-1.4: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, they are sometimes rushed into production with extremely critical patches. The other possibility is that the patch does not remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to detect whether the system was patched for the vulnerability or not. note The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times as you have verified your scan configuration.

Mark works as a Department of Defense contracting officer and needs to ensure that any network devices he purchases for his organization's network are secure. He utilizes a process to verify the chain of custody for every chip and component used in the device's manufacturer. What program should Mark utilize?

trusted foundry OBJ-5.2: The US Department of Defense (DoD) has set up a Trusted Foundry Program, operated by the Defense Microelectronics Activity (DMEA). Accredited suppliers have proved themselves capable of operating a secure supply chain, from design to manufacture and testing. The Trusted Foundry program to help assure the integrity and confidentiality of circuits and manufacturing. The purpose is to help verify that foreign governments' agents are not able to insert malicious code or chips into the hardware being used by the military systems. This is part of ensuring hardware source authenticity and ensure purchasing is made from reputable suppliers to prevent the use of counterfeited or compromised devices.

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability scanner option would BEST create the process requirements to meet the industry-standard benchmarks?

utilizing an os scap plugin OBJ-3.4: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. note The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured?

zone transfers OBJ-3.1: A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer. note Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.