Final Threats and Attacks Group Chapter 13-17, Network Defense Exam Chapter 18-20, Cryptography and Endpoint Protection Exam Chapter 21-23, Protocols and Log Files Group Chapter 24-25, Analyzing Security Data Chapter 26-28
A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do? a. delete the file because it is probably malware b. move it to Program Files (x86) because it is a 32-bit application c. open the Task Manager, right-click on the lsass process and choose End Task d. uninstall the lsass application because it is a legacy application and no longer required in Windows
a
A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert? a. false negative b. false positive c. true positive d. true negative
a
After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis? a. a retrospective analysis can help in tracking the behavior of the malware from the identification point forward b. it can identify how the malware originally entered the network c. it can determine which network host was first affected d. it can calculate the probability of a future incident
a
In what order are the steps in the vulnerability management life cycle conducted? a. discover, prioritize assets, assess, report, remediate, verify b. discover, assess, prioritize assets, report, remediate, verify c. discover, prioritize assets, assess, remediate, report, verify d. discover, prioritize assets, assess, remediate, verify, report
a
In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring? a. scoping b. detection c. incident notification d. attacker identification
a
Which Snort rule source consists of older rules created by Sourcefire? a. GPL b. ET c. VRT
a
What are security event logs commonly based on when sourced by traditional firewalls? a. 5-tuples b. static filtering c. signatures d. application analysis
a
What does it indicate if the timestamp in the HEADER section of a syslog message is preceded by a period or asterisk symbol? a. there is a problem associated with NTP b. the timestamp represents the round trip duration value c. the syslog message should be treated with high priority d. the syslog message indicated the time an email is received
a
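Added example (not part of the course material): a parser for Cisco IOS syslog lines that records the clock-status marker in front of the timestamp, so an analyst can tell which events carry a timestamp that is safe to correlate with other sources. The sample lines are constructed, not taken from a real device. An asterisk means the clock is not authoritative (never set from a trusted source), a period means the clock was set from an authoritative source but NTP synchronization has since been lost, and no marker means the timestamp is authoritative.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in Cisco IOS syslog format (not real device output).
# The character in front of the timestamp is the clock-status marker:
#   '*'  the clock is not authoritative (no trusted time source, e.g. no NTP)
#   '.'  the clock was authoritative once but NTP synchronization was lost
#   none the timestamp is authoritative
SAMPLE = """\
*Mar  1 00:02:17.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
.Jun 14 09:31:02.551: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Jun 14 09:31:05.009: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.7(44123) -> 10.0.0.10(22), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<flag>[*.]?)"                                     # optional clock-status marker
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


@dataclass
class IosEvent:
    timestamp: str
    clock_status: str      # "authoritative", "not_synced" or "lost_sync"
    facility: str
    severity: int          # 0 = emergency ... 7 = debug
    mnemonic: str
    message: str


def clock_status(flag: str) -> str:
    return {"": "authoritative", "*": "not_synced", ".": "lost_sync"}[flag]


def parse_ios_syslog(line: str) -> Optional[IosEvent]:
    """Parse one IOS syslog line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IosEvent(
        timestamp=m["ts"],
        clock_status=clock_status(m["flag"]),
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        message=m["msg"],
    )


def events_with_unreliable_time(text: str) -> list:
    """Events whose timestamps should not be trusted when correlating."""
    out = []
    for line in text.splitlines():
        ev = parse_ios_syslog(line)
        if ev and ev.clock_status != "authoritative":
            out.append(ev)
    return out


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        ev = parse_ios_syslog(line)
        print(ev.clock_status, ev.severity, ev.facility, ev.mnemonic)
```

A SIEM that ingests these lines should keep the clock-status field rather than silently trusting the timestamp; the `%FACILITY-SEVERITY-MNEMONIC` triplet is also parsed so events can be filtered by severity before correlation.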
What does the telemetry function provide in host-based security software? a. it enables host-based security programs to have comprehensive logging functions b. it enables updates of malware signatures c. it blocks the passage of zero-day attacks d. it updates the heuristic antivirus signature database
a
What information is gathered by the CSIRT when determining the scope of a security incident? a. the networks, systems, and applications affected by an incident b. the strategies and procedures used for incident containment c. the processes used to preserve evidence d. the amount of time and resources needed to handle an incident
a
What is a potential danger to an asset? a. threat b. vulnerability c. exploit d. risk
a
What is defined in the SOP of a computer security incident response capability (CSIRC)? a. the procedures that are followed during an incident response b. the metrics for measuring incident response capabilities c. the details on how an incident is handled d. the roadmap for increasing incident response capabilities
a
In the Diamond Model of Intrusion Analysis, which core feature of an intrusion event is the target of the attack? a. victim b. adversary c. capability d. infrastructure
a
What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity? a. PKI certificates b. symmetric keys c. hashing algorithms d. digital signatures
a
What threat intelligence sharing standard is TAXII? a. this is the specification for an application layer protocol that allows the communication of CTI over HTTPS b. this is a set of specifications for exchanging cyberthreat information between organizations c. this is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations
a
Which ICMP message type should be stopped inbound? a. echo b. echo-reply c. unreachable d. source quench
a
Which SIEM function maps log messages from different systems into a common data model? a. normalization b. correlation c. aggregation
a
Which Windows host log has information about the installation of software, including Windows updates? a. setup logs b. system logs c. security logs d. application logs
a
Which approach is intended to prevent exploits that target syslog? a. use syslog-ng b. use a Linux-based server c. use a VPN between a syslog client and the syslog server d. create an ACL that permits only TCP traffic to the syslog server
a
Which classification indicates that an alert is verified as an actual security incident? a. true positive b. true negative c. false positive d. false negative
a
Which network profile element is a list of TCP or UDP processes that are available to accept data? a. ports used b. total throughput c. session duration d. critical asset address space
a
Which of the NIST Cybersecurity Framework core functions is to develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities? a. identify b. protect c. detect
a
Which protocol is a name resolution protocol often used by malware to communicate with command-and-control (CnC) servers? a. DNS b. HTTPS c. ICMP d. IMAP
a
Which security management plan specifies a component that involves tracking the location and configuration of networked devices and software across an enterprise? a. asset management b. risk management c. vulnerability management d. patch management
a
Which statement describes a Cisco Web Security Appliance (WSA)? a. it functions as a web proxy b. it provides high performance web services c. it acts as an SSL-based VPN server for an enterprise d. it protects a web server by preventing security threats from accessing the server
a
Which statement describes the policy-based intrusion detection approach? a. it compares the operations of a host against well-defined security rules b. it compares the signatures of incoming traffic to a known intrusion database c. it compares the antimalware definitions to a central repository for the latest updates d. it compares the behaviors of a host to an established baseline to identify potential intrusion
a
Which technology is a major standard consisting of a pattern of symbols that describe data to be matched in a query? a. POSIX b. Sguil c. Squert d. OSSEC
a
Which tool included in the Security Onion provides a visual interface to NSM data? a. Squert b. OSSEC c. Curator d. Beats
a
Which type of cyberattacker makes political statements in order to create an awareness of issues that are important to them? a. hacktivist b. script kiddies c. vulnerability brokers d. state-sponsored attackers
a
Which types of events should be assigned to categories in Sguil? a. true positive b. true negative c. false positive d. false negative
a
Why would an attacker want to spoof a MAC address? a. so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host b. so that a switch on the LAN will start forwarding all frames toward the device that is under the control of the attacker (that can then capture the LAN traffic) c. so that the attacker can capture traffic from multiple VLANs rather than from just the VLAN that is assigned to the port to which the attacker device is attached d. so that the attacker can launch another type of attack in order to gain access to the switch
a
Which two classes of metrics are included in the CVSS Base Metric Group? a. impact metrics b. exploitability c. modified base d. exploit code maturity e. confidentiality requirement
a, b
Which two technologies are primarily used on peer-to-peer networks? a. bitcoin b. bitTorrent c. darknet d. snort e. wireshark
a, b
What are three outcomes of the NIST Cybersecurity Framework identify core function? (Choose three.) a. asset management b. risk assessment c. governance d. mitigation e. recovery planning f. information protection process and procedures
a, b, c
Which two types of attacks are examples of reconnaissance attacks? a. port scan b. SYN flood c. ping sweep d. brute force e. man-in-the-middle
a, c
Which two options are network security monitoring approaches that use advanced analytic techniques to analyze network telemetry data? (Choose two.) a. NBA b. Sguil c. IPFIX d. NBAD e. Snorby f. NetFlow
a, d
Which two statements correctly describe certificate classes used in the PKI? (Choose two.) a. a class 0 certificate is for testing purposes b. a class 0 certificate is more trusted than a class 1 certificate c. the lower the class number, the more trusted the certificate d. a class 5 certificate is for users with a focus on verification of email e. a class 4 certificate is for online business transactions between companies
a, e
A cybersecurity analyst is going to verify security alerts using Security Onion. Which tool should the analyst visit first? a. Bro b. Sguil c. ELK d. CapME
b
A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on a NMS tool. What condition describes this alert? a. false negative b. false positive c. true positive d. true negative
b
According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident? a. IT support b. management c. legal department d. human resources
b
An administrator suspects polymorphic malware has successfully entered the network past the HIDS system perimeter. The polymorphic malware is, however, successfully identified and isolated. What must the administrator do to create signatures to prevent the file from entering the network again? a. use Cisco AMP to track the trajectory of a file through the network b. execute the polymorphic file in the Cisco Threat Grid Glovebox c. run the Cisco Talos security intelligence service d. run a baseline to establish an accepted amount of risk, and the environmental components that contribute to the risk level of the polymorphic malware
b
How does a web proxy device provide data loss prevention (DLP) for an enterprise? a. by functioning as a firewall b. by scanning and logging outgoing traffic c. by inspecting incoming traffic for potential exploits d. by checking the reputation of external web servers
b
In a Cisco AVC system, in which module is NetFlow deployed? a. Control b. Metrics Collection c. Application Recognition d. Management and Reporting
b
In addressing a risk that has the low potential impact and relatively high cost of mitigation or reduction, which strategy will accept the risk and its consequences? a. risk sharing b. risk retention c. risk reduction d. risk avoidance
b
On a Windows host, which tool can be used to create and maintain blacklists and whitelists? a. Task Manager b. Group Policy Editor c. Computer Management d. Local Users and Groups
b
Refer to the exhibit. A network administrator is viewing some output on the NetFlow collector. What can be determined from the output of the traffic flow shown? a. this is a TCP DNS response to a client machine b. this is a UDP DNS response to a client machine c. this is a UDP DNS request to a DNS server d. this is a TCP DNS request to a DNS server
b
Refer to the exhibit. A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate? alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:2100498; rev:8;) a. the message length in bits b. the Snort rule that is triggered c. the session number of the message d. the id of the user that triggers the alert
b
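Added example (not part of the course material): a small parser for the rule in the exhibit that separates the header (action, protocol, addresses, direction) from the options section, decodes the `|28|`/`|29|` hex escapes in `content:` into the bytes Snort actually searches for, and classifies the SID. The SID ranges beyond the "below 3464 is GPL" rule the course gives are the conventional Snort allocations (1,000,000-1,999,999 local rules, 2,000,000-2,999,999 Emerging Threats) and are marked as assumptions in the code. Note that 2100498 falls in the ET range even though the message starts with "GPL": the Emerging Threats set republishes the old GPL rules with a 2,100,000 offset, so this corresponds to original SID 498. The sample payload matched at the end is constructed.

```python
import re

# The rule from the exhibit, with the closing parenthesis restored.
RULE = ('alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
        'content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; '
        'sid:2100498; rev:8;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> list:
    """Split the options section on ';' (but not inside quoted values)."""
    items, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    result = []
    for item in items:
        key, _, val = item.partition(":")
        result.append((key.strip(), val.strip().strip('"')))
    return result


def decode_content(s: str) -> bytes:
    """Turn a Snort content string into bytes: |28| is the single byte 0x28."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "|":
            j = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:j].replace(" ", ""))
            i = j + 1
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def parse_rule(rule: str) -> dict:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    d = {k: m[k] for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    d["options"] = split_options(m["opts"])
    for key, val in d["options"]:
        if key == "sid":
            d["sid"] = int(val)
        elif key == "rev":
            d["rev"] = int(val)
        elif key == "msg":
            d["msg"] = val
        elif key == "content":
            d.setdefault("contents", []).append(decode_content(val))
    return d


def sid_source(sid: int) -> str:
    """Course rule: SIDs below 3464 are the older Sourcefire GPL rules.
    The remaining ranges are the conventional Snort allocations (assumed)."""
    if sid < 3464:
        return "GPL (older Sourcefire rules)"
    if sid < 1_000_000:
        return "VRT / Talos"
    if sid < 2_000_000:
        return "local"
    if sid < 3_000_000:
        return "ET"
    return "unknown"


def matches(rule: dict, payload: bytes) -> bool:
    """True when every content: pattern of the rule occurs in the payload."""
    return all(c in payload for c in rule.get("contents", []))


if __name__ == "__main__":
    r = parse_rule(RULE)
    print(r["sid"], r["rev"], sid_source(r["sid"]), r["contents"])
    # Constructed payload: what the `id` command prints on a rooted shell.
    print(matches(r, b"uid=0(root) gid=0(root) groups=0(root)\n"))
```

The options section carries the `msg:` text that describes the event, while `sid:` and `rev:` together identify the exact rule revision an analyst should look up when validating the alert.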
Refer to the exhibit. Which field in the Sguil application window indicates the priority of an event or set of correlated events? a. CNT b. ST c. Pr d. AlertID
b
Which Snort rule source consists of open source rules released under a BSD license? a. GPL b. ET c. VRT
b
What is CybOX? a. it is a specification for an application layer protocol that allows the communication of CTI over HTTPS b. it is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations c. it is a catalog of known security threats called Common Vulnerabilities and Exposures (CVE) for publicly known cybersecurity vulnerabilities d. it enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector
b
What is Tor? a. a rule created in order to match a signature of a known exploit b. a software platform and network of P2P hosts that function as Internet routers c. a way to share processors between network devices across the Internet d. a type of Instant Messaging (IM) software used on the darknet
b
What is a feature of distributed firewalls? a. they all use an open sharing standard platform b. they combine the feature of host-based firewalls with centralized management c. they use only iptables to configure network rules d. they use only TCP wrappers to configure rule-based access control and logging systems
b
What is blacklisting? a. this is a network process list to stop a listed process from running on a computer b. this is an application list that can dictate which user applications are not permitted to run on a computer c. this is a user list to prevent blacklisted users from accessing a computer d. this is a Heuristics-based list to prevent a process from running on a computer
b
What is indicated by a Snort signature ID that is below 3464? a. the SID was created by members of EmergingThreats b. the SID was created by Sourcefire and distributed under a GPL agreement c. the SID was created by the Snort community and is maintained in Community Rules d. this is a custom signature developed by the organization to address locally observed rules
b
In the Diamond Model of Intrusion Analysis, which core feature of an intrusion event is the party responsible for the intrusion? a. victim b. adversary c. capability d. infrastructure
b
What technique is necessary to ensure a private transfer of data using a VPN? a. authorization b. encryption c. scalability d. virtualization
b
What threat intelligence sharing standard is STIX? a. this is the specification for an application layer protocol that allows the communication of CTI over HTTPS b. this is a set of specifications for exchanging cyberthreat information between organizations c. this is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations
b
When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server? a. software environment b. listening ports c. service accounts d. critical asset address space
b
Which SIEM function links logs and events from disparate systems or applications, speeding detection of and reaction to security threats? a. normalization b. correlation c. aggregation
b
Which Windows host log has events related to the operation of drivers, processes, and hardware? a. setup logs b. system logs c. security logs d. application logs
b
Which information can be provided by the Cisco NetFlow utility? a. IDS and IPS capabilities b. peak usage times and traffic routing c. security and user account restrictions d. source and destination UDP port mapping
b
Which method is used by some malware to transfer files from infected hosts to a threat actor host? a. HTTPS traffic encryption b. ICMP tunneling c. iFrame injection d. UDP infiltration
b
Which network profile element is the amount of data passing from a given source to a given destination in a given period of time? a. ports used b. total throughput c. session duration d. critical asset address space
b
Which of the NIST Cybersecurity Framework core functions is to develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services? a. identify b. protect c. detect
b
Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident? a. SOC Manager b. Tier 1 personnel c. Tier 2 personnel d. Tier 3 personnel
b
Which statement describes session data in security logs? a. it shows the result of network sessions b. it is a record of a conversation between network hosts c. it can be used to describe or predict network behavior d. it reports detailed network activities between network hosts
b
Which term is used to describe the process of converting log entries into a common format? a. classification b. normalization c. standardization d. systemization
b
Why does HTTPS technology add complexity to network security monitoring? a. HTTPS dynamically changes the port number on the web server. b. HTTPS conceals data traffic through end-to-end encryption. c. HTTPS uses tunneling technology for confidentiality. d. HTTPS hides the true source IP address using NAT/PAT.
b
A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.) a. MD5 b. AES c. 3DES d. SHA-1 e. HMAC
b, c
Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.) a. DNS b. HTTP c. HTML d. DHCP e. HTTPS
b, e
A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? a. authenticity of digitally signed data b. integrity of digitally signed data c. nonrepudiation of the transaction d. confidentiality of the public key
c
A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware? a. baselining b. blacklisting c. HIDS d. IPS
c
A threat actor collects information from web servers of an organization and searches for employee contact information. The information collected is further used to search personal information on the Internet. To which attack phase do these activities belong according to the Cyber Kill Chain model? a. exploitation b. weaponization c. reconnaissance d. action on objectives
c
According to NIST, which step in the digital forensics process involves drawing conclusions from data? a. collection b. examination c. analysis d. reporting
c
How can IMAP be a security threat to a company? a. encrypted data is decrypted b. someone inadvertently clicks on a hidden iFrame c. an email can be used to bring malware to a host d. it can be used to encode stolen data and send to a threat actor
c
How does an application program interact with the operating system? a. sending files b. using processes c. making API calls d. accessing BIOS or UEFI
c
In network security assessments, which type of test employs software to scan internal networks and Internet facing servers for various types of vulnerabilities? a. risk analysis b. penetration testing c. vulnerability assessment d. strength of network security testing
c
In which phase of the NIST incident response life cycle is evidence gathered that can assist subsequent investigations by authorities? a. preparation b. detection and analysis c. containment, eradication, and recovery d. postincident activities
c
Which Snort rule source consists of rules created and maintained by Cisco Talos? a. GPL b. ET c. VRT
c
What is an action that should be taken in the discovery step of the vulnerability management life cycle? a. assigning business value to assets b. determining a risk profile c. developing a network baseline d. documenting the security plan
c
What is the difference between an HIDS and a firewall? a. an HIDS blocks intrusions, whereas a firewall filters them b. a firewall allows and denies traffic based on rules and an HIDS monitors network traffic c. an HIDS monitors operating systems on host computers and processes file system activity. Firewalls allow or deny traffic between the computer and other systems d. a firewall performs packet filtering and therefore is limited in effectiveness, whereas an HIDS blocks intrusions e. an HIDS works like an IPS, whereas a firewall just monitors traffic
c
In the Diamond Model of Intrusion Analysis, which core feature of an intrusion event is a tool or technique used to attack the victim? a. victim b. adversary c. capability d. infrastructure
c
What is the primary purpose of the Malware Information Sharing Platform (MISP)? a. to exchange all the response mechanisms to known threats b. to publish all informational materials on known and newly discovered cyberthreats c. to enable automated sharing of IOCs between people and machines using STIX and other export formats d. to provide a set of standardized schemata for specifying and capturing events and properties of network operations
c
What is the purpose for data normalization? a. to reduce the amount of alert data b. to make the alert data transmission fast c. to simplify searching for correlated events d. to enhance the secure transmission of alert data
c
What is the purpose for data reduction as it relates to NSM? a. to remove recurring data streams b. to make the alert data transmission fast c. to diminish the quantity of NSM data to be handled d. to enhance the secure transmission of alert data
c
What threat intelligence sharing standard is CybOX? a. this is the specification for an application layer protocol that allows the communication of CTI over HTTPS b. this is a set of specifications for exchanging cyberthreat information between organizations c. this is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations
c
Which HIDS is integrated into the Security Onion and uses rules to detect changes in host-based operating parameters caused by malware through system calls? a. Bro b. Snort c. OSSEC d. Suricata
c
Which SIEM function reduces the volume of event data by consolidating duplicate event records? a. normalization b. correlation c. aggregation
c
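Added example (not part of the course material) covering the three SIEM functions asked about here and in the normalization and correlation questions above: two constructed event sources of different shape, a firewall log in key=value form and Windows Security events as JSON, are mapped onto one common data model (normalization), duplicate records are collapsed into one record with a count (aggregation), and records from both sources are linked by source address and time window to surface a brute-force-then-success pattern (correlation). Event IDs 4625/4624 are the standard Windows failed/successful logon events; the field names of the common model and the detection thresholds are assumptions of this example.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from any real product).
FIREWALL_LINES = [
    "ts=2024-05-01T10:00:01Z action=deny src=203.0.113.7 spt=51000 dst=10.0.0.10 dpt=22 proto=tcp",
    "ts=2024-05-01T10:00:02Z action=deny src=203.0.113.7 spt=51001 dst=10.0.0.10 dpt=22 proto=tcp",
    "ts=2024-05-01T10:00:02Z action=deny src=203.0.113.7 spt=51001 dst=10.0.0.10 dpt=22 proto=tcp",
    "ts=2024-05-01T10:00:09Z action=allow src=203.0.113.7 spt=51007 dst=10.0.0.10 dpt=22 proto=tcp",
]
WINDOWS_EVENTS = [
    '{"TimeCreated":"2024-05-01T10:00:12Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"admin"}',
    '{"TimeCreated":"2024-05-01T10:00:14Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"admin"}',
    '{"TimeCreated":"2024-05-01T10:00:15Z","EventID":4625,"IpAddress":"203.0.113.7","TargetUserName":"admin"}',
    '{"TimeCreated":"2024-05-01T10:00:20Z","EventID":4624,"IpAddress":"203.0.113.7","TargetUserName":"admin"}',
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# --- normalization: map both sources onto one common data model (assumed) ---
def normalize_firewall(line: str) -> dict:
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"time": parse_ts(kv["ts"]), "source": "firewall",
            "src_ip": kv["src"], "dst_ip": kv["dst"], "dst_port": int(kv["dpt"]),
            "proto": kv["proto"], "outcome": kv["action"], "user": None}


def normalize_windows(line: str) -> dict:
    ev = json.loads(line)
    outcome = {4624: "success", 4625: "failure"}.get(ev["EventID"], "other")
    return {"time": parse_ts(ev["TimeCreated"]), "source": "windows",
            "src_ip": ev["IpAddress"], "dst_ip": None, "dst_port": None,
            "proto": None, "outcome": outcome, "user": ev["TargetUserName"]}


def normalize_all() -> list:
    events = [normalize_firewall(l) for l in FIREWALL_LINES]
    events += [normalize_windows(l) for l in WINDOWS_EVENTS]
    return sorted(events, key=lambda e: e["time"])


# --- aggregation: collapse identical records into one record plus a count ---
def aggregate(events: list) -> list:
    def key(e):
        return tuple(sorted((k, str(v)) for k, v in e.items()))
    counts = Counter(key(e) for e in events)
    seen, out = set(), []
    for e in events:
        k = key(e)
        if k not in seen:
            seen.add(k)
            out.append({**e, "count": counts[k]})
    return out


# --- correlation: link records across sources by actor and time window ---
def correlate(events: list, window_s: int = 60, min_failures: int = 3) -> list:
    """Alert when a source IP is denied or fails at least `min_failures` times
    and then is allowed or logs on within `window_s` seconds."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["outcome"] not in ("allow", "success"):
                continue
            earlier = [x for x in evs[:i]
                       if x["outcome"] in ("deny", "failure")
                       and (e["time"] - x["time"]).total_seconds() <= window_s]
            failures = sum(x.get("count", 1) for x in earlier)   # honour aggregation counts
            if failures >= min_failures:
                alerts.append({"src_ip": ip, "at": e["time"], "failures": failures,
                               "sources": sorted({x["source"] for x in earlier})})
    return alerts


if __name__ == "__main__":
    records = aggregate(normalize_all())
    print(len(records), "records after aggregation")
    for a in correlate(records):
        print(a)
```

Normalization is what makes the correlation step possible: without a shared `src_ip`/`outcome`/`time` vocabulary, the firewall denies and the Windows logon failures could not be counted together.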
Which Windows host log has events related to logon attempts and operations related to file or object management and access? a. setup logs b. system logs c. security logs d. application logs
c
Which function is provided by the Sguil application? a. it detects potential network intrusions b. it prevents malware from attacking a host c. it makes Snort-generated alerts readable and searchable d. it reports conversations between hosts on the network
c
Which meta-feature element in the Diamond Model describes information gained by the adversary? a. methodology b. direction c. results d. resources
c
Which network profile element is the time between the establishment of a data flow and its termination? a. ports used b. total throughput c. session duration d. critical asset address space
c
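Added example (not part of the course material) for the NetFlow exhibit question earlier on this page and the network profile elements asked about here: a parser for constructed flow records in the style of an nfdump listing (the exhibit itself is not reproduced, so the records are made up), which reads the direction of a DNS exchange from the 5-tuple, and computes the total throughput and session duration of each flow. The column layout of the sample listing is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed flow records (not real collector output):
# start time, duration (s), protocol, src:port -> dst:port, packets, bytes
SAMPLE_FLOWS = """\
2024-05-01 10:00:00.000  0.012  UDP  10.0.0.25:52311 -> 10.0.0.53:53      2    140
2024-05-01 10:00:00.006  0.004  UDP  10.0.0.53:53    -> 10.0.0.25:52311   2    312
2024-05-01 10:00:01.000  0.350  TCP  10.0.0.25:49152 -> 10.0.0.53:53      6    1900
2024-05-01 10:00:05.000  184.2  TCP  10.0.0.25:49170 -> 198.51.100.9:443  412  58000
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    duration_s: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int

    @property
    def five_tuple(self) -> tuple:
        """The key a traditional firewall or flow collector logs on."""
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9:
            continue                       # skip blank or malformed lines
        date, time, dur, proto, src, _, dst, pkts, byts = parts
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f"),
                          float(dur), proto, sip, int(sport), dip, int(dport),
                          int(pkts), int(byts)))
    return flows


def classify_dns(f: Flow) -> str:
    """Direction comes from the 5-tuple: whichever side holds port 53 is the server."""
    if f.dst_port == 53:
        return f"{f.proto} DNS request to a DNS server"
    if f.src_port == 53:
        return f"{f.proto} DNS response to a client machine"
    return "not DNS"


def throughput_bps(f: Flow) -> float:
    """Total throughput profile element: data from source to destination
    over the life of the flow, in bits per second."""
    return f.bytes * 8 / f.duration_s if f.duration_s > 0 else float("inf")


def session_duration(f: Flow) -> float:
    """Session duration profile element: establishment to termination."""
    return f.duration_s


if __name__ == "__main__":
    for f in parse_flows(SAMPLE_FLOWS):
        print(f.five_tuple, classify_dns(f),
              round(throughput_bps(f)), "bit/s", session_duration(f), "s")
```

Per-flow throughput and duration are the raw material for a baseline: a 184-second TCP/443 session at a few kilobits per second is ordinary, while a DNS "response" flow carrying hundreds of kilobytes would stand out against the profile.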
Which objective of secure communications is achieved by encrypting data? a. authentication b. availability c. confidentiality d. integrity
c
Which of the NIST Cybersecurity Framework core functions is to develop and implement the appropriate activities to identify the occurrence of a cybersecurity event? a. identify b. protect c. detect
c
Which statement describes the Cisco Threat Grid Glovebox? a. it is a firewall appliance b. it is a network-based IDS/IPS c. it is a sandbox product for analyzing malware behaviors d. it is a host-based intrusion detection system (HIDS) solution to fight against malware
c
Which statement describes the term iptables? a. it is a DNS daemon in Linux b. it is a DHCP application in Windows c. it is a rule-based firewall application in Linux d. it is a file used by a DHCP server to store current active IP addresses
c
Which technique could be used by security personnel to analyze a suspicious file in a safe environment? a. baselining b. blacklisting c. sandboxing d. whitelisting
c
Which technique would a threat actor use to disguise traces of an ongoing exploit? a. use SSL to encapsulate malware b. create an invisible iFrame on a web page c. corrupt time information by attacking the NTP infrastructure d. encapsulate other protocols within DNS to evade security measures
c
Which technology would be used to create the server logs generated by network devices and reviewed by an entry level network person who works the night shift at a data center? a. ACL b. NAT c. syslog d. VPN
c
Which tool included in the Security Onion includes the capability of designing custom dashboards? a. Squert b. Sguil c. Kibana d. OSSEC
c
Why would threat actors prefer to use a zero-day attack in the Cyber Kill Chain weaponization phase? a. to get a free malware package b. to launch a DoS attack toward the target c. to avoid detection by the target d. to gain faster delivery of the attack on the target
c
Which two tools have a GUI interface and can be used to view and analyze full packet captures? (Choose two.) a. Splunk b. nfdump c. tcpdump d. Wireshark e. Cisco Prime Network Analysis Module
d, e
What two shared sources of information are included within the MITRE ATT&CK framework? (Choose two) a. details about the handling of evidence including time, places, and personnel involved b. eyewitness evidence from someone who directly observed criminal behavior c. attacker tactics, techniques, and procedures d. collection of digital evidence from most volatile evidence to least volatile e. mapping the steps in an attack to a matrix of generalized tactics
c, e
A company is developing a security policy for secure communication. In the exchange of critical messages between a headquarters office and a branch office, a hash value should only be recalculated with a predetermined code, thus ensuring the validity of data source. Which aspect of secure communications is addressed? a. data integrity b. non-repudiation c. data confidentiality d. origin authentication
d
A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court? a. log collection b. rootkit c. Tor d. unaltered disk image
d
A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur? a. availability requirement b. integrity requirement c. scope d. user interaction
d
How is the hash value of files useful in network security investigations? a. it is used to decode files b. it verifies confidentiality of files c. it is used as a key for encryption d. it helps identify malware signatures
d
In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself? a. from the root CA only b. from the root CA or from self-generation c. from the root CA or another subordinate CA at the same level d. from the root CA or another subordinate CA at a higher level e. from the root CA or another subordinate CA anywhere in the tree
d
In addressing an identified risk, which strategy aims to stop performing the activities that create risk? a. risk sharing b. risk retention c. risk reduction d. risk avoidance
d
What information is contained in the options section of a Snort rule? a. direction of traffic flow b. source and destination address c. action to be taken d. text describing the event
d
What is the difference between symmetric and asymmetric encryption algorithms? a. symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms b. symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages c. symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data. d. symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data
d
In the Diamond Model of Intrusion Analysis, which core feature of an intrusion event is the network path used to establish and maintain command and control? a. victim b. adversary c. capability d. infrastructure
d
What is the likelihood of undesirable consequences? a. threat b. vulnerability c. exploit d. risk
d
What is the objective of the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure? a. to launch a buffer overflow attack b. to send user data stored on the target to the threat actor c. to steal network bandwidth from the network where the target is located d. to allow the threat actor to issue commands to the software that is installed on the target
d
What is the purpose for using digital signatures for code signing? a. to generate a virtual ID b. to establish an encrypted connection to exchange confidential data with a vendor website c. to authenticate the identity of the system with a vendor website d. to verify the integrity of executable files downloaded from a vendor website
d
What is the purpose of a digital certificate? a. it guarantees that a website has not been hacked b. it provides proof that data has a traditional signature attached c. it ensures that the person who is gaining access to a network device is authorized d. it authenticates a website and establishes a secure connection to exchange confidential data
d
What is the purpose of the DH algorithm? a. to provide nonrepudiation support b. to support email data confidentiality c. to encrypt data traffic after a VPN is established d. to generate a shared secret between two hosts that have not communicated before
d
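Added example (not part of the course material) tying together the hashing, HMAC and Diffie-Hellman questions on this page: a file hash is compared against an IOC list (both the "file" bytes and the IOC entry are constructed), two parties that have never communicated agree a shared secret with DH, and that secret keys an HMAC, the "hash that can only be recalculated with a predetermined code" from the origin-authentication question. The DH group uses the prime 2**61 - 1, which is far too small for real use and is here only to keep the example readable; production code should use an RFC 3526 group or ECDH. The last check shows why a bare hash gives no protection against a man in the middle.

```python
import hashlib
import hmac
import secrets

# --- 1. File hashes as malware identifiers ---------------------------------
# Constructed sample file bytes and a constructed IOC list (not real malware).
IOC_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00 dropper-sample-bytes").hexdigest(): "Dropper.Sample",
}


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ioc_match(data: bytes):
    """Return the IOC name if the file's hash is on the list, else None."""
    return IOC_SHA256.get(file_sha256(data))


# --- 2. Diffie-Hellman: a shared secret between hosts that never met --------
# Toy group for illustration only (p = 2**61 - 1 is prime but far too small).
P = 2**61 - 1
G = 2


def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return priv, pow(G, priv, P)                 # (private, public = G^priv mod P)


def dh_shared_key(my_priv: int, their_pub: int) -> bytes:
    shared = pow(their_pub, my_priv, P)          # their_pub^my_priv mod P
    # Never use the raw DH value as a key; derive one through a hash.
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


# --- 3. HMAC: a hash only holders of the shared key can recompute -----------
def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    # compare_digest does not leak how many bytes matched (timing side channel)
    return hmac.compare_digest(tag(key, message), mac)


def unkeyed_check(message: bytes, digest: bytes) -> bool:
    """What a plain hash 'check' amounts to: anyone can recompute it."""
    return hashlib.sha256(message).digest() == digest


def demo() -> dict:
    # HQ and branch agree a key over DH, then HQ sends an authenticated message.
    hq_priv, hq_pub = dh_keypair()
    br_priv, br_pub = dh_keypair()
    k_hq = dh_shared_key(hq_priv, br_pub)
    k_br = dh_shared_key(br_priv, hq_pub)
    msg = b"transfer 500 to account 42"
    mac = tag(k_hq, msg)
    # A man in the middle alters the message; without the key the MAC
    # cannot be fixed up, but a bare hash is simply recomputed.
    tampered = b"transfer 500 to account 99"
    return {
        "keys_agree": k_hq == k_br,
        "genuine_verifies": verify(k_br, msg, mac),
        "tampered_verifies": verify(k_br, tampered, mac),
        "unkeyed_hash_fooled": unkeyed_check(tampered, hashlib.sha256(tampered).digest()),
    }


if __name__ == "__main__":
    print(ioc_match(b"MZ\x90\x00 dropper-sample-bytes"))
    print(demo())
```

The same distinction answers the earlier symmetric-versus-asymmetric question: DH is asymmetric (each side keeps a private exponent and publishes a public value), while the HMAC key that results is a shared symmetric secret.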
Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation? a. ESA b. AVC c. WSA d. ASA
c
Which Windows host log has events logged by various applications? a. setup logs b. system logs c. security logs d. application logs
d
Which network profile element is the IP addresses or the logical location of essential systems of data? a. ports used b. total throughput c. session duration d. critical asset address space
d
Which statement describes statistical data in network security monitoring processes? a. it contains conversations between network hosts b. it lists each alert message along with statistical information c. it shows the results of network activities between network hosts d. it is created through an analysis of other forms of network data
d
Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats? a. network admission control b. website filtering and blacklisting c. network profiling d. threat intelligence
d
Which tool is a Security Onion integrated host-based intrusion detection system? a. Sguil b. ELK c. Snort d. OSSEC
d
Which type of attack does the use of HMACs protect against? a. DoS b. DDoS c. brute force d. man-in-the-middle
d
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to block a potential back door creation? (Choose two.) a. conduct damage assessment b. establish an incident response playbook c. consolidate the number of Internet points of presence d. audit endpoints to discover abnormal file creations e. use HIPS to alert or place a block on common installation paths
d, e
This is a security tool that can be used by white hat hackers to find any trace of evidence existing in a particular computer system. a. IDA Pro b. Netfilter c. NetStumbler d. Socat e. Helix
e
How can a DNS tunneling attack be mitigated? a. by using a filter that inspects DNS traffic b. by securing all domain owner accounts c. by using strong passwords and two-factor authentication d. by preventing devices from using gratuitous ARP
a
How does AIS address a newly discovered threat? a. by enabling real-time exchange of cyberthreat indicators with U.S. Federal Government and the private sector b. by creating response strategies against the new threat c. by advising the U.S. Federal Government to publish internal response strategies d. by mitigating the attack with active response defense mechanisms
a
In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services? a. DoS b. MITM c. session hijacking d. address spoofing
a
This is a debugger tool that can be used by black hats to reverse engineer binary files when writing exploits. It can also be used by white hats when analyzing malware. a. IDA Pro b. Netfilter c. NetStumbler d. Socat e. Helix
a
In a defense-in-depth approach, which three options must be identified to effectively defend a network against attacks? (Choose three.) a. assets that need protection b. location of attacker or attackers c. threats to assets d. total number of devices that attach to the wired and wireless network e. vulnerabilities in the system f. past security breaches
a, c, e
What are the three major components of a worm attack? (Choose three.) a. an enabling vulnerability b. an infecting vulnerability c. a payload d. a penetration mechanism e. a probing mechanism f. a propagation mechanism
a, c, f
An administrator discovers a vulnerability in the network. On analysis of the vulnerability, the administrator decides the cost of managing the risk outweighs the cost of the risk itself. The risk is accepted, and no action is taken. What risk management strategy has been adopted? a. risk avoidance b. risk acceptance c. risk reduction d. risk transfer
b
An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this? a. DHCP snooping b. DHCP spoofing c. MAC address starvation d. MAC address snooping
b
Once a cyber threat has been verified, the US Cybersecurity Infrastructure and Security Agency (CISA) automatically shares the cybersecurity information with public and private organizations. What is this automated system called? a. NCASM b. AIS c. NCSA d. ENISA
b
The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring? a. adware b. DDoS c. phishing d. social engineering e. spyware
b
What is a weakness in a system? a. threat b. vulnerability c. exploit d. risk
b
Which information security component is described as follows: only authorized individuals, entities, or processes can access sensitive information? a. availability b. confidentiality c. integrity
b
What are two examples of DoS attacks? (Choose two.) a. phishing b. ping of death c. SQL injection d. port scanning e. buffer overflow
b, e
Which two characteristics describe a worm? (Choose two.) a. executes when software is run on a computer b. is self-replicating c. hides in a dormant state until needed by an attacker d. infects computers by attaching to software code e. travels to new computers without any intervention or knowledge of the user
b, e
Which two types of hackers are typically classified as grey hat hackers? (Choose two.) a. state sponsored hackers b. hacktivists c. script kiddies d. cyber criminals e. vulnerability brokers
b, e
A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent? a. DDoS b. spam c. social engineering d. anonymous keylogging
c
What is a mechanism used to compromise an asset? a. threat b. vulnerability c. exploit d. risk
c
Which network monitoring solution is used to capture traffic and show what is happening on the network? a. IPS b. SPAN c. protocol analyzer
c
Which protocol is exploited by cybercriminals who create malicious iFrames? a. DNS b. DHCP c. HTTP d. ARP
c
Which type of security threat would be responsible if a spreadsheet add-on disables the local software firewall? a. DoS b. buffer overflow c. Trojan Horse d. brute-force attack
c
What are two characteristics of the RADIUS protocol? (Choose two.) a. encryption of the entire body of the packet b. the use of TCP port 49 c. the use of UDP ports for authentication and accounting d. encryption of the password only e. the separation of the authentication and authorization processes
c, d
What are two methods used by cybercriminals to mask DNS attacks? (Choose two.) a. reflection b. tunneling c. fast flux d. domain generation algorithms e. shadowing
c, d
A white hat hacker is using a security tool called Skipfish to discover the vulnerabilities of a computer system. What type of tool is this? a. debugger b. packet sniffer c. vulnerability scanner d. fuzzer
d
This is a packet crafting tool that uses specially crafted forged packets to probe and test the robustness of a firewall. a. IDA Pro b. Netfilter c. NetStumbler d. Socat e. Helix
d
Which AAA component can be established using token cards? a. accounting b. authorization c. auditing d. authentication
d
This is a wireless hacking tool that can be used to hack into a wireless network to detect security vulnerabilities. a. IDA Pro b. Netfilter c. NetStumbler d. Socat e. Helix
c
What causes a buffer overflow? a. launching a security countermeasure to mitigate a Trojan horse b. downloading and installing too many software updates at one time c. attempting to write more data to a memory location than that location can hold d. sending too much information to two or more interfaces of the same device, thereby causing dropped packets e. sending repeated connections such as Telnet to a particular device, thus denying other data sources
c
What does the incident handling procedures security policy describe? a. it describes the procedure for auditing the network after a cyberattack b. it describes the procedure for mitigating cyberattacks c. it describes how security incidents are handled d. it describes how to prevent various cyberattacks
c
What kind of ICMP message can be used by threat actors to create a man-in-the-middle attack? a. ICMP echo request b. ICMP unreachable c. ICMP mask reply d. ICMP redirects
d
What technique is a security attack that depletes the pool of IP addresses available for legitimate hosts? a. reconnaissance attack b. DHCP spoofing c. DHCP snooping d. DHCP starvation
d
Which attack involves threat actors positioning themselves between a source and destination with the intent of transparently monitoring, capturing, and controlling the communication? a. DoS attack b. ICMP attack c. SYN flood attack d. man-in-the-middle
d
What is a vulnerability that allows criminals to inject scripts into web pages viewed by users? a. cross-site scripting b. XML injection c. SQL injection d. buffer overflow
a
What is the benefit of a defense-in-depth approach? a. the effectiveness of other security measures is not impacted when a security mechanism fails b. the need for firewalls is eliminated c. all network vulnerabilities are mitigated d. only a single layer of security at the network core is required
a
What is the goal of a white hat hacker? a. protecting data b. stealing data c. modifying data d. validating data
a
What is the primary purpose of the Forum of Incident Response and Security Teams (FIRST)? a. to enable a variety of computer security incident response teams to collaborate, cooperate, and coordinate information sharing, incident prevention, and rapid reaction strategies b. to provide vendor neutral education products and career services to industry professionals worldwide c. to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident response d. to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
a
What is the result of a passive ARP poisoning attack? a. confidential information is stolen b. data is modified in transit or malicious data is inserted in transit c. multiple subdomains are created d. network clients experience a denial of service
a
What would be the target of an SQL injection attack? a. database b. DHCP c. DNS d. email
a
Which cyber attack involves a coordinated attack from a botnet of zombie computers? a. DDoS b. MITM c. ICMP redirect d. address spoofing
a
Which information security component is described as follows: authorized users must have uninterrupted access to important resources and data? a. availability b. confidentiality c. integrity
a
Which network monitoring solution monitors traffic and compares it against configured rules? a. IPS b. SPAN c. protocol analyzer
a
Which term is information or equipment valuable enough to an organization to warrant protection? a. assets b. threats c. vulnerabilities
a
Which threat actor is an inexperienced threat actor running existing scripts, tools, and exploits to cause harm, but typically not for profit? a. script kiddies b. hacktivists c. cybercriminals d. State-sponsored
a
Which type of business policy protects the rights of workers and the company interests? a. company b. employee c. security
a
Which two functions are provided by NetFlow? (Choose two.) a. it provides a complete audit trail of basic information about every IP flow forwarded on a device b. it provides 24x7 statistics on packets that flow through a Cisco router or multilayer switch c. it uses artificial intelligence to detect incidents and aid in incident analysis and response d. it allows an administrator to capture real-time network traffic and analyze the entire contents of packets e. it presents correlated and aggregated event data in real-time monitoring and long-term summaries
a, b
What are three functionalities provided by SOAR? (Choose three.) a. it provides case management tools that allow cybersecurity personnel to research and investigate incidents b. it uses artificial intelligence to detect incidents and aid in incident analysis and response c. it automates complex incident response procedures and investigations d. it provides 24x7 statistics on packets that flow through a Cisco router or multilayer switch e. it provides a complete audit trail of basic information about every IP flow forwarded on a device f. it presents the correlated and aggregated event data in real-time monitoring and long-term summaries
a, b, c
What three goals does a BYOD security policy accomplish? (Choose three.) a. identify safeguards to put in place if a device is compromised b. describe the rights to access and activities permitted to security personnel on the device c. identify a list of websites that users are not permitted to access d. identify and prevent all heuristic virus signatures e. identify which employees can bring their own devices f. identify all malware signatures and synchronize them across corporate databases
a, b, e
What are two evasion methods used by hackers? (Choose two.) a. encryption b. phishing c. access attack d. resource exhaustion e. scanning
a, d
A network administrator is checking the system logs and notices unusual connectivity tests to multiple well-known ports on a server. What kind of potential network attack could this indicate? a. access b. reconnaissance c. denial of service d. information theft
b
What is a characteristic of the security artichoke defense-in-depth approach? a. each layer has to be penetrated before the threat actor can reach the target data or system b. threat actors no longer have to peel away each layer before reaching the target data or system c. threat actors can no longer penetrate any layers safeguarding the data or system d. threat actors can easily compromise all layers safeguarding the data or systems
b
What is the first line of defense when an organization is using a defense-in-depth approach to network security? a. IPS b. edge router c. firewall d. proxy server
b
What is the principle behind the nondiscretionary access control model? a. it applies the strictest access control possible b. it allows access decisions to be based on roles and responsibilities of a user within the organization c. it allows users to control access to their data as owners of that data d. it allows access based on attributes of the object to be accessed
b
What is the significant characteristic of worm malware? a. worm malware disguises itself as legitimate software b. a worm can execute independently of the host system c. a worm must be triggered by an event on the host system d. once installed on a host system, a worm does not replicate itself
b
What scenario describes a vulnerability broker? a. a teenager running existing scripts, tools, and exploits to cause harm, but typically not for profit b. a threat actor attempting to discover exploits and report them to vendors, sometimes for prizes or rewards c. a threat actor publicly protesting against governments by posting articles and leaking sensitive information d. a State-Sponsored threat actor who steals government secrets and sabotages networks of foreign governments
b
When a security audit is performed at a company, the auditor reports that new users have access to network resources beyond their normal job roles. Additionally, users who move to different positions retain their prior permissions. What kind of violation is occurring? a. network policy b. least privilege c. audit d. password
b
Which network monitoring solution copies frames received on one or more ports to a port connected to an analysis device? a. IPS b. SPAN c. protocol analyzer
b
Which organization defined unique CVE identifiers for publicly known information-security vulnerabilities that make it easier to share data? a. Cisco Talos b. MITRE c. FireEye d. DHS
b
Which term is a potential danger to a protected asset? a. assets b. threats c. vulnerabilities
b
Which threat actor publicly protests against organizations or governments by posting articles, videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks? a. script kiddies b. hacktivists c. cybercriminals d. State-sponsored
b
Which type of Trojan horse security breach uses the computer of the victim as the source device to launch other attacks? a. DoS b. proxy c. FTP d. data-sending
b
Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs? a. phishing b. reconnaissance c. denial of service d. social engineering
b
Which type of business policy identifies salary, pay schedule, benefits, work schedule, vacations, etc.? a. company b. employee c. security
b
Why is asset management a critical function of a growing organization against security threats? a. it serves to preserve an audit trail of all new purchases b. it identifies the ever increasing attack surface to threats c. it prevents theft of older assets that are decommissioned d. it allows for a build of a comprehensive AUP
b
What are two purposes of launching a reconnaissance attack on a network? (Choose two.) a. to retrieve and modify data b. to scan for accessibility c. to escalate privileges d. to gather information about the network and devices e. to prevent other users from accessing the system
b, d
Which two characteristics describe a virus? (Choose two.) a. a self-replicating attack that is independently launched b. malicious code that can remain dormant before executing an unwanted action c. program code specifically designed to corrupt memory in network devices d. malware that relies on the action of a user or a program to activate e. malware that executes arbitrary code and installs copies of itself in memory
b, d
Passwords, passphrases, and PINs are examples of which security term? a. identification b. authorization c. authentication d. access
c
What functionality is provided by Cisco SPAN in a switched network? a. it mitigates MAC address overflow attacks b. it prevents traffic on a LAN from being disrupted by a broadcast storm c. it mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis d. it protects the switched network from receiving BPDUs on ports that should not be receiving them e. it inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards f. it copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis
c
What is the purpose of the network security accounting function? a. to require users to prove who they are b. to determine which resources a user can access c. to keep track of the actions of a user d. to provide challenge and response questions
c
When designing a prototype network for a new server farm, a network designer chooses to use redundant links to connect to the rest of the network. Which business goal will be addressed by this choice? a. security b. scalability c. availability d. manageability
c
Which component of the zero trust security model focuses on secure access when an API, a microservice, or a container is accessing a database within an application? a. workforce b. workflow c. workload d. workplace
c
Which devices should be secured to mitigate against MAC address spoofing attacks? a. Layer 7 devices b. Layer 4 devices c. Layer 2 devices d. Layer 3 devices
c
Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet? a. flow label b. version c. next header d. traffic class
c
Which information security component is described as follows: data is protected from unauthorized alteration? a. availability b. confidentiality c. integrity
c
Which term describes the ability of the web server to keep a log of the users who access the server, as well as the length of time they use it? a. authentication b. authorization c. accounting d. assigning permissions
c
Which term is a weakness in a system or design? a. assets b. threats c. vulnerabilities
c
Which type of access control applies the strictest access control and is commonly used in military or mission critical applications? a. attribute-based access control (ABAC) b. discretionary access control (DAC) c. mandatory access control (MAC) d. non-discretionary access control
c
Which type of business policy defines system requirements and objectives, rules, and requirements for users when they attach to or are on the network? a. company b. employee c. security
c
Which type of cyberattacker discovers exploits and reports them to vendors? a. hacktivist b. script kiddies c. vulnerability brokers d. state-sponsored attackers
c
Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device? a. spoofing b. man-in-the-middle c. SYN flooding d. DNS poisoning
c
Which type of security attack would attempt a buffer overflow? a. reconnaissance b. ransomware c. DoS d. scareware
c
Which two options are security best practices that help mitigate BYOD risks? (Choose two.) a. use wireless MAC address filtering b. decrease the wireless antenna gain level c. keep the device OS and software updated d. only turn on Wi-Fi when using the wireless network e. only allow devices that have been approved by the corporate IT team f. use paint that reflects wireless signals and glass that prevents the signals from going outside the building
c, d
A user is curious about how someone might know a computer has been infected with malware. What are two common malware behaviors? (Choose two.) a. the computer beeps once during the boot process b. the computer emits a hissing sound every time the pencil sharpener is used c. the computer gets increasingly slower to respond d. no sound emits when an audio CD is played e. the computer freezes and requires reboots
c, e
A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration? a. integrity b. scalability c. availability d. confidentiality
d
How does FireEye detect and prevent zero-day attacks? a. by keeping a detailed analysis of all viruses and malware b. by establishing an authentication parameter prior to any data exchange c. by only accepting encrypted data packets that validate against their configured hash values d. by addressing all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis
d
What is a characteristic of a layered defense-in-depth security approach? a. three or more devices are used b. routers are replaced with firewalls c. when one device fails, another one takes over d. one safeguard failure does not affect the effectiveness of other safeguards
d
What is the function of a gratuitous ARP sent by a networked device when it boots up? a. to request the netbios name of the connected system b. to request the IP address of the connected network c. to request the MAC address of the DNS server d. to advise connected devices of its MAC address
d
What is the primary function of the Center for Internet Security (CIS)? a. to provide vendor-neutral education products and career services to industry professionals worldwide b. to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities c. to maintain a list of common vulnerabilities and exposures (CVE) used by security organizations d. to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses
d
What is the purpose of mobile device management (MDM) software? a. it is used to create a security policy b. it is used by threat actors to penetrate the system c. it is used to identify potential mobile device vulnerabilities d. it is used to implement security policies, settings, and software configurations on mobile devices
d
Which statement describes Trusted Automated Exchange of Indicator Information (TAXII)? a. it is a dynamic database of real-time vulnerabilities b. it is a set of specifications for exchanging cyber threat information between organizations c. it is a signature-less engine utilizing stateful attack analysis to detect zero-day threats d. it is the specification for an application layer protocol that allows the communication of CTI over HTTPS
d
Which statement describes an operational characteristic of NetFlow? a. NetFlow captures the entire contents of a packet b. NetFlow can provide services for user access control c. NetFlow flow records can be viewed by the tcpdump tool d. NetFlow collects basic information about the packet flow, not the flow data itself
d
Which statement describes the function of the SPAN tool used in a Cisco switch? a. it supports the SNMP trap operation on a switch b. it provides interconnection between VLANs over multiple switches c. it is a secure channel for a switch to send logging to a syslog server d. it copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device
d
Which technology is a proprietary SIEM system? a. StealthWatch b. SNMP agent c. NetFlow collector d. Splunk
d
Which threat actor is a threat actor who steals government secrets, gathers intelligence, and sabotages networks of foreign governments, terrorist groups, and corporations? a. script kiddies b. hacktivists c. cybercriminals d. State-sponsored
d
Which type of cyberattackers gather intelligence or commit sabotage on specific goals on behalf of their government? a. hacktivist b. script kiddies c. vulnerability brokers d. state-sponsored attackers
d
Why would a rootkit be used by a hacker? a. to reverse engineer binary files b. to do reconnaissance c. to try to guess a password d. to gain access to a device without being detected
d