CIT270 Final Exam


Which of the following is a characteristic of a potentially unwanted program (PUP)? A. A PUP pretends to perform natural activities while also performing malicious activities. B. A PUP gives access to the computer, program, or a service, circumventing the system's normal security protections. C. A PUP interferes and obstructs the user with web browsing and pop-up windows. D. A PUP gives the threat agent remote access to the user's device using specially configured communication protocols.

A PUP interferes and obstructs the user with web browsing and pop-up windows. A PUP is software that is accidentally installed along with other programs by overlooking default installation options. A PUP interferes with web browsing and can cause pop-up windows, pop-under windows, search engine hijacking, homepage hijacking, etc.

Ian, a systems administrator, was checking systems on Monday morning when he noticed several alarms on his screen. He found many of the normal settings in his computer and programs changed, but he was sure no one had physically entered his room since Friday. If Ian did not make these changes, which of the events below is the most likely reason for the anomalies? A. The security administrator ran a penetration test over the weekend and did not tell anyone. B. The power went out over the weekend and caused the programs to move back to their default settings. C. A firewall scan that was run over the weekend shut down the computer and the programs. D. A backdoor was installed previously and utilized over the weekend to access the computer and the programs.

A backdoor was installed previously and utilized over the weekend to access the computer and the programs. A backdoor allows a threat actor to change settings by remotely controlling the devices.

Which type of memory vulnerability attack manipulates the "return address" of the memory location of a software program? A. Integer overflow attack B. Shim overflow attack C. Buffer overflow attack D. Factor overflow attack

A buffer overflow attack occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. This extra data overflows into the adjacent memory locations (a buffer overflow). Because the storage buffer typically contains the "return address" memory location of the software program that was being executed when another function interrupted the process, an attacker can overflow the buffer with a new address pointing to the attacker's malware code.

Which of the following attacks is based on the principle that when a user is currently authenticated on a website and then loads another webpage, the new page inherits the identity and privileges of the first website? A. CSRF B. DLLS C. DRCR D. SSFR

A cross-site request forgery (CSRF) takes advantage of an authentication "token" that a website sends to a user's web browser. If a user is currently authenticated on a website and is then tricked into loading another webpage, the new page inherits the identity and privileges of the victim, who may then perform an undesired function on the attacker's behalf.

Which cookie is created by the website a user is currently browsing to store the customer's browsing preference information? A. First-party cookie B. Third-party cookie C. Session cookie D. Secure cookie

A first-party cookie is created by the website a user is currently viewing and is used by the website to customize the user's preferences for a better customer experience.

Which of the following statements correctly describes the disadvantage of a hardware-based keylogger? A. A hardware-based keylogger's data can be easily erased by the antimalware software installed in the device. B. A hardware-based keylogger must be physically installed and removed without detection. C. A hardware-based keylogger can be detected by an antivirus when it scans for ports. D. A hardware-based keylogger can easily be detected in a network by an antivirus.

A hardware-based keylogger must be physically installed and removed without detection. Since hardware-based keyloggers need to be physically connected to and removed from the endpoint, the attacker is vulnerable to being detected and apprehended.

What type of attack occurs when the threat actor snoops and intercepts the digital data transmitted by the computer and resends that data, impersonating the user?

A replay attack copies data transmitted by the computer's user and then uses it for an attack. Replay attacks are commonly used against digital identities. After intercepting and copying the data, the threat actor later retransmits selected and edited portions of the copied communications to impersonate the legitimate user.

Which of the following is a characteristic of a vulnerability scan that is not a characteristic of a penetration test? A. A vulnerability scan identifies deep vulnerabilities. B. A vulnerability scan is usually automated. C. A vulnerability scan can be done when a regulatory body requires it or on a pre-determined schedule. D. A vulnerability scan is usually a manual process.

A vulnerability scan is automated, while a penetration test is performed manually.

Which of the following can be used to mitigate a limitation of public sharing centers in OSINT? A. KRI B. TTP C. HTTPS D. AIS

AIS: Automated indicator sharing (AIS) can be used to exchange cybersecurity threats between computers through computer-to-computer communication. This mitigates the limitation on the speed of sharing information through public sharing centers in open source intelligence.

What is another name for footprinting?

Active reconnaissance involves directly probing for vulnerabilities and useful information, much like a threat actor would do. This reconnaissance is also called footprinting.

Which tool is most commonly associated with state actors? A. Unlimited Harvest and Secure Attack (UHSA) B. Network Spider and Worm Threat (NSAWT) C. Closed-Source Resistant and Recurrent Malware (CSRRM) D. Advanced Persistent Threat (APT)

Advanced Persistent Threat (APT): A class of attacks that use innovative attack tools to infect and silently extract data over an extended period of time.

Which of the following of the CIA Triad ensures that information is correct, and no unauthorized person has altered it? A. Confidentiality B. Integrity C. Availability D. Assurance

Assurance

What is the primary goal of penetration testing?

Attempt to uncover deep vulnerabilities and then manually exploit them. The primary goal of penetration testing is to uncover deep vulnerabilities and then manually exploit them.

Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into their technology security. What technology will Oskar recommend?

Automated Indicator Sharing (AIS): Critical threat intelligence information should be distributed as quickly as possible to others. To rely on email alerts that require a human to read them and then react takes far too much time. As an alternative, Automated Indicator Sharing (AIS) can be used instead. AIS enables the exchange of cyberthreat indicators between parties through computer-to-computer communication and not email communication.

You have been assigned to decide the process used for software application development at your company. Since the products need to be developed and deployed as each module is completed, you chose to go with agile application development. Your manager has requested you consider SecDevOps. Which of the following is a significant and key feature of using SecDevOps that can be considered for selecting this project's development model?

Automation is a key feature in SecDevOps.

What penetration testing level name is given to testers who have no knowledge of the network and no special privileges?

Black box testers have no knowledge of the network and no special privileges.

Which threat actors violate computer security for personal gain? A. White hat hackers B. Black hat hackers C. Red hat hackers D. Gray hat hackers

Black hat hackers are threat actors who violate computer security for personal gains, such as to steal credit card numbers or to inflict malicious damage.

Which threat actors violate computer security for personal gain? A. White hat hackers B. Gray hat hackers C. Black hat hackers D. Red hat hackers

Black hat hackers are threat actors who violate computer security for personal gains, such as to steal credit card numbers or to inflict malicious damage.

Japan's cybercrime control center noticed that around 200,000 Tokyo computers are infected by bots, and all these bots are remotely controlled by a single attacker. What is this attacker referred to as?

Bot herder: A bot herder is the administrator or controller of the logical network (botnet) of all devices infected by the attacker-created bots. In most cases, the device user is unaware of the bot herder's influence on the endpoint.

What is the category of threat actors that sell their knowledge of vulnerabilities to other attackers or governments?

Brokers sell their knowledge of a weakness to other attackers or governments.

Which threat actors sell their knowledge to other attackers or governments? A. Cyberterrorists B. Criminal syndicates C. Competitors D. Brokers

Brokers sell their knowledge of a weakness to other attackers or governments.

What is another term commonly used to define cross-site request forgery (CSRF):

Client-side request forgery: Cross-site request forgery is also referred to as a client-side request forgery, as this attack takes place on the client side.

What type of threat actor would benefit the most from accessing your enterprise's new machine learning algorithm research and development program?

Competitors

A learning management system application has been written in Python. While running the application code, the specific program or application that converts the program into machine language is called what?

Compiler: A compiler converts the high-level language code into binary, which is understood by the computer.

Which of the following ensures that only authorized parties can view protected information? A. Confidentiality B. Availability C. Authorization D. Integrity

Confidentiality ensures that only authorized parties can view the information.

Your company recently purchased routers with new and updated features and deployed them in the highly secure enterprise network without changing the default settings. A few days later, the enterprise network suffered a data breach, and you are assigned to prepare a report on the data breach. Which of the following vulnerabilities should you identify as the source of the breach? A. Third-party vulnerability B. Platform vulnerability C. Configuration vulnerability D. Zero-day vulnerability

Configuration vulnerability: As the routers were deployed without changing configuration from the default settings, threat actors might have gained easy access to the enterprise network.

Marius's team leader has just texted him that an employee, who violated company policy by bringing in a file on her USB flash drive, has just reported that her computer is suddenly locked up with cryptomalware. Why would Marius consider this a dangerous situation?

Cryptomalware can encrypt all files on any network that is connected to the employee's computer. In addition to encrypting files on the user's local hard drive, cryptomalware can encrypt all files on any network or attached device that is connected to that computer, including secondary hard disk drives, USB hard drives, network-attached storage devices, network servers, and even cloud-based data repositories. If a user's computer in an enterprise is infected with cryptomalware, potentially all files for the enterprise can be locked.

Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports back that he was unable to find anything due to how looking for information on the dark web is different from using the regular web. Which of the following is not different about looking for information on the dark web? A. Dark web search engines are identical to regular search engines. B. It is necessary to use Tor or I2P. C. The naming structure is different on the dark web. D. Dark web merchants open and close their sites without warning.

Dark web search engines are identical to regular search engines. Dark web search engines are very different from regular search engines.

Which issue can arise from security updates and patches? A. Difficulty resetting passwords B. Difficulty updating settings C. Difficulty installing databases D. Difficulty patching firmware

Difficulty patching firmware: Updating firmware to address a vulnerability can often be difficult and requires specialized steps. Furthermore, some firmware cannot be patched.

Which of the following is part of the OS security configuration? A. Enabling the most secure OS platform B. Giving all users administrator privileges C. Installing the latest version of OS D. Disabling default passwords and unnecessary ports

Disabling default passwords and unnecessary ports. Disabling default passwords and unnecessary ports are the primary steps for OS security configuration.

Which of the following is a physical social engineering technique? A. Pharming B. Hoaxes C. Dumpster diving D. Watering hole

Dumpster diving: involves digging through trash receptacles to find information that can be useful in an attack.

What type of analysis is heuristic monitoring based on?

Dynamic analysis: A newer approach to AV is heuristic monitoring (called dynamic analysis), which uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches.

Which of the following is the most common method for delivering malware? A. Identity theft B. Removable media C. Email D. Social media

Email

Luna is reading a book about the history of cybercrime. She read that the very first cyberattacks were mainly for what purpose?

Fame

Which of the following is NOT a feature of a fileless virus? A. Fileless viruses grant limited control. B. Fileless viruses are easy to detect. C. Fileless viruses are easy to defend. D. Fileless viruses are persistent.

Fileless viruses are easy to detect. (They are hard to detect.) The other statements are true: fileless viruses grant extensive control, are hard to defend against, and are persistent.

Kile is assigned a role as a grey box penetration tester in the financial sector. He has to conduct a pen testing attack on all the application servers in the network. Which of the following tasks should he perform first while conducting a penetration testing attack on a network? A. Phishing B. Footprinting C. Tailgating D. Vishing

Footprinting is the process of collecting as much information about the target system as possible to find ways to penetrate the system. Information such as IP addresses, WHOIS records, DNS information, operating system, employee email IDs, phone numbers, etc., comes under this.

Makayla has created software for automating the accounting process at ABL Manufacturing. She completed the software development, with testing done during development at individual stages. Before putting the software into production, Mary, who is in charge of the testing software, ran the application using tools and generated a report giving the various inputs and corresponding exceptions generated by the application. What process did Mary use?

Fuzzing is a process used by common dynamic software testing tools where random inputs are inputted to check exceptions, memory corruption, crashes, etc.

Which of the following penetration testing consultants have limited knowledge of the network and some elevated privileges? A. White box B. Gray box C. Black box D. Bug bounty

Gray box testers have limited knowledge of the network and some elevated privileges.

A federal appeals court recently made a judgment that caused significant public outrage. Soon after the ruling, the court's website was hacked, and the content was replaced with the text "Equal justice for all." Which of the following type of threat actors attacked the court's site? A. Cyberterrorists B. Hacktivists C. Insiders D. State actors

Hacktivists are individuals who attack a computer system or network for socially or politically motivated reasons.

A federal appeals court recently made a judgment that caused significant public outrage. Soon after the ruling, the court's website was hacked, and the content was replaced with the text "Equal justice for all." Which of the following type of threat actors attacked the court's site? A. State actors B. Hacktivists C. Insiders D. Cyberterrorists

Hacktivists are individuals who attack a computer system or network for socially or politically motivated reasons.

What additional measure should be enacted to increase the security on a computer network after secure boot, protective measures from attacks like antimalware, and intrusion detection systems are implemented in all the computers on the network?

Implement hardening at endpoints with patch management and operating system safeguards. Patches are normally software code that fixes identified vulnerabilities in the operating system code. Applying the patches along with operating system safeguards hardens the protective cover for the network and computers.

Which of the following describes a memory leak attack? A. Memory leak attacks take advantage of the token generated and sent to the user's browser by the website as part of the authentication. B. In a memory leak attack, the threat actor takes advantage of the programming error of not freeing the memory after executing a process, taking advantage of the device's low memory conditions to attack. C. In a memory leak attack, an attacker changes the variable's value to something outside the range the programmer had intended. D. A memory leak occurs when a process attempts to store data beyond a fixed-length storage buffer's boundaries.

In a memory leak attack, the threat actor takes advantage of the programming error of not freeing the memory after executing a process, taking advantage of the device's low memory conditions to attack. The threat actor exploits developer-created loopholes in a program's memory handling, and the unfreed memory is then used by the threat actor.

Which of the following is NOT something that a SIEM can perform? A. User behavior analysis B. Sentiment analysis C. Incident response D. Log aggregation

Incident response: A SOAR, not a SIEM, can perform incident response.

Threat actors focused on financial gain often attack which of the following main target categories? A. Product lists B. Social media assets C. Individual users D. REST services

Individual users: This category focuses on individuals as the victims. Threat actors steal and use data, credit card numbers, online financial account information, or social security numbers or send millions of spam emails to peddle counterfeit drugs, pirated software, fake watches, and pornography to profit from their victims.

Which of the following is a disadvantage of the secure boot process? A. It requires an operating system like Microsoft OS to ensure secure boot. B. It makes third-party non-vendor-approved software difficult to implement. C. It does not validate the boot process. D. It slows down considerably, affecting the performance of the computer.

It makes third-party non-vendor-approved software difficult to implement.

A company monitors the network activity of the organization and stores the logs in a database. You have been asked to identify whether there are any malicious activities in the network. Which of the following can denote the upper and lower bounds of their various network activities? A. TTP B. OSI model C. KRI D. Threat maps

KRI (key risk indicator) is a metric, stored in the logs, of the upper and lower bounds of specific activity occurring across the network. This metric is used to measure the probability of an event or threat in the network.

When researching how an attack recently took place, Nova discovered that the threat actor, after penetrating the system, started looking to move through the network with their elevated position. What is the name of this technique?

Lateral movement: With advanced privileges, a threat actor will tunnel through the network looking for additional systems they can access from this newly elevated position.

What platform is known for its vulnerabilities due to age?

Legacy platforms are no longer in widespread use, often because they have been replaced by an updated version of the earlier technology.

Which of the following computing platforms is highly vulnerable to attacks? A. Legacy B. On-premises C. Cloud D. Hybrid

Legacy: Old and outdated computing resources used in legacy platforms make them highly vulnerable.

Alice, a vulnerability assessment engineer at a bank, is told to find all the vulnerabilities on an internet-facing web application server running on port HTTPS. When she finishes the vulnerability scan, she finds several different vulnerabilities at different levels. How should she proceed?

Looking at the priority and the accuracy of the vulnerability is the most appropriate approach for Alice.

A company has approached you for their product testing, and you agree to do it. First, you have to install the necessary plugins for the software through the browser, install the software, and run the software again. What procedure should you adopt to ensure that you don't compromise the browser and the computer's operating system?

Make sure that the OS's security options are deployed, run the antivirus/antispyware on the downloaded files, run the software in HSTS/HTTPS mode, and then send a secure cookie to the server. With this procedure, OS security is deployed, the files are checked for viruses, data transmission is encrypted, and the data stored in the cookie is safe from interception by a third party.

Which of the following is NOT used to describe those who attack computer systems? A. Hacker B. Attacker C. Malicious agent D. Threat actor

Malicious agent. A threat actor may also be called a malicious actor, but not by the term "malicious agent".

Keily is a vulnerability assessment engineer. She is told to find surface vulnerabilities on all internet-facing web servers in the network. Which of the following are surface vulnerabilities that she should initially chase? A. Lack of OS hardening, network design flaw, weak passwords, and misconfigurations B. Lack of OS hardening, network design flaw, lack of application hardening, weak passwords, misconfigurations, and SQL Injections C. Lack of OS hardening, network design flaw, lack of application hardening, misconfigurations, and brute force D. Missing patches, lack of OS hardening, network design flaw, lack of application hardening, weak passwords, and misconfigurations

Missing patches, lack of OS hardening, network design flaw, lack of application hardening, weak passwords, and misconfigurations. These are the low-hanging fruit (surface vulnerabilities, in this context) that Keily should chase first.

Which of the following tools can be used to scan 16 IP addresses for vulnerabilities? A. App Scan B. Nessus Essentials C. Nessus D. QualysGuard

Nessus Essentials

Which of the following is NOT a reason why a legacy platform has NOT been updated? A. Limited hardware capacity B. An application only operates on a specific OS version C. Neglect D. No compelling reason for any updates

No compelling reason for any updates. (There is always a reason to install updates, and that reason is security.)

What is the fastest-running vulnerability scan, and why does this type of scan run so fast?

Non-credentialed scans. Non-credentialed scans run faster because they perform only fundamental actions, such as looking for open ports and finding software that will respond to requests.

Which of the following techniques is a method of passive reconnaissance? A. Port scanning B. War flying C. Open Source Intelligence (OSINT) D. War driving

OSINT is used to search online for publicly accessible information. It is a method of passive reconnaissance.

Which of the following is NOT a recognized attack vector? A. Supply chain B. On-prem C. Social media D. Email

On-prem is a vulnerability and not a recognized attack vector.

Which of the following compliance standards was introduced to provide a minimum degree of security to organizations who handle customer information such as debit card and credit card details daily? A. GLB B. PCI DSS C. FISMA D. SOX

PCI DSS (Payment Card Industry Data Security Standard) was introduced to provide a minimum degree of security to organizations that handle customer information such as debit card and credit card details daily.

Randall's roommate is complaining to him about all of the software that came pre-installed on his new computer. He doesn't want the software because it slows down the computer. What type of software is this?

PUP (potentially unwanted programs): A broad category of software that is often more annoying than malicious is called potentially unwanted programs (PUPs). PUP is software that the user does not want on their computer.

What is an officially released software security update intended to repair a vulnerability called?

Patch: A security patch is an officially released software security update intended to repair a vulnerability.

Which of the following is NOT an issue with patching? A. Few patches exist for application software B. Delays in patching OSs C. Patches address zero-day vulnerabilities D. Difficulty patching firmware

Patches address zero-day vulnerabilities. Patches are intended to address vulnerabilities, which includes zero-day vulnerabilities.

Which of the following is the advantage of penetration testing over vulnerability scanning? A. Penetration testing performs SYN DOS attacks towards a server in a network, while vulnerability scanning only discovers versions of the running services. B. Penetration testing uncovers and exploits deep vulnerabilities, while vulnerability scanning only discovers surface vulnerabilities. C. Penetration testing scans a network for open FTP ports to prevent penetration, while vulnerability scanning only discovers versions of the running services. D. Penetration testing performs automated scans to discover vulnerabilities and prevent penetration, while vulnerability scanning requires manually scanning for vulnerabilities.

Penetration testing uncovers and exploits deep vulnerabilities, while vulnerability scanning only discovers surface vulnerabilities. Penetration testing attempts to uncover deep vulnerabilities and exploit them manually with the mindset of a threat actor, while vulnerability scanning is able to discover surface vulnerabilities.

John is a project manager with an IT firm, and his current project of developing an ERP application is in the development stage. Currently, the application is not yet mature or stable enough to be placed in a test environment. Which of the following secure coding review techniques is applicable for his project? A. Perform dynamic code analysis B. Perform a structured manual analysis of code C. Perform a static binary code analysis D. Perform static code analysis

Perform static code analysis

Social engineering is a means of eliciting information by relying on the weaknesses of individuals. How should you differentiate between the social engineering techniques of phishing and pharming?

Phishing involves sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking action. Pharming is a redirection technique that attempts to exploit a URL by converting its corresponding IP address. A threat actor may install malware on a user's computer that redirects traffic away from its intended target to a fake website instead.

Ebba has received a new initiative for her security team to perform an in-house penetration test. What is the first step that Ebba should undertake?

Planning

You work for an enterprise that provides various cybersecurity services. You are assigned to examine an enterprise's network and suggest security measures modifications, if necessary. On examining the network, you find that the enterprise hosts most of its computing resources on a cloud platform and few resources on-premises, and both seem to have secure settings implemented. You also find that the enterprise computers use the Windows XP operating system. Which of the following vulnerabilities should you insist on fixing first? A. Platform vulnerability B. Third-party vulnerability C. Configuration vulnerability D. Zero-day vulnerability

Platform vulnerability is present in the network, as the enterprise's computers use a legacy operating system.

Which of the following is a social engineering method that attempts to influence the subject before the event occurs? A. Spear phishing B. Prepending C. Watering hole D. Redirection

Prepending attempts to influence the subject before the attack event occurs. A common general example is a preview of a soon-to-be-released movie that begins with the statement, "The best film you will see this year!" Threat actors use prepending with social engineering attacks, such as including the desired outcome in a statement that uses the urgency principle, as in "You need to reset my password immediately because my meeting with the board starts in five minutes."

Which of the following is false about the CompTIA Security+ certification? A. Security+ is one of the most widely acclaimed security certifications. B. Security+ is internationally recognized as validating a foundation level of security skills and knowledge. C. The Security+ certification is a vendor-neutral credential. D. Professionals who hold the Security+ certification earn about the same or slightly less than security professionals who have not achieved this certification.

Professionals who hold the Security+ certification earn about the same or slightly less than security professionals who have not achieved this certification.

Which of the following is a form of malware attack that uses specialized communication protocols? A. Bot B. Keylogger C. Spyware D. RAT

RAT (Remote Access Trojan): A RAT has the functionality of a Trojan while also using specialized communication protocols that allow unauthorized access to the entire infected system.

What term refers to changing the design of existing code?

Refactoring is changing the design of existing code.

Which type of malware can hide its agenda inside other processes, making it undetectable, and what is it usually used for? A. Trojan, an executable program that pretends to perform a harmless activity while doing something malicious B. RAT, an executable program that gives unauthorized remote access to a user's computer C. Rootkit, a malware that uses the lower layers of the operating system or undocumented functions to make alterations to the operating system's processes D. Backdoor, which gives access to a computer, program, or service that overrides any normal security protections

Rootkit, a malware that uses the lower layers of the operating system or undocumented functions to make alterations to the operating system's processes

Which of the following can automate an incident response? A. CVCC B. SOSIA C. SOAR D. SIEM

SOAR: SOARs go beyond SIEMs by combining more comprehensive data gathering and analytics in order to automate incident response. While a SIEM tends to generate more alerts than a security team may be able to respond to, a SOAR allows a security team to automate incident responses.

Which threat actor group has the lowest level of technical knowledge?

Script kiddies are individuals who want to perform attacks, yet they lack the technical knowledge to carry out these attacks. Script kiddies instead do their work by downloading freely available automated attack software (scripts) and use it to perform their malicious acts.

What is meant by "infrastructure as code" in SecDevOps?

"Infrastructure as code" is the SecDevOps method of managing both software and hardware in the same way as developing code: the infrastructure configuration is written as machine-readable definition files that are versioned, reviewed, and tested like application code instead of being set up by hand.
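Infrastructure defined as code can be checked by code. The following is an added example (not from the course material): a small, hypothetical JSON infrastructure definition with two security groups, and a policy test that fails the build when an administrative port is exposed to the whole Internet, then rewrites the offending rule. The resource schema, the list of administrative ports and the trusted network range are assumptions made for the example.

```python
"""Infrastructure as code, reviewed like code (added example, hypothetical schema)."""
import json

# Constructed sample: an infrastructure definition with two security-group resources.
INFRA_JSON = """
{
  "resources": [
    {"name": "web-sg", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22,  "cidr": "0.0.0.0/0"}]},
    {"name": "db-sg", "type": "security_group",
     "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]}
  ]
}
"""

# Administrative ports that must never be reachable from the whole Internet (assumed policy).
ADMIN_PORTS = {22, 3389, 3306, 5432}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def find_violations(doc):
    """Return (resource name, port, cidr) for every admin port open to the world."""
    violations = []
    for res in doc.get("resources", []):
        if res.get("type") != "security_group":
            continue
        for rule in res.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANY_CIDR:
                violations.append((res["name"], rule["port"], rule["cidr"]))
    return violations


def fix_violations(doc, trusted_cidr="10.0.0.0/8"):
    """Return a copy of the document with offending rules narrowed to trusted_cidr."""
    fixed = json.loads(json.dumps(doc))  # deep copy so the input is left untouched
    for res in fixed.get("resources", []):
        if res.get("type") != "security_group":
            continue
        for rule in res.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANY_CIDR:
                rule["cidr"] = trusted_cidr
    return fixed


def check_infra(text):
    """Parse an IaC document and return its policy violations (empty list means pass)."""
    return find_violations(json.loads(text))


if __name__ == "__main__":
    for name, port, cidr in check_infra(INFRA_JSON):
        print(f"FAIL {name}: port {port} open to {cidr}")
    print("after fix:", find_violations(fix_violations(json.loads(INFRA_JSON))))
```

Run as a pipeline step, a non-empty result from `check_infra` fails the build before anything is provisioned, which is the point of treating infrastructure definitions like code.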

Which of the following is TRUE regarding the relationship between security and convenience? A. Security is less important than convenience. B. Security and convenience are inversely proportional. C. Security and convenience are equal in importance. D. Security and convenience have no relationship.

Security and convenience are inversely proportional. The relationship between these two is inversely proportional so that as security is increased, convenience is decreased.

Which of the following is not true regarding security? A. Security is a goal. B. Security includes the necessary steps to protect from harm. C. Security is a process. D. Security is a war that must be won at all costs.

Security is a war that must be won at all costs.

After Bella earned her security certification, she was offered a promotion. As she reviewed the job responsibilities, she saw that in this position she will report to the CISO and will be a supervisor over a group of security technicians. Which of these generally recognized security positions has she been offered? A. Security manager B. Security officer C. Security administrator D. Security technician

Security manager: The security manager reports to the CISO and supervises technicians, administrators, and security staff.

Smitha, an employee working in the accounts department, reported to the information security officer that she could not access her computer. James, the security officer, noticed the following on Smitha's system: On booting the computer, the following message was flashing on the computer screen with the IRS logo: "This computer is locked by the Internal Revenue Service. It has come to our attention that you are transferring funds to other agencies using this computer without compliance with the local income tax laws. As per section 22 of the U.S. Income Tax Act, the transmission of funds without applicable taxes is prohibited. Your IP address is identified in this fraudulent transaction and is locked to prevent further unlawful activities. This offense attracts a penalty of $400.00 for the first offense. You are hereby given 16 hours to resolve this issue, failing which you shall be prosecuted to the full extent of the law. You may make a secure payment by clicking on the following link. If you face any issues, you may reach out to us at [email protected]." The message will not close, nor is there access to applications or files on the computer; however, James can open shared files

Smitha's computer is compromised by ransomware. This variant pretends to lock the computer on behalf of an authority, gives a seemingly valid reason, and instructs the user to pay a fine before being allowed to use the device again. James's observations of Smitha's computer show that it is most likely compromised by a ransomware attack.

Which statement regarding a keylogger is NOT true? A. Software keyloggers can be designed to send captured information automatically back to the attacker through the Internet. B. Software keyloggers are generally easy to detect. C. Keyloggers can be used to capture passwords, credit card numbers, or personal information. D. Hardware keyloggers are installed between the keyboard connector and computer keyboard USB port.

Software keyloggers are generally easy to detect. This is false: software keyloggers are difficult to detect because they typically use rootkit techniques to conceal their presence.

What is a variation of a common social engineering attack targeting a specific user?

Spear phishing targets specific users. The emails used in spear phishing are customized to the recipients, including their names and personal information, to make the message appear legitimate.

Over the last few days, several employees in your enterprise reported seeing strange messages containing links in their company's IM account. Even though no one has clicked on the messages, they are spreading throughout the network. Which type of malicious activity is this? A. Spear phishing B. Spimming C. Whaling D. Vishing

Spim is spam delivered through instant messaging (IM) instead of email. For threat actors, spim can have even more impact than spam. The immediacy of instant messages makes users more likely to reflexively click embedded links in a spim.

Which of the following is not an improvement of UEFI over BIOS? A. Support of USB 3.0 B. Access larger hard drives C. Networking functionality in UEFI D. Stronger boot security

Support of USB 3.0

Which of the following uses vulnerable applications to modify Microsoft registry keys? A. Executable files attack B. System tampering C. Process spawning control D. Quarantine

System tampering attacks occur when a vulnerable application is used by the threat actor to modify key operating system areas like registry keys, startup files, etc.

Which of the following is considered an industry-specific cybersecurity regulation? A. Gramm-Leach-Bliley Act (GLB) B. Sarbanes-Oxley Act of 2002 (SOX) C. Personal Information Protection and Electronic Documents Act (PIPEDA) D. Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains regulations protecting the privacy and security of protected health information (PHI), which makes it specific to the healthcare industry.

Dillip is assigned the role of a SOC developer who must build different teams under the SOC. He must build a new team that will put security defenses in place to prevent another team from penetrating the network. Which team should he build to monitor the other team's attacks and shore up security defenses as necessary? A. Red team B. Purple team C. Blue team D. White team

The blue team monitors for red team attacks and shores up defenses as necessary.

Which of the following is a primary difference between a red team and a white team? A. The red team uses an automated vulnerability scanning tool to find vulnerabilities, whereas the white team defines the rules of penetration testing. B. The red team scans for vulnerabilities and exploits them manually, whereas the white team defines the rules of the penetration testing. C. The red team provides real-time feedback to enhance the threat detection capability, whereas the white team defines the rules of penetration testing. D. The red team uses an automated vulnerability scanning tool to find vulnerabilities, whereas the white team decides which tool to use in automated vulnerability scanning.

The red team scans for vulnerabilities and exploits them manually, whereas the white team defines the rules of the penetration testing. Red teams perform vulnerability scanning, and white teams set the rules for penetration testing.

The files in James's computer were found spreading within the device without any human action. As an engineer, you were requested to identify the problem and help James resolve it. During file code inspection, you noticed that certain types of files in the computer have similar codes. You found that the problem is coming from a set of codes that are not part of the actual files, appended at the bottom of the file. You also noticed a transfer control code written at the beginning of the files giving control to the code at the bottom of the file. Which type of infection is this a characteristic of? A. This is a typical characteristic of a spyware infection in the endpoint device. B. This is a typical characteristic of an endpoint device infected with a file-based virus attack. C. This is a typical characteristic of files infected by keystrokes in an endpoint. D. This is a typical characteristic exhibited by files attacked by ransomware in the device.

This is a typical characteristic of an endpoint device infected with a file-based virus attack. It is the layout of an early-generation file-based virus (an appender virus): the malicious code is attached at the bottom of the file, and a jump instruction inserted at the beginning of the file transfers control to that code, which runs and then hands control back to the original program so the file appears to work normally.

How do vendors decide which should be the default settings on a system?

Those settings that provide the means by which the user can immediately begin to use the product. Default settings are chosen that allow the user to quickly begin using the product.

Which of the following is NOT a general information source that can provide valuable in-depth information on cybersecurity? A. Conferences B. Local industry groups C. Twitter D. Vendor websites

Twitter: With its limitation on the number of characters, Twitter is not considered an in-depth information source for cybersecurity.

Several websites use URLs similar to one of the most globally popular websites, attempting to attract traffic if a user misspells the popular website's URL. What is this social engineering technique called?

Typo squatting (also called URL hijacking): the attacker registers domain names that are common misspellings of a popular site's URL so that users who mistype the address land on the attacker's site instead.
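Defenders look for typo squatting the same way attackers choose names: by generating the likely misspellings of a legitimate domain and then registering or watching them. The following is an added example (not from the course material): it generates single-keystroke variants of a domain label and uses them to flag look-alike names in a constructed list of DNS queries. The keyboard layout, the look-alike table and the sample domains are assumptions made for the example.

```python
"""Typo-squat candidate generation and look-alike detection (added example)."""
import string

# Horizontal QWERTY neighbours only, kept small on purpose (assumption for the example).
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Digits that read like letters in a hurried glance at an address bar (assumed table).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
ALLOWED = set(string.ascii_lowercase + string.digits + "-")


def neighbours(ch):
    """Keys to the left and right of ch on the same keyboard row."""
    for row in ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def typo_variants(label):
    """All single-error typos of a DNS label: omission, doubled key, adjacent key,
    transposed neighbours, vowel swap and digit look-alikes."""
    out = set()
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        out.add(head + tail)                                   # omitted character
        out.add(head + ch + ch + tail)                         # doubled character
        for n in neighbours(ch):
            out.add(head + n + tail)                           # adjacent key
        if ch in "aeiou":
            out.update(head + v + tail for v in "aeiou" if v != ch)
        if ch in HOMOGLYPHS:
            out.add(head + HOMOGLYPHS[ch] + tail)
        if i + 1 < len(label) and label[i + 1] != ch:
            out.add(head + label[i + 1] + ch + label[i + 2:])  # transposition
    out.discard(label)
    # Keep only syntactically valid labels.
    return {v for v in out
            if v and set(v) <= ALLOWED and not v.startswith("-") and not v.endswith("-")}


def squat_candidates(domain):
    """Candidate typo-squat domains for a registered name such as 'example.com'."""
    label, _, tld = domain.lower().partition(".")
    return sorted(f"{v}.{tld}" for v in typo_variants(label))


def flag_lookalikes(observed, legit):
    """Reduce observed domains (e.g. from DNS logs) to typo-squats of legit, keeping order."""
    candidates = set(squat_candidates(legit))
    return [d for d in observed if d.lower() in candidates]


# Constructed sample of domains seen in outbound DNS queries.
OBSERVED = ["exmaple.com", "github.com", "examp1e.com", "example.com", "exampel.com"]

if __name__ == "__main__":
    print(len(squat_candidates("example.com")), "candidate names")
    print(flag_lookalikes(OBSERVED, "example.com"))
```

The same candidate list serves both defensive uses: registering the names pre-emptively, or feeding them to a DNS or proxy log search to catch users who have already been redirected.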

Juan, a cybersecurity expert, has been hired by an organization whose networks have been compromised by a malware attack. After analyzing the network systems, Juan submits a report to the company mentioning that the devices are infected with malware that uses a split infection technique on files. Which malware attack is Juan reporting? A.Cryptomalware B. Virus C. Spyware D. RAT

Virus: The split infection technique is characteristic of a virus that divides its malicious code into several pieces and lodges them at multiple, normally random, locations within the infected file, linking the pieces so that they still execute in sequence.
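The two virus layouts described in the answers above (the appender virus that hooks the entry point and keeps its code at the end of the file, and the split infection that scatters its code through the file) can be emulated on a toy executable format. The following is an added example, not material from the course: it builds both kinds of infected file from a clean host and then scans them by tracing execution from the entry point rather than matching bytes in place, which is why the split copy is found even though no single region holds the whole signature. The instruction set, host program and virus body are all constructed for the example.

```python
"""Appender and split-infection viruses on a toy executable format (added example)."""
import random
import struct

# Toy instruction set (an assumption for this example, not a real file format):
# NOP (1 byte), JMP <u16 absolute offset> (3 bytes), DATA <byte> (2 bytes), HALT (1 byte).
OP_NOP, OP_JMP, OP_DATA, OP_HALT = 0x01, 0x02, 0x03, 0xFF


def jmp(target):
    return bytes([OP_JMP]) + struct.pack("<H", target)


def data(b):
    return bytes([OP_DATA, b])


def clean_program(work):
    """A clean host: 3 NOPs of entry padding, DATA instructions, then HALT."""
    return bytes([OP_NOP] * 3) + b"".join(data(b) for b in work) + bytes([OP_HALT])


def infect_append(prog, virus):
    """Appender virus: the entry is overwritten with a jump to code stuck on the end,
    which runs, replays the saved entry bytes and jumps back into the host."""
    saved = prog[:3]
    return jmp(len(prog)) + prog[3:] + virus + saved + jmp(3)


def infect_split(prog, virus, pieces, seed=0):
    """Split infection: the virus is cut into pieces lodged at random places in the
    host; each piece is linked to the next by a JMP, and a JMP in front of each
    piece lets the host's own control flow skip over it."""
    rng = random.Random(seed)
    saved, host = prog[:3], prog[3:]
    instrs = [virus[i:i + 2] for i in range(0, len(virus), 2)]
    per = -(-len(instrs) // pieces)
    chunks = [b"".join(instrs[i:i + per]) for i in range(0, len(instrs), per)]
    cuts = sorted(rng.sample(range(0, len(host), 2), len(chunks)))  # instruction boundaries
    out, piece_starts, link_slots, prev = bytearray(b"\x00" * 3), [], [], 0
    for i, (cut, chunk) in enumerate(zip(cuts, chunks)):
        out += host[prev:cut]
        prev = cut
        last = i == len(chunks) - 1
        tail = saved + jmp(3) if last else b"\x00" * 3      # return to host / link placeholder
        out += jmp(len(out) + 3 + len(chunk) + len(tail))   # host flow skips this fragment
        piece_starts.append(len(out))
        out += chunk
        if not last:
            link_slots.append(len(out))
        out += tail
    out += host[prev:]
    out[0:3] = jmp(piece_starts[0])                         # hijack the entry point
    for slot, target in zip(link_slots, piece_starts[1:]):
        out[slot:slot + 3] = jmp(target)                    # chain the fragments in order
    return bytes(out)


def trace(prog, max_steps=10_000):
    """Run the toy program; return [(offset, byte)] for every DATA instruction executed."""
    pc, steps, count = 0, [], 0
    while count < max_steps:
        count += 1
        op = prog[pc]
        if op == OP_HALT:
            break
        if op == OP_NOP:
            pc += 1
        elif op == OP_DATA:
            steps.append((pc, prog[pc + 1]))
            pc += 2
        elif op == OP_JMP:
            pc = struct.unpack_from("<H", prog, pc + 1)[0]
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {pc}")
    return steps


def executed_data(prog):
    return bytes(b for _, b in trace(prog))


def scan(prog, signature):
    """Emulate from the entry point and look for the signature in what actually executes.
    Returns (found, number of separate file regions holding it, entry point hijacked)."""
    steps = trace(prog)
    idx = bytes(b for _, b in steps).find(signature)
    if idx < 0:
        return (False, 0, prog[0] == OP_JMP)
    offs = [pc for pc, _ in steps[idx:idx + len(signature)]]
    fragments = 1 + sum(1 for a, b in zip(offs, offs[1:]) if b != a + 2)
    return (True, fragments, prog[0] == OP_JMP)


# Constructed sample host and virus body; the "signature" is simply the bytes the virus emits.
HOST = clean_program(b"hello, world")
VIRUS_SIG = b"MALWARE!"
VIRUS = b"".join(data(b) for b in VIRUS_SIG)

if __name__ == "__main__":
    for label, prog in [("clean", HOST), ("appended", infect_append(HOST, VIRUS)),
                        ("split", infect_split(HOST, VIRUS, 3, seed=7))]:
        print(label, scan(prog, VIRUS_SIG), executed_data(prog))
```

Both infected files still produce the host's normal output after the virus runs, which is what lets early file infectors go unnoticed; the scanner's fragment count is the difference between the two layouts (1 for the appender, one per piece for the split infection).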

There is often confusion between vulnerability scanning and penetration testing. What is the best explanation of the difference between vulnerability scanning and penetration testing?

Vulnerability scanning is performed using an automated tool to scan a network for known vulnerability signatures. Penetration testing involves attempting to manually uncover deep vulnerabilities just as a threat actor would, and then exploiting them.

In an application development model, which of the following uses a sequential development process? A. Rapid application development B. DevOps deployment C. Agile development D. Waterfall development

Waterfall development follows a sequential model of application development.

Attackers have taken over a site commonly used by an enterprise's leadership team to order new raw materials. The site is also visited by leadership at several other enterprises, so taking this site will allow for attacks on many organizations. Which type of malicious activity is this? A. Spear phishing B. Hoax C. Watering hole D. Vishing

Watering hole: A watering hole attack is directed towards a smaller group of specific individuals, such as the top executives working for a manufacturing company. These executives all tend to visit a common website, such as a parts supplier to the manufacturer. An attacker who wants to target this group of executives tries to determine the common website they frequent and then infects it with malware that will make its way onto the group's computers.

What type of hacker will probe a system for weaknesses and then privately provide that information back to the organization?

White hat hackers: Also known as ethical attackers, white hat hackers probe a system, with the organization's permission, for weaknesses and then privately report that information back to the organization.

Which of these is a list of preapproved applications? A. Greenlist B. Whitelist C. Redlist D. Blacklist

Whitelist: Whitelisting (now commonly called allowlisting) is approving in advance only specific applications to run on the OS, so that any item not approved is either restricted or denied.

Which HTTP response header should be used to prevent attackers from displaying their content on a website? A. X-Frame-Options B. X-XSS C. CSP D. HSTS

X-Frame-Options: This response header tells the browser whether the page may be rendered inside a frame or iframe, so an attacker cannot embed the site inside a page they control and layer their own content over it (clickjacking).

A cybercriminal attempts to trick a computer's user into sharing their personal information by implementing content to discreetly capture user information over the actual webpage. What should the user implement to avoid this situation? A. CSP B. X-Frame-Options C. X-XSS D. HSTS

X-Frame-Options: Setting this header (to DENY or SAMEORIGIN) stops the page from being loaded in a frame on another site, which is how an attacker overlays invisible content on top of the real page to capture the user's clicks and keystrokes (clickjacking).
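As an added example (not the course's own material), the Python below shows the response headers a server should send to stop its pages being framed, a check that tells whether a given set of headers actually blocks cross-origin framing (CSP `frame-ancestors` overrides X-Frame-Options when both are present), and an audit that lists which protections a response is missing. The header values and the sample header sets are assumptions made for the example.

```python
"""Anti-framing and related response headers: a hardened server and an audit (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Baseline hardened headers (assumed values for the example, not the course's own).
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def cross_origin_framing_blocked(headers):
    """Would a browser refuse to render this response inside another site's frame?
    A CSP frame-ancestors directive takes precedence over X-Frame-Options."""
    h = _lower(headers)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return {p.lower() for p in parts[1:]} <= {"'none'", "'self'"}
    return h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")


def audit_headers(headers):
    """Names of protections missing from a response header set (empty list = pass)."""
    h = _lower(headers)
    missing = []
    if not cross_origin_framing_blocked(headers):
        missing.append("clickjacking")
    if "content-security-policy" not in h:
        missing.append("csp")
    if "strict-transport-security" not in h:
        missing.append("hsts")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        missing.append("nosniff")
    return missing


class HardenedHandler(BaseHTTPRequestHandler):
    """Minimal server that sends the hardened headers with every page."""

    def do_GET(self):
        body = b"<html><body><h1>Account settings</h1></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in HARDENED_HEADERS.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed header sets: a typical unhardened response, and one whose CSP allows a partner to frame it.
WEAK_HEADERS = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
PARTNER_FRAMED = {"Content-Security-Policy": "frame-ancestors https://partner.example",
                  "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()
```

X-XSS-Protection, offered as an option in the question above, is obsolete: current browsers ignore it, and Content-Security-Policy is the header that actually constrains where scripts may load from and who may frame the page.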

Which of the following attacks is based on a website accepting user input without sanitizing it? A. RSS B. SQLS C. XSS D. SSXRS

XSS: In a cross-site scripting (XSS) attack, a website that accepts user input without validating or sanitizing it and then uses that input in a response can be exploited, because the attacker's input is returned to other users' browsers and executed there as script.
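The same page rendered with and without output encoding, as an added example (not from the course): the first function reflects the user's input into the response unchanged, the second escapes it for the HTML text context, and the third shows that the encoding must match the context (text, quoted attribute, URL) in which the input lands; a regular-expression allowlist validates the structured field. The payloads are constructed for the example.

```python
"""Reflected XSS: vulnerable rendering beside validated, context-encoded rendering (added example)."""
import html
import re
from urllib.parse import quote

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Allowlist validation for a structured field: reject anything outside the expected shape."""
    return bool(USERNAME_RE.match(value))


def render_vulnerable(name):
    """Reflects the parameter into the response unchanged: a value such as
    <script>alert(1)</script> is returned to the browser and runs as script."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name):
    """Same page with output encoding: markup characters become HTML entities,
    so the browser displays the input as text instead of interpreting it."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_profile(name, site):
    """Encoding has to match the output context: entity-encode text and quoted
    attribute values, percent-encode anything placed into a URL."""
    return (f"<p>Hello, {html.escape(name)}!</p>"
            f'<a href="/go?u={quote(site, safe="")}" '
            f'title="{html.escape(site, quote=True)}">website</a>')


# Constructed attacker inputs: one for the text context, one that tries to break out of an attribute.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_vulnerable(SCRIPT_PAYLOAD))
    print(render_safe(SCRIPT_PAYLOAD))
    print(render_profile("bob", ATTR_PAYLOAD))
    print(validate_username("alice_1"), validate_username(SCRIPT_PAYLOAD))
```

Validation and encoding are complementary: the allowlist rejects malformed values for fields that have a known shape, while encoding protects free-text fields that legitimately may contain characters such as `<` or `"`.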

