CompTIA CySA Most Recent


An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? The community string being used is invalid Any listed answers may be true The machines are not running SNMP servers The machines are unreachable

Any listed answers may be true The best option is all of the answers listed. SNMP runs over UDP, and a closed UDP port sends no SNMP reply (at most an ICMP port-unreachable message, which firewalls commonly drop), so "no response" looks the same whether the host is down, unreachable from the scanner's position, filtered, or simply not running an SNMP agent. An SNMPv1/v2c agent also silently discards requests that carry an invalid community string, so a wrong string produces exactly the same silence. Before drawing a conclusion, the analyst needs a second check, such as ICMP or TCP probes of the same addresses and a community string confirmed with the device owner.

A system administrator is hardening a newly provisioned server with software patches and security updates. What functional security control is the system administrator performing? A. Detective B. Preventative C. Corrective D. Compensating

B. Preventative Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Implementing software patches and security updates are examples of preventative controls. The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. A good example of a corrective control is a backup system that can restore data damaged during an intrusion. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A security consultant is using the dark web as a source of defensive open-source intelligence (OSINT). Which of the following should the consultant be aware of when using the dark web? (Select the three best options.) A. The dark web is protected by a single layer of encryption. B. The dark web serves as an operating platform for cybercrimes. C. Threat actors leverage the dark web for criminal activities. D. The dark web can pro

B. The dark web serves as an operating platform for cybercrimes. C. Threat actors leverage the dark web for criminal activities. D. The dark web can pro

A systems administrator installs a syslog server to capture and report events for wireless infrastructure. Following a requirement from the Chief Information Officer (CIO), recorded logging levels should include a status if an access point is unusable and if any immediate action is required. Which logging levels does the administrator evaluate and configure? (Select the two best options.) 2-Critical 4-Warning 0-Emergency 1-Alert

0-Emergency 1-Alert Logging levels are categories of severity used to classify log events, and each level has a numerical value that can be used to sort and filter them. Syslog uses eight levels, from the most severe (level 0) to the least severe (level 7). A log level of 0-Emergency indicates that the system is unusable, and a log level of 1-Alert indicates that the system needs immediate attention; together they cover both of the CIO's requirements. A log level of 2-Critical indicates critical conditions, and 4-Warning indicates warning conditions, neither of which by itself means the access point is unusable or that immediate action is required.
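To make the severity levels concrete, here is an added example (not code from the original page) that decodes the PRI field at the front of a syslog line into facility and severity and keeps only the 0-Emergency and 1-Alert events the CIO asked for. The PRI arithmetic (facility * 8 + severity) comes from RFC 5424; the log lines themselves are constructed for illustration.

```python
"""Decode syslog PRI values and pick out the events the CIO asked for.

Added example, not code from the original page. A syslog PRI is
facility * 8 + severity (RFC 5424, section 6.2.1). The log lines below are
constructed for illustration; facility 23 (local7) is common on network gear.
"""
import re

SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Constructed sample lines (PRI 184 = local7 + 0, 185 = local7 + 1, ...).
SAMPLE_LOGS = [
    "<184>Jun 11 10:01:03 wlc01 AP ap-lobby-1 unusable: radio hardware failure",
    "<185>Jun 11 10:01:05 wlc01 AP ap-lobby-1 requires immediate action: failover to ap-lobby-2",
    "<186>Jun 11 10:01:09 wlc01 AP ap-floor2 critical: client count exceeds license",
    "<188>Jun 11 10:02:00 wlc01 AP ap-floor3 warning: channel utilization high",
    "<190>Jun 11 10:02:30 wlc01 AP ap-floor3 client 10.0.4.21 associated",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x07


def parse_line(line):
    """Parse one syslog line into facility, severity, level name and message."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError(f"no PRI header in line: {line!r}")
    facility, severity = decode_pri(int(match.group(1)))
    return {
        "facility": facility,
        "severity": severity,
        "name": SEVERITY_NAMES[severity],
        "msg": match.group(2),
    }


def needs_immediate_action(lines, max_severity=1):
    """Return events at Emergency (0) or Alert (1): system unusable or
    immediate action required, which is what the CIO's requirement maps to."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e["severity"] <= max_severity]


if __name__ == "__main__":
    for event in needs_immediate_action(SAMPLE_LOGS):
        print(f"{event['severity']}-{event['name']}: {event['msg']}")
```

Filtering on the numeric severity rather than on message text is the point: the level is set by the sending device, so a collector can route 0 and 1 to paging and leave 2 through 7 in the normal log without parsing vendor-specific wording.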

Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

192.168.1.12, 172.16.1.3, 445, UDP, DENY 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW 172.16.1.12, 192.168.1.3/24, 445, TCP, ALLOW 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW
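The way to reason about an implicit-deny ACL is to run candidate flows through it: only what a rule explicitly allows gets through, so an entry is wrong if it lets through a flow that should be denied (a whole /24 or every port) or fails to allow the one flow that is required. The following added example (not part of the original page) does that for the three ALLOW candidates above. It assumes the HR computer is 172.16.1.3 and the file server is 192.168.1.12, which the page does not state, and the extra host 172.16.1.12 and address 192.168.1.200 are constructed probes.

```python
"""Evaluate candidate ACL entries against an implicit-deny firewall.

Added example, not part of the original page. Entries use the question's
format (source, destination, port, protocol, action); the first matching
entry wins and anything unmatched is denied. Assumption, not stated on the
page: the HR computer is 172.16.1.3 and the file server (Files) is
192.168.1.12.
"""
import ipaddress

HR = "172.16.1.3"           # assumed HR workstation address
FILES = "192.168.1.12"      # assumed file server address
OTHER_HOST = "172.16.1.12"  # constructed: another host on the HR subnet


def _ip_in(addr, entry):
    """True when addr falls inside entry (a single host or a CIDR block)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False)


def evaluate(acl, src, dst, port, proto):
    """Return 'ALLOW' or 'DENY' for a flow; unmatched flows hit the implicit deny."""
    for e_src, e_dst, e_port, e_proto, action in acl:
        if (_ip_in(src, e_src) and _ip_in(dst, e_dst)
                and (e_port == "ANY" or e_port == port)
                and e_proto.upper() == proto.upper()):
            return action
    return "DENY"


# The three ALLOW candidates from the question, each as its own ACL.
TIGHT = [(HR, FILES, 445, "TCP", "ALLOW")]
BROAD_DST = [(OTHER_HOST, "192.168.1.3/24", 445, "TCP", "ALLOW")]
ANY_PORT = [(HR, FILES, "ANY", "TCP", "ALLOW")]


def check_candidates():
    """Probe each candidate with flows that should and should not be allowed."""
    return {
        # Only the intended flow is allowed; everything else falls to implicit deny.
        "tight_hr_smb": evaluate(TIGHT, HR, FILES, 445, "TCP"),
        "tight_other_host": evaluate(TIGHT, OTHER_HOST, FILES, 445, "TCP"),
        "tight_udp": evaluate(TIGHT, HR, FILES, 445, "UDP"),
        # /24 destination: names the wrong source and reaches every 192.168.1.x host.
        "broad_wrong_src": evaluate(BROAD_DST, OTHER_HOST, "192.168.1.200", 445, "TCP"),
        "broad_hr_denied": evaluate(BROAD_DST, HR, FILES, 445, "TCP"),
        # ANY port: right hosts, but SSH (22) gets through along with SMB.
        "anyport_ssh": evaluate(ANY_PORT, HR, FILES, 22, "TCP"),
    }


if __name__ == "__main__":
    for name, verdict in check_candidates().items():
        print(f"{name:18s} {verdict}")
```

A DENY entry for UDP 445 adds nothing on an implicit-deny firewall, since unmatched UDP is already dropped; that is why the first option above does not satisfy the requirement on its own.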

You are reviewing a rule within your organization's IDS. You see the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow: to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; max-detect-ips drop, service http; reference:cve,2016-8077; classtype: attempted-user; sid:65535;rev:1; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this rule, which of the following malicious packets would this IDS alert on? Any malicious outbound packets Any malicious inbound packets A malicious outbound TCP packet A malicious inbound TCP packet

A malicious inbound TCP packet The rule header (the first line) restricts this rule to TCP, with a source of $EXTERNAL_NET on $HTTP_PORTS and a destination of $HOME_NET on any port. The flow option "to_client,established" means the rule only examines traffic flowing from the server toward the client on a connection that has already completed its handshake; combined with the header, that is a response from an external web server to an internal client, so only inbound traffic is analyzed. Therefore, this rule alerts on an inbound malicious TCP packet, and only when the packet matches all of the conditions listed in the rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content such as the protocol covered by the signature, the ports being analyzed, and the direction of flow.
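Reading the header and the flow option is mechanical enough to script. The following added example (not code from the original page) parses the rule above into protocol, ports, direction and flow. RULE is the page's rule with two assumed repairs: the parentheses Snort requires around the option list are restored, and the "max-detect-ips drop, service http" fragment is written as the metadata option it would normally belong to.

```python
"""Pull protocol, ports and direction out of a Snort rule header.

Added example, not code from the original page. RULE is the page's rule with
the option-list parentheses restored and the "max-detect-ips drop, service
http" fragment written as a metadata option; both are assumptions.
"""
import re

RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
    'msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; '
    'flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; '
    'content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\\s*=\\s*/"; '
    'byte_test:10,>,0x3ffffffe,0,relative,string; '
    'metadata:policy max-detect-ips drop, service http; '
    'reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)'
)

# action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(opts):
    """Split the option body on semicolons that sit outside double quotes.
    Returns {keyword: [values]}; bare modifiers such as file_data map to [None]."""
    items, buf, in_quote, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    parsed = {}
    for item in items:
        if not item:
            continue
        key, sep, value = item.partition(":")
        parsed.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return parsed


def classify(rule):
    """Summarize what the rule inspects: protocol, ports, direction, flow, sid, CVEs."""
    match = HEADER_RE.match(rule)
    if not match:
        raise ValueError("not a Snort rule header")
    h = match.groupdict()
    opts = split_options(h["opts"])
    flow_raw = opts.get("flow", [""])[0] or ""
    flow = [f.strip() for f in flow_raw.split(",") if f.strip()]
    # Direction is judged relative to the protected network ($HOME_NET).
    if h["dir"] == "->" and h["dst"].startswith("$HOME_NET"):
        direction = "inbound"
    elif h["dir"] == "->" and h["src"].startswith("$HOME_NET"):
        direction = "outbound"
    else:
        direction = "bidirectional"
    return {
        "action": h["action"],
        "proto": h["proto"],
        "src_port": h["sport"],
        "dst_port": h["dport"],
        "direction": direction,
        "flow": flow,
        "sid": opts.get("sid", [None])[0],
        "cve": [r for r in opts.get("reference", []) if r.startswith("cve,")],
    }


if __name__ == "__main__":
    for key, value in classify(RULE).items():
        print(f"{key:10s} {value}")
```

The quote-aware splitter matters because content and pcre values routinely contain characters that would otherwise break a naive split on ";"; the same parser can be pointed at any rule file to inventory which signatures watch inbound versus outbound traffic.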

A mission-critical system is offline at an organization due to a zero-day attack. The associated software vendor plans to release a patch to remediate the vulnerability. Which of the following are important patch management considerations for this scenario? (Select the three best options.) A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins D. A routine schedule for the rollout of noncritical patches

A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins A patch test environment where technicians can install, test, and analyze urgent and important patches before deployment into production would be a vital consideration for this scenario. The organization should immediately push delivery of critical security patches at the earliest availability when mission-critical services are in question. A specific team or person responsible for reviewing vendor-supplied newsletters and security patch bulletins is necessary for this type of event. While creating a routine schedule for the rollout of noncritical patches has merit, it does not illustrate important patch management considerations in this example. A security analyst would address noncritical patches at a later time.

An attacker is browsing social media accounts associated with a targeted organization. Why is the attacker using social media in this manner? (Select the three best options.) A. Attackers can use social media sites to find an organization's information. B. Attackers can leverage social media as a vector to launch attacks against targets. C. Attackers can use information from social media as a source of defensive OSINT. D. An attacker may find posts or user profiles that give away sensitive information.

A. Attackers can use social media sites to find an organization's information. B. Attackers can leverage social media as a vector to launch attacks against targets. D. An attacker may find posts or user profiles that give away sensitive information. Attackers can use social media sites, like Facebook and LinkedIn, to find an organization's information. Attackers can also leverage social media as a vector to launch attacks against targets; impersonation is one example, where an attacker poses as a trusted person to get a target to divulge information about the organization. Depending on how much an organization or its employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or that simply serve as another vector or target to take advantage of. Option C is incorrect because defensive OSINT is what defenders gather about their own exposure; an attacker browsing social media is performing offensive reconnaissance, not defensive OSINT.

An engineer is considering appropriate risk responses using threat modeling. They are trying to understand which threat actors are in scope for their organization. How does threat modeling identify the principal risks and tactics, techniques, and procedures (TTPs) for which their system may be susceptible? (Select the three best options.) A. By evaluating the system from an attacker's point of view B. By evaluating a system from a neutral perspective C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective

A. By evaluating the system from an attacker's point of view C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective Threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) for which a system may be susceptible through evaluating systems from an attacker's point of view. Diagrams can show how a security analyst can deconstruct a system into its functional parts to analyze each area for potential weaknesses. Analyzing systems from a defender's perspective is another way that threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) to which a system may be susceptible. Evaluating systems from a neutral perspective is not a method used in threat modeling.

A computer emergency response team (CERT) is quickly reacting to an attack on the network infrastructure of a semiconductor manufacturer. What is true about a CERT? (Select the three best options.) A. CERTS mitigate cybercrime. B. CERTS work with local law enforcement. C. CERTS provide knowledge of trending attacks. D. CERTS publish a wide variety of information concerning threats.

A. CERTs mitigate cybercrime. B. CERTs work with local law enforcement. C. CERTs provide knowledge of trending attacks. A CERT aims to mitigate cybercrime and minimize damage by responding to incidents quickly. CERTs work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks, and they coordinate responses to major incidents. This allows CERTs to provide knowledge and information regarding trending and observed attacks. Publishing a wide variety of threat information is characteristic of government bodies rather than a CERT responding to an incident: the government is responsible for protecting the country's constituents and the national infrastructure and for publishing information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) publish several types of cybersecurity guidance.

A systems administrator is researching active defense approaches. The administrator decides to install a honeypot to lure attackers away from assets of actual value. What is true of a honeypot? (Select the three best options.) A. Honeypots seek to redirect malicious traffic away from live production systems. B. Honeypots can provide an early warning regarding ongoing attacks. C. Honeypots help collect intelligence on the attackers and their techniques. D. Honeypots assist defensive teams in identifying and responding after an attack has taken place on critical systems.

A. Honeypots seek to redirect malicious traffic away from live production systems. B. Honeypots can provide an early warning regarding ongoing attacks. C. Honeypots help collect intelligence on the attackers and their techniques.

A systems administrator is searching for potential vulnerabilities in the network. Which threat-hunting focus area should the administrator examine, as attackers often exploit it through connected systems or physical access? A. Isolated networks B. Misconfigured systems C. Business-critical assets D. Lateral movements

A. Isolated networks Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in systems that connect to them (jump hosts, maintenance laptops, removable media) or through physical access, which is exactly the pair of paths the question describes. Misconfigurations in IT systems create vulnerabilities that attackers exploit over the network, but misconfiguration hunting is not defined by connected systems or physical access. Business-critical asset hunting involves searching for unauthorized access attempts, unusual traffic patterns, or suspicious activity that could indicate an attack on those assets. Lateral movement is the process by which an attacker moves from one part of a computing environment to another; it is an attacker technique, not a threat-hunting focus area.

A support manager is giving essential security training to the help desk. Which control class is the support manager implementing? A. Operational B. Technical C. Detective D. Managerial

A. Operational Operational controls are primarily implemented and executed by people (as opposed to systems). For instance, security guards and training programs are examples of operational controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. These are primarily executed by systems (hardware, software, or firmware). Detective controls are measures taken to detect and respond to incidents or vulnerabilities. These controls provide insight into anomalies or abnormal patterns in the environment. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

A geographically diverse group of hackers commit fraud against a small company for commercial gain. What type of threat actor committed this fraud? A. Organized crime B. Hacktivist C. Nation-state D. Insider threat

A. Organized crime An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage. An insider threat arises from an actor to whom the organization has already granted identified, legitimate access.

Which of the following are characteristics of an advanced persistent threat? (Select the three best options.) A. Remove evidence of the attack B. Target large organizations C. Spend little time gathering intelligence D. Develop highly specific exploits

A. Remove evidence of the attack B. Target large organizations D. Develop highly specific exploits One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack. APTs typically target large organizations, such as financial institutions, companies in healthcare, and other organizations that store large volumes of personally identifiable information (PII), especially when the PII describes important government and political figures. APTs spend considerable time gathering intelligence on their targets in order to develop highly specific exploits, which is why option C is incorrect. APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer. APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution.

A CEO of a small corporation has decided to continue using a legacy system despite security concerns. This is an example of which risk management principle? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

A. Risk acceptance Risk acceptance means the company continues to operate without change after it evaluates an identified risk item, such as using a legacy system despite security concerns. The risk item could relate to software, hardware, or existing processes. Risk avoidance usually means that the company stops the risk-bearing activity; for instance, risk managers may discover that a software application has numerous high-severity security vulnerabilities and decide to retire it rather than keep running it. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company assigns risk to a third party, typically through insurance policies; insurance transfers financial risk to a third party.

A systems administrator runs a scan on an application server and finds several vulnerabilities. The issues are not severe, and patches are available in each instance. The administrator decided to install the available patches. What risk management principle did they demonstrate? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference

A. Risk mitigation The system administrator is practicing risk mitigation by installing the patches and thereby reducing the vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk acceptance means the company continues to operate without change after it evaluates an identified risk item. Risk avoidance usually means that the company stops the risk-bearing activity; for instance, risk managers may discover that a software application has numerous high-severity security vulnerabilities and decide to retire it. Risk transference (or sharing) means the company assigns risk to a third party, typically through insurance policies; insurance transfers financial risk to a third party.

A system administrator is performing patchwork on their organization's system. The administrator realizes the maintenance window will close before they complete the patchwork. What action must the administrator take to abide by the change management policy? A. Rollback to the system's previous state B. Rollout earlier patches C. Rollback to a system's initial state D. Rollout system patches

A. Rollback to the system's previous state Change management policy dictates that patching must finish quickly enough to accommodate rollback plans if trouble occurs—without overrunning the maintenance window. Change management rollback is the process of undoing a system's changes to restore the system to an earlier, pre-change state. The appropriate terminology for a rollout of earlier patches is rollback. The organization performs rollouts during a maintenance window when they implement new patches. Rolling back to a system's initial state is possible but unadvisable because of security concerns. Simply rolling back to the previous state is the best course of action. Rolling out system patches is a task performed during open maintenance windows. Patch management teams rely on maintenance windows to complete patch rollouts.

An attacker is planning to target a business-critical database for a large enterprise. What are some business-critical asset-hunting methods that security analysts use to protect systems? (Select the two best options.) A. Search for unauthorized access attempts B. Search for misconfigured systems C. Search for unusual traffic patterns D. Search for routine activity

A. Search for unauthorized access attempts C. Search for unusual traffic patterns Business-critical asset hunting focuses on the systems whose compromise would hurt the organization most, such as a production database. Analysts search for unauthorized access attempts against those assets, unusual traffic patterns to or from them, and other suspicious activity that could indicate an attack. Searching for misconfigured systems belongs to the misconfiguration-hunting focus area (weak passwords, open ports, unpatched software) rather than business-critical asset hunting. Routine activity is the expected baseline that the analyst compares observations against; it is not what the analyst hunts for.

A security analyst is analyzing systems for potential misconfiguration. Misconfiguration hunting is an important focus area. What are some key items the analyst should search for while misconfiguration hunting? (Select the three best options.) A. Weak passwords B. Open ports C. Unpatched software D. Isolated networks

A. Weak passwords B. Open ports C. Unpatched software One key item to search for during misconfiguration hunting is weak passwords. An attacker can exploit weak passwords and gain control of a system. Another key item to look for while misconfiguration hunting is open ports. Open ports offer attackers potential exploits leading to system compromise. During misconfiguration hunting, it is crucial to search for unpatched software. Unpatched software is a common exploit used by cybercriminals. Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. Searching for isolated networks is not a component of misconfiguration hunting.

A security engineer wants to implement Zero Trust architecture at their workplace. What key benefits would the engineer mention to their company for using a Zero Trust architecture? (Select the three best options.) A.Greater security B.Better access controls C.Improved governance and compliance D.Decreased granularity

A.Greater security B.Better access controls C.Improved governance and compliance Zero Trust architecture authenticates and verifies all users, devices, and applications before granting network access, and so provides greater security. A Zero Trust architecture offers better access controls; for example, there are more stringent limits on who or what can access resources and from which locations. A Zero Trust architecture provides improved governance and compliance because it requires limits on data access and gives greater operational visibility of user and device activity. Decreased granularity is not a key benefit of a Zero Trust architecture; Zero Trust offers increased granularity, granting users access only to what they need when they need it.

A network engineer wants to simplify network and security services. How could Secure Access Service Edge (SASE) help to simplify these services for the engineer? A.It combines network and security functions into a single cloud-hosted service. B.It requires dedicated hardware. C.It offers elementary features. D.It blocks the remote management of networks and systems.

A.It combines network and security functions into a single cloud-hosted service. Secure Access Service Edge (SASE) aims to simplify the complexity of managing multiple network and security services by combining networking and security functions into a single cloud-hosted service. SASE eliminates the need for dedicated hardware, which allows security teams to quickly adapt to changes while maintaining secure access to any user from any device. SASE also offers advanced features such as identity and access management, secure web gateways, and supports Zero Trust network access, all designed to protect an organization's data and applications while providing uninterrupted user access. SASE also facilitates remote management of networks and systems.

A system technician reviews system logs from various devices and notices discrepancies between recorded events. The events between the systems are not synchronizing in the correct order. Which configuration should the technician analyze and adjust to ensure proper and accurate logging? (Select the two best options.) A.NTP B.GPS C.PKI D.SSL

A.NTP B.GPS Time drift or time discrepancies cause systems to write logs with incorrect timestamps, so events from different devices cannot be correlated in the right order. Synchronizing every device to a common time source with the Network Time Protocol (NTP) fixes this. The Global Positioning System (GPS) is a location technology, but GPS receivers also deliver a precise time signal and are commonly used as the reference clock for an NTP server. Public key infrastructure (PKI) provides a suite of tools for public/private key management, integrity checks via digital signatures, and authentication; it does not provide time synchronization. Secure Sockets Layer (SSL), and its successor TLS, encrypt traffic; SSL inspection is useful for examining encrypted HTTPS traffic, but it does not address time synchronization.

While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; What is the largest security issue with this line of code? The code is using parameterized queries An SQL injection could occur because input validation is not being used on the id parameter This code is vulnerable to a buffer overflow attack The * operator will allow retrieval of every data field about this customer in the CUSTOMER table

An SQL injection could occur because input validation is not being used on the id parameter This code takes the "id" parameter directly from the request and concatenates it into the SQL statement without any input validation, so the caller controls part of the query text. If a malicious user supplies ' or '1'='1 as the id, the statement becomes: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the WHERE clause is true for every row, and every record in the CUSTOMER table becomes available to the attacker. There are reasons for and against the use of the * operator, but its presence alone does not indicate a weakness. From a single line you cannot say the program is vulnerable to a buffer overflow; nothing here writes into a fixed-size buffer, and Java strings are bounds-checked. The code is not using parameterized queries; if it did, that would eliminate this vulnerability. A parameterized query (a prepared statement) sends the SQL text and the user-supplied value to the database separately, so the value is bound as data and can never change the structure of the query.
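The difference between the two approaches is easiest to see by running both. The following added example (not the page's code, and in Python rather than Java) builds an in-memory SQLite CUSTOMER table with three constructed rows, then issues the same lookup with string concatenation and with a bound parameter, using the ' or '1'='1 payload from the explanation.

```python
"""The page's concatenated query beside its parameterized form, run against
SQLite so the injection can be observed.

Added example, not the page's code. The CUSTOMER table and its three rows are
constructed for illustration; PAYLOAD is the injection string from the text.
"""
import sqlite3

PAYLOAD = "' or '1'='1"


def build_db():
    """In-memory CUSTOMER table populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CUSTOMER (CUST_ID TEXT PRIMARY KEY, NAME TEXT, EMAIL TEXT)"
    )
    conn.executemany(
        "INSERT INTO CUSTOMER VALUES (?, ?, ?)",
        [
            ("C001", "Ada", "ada@example.test"),
            ("C002", "Grace", "grace@example.test"),
            ("C003", "Linus", "linus@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn, cust_id):
    """Mirror of the Java line: the id value is pasted into the SQL text."""
    query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Prepared statement: the driver sends the value separately, as data,
    so the quote in the payload is just a character inside a string."""
    return conn.execute(
        "SELECT * FROM CUSTOMER WHERE CUST_ID=?", (cust_id,)
    ).fetchall()


def demo():
    """Row counts for a legitimate id and for the payload under both lookups."""
    conn = build_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "C002")),
        "legit_parameterized": len(lookup_parameterized(conn, "C002")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "payload_parameterized": len(lookup_parameterized(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} {rows} row(s)")
```

The legitimate lookup returns one row either way; the payload returns the whole table through the concatenated query and nothing through the parameterized one, because the database looks for a customer literally named ' or '1'='1. Input validation on id (for example, an allow-list pattern for the expected id format) is still worth having, but binding the parameter is what removes the injection.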

A cybersecurity analyst wants to collect indicators of compromise (IoCs) to identify, investigate, and mitigate threats. What are some examples of IoCs that the analyst will be collecting? (Select the three best options.) A. Expected configuration changes B. Odd network patterns C. Unusual account behaviors D. Unfamiliar new files

B. Odd network patterns C. Unusual account behaviors D. Unfamiliar new files Odd network patterns are one of the many indicators of compromise (IoCs) that the cybersecurity analyst might collect. Other common forms of IoC include unusual outbound network traffic, logins occurring from unexpected geographic locations, and suspicious privileged user account behavior. Unusual account behavior is another example of an indicator of compromise (IoC) that the analyst might collect. If the analyst finds an unfamiliar new file on a system, it would also be an indicator of compromise (IoC). Expected configuration changes to a system are not an indicator of compromise (IoC). Unexpected configuration changes to a system would be an IoC.

A support team is preparing for an upcoming maintenance window. What tasks should the support team accomplish during the proactive maintenance windows? (Select the three best options.) A. Implement untested patches B. Restart devices C. Analyze events D. Restore critical services after a backup test

B. Restart devices C. Analyze events D. Restore critical services after a backup test Devices are often restarted during maintenance windows to apply updates, reset connections, and refresh systems. This is a standard maintenance procedure aimed at ensuring that services run optimally post-maintenance. Analyzing events during maintenance is important for identifying irregularities that could indicate problems with the maintenance activities or potential security issues. This analysis is proactive and helps in ensuring the health and security of the IT environment. Restoring critical services after a backup test can be part of a proactive maintenance strategy. This helps in confirming that backup systems are functioning correctly and that critical services can be restored in case of a failure, ensuring business continuity. While patch implementation is a crucial task, it is not typically done during the maintenance window without prior testing. Patches should be tested thoroughly before the maintenance window to ensure they do not cause issues when applied.

Someone with a casual interest in hacking techniques launches a random attack against a widely known enterprise using tools readily available online. What type of threat actor is likely behind this attack? A. Insider threat B. Script kiddie C. Organized crime D. Hacktivist

B. Script kiddie A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An insider threat arises from an actor to whom the organization has already granted identified, legitimate access. An organized crime gang can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against both individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

Data loss prevention (DLP) systems detect and prevent users from storing information on unauthorized systems or transmitting information over unauthorized networks. Which of the following are examples of DLP systems an organization can set for users? (Select the three best options.) A.Enforce the use of external media B.Implement clipboard privacy controls C.Use print blocking D.Restrict virtual desktop infrastructure (VDI) implementation

B.Implement clipboard privacy controls C.Use print blocking D.Restrict virtual desktop infrastructure (VDI) implementation DLP systems limit access to the clipboard and prevent users from placing sensitive data on the clipboard for use elsewhere. DLP systems can block printing. They can prevent the printing of sensitive information or controlled documents. This is particularly important in the healthcare industry. DLP systems can restrict virtual desktop infrastructure (VDI) implementations. Incorporating DLP features within the underlying VDI infrastructure is useful for organizations to protect all virtual desktops and govern how users can use and share data in the environment. Data loss prevention (DLP) systems usually block the use of external media. They do not enforce the use of removable devices.

A systems administrator is developing a plan for deploying Zero Trust architecture throughout the enterprise. What components of Zero Trust architecture should the administrator consider essential? (Select the three best options.) A. Increased granularity B. Network and endpoint security C. Identity and access management (IAM) D. Network segmentation

B. Network and endpoint security C. Identity and access management (IAM) D. Network segmentation

A large corporation has established a team specifically tasked with responding to routine, non-emergency security incidents. Which of the following terms best describes this team? A. CERT B. Internal sources C. CSIRT D. Government bulletins

C. CSIRT A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems. A computer emergency response team (CERT) aims to mitigate cybercrime and minimize damage by responding to incidents quickly. It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists internally or within the protected environment. Internal sources do not describe the team the corporation created. The government is responsible for protecting the country's constituents and the national infrastructure and publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance.

An organization recently had an attack that resulted in system data loss. The system administrator must now restore the system with a data backup. What functional security control was the system administrator able to implement? A. Preventative B. Responsive C. Corrective D. Compensating

C. Corrective The system administrator used a corrective control after the attack. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Responsive controls serve to direct corrective actions enacted after the organization confirms the incident. They often document these actions in a playbook. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A security analyst reviews a firewall log's source IP addresses to investigate an attack. These logs are a representation of what type of functional security control? A. Corrective B. Preventative C. Detective D. Compensating

C. Detective The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure Security Agency. Which source of defensive open-source intelligence (OSINT) does the agency represent? A. CERT B. Internal sources C. Government bulletins D. CSIRT

C. Government bulletins The government is responsible for protecting the country's constituents and the national infrastructure and publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement. A computer emergency response team (CERT) aims to mitigate cybercrime and minimize damage by responding to incidents quickly. It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the protected environment. A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems.

A large corporation's security operations center (SOC) team is processing a recent incident. The team refers to a playbook for guidance about the incident. What type of functional security control does the playbook represent? A. Corrective B. Preventative C. Responsive D. Compensating

C. Responsive Responsive controls serve to direct corrective actions enacted after the SOC team confirms the incident. The team often documents these actions in a playbook. An example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

An IT director reviews a cyber security audit and learns that an old accounting server is significantly out of compliance. Rather than attempting repairs, the director concludes that decommissioning the server is the safest course of action. What is the risk management principle the IT director is following? A. Risk acceptance B. Risk mitigation C. Risk avoidance D. Risk transference

C. Risk avoidance The IT director is electing to follow risk avoidance because of the risk and cost of bringing the server into compliance. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover that a software application has numerous high-severity security vulnerabilities. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? Continuous monitoring Continuous integration Continuous delivery Continuous deployment

Continuous deployment Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. While continuous deployment and continuous delivery sound very similar, there is one key difference. In continuous delivery, a human is still required to approve the release into the production environment. In continuous deployment, the test and release process into the production environment is automated, making the changes available for immediate release once the code is committed.

A threat actor obtains and releases confidential information about a political candidate to the public domain. The information damages the person's candidacy and helps the opposing party. These actions were likely performed by which type of threat actor? A. Insider threat B. Script kiddie C. Organized crime D. Hacktivist

D. Hacktivist Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. An insider threat arises from an actor the organization has identified and granted access to. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

Agents from a sovereign region in North Africa perform a cyber attack against the energy infrastructure of a neighboring republic. What type of threat actor does this scenario illustrate? A. Insider threat B. Organized crime C. Hacktivist D. Nation-state

D. Nation-state Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage. An insider threat arises from an actor the organization has identified and granted access to. An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

The legal affairs team of an international conglomerate elects to assign certain risks to a third party. Which risk management principle are they implementing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

D. Risk transference Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe.

A security engineer installs a next-generation firewall on the perimeter of a network. This installation is an example of what type of security control class? A. Managerial B. Operational C. Detective D. Technical

D. Technical Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The engineer would implement a technical control as a system (hardware, software, or firmware). The managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. People primarily implement operational controls rather than systems. For example, security guards and training programs are operational controls rather than technical controls. Detective is a functional control type, not a security control class.

What type of information will a Cisco switch capture when its logging is configured at level 7? Debugging Errors Warnings Emergencies

Debugging Cisco's log levels range from level 0 (emergencies) to level 7 (debugging). Debug-level logging can be quite noisy but provides large amounts of information for analysis during an incident response.

An engineer is studying the hardware architecture of a company's various systems. The engineer can find the x86 architecture in which of the following items? (Select the three best options.) A. Desktops B. ARM-based Tablets C. Laptops D. Servers

Desktops Laptops Servers Advanced RISC Machines (ARM) and x86 are common architectures. The x86 architecture dominates desktops, laptops, and server computers, while the ARM architecture dominates smartphones, tablets, and single-board computers. Laptops fall under the scope of x86 architecture. Different architectures emphasize different characteristics, such as scalability, raw processing power, power management, and other features. The engineer would also find that servers use the x86 hardware architecture. While some tablets use x86 architecture (like certain models of Microsoft Surface), many other tablets, especially those running Android or iOS, use ARM-based architectures. Therefore, ARM-based Tablets is not the best option in the context of this question.

You are a security investigator at a high-security installation which houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following steps in the preparation phase of the incident response was likely missed? Creating a call list or escalation list Conduct background screenings on all applicants Development of a communication plan Developing a proper incident response form

Development of a communication plan An established and agreed-upon communication plan, which may also include a non-disclosure agreement, should be put in place to prevent the targets of an ongoing insider threat investigation from becoming aware of it. Even if it was later determined that George was innocent, the knowledge that he was being investigated could be damaging to both him and the company. If he was an insider threat who now suspects he is under investigation, he could take steps to cover his tracks or conduct destructive action. While background screenings may prevent some people from becoming insiders, they would not prevent the unauthorized disclosure of information concerning the investigation. A call list/escalation list will help manage this kind of problem and keep the right people informed, but it will not explicitly deal with the issue of inadvertent disclosure. Similarly, a proper incident response form may include guidance for communication but would have been orchestrated as part of a larger communications plan that detailed the proper channels to use.

A cloud consultant is investigating cloud deployment types for a client. The client requires both onsite and offsite infrastructure. Which of the following deployment types should the consultant recommend to their client? Public Hybrid Microservices Private

Hybrid The consultant should recommend a hybrid cloud deployment model. A hybrid cloud would allow the client to combine resources in a public and private cloud. It is a type of cloud computing that combines a private cloud with a public cloud. Public cloud is for public access and geared toward those without the budget, resources, or desire to build and manage a private cloud or data center. Microservices is a software architecture where components of the solution are highly decoupled services not dependent on a single platform type or technology. It is not a type of cloud deployment. An organization would design, build, and manage a private cloud in-house using its own hardware and software.

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. To which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? DMZ Internal zone External zone Management network

Management network The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.

A cyber security consultant is examining security control classes for an Infrastructure as a Service (IaaS) provider. The classes measure how effectively assets are protected. Which security control class would the consultant examine to gain oversight of the information system? A. Technical B. Managerial C. Operational D. Detective

B. Managerial The managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The consultant would implement technical controls as a system (hardware, software, or firmware). People primarily implement operational controls rather than systems. For example, security guards and training programs are operational controls rather than technical controls. Detective is a functional control type, not a security control class.

Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment? Nikto Nessus Qualys OpenVAS

Nikto Nikto is a web application scanner that can perform comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. While OpenVAS, Nessus, and Qualys have the ability to scan the web servers themselves for vulnerabilities, they are not the best option to conduct a web application vulnerability assessment. OpenVAS, Nessus, and Qualys are infrastructure vulnerability scanners that focus on vulnerabilities in hosts and network devices.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? SAML ADFS Kerberos OpenID Connect

OpenID Connect OAuth2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

You are conducting a static code analysis of a Java program. Consider the following code snippet:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Untrusted value taken straight from the HTTP request
String custname = request.getParameter("customerName");
// The '?' is a bind placeholder; the user value is never concatenated into the SQL text
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the code above, what type of secure coding practice is being used? Session management Input validation Parameterized queries Authentication

Parameterized queries A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks. This code snippet is an example of a Java implementation of a parameterized query. Input validation would involve the proper testing of any input supplied by a user to an application. Since the first line takes the custname input without any validation, this is not an example of the input validation secure coding practice. Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Authentication is the act of proving an assertion, such as the identity of a computer system user. This code snippet is neither a form of session management nor authentication. For the exam, you do not need to fully understand what this code is doing, but you should understand what it is not doing. There is nothing in the code that indicates session management or receiving usernames and passwords. Therefore, we can rule out session management and authentication. This leaves us with input validation and parameterized queries as our best options. Based on the code, we see the word query multiple times, which should be a hint that the answer is a parameterized query even if you can't read this Java code fully.

A security analyst needs a data loss prevention (DLP) solution to prevent users from transferring data without authorization. What components typically make up DLP solutions? (Select the three best options.) Policy servers USB devices Endpoint agents Network agents

Policy servers Endpoint agents Network agents Data loss prevention (DLP) solutions commonly utilize policy servers to configure classification, confidentiality, privacy rules, and policies. The policy server also logs incidents and compiles reports. Endpoint agents enforce policy on client computers, even when they do not connect to the network. DLP solutions typically use network agents as a component of their systems to scan communications at network borders and interface with web and messaging servers to enforce the policy. USB devices are not typical components of DLP solutions. Instead, USB devices often facilitate the unauthorized transference of data. Email, instant messaging, and social media are other methods users can use to transfer data improperly.

What are the 7 phases of the Cyber Kill Chain?

Reconnaissance. Weaponization. Delivery. Exploitation. Installation. Command and control. Action.

A cybersecurity analyst reviews the logs of a proxy server and sees the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? Returns all web pages containing an email address affiliated with diontraining.com Returns no useful results for an attacker Returns all web pages hosted at diontraining.com Returns all web pages containing the text diontraining.com

Returns all web pages containing an email address affiliated with diontraining.com Google interprets this statement as @diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.

A support technician examines the Windows registry for a host on a local area network (LAN). The technician uses which subkey to find username information for accounts used on a computer? SAM SECURITY DEFAULT SYSTEM

SAM The Windows registry is a database for storing operating system, device, and software application configuration information. The support technician can use the Security Accounts Manager (SAM), which stores username information for accounts on the current computer. SECURITY does not store username information for accounts. Instead, SECURITY is the subkey that links to the security database of the domain the current user logged onto. DEFAULT is the subkey that contains settings for the LocalSystem account profile, not username information for accounts on the current computer. SYSTEM does not store username information for accounts. Instead, SYSTEM is the subkey that contains settings for drivers and file systems.

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? NetFlow SMTP SNMP MIB

SNMP Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

A systems administrator is setting up single sign-on (SSO) for a company. What are some of the primary benefits of SSO to an organization? (Select the two best options.) SSO allows users to access multiple systems using only a single set of credentials. SSO allows users to access multiple websites using only a single set of credentials. SSO dramatically reduces usability. SSO eliminates the risk of breached credentials.

SSO allows users to access multiple systems using only a single set of credentials. SSO allows users to access multiple websites using only a single set of credentials. With single sign-on (SSO), a user authenticates once using designated credentials and can then access different resources, whether systems or websites, seamlessly. SSO dramatically improves usability rather than reducing it. Because SSO provides powerful, seamless access to a wide range of sensitive systems and data using only a single set of credentials, the administrator should use multifactor authentication methods and SSO together to prevent attackers from easily stealing and abusing credentials. While SSO dramatically improves usability, it does not eliminate the risk of breached credentials; it comes with the risk that an attacker can use breached credentials to access a wide array of resources.

After provisioning a server, a support technician conducts system hardening. Why is system hardening such a vital practice? (Select the three best options.) System hardening eliminates monitoring software. System hardening reduces the attack surface of a system. System hardening includes disabling unnecessary services. System hardening involves patching the operating system.

System hardening reduces the attack surface of a system. System hardening includes disabling unnecessary services. System hardening involves patching the operating system. The purpose of system hardening is to reduce the attack surface of a system. Hardening involves enabling or disabling specific features and restricting access to sensitive areas of the system, such as protected operating system files, the Windows registry, configuration files, and logs. System hardening includes making many changes to a system, such as disabling unnecessary services. Best-practice hardening configurations can be very complex. Patching the operating system is one of many procedures that can take place while hardening a system. System hardening does not eliminate monitoring software. Installing monitoring software to protect against malware and intrusions is a component of system hardening.

You are interpreting a Nessus vulnerability scan report and have identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? The attacker must have access to the local network that the system is connected to Exploiting the vulnerability does not require any specialized conditions The attacker must have physical or logical access to the affected system Exploiting the vulnerability requires the existence of specialized conditions

The attacker must have access to the local network that the system is connected to The attack vector explains what type of access the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.

A cloud architect advises an associate to consider a serverless platform for their new endeavor. What benefits would the architect highlight about a serverless platform? (Select the two best options.) Serverless platforms require the management of physical or virtual server instances. There are considerable management demands for file system security monitoring. There is no requirement to provision multiple servers for redundancy or load balancing. The service provider manages the underlying architecture.

There is no requirement to provision multiple servers for redundancy or load balancing. The service provider manages the underlying architecture. There is no requirement to provision multiple servers for redundancy or load balancing. As all of the processing is taking place within the cloud, there is little emphasis on the provision of a corporate network. The service provider manages the underlying architecture. Serverless platforms offer a software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances. Rather than requiring the management of physical or virtual server instances, serverless platforms eliminate the need to manage physical or virtual instances. With serverless computing, there is little to no management effort for software and patches, administration privileges, or file system security monitoring.

A cybersecurity analyst is reviewing the logs for his company's server and sees the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Process spawned by services.exe (c:\windows\system32\inetsrv\svchost.exe)
Process spawned by services.exe (c:\windows\system32\cmd.exe)
Command line (cmd /c start C:\WINDOWS\system32\wmiprvse.exe c:\WINDOWS\system32\ 2006)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? Unauthorized privileges are being utilized Data exfiltration is occurring over the network A common protocol is being used over a non-standard port Beaconing is establishing a connection to a C2 server

Unauthorized privileges are being utilized This appears to be an indication that unauthorized privileges are being used. The first binary, svchost.exe, executes from an odd location, which indicates it might be malicious. The legitimate svchost.exe resides in C:\Windows\System32 (or SysWOW64), not in the inetsrv folder, which holds the Windows IIS web server files. That process then spawned cmd.exe to start a binary that appears to be masquerading as a Windows process, the WMI Provider Host, wmiprvse.exe; the genuine WMI Provider Host lives in C:\Windows\System32\wbem, not directly in System32. Because both processes were spawned by services.exe, they run under the account configured for the service, commonly LocalSystem, so this appears to be the beginning of a privilege escalation attack. Based on the output above, there is no evidence that data is being exfiltrated or stolen from the network, no evidence that any network protocol is being used over a non-standard port, and no evidence of beaconing or any other network activity.
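
The location check the explanation relies on can be automated. The following is an added example (not from the original page or any vendor tool) that pulls .exe paths out of process-creation log lines like those above and compares each to the directory the binary normally ships in; the expected-path table and the sample log are constructed for the example, with %SystemRoot% assumed to be c:\windows.

```python
"""Flag Windows process-creation records whose image path does not match the
directory the binary normally lives in (binary-name masquerading)."""
import re
from pathlib import PureWindowsPath

# Expected install locations for a few commonly impersonated Windows binaries.
# Lower-cased for comparison; %SystemRoot% is assumed to be c:\windows.
EXPECTED_PATHS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "cmd.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
}

# Constructed sample, modelled on the log excerpt in the question.
SAMPLE_LOG = r"""
Process spawned by services.exe (c:\windows\system32\inetsrv\svchost.exe)
Process spawned by services.exe (c:\windows\system32\cmd.exe)
Command line (cmd /c start C:\WINDOWS\system32\wmiprvse.exe c:\WINDOWS\system32\ 2006)
"""

# Drive letter, then a run of non-space/non-paren characters ending in .exe
PATH_RE = re.compile(r"[a-zA-Z]:\\[^\s()\"']+\.exe", re.IGNORECASE)


def extract_image_paths(text):
    """Return every Windows .exe path mentioned in the text, in order."""
    return PATH_RE.findall(text)


def check_image_path(path):
    """Return None if the binary runs from an expected directory, else a reason."""
    p = PureWindowsPath(path.lower())
    expected = EXPECTED_PATHS.get(p.name)
    if expected is None:
        return None  # unknown binary: nothing to compare against
    parent = str(p.parent)
    if parent in expected:
        return None
    return f"{p.name} running from {parent}; expected one of {sorted(expected)}"


def hunt(text):
    """Return (path, reason) for each image executing from an unexpected location."""
    findings = []
    for path in extract_image_paths(text):
        reason = check_image_path(path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in hunt(SAMPLE_LOG):
        print(f"SUSPICIOUS {path}: {reason}")
```

Run against the sample, the svchost.exe in inetsrv and the wmiprvse.exe outside wbem are flagged while cmd.exe passes; in a real hunt the same check is applied to Sysmon Event ID 1 Image fields at scale, with the table extended from a clean baseline host.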

A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? Processor consumption Unauthorized software Irregular peer-to-peer communication Data exfiltration

Unauthorized software This is a difficult question, but you should see a keyword in the query: "mimikatz". The rest of the query shows what the hunter is looking for: EventCode=10 is the Sysmon ProcessAccess event, whose SourceImage, TargetImage, and GrantedAccess fields record which process opened a handle to which other process and with what access rights, and the NOT clauses drop the Windows Security events 4658 (handle closed) and 4689 (process exited) that would only add noise. Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets, typically by reading the memory of the LSASS process. Other attacks it enables are pass-the-hash, pass-the-ticket, and building Golden Kerberos tickets, which make post-exploitation lateral movement within a network easy for attackers. It is definitely unauthorized software and should be alerted on immediately if discovered in your network. Data exfiltration is the process by which an attacker takes data stored inside a private network and moves it to an external network. Processor consumption as an IoC refers to abnormal per-process CPU time that points to what is causing a problem. Irregular peer-to-peer communication occurs when hosts within a network establish connections with each other over unauthorized ports or perform unexpected data transfers.
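
The Sysmon ProcessAccess records that the query above selects can be triaged directly. The following is an added example, not part of the original page, that decodes GrantedAccess and flags non-allowlisted processes that opened lsass.exe with read access; the event records, timestamps, and the allowlist are constructed for the example.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for reads of lsass.exe
memory, the behaviour a mimikatz hunt is really looking for."""

# Process access rights from winnt.h.  Dumping credentials from LSASS needs
# PROCESS_VM_READ; mimikatz's sekurlsa module typically appears with
# GrantedAccess 0x1010 (VM_READ | QUERY_LIMITED_INFORMATION) or 0x1410.
ACCESS_RIGHTS = [
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
PROCESS_VM_READ = 0x0010

# Sources that legitimately read LSASS memory in many environments.  This is
# an assumption for the example; derive the real list from your own baseline.
SOURCE_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed records using the Splunk field names from the query.
LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T10:02:11", "EventCode": 10, "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe", "TargetImage": LSASS},
    {"_time": "2024-03-04T10:02:30", "EventCode": 10, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS},
    {"_time": "2024-03-04T10:03:05", "EventCode": 10, "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"_time": "2024-03-04T10:03:40", "EventCode": 10, "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS},
    {"_time": "2024-03-04T10:04:00", "EventCode": 1,   # process create, not access
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"_time": "2024-03-04T10:04:02", "EventCode": 10, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS},
]


def decode_access(granted):
    """Return (mask, [right names]) from Sysmon's GrantedAccess (hex string or int)."""
    mask = int(granted, 16) if isinstance(granted, str) else int(granted)
    return mask, [name for bit, name in ACCESS_RIGHTS if mask & bit]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lsass_read(event):
    """True when a non-allowlisted process opened lsass.exe with VM_READ."""
    if event.get("EventCode") != 10:
        return False
    if _basename(event.get("TargetImage", "")) != "lsass.exe":
        return False
    mask, _ = decode_access(event.get("GrantedAccess", "0x0"))
    if not mask & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in SOURCE_ALLOWLIST


def find_lsass_access(events):
    """One finding per suspicious access, in the query's stats columns."""
    findings = []
    for ev in events:
        if is_lsass_read(ev):
            mask, names = decode_access(ev["GrantedAccess"])
            findings.append({"_time": ev["_time"], "SourceImage": ev["SourceImage"],
                             "TargetImage": ev["TargetImage"],
                             "GrantedAccess": f"0x{mask:X}", "rights": names})
    return findings


if __name__ == "__main__":
    for f in find_lsass_access(SAMPLE_EVENTS):
        print(f["_time"], f["SourceImage"], f["GrantedAccess"], ",".join(f["rights"]))
```

The mimikatz.exe and rundll32.exe accesses are reported; the AV engine is allowlisted, Task Manager only queried limited information, and the notepad access is not against LSASS at all. Matching on behaviour (who read LSASS, with what rights) rather than the string "mimikatz" also catches renamed copies of the tool.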

Which of the following functions is not provided by a TPM? Secure generation of cryptographic keys Sealing Random number generation User authentication Binding Remote attestation

User authentication User authentication is performed at a much higher level, by the operating system or an application; a TPM may protect the keys such a scheme relies on, but it does not itself authenticate users. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and it is designed so that software running on the host, including malware, cannot tamper with its security functions or extract the keys it holds. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation (reporting signed platform measurements to a verifier), binding (encrypting data to a TPM-held key), and sealing (binding that additionally requires the platform to be in a specified measured state before the data is released).
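
To see why remote attestation and sealing can detect a tampered boot chain, here is an added example (not from the page) that models the PCR extend operation a TPM performs on each measurement and a verifier's replay of a known-good measurement log. The boot components are made-up strings standing in for real firmware and kernel images, and the signing of the PCR values with an attestation key (TPM2_Quote) is omitted.

```python
"""Model of the PCR extend hash chain behind TPM remote attestation.
A verifier replays a known-good measurement log and compares the result with
the PCR value the platform reports.  The quote signature step is omitted."""
import hashlib
import hmac

# A SHA-256 PCR bank reads as 32 zero bytes after platform reset.
PCR_RESET = bytes(32)

# Constructed boot chain: the strings stand in for real firmware, bootloader
# and kernel images, listed in the order they are measured.
GOLDEN_CHAIN = [b"UEFI firmware 1.2", b"Shim bootloader 15.7", b"Linux kernel 6.1 vmlinuz"]
TAMPERED_CHAIN = [b"UEFI firmware 1.2", b"Shim bootloader 15.7", b"Linux kernel 6.1 vmlinuz (bootkit)"]
REORDERED_CHAIN = [GOLDEN_CHAIN[1], GOLDEN_CHAIN[0], GOLDEN_CHAIN[2]]


def measure(component: bytes) -> bytes:
    """Digest of a boot component, as computed by the stage that loads it."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: new = H(old || digest).
    A PCR can only be extended, never written, so no later stage can erase
    what an earlier stage recorded, and order matters because it is a chain."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(components) -> bytes:
    """Recompute the PCR value that measuring these components in order yields."""
    pcr = PCR_RESET
    for component in components:
        pcr = pcr_extend(pcr, measure(component))
    return pcr


def verify_attestation(reported_pcr: bytes, golden_components) -> bool:
    """Verifier side: trust the platform only if the reported PCR equals the
    value replayed from the known-good log.  Sealing applies the same test
    inside the TPM before releasing a sealed secret."""
    return hmac.compare_digest(reported_pcr, replay_log(golden_components))


if __name__ == "__main__":
    for label, chain in (("golden", GOLDEN_CHAIN), ("tampered kernel", TAMPERED_CHAIN),
                         ("reordered", REORDERED_CHAIN)):
        pcr = replay_log(chain)
        print(f"{label:16} PCR={pcr.hex()[:16]}... trusted={verify_attestation(pcr, GOLDEN_CHAIN)}")
```

Only the golden chain verifies; a one-byte change in the kernel image or swapping the order of two stages yields an unrelated PCR value, which is what makes an attestation quote (or a sealed disk key) useful evidence that the platform booted the software the verifier expects.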

A support manager is deploying multifactor authentication (MFA) in a corporate office. What is true of MFA? (Select the three best options.) Using at least two of the three factors of authentication is called multifactor authentication (MFA). MFA can use multiple authentication factors combined with authentication attributes. When using MFA, abusing authentication becomes far more simplified. With MFA in place, a username and password can be breached but are unusable without the additional factor.

Using at least two of the three factors of authentication is called multifactor authentication (MFA). MFA can use multiple authentication factors combined with authentication attributes. With MFA in place, a username and password can be breached but are unusable without the additional factor. Multifactor authentication (MFA) uses at least two of the three authentication factors: something you know (a password or PIN), something you have (a token or smart card), and something you are (a biometric). MFA can combine these factors with authentication attributes, such as gait analysis and geolocation, to improve its rigor further. With MFA in place, an attacker can breach a username and password, but these items are unusable without the additional factor. Abusing authentication therefore becomes far more complex, not simpler: when MFA requires a password plus a token-generated code or a fingerprint scan, the attacker has to defeat each factor separately.

What computing environment can an administrator use to install multiple independent operating systems on a single hardware platform and run them simultaneously? Container Serverless computing Microservices Virtualization

Virtualization A computing environment where an administrator can install multiple independent operating systems on a single hardware platform and run them simultaneously is virtualization. The administrator would not use a container in this situation. A container is an operating system virtualization deployment containing everything the system requires to run a service, application, or microservice. Serverless computing is a software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances. Microservices is a software architecture where components of the solution are highly decoupled services that are not dependent on a single platform type or technology.

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? Configuration management Automatic updates Vulnerability scanning Scan and patch the device

Vulnerability scanning The best option here is vulnerability scanning, as this allows the IT team to know what risks the appliance introduces to their network and where subsequent mitigations may be possible. Configuration management, automatic updates, and scanning and patching the device would all be preferable in principle, but none of them is viable without administrative access to the appliance, which the vendor retains under the managed service. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then recommend compensating controls implemented outside the appliance, such as firewall rules restricting what can reach it, a WAF in front of it, and network segmentation, to minimize the exposure of any vulnerabilities it presents.

What SCAP component could be used to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? CVE XCCDF CPE CCE

XCCDF XCCDF (Extensible Configuration Checklist Description Format) is an XML-based language for writing security checklists and benchmarks and for recording the results of checking a system against them in a standard form, so different teams can use the same checklist and their results can be compared and consumed by any SCAP-aware tool. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers for system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
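
As an added illustration, not taken from any published benchmark, here is a minimal XCCDF 1.2 document showing the two halves the question describes: a Rule selected by a Profile that several teams can share, and a TestResult recorded in the same format. The organization, host, dates, ids, and the referenced OVAL file are invented.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative XCCDF 1.2 fragment; ids follow the xccdf_<reverse-DNS>_<type>_<name> convention. -->
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_linux-server"
           resolved="true" xml:lang="en">
  <status date="2024-01-15">draft</status>
  <title>Example Linux Server Hardening Checklist</title>
  <version>1.0</version>

  <!-- A Profile picks which rules apply; different teams can share one
       benchmark and select different profiles. -->
  <Profile id="xccdf_org.example_profile_baseline">
    <title>Baseline</title>
    <select idref="xccdf_org.example_rule_ssh-root-login-disabled" selected="true"/>
  </Profile>

  <!-- The checklist item. The actual test is delegated to an OVAL definition. -->
  <Rule id="xccdf_org.example_rule_ssh-root-login-disabled" severity="medium" selected="false">
    <title>SSH root login is disabled</title>
    <description>sshd_config must set PermitRootLogin to no.</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>

  <!-- Results are recorded in the same document format, so any SCAP-aware
       tool can consume them regardless of which team ran the scan. -->
  <TestResult id="xccdf_org.example_testresult_2024-01-16T09-30-00"
              start-time="2024-01-16T09:30:00" end-time="2024-01-16T09:31:12">
    <benchmark href="linux-server-xccdf.xml" id="xccdf_org.example_benchmark_linux-server"/>
    <profile idref="xccdf_org.example_profile_baseline"/>
    <target>web01.example.internal</target>
    <rule-result idref="xccdf_org.example_rule_ssh-root-login-disabled" time="2024-01-16T09:30:41">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">0</score>
  </TestResult>
</Benchmark>
```

The Rule says what to check, the OVAL reference says how, and the TestResult says what was found on which target and when; because all three use the same schema, a scanner run by the Linux team and one run by the audit team produce results that can be merged and compared.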

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN OUTPUT
# nmap win2k16.local
Nmap scan report for win2k16 (192.168.2.15)
Host is up (0.132452s latency)
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# nc win2k16.local 80
220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)
# nc win2k16.local 22
SSH-2.0-OpenSSH_7.2 Debian-2
#
END OUTPUT -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Your web server has been compromised Your email server is running on a non-standard port Your organization has a vulnerable version of the SSH server software installed Your email server has been compromised

Your email server is running on a non-standard port As shown in the nmap output, only two ports are open, and both are well-known ports: 22 (SSH) and 80 (HTTP). But when netcat is run against port 80, the service that answers sends a 220 greeting identifying itself as an SMTP server (Postfix), not an HTTP response. SMTP runs on port 25 by default, so running it on port 80 means your email server (SMTP) is running on a non-standard port. Note that nmap labels a port with the service normally registered to it, not with what is actually listening; a banner grab such as this one, or a version scan (nmap -sV), is needed to see the real protocol. Nothing in the output shows that either server has been compromised, and a version string in a banner is not by itself evidence of a vulnerable version, so the remaining options are not supported by the output.
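
The reasoning above, matching what a service says about itself against the port it is listening on, is easy to automate across many hosts. This added example (not from the page) classifies banners like the two captured with netcat and reports protocol/port mismatches along with the version strings worth checking later; the signature table is deliberately small, and the sample banners are taken from the question output.

```python
"""Identify a service from its banner and compare with the port's IANA
default; a mismatch means a known protocol is running on a non-standard port."""
import re

# Port each protocol is registered on; anything else is "non-standard".
DEFAULT_PORTS = {"ssh": 22, "smtp": 25, "http": 80, "ftp": 21}

# Banner fingerprints, checked in order.  Servers that speak first (SSH, SMTP,
# FTP) hand a banner to a bare connection; HTTP only answers a request, so an
# HTTP status line is what a probe would have received.
BANNER_SIGNATURES = [
    ("ssh",  re.compile(r"^SSH-\d\.\d-")),
    ("ftp",  re.compile(r"^220[ -].*FTP", re.IGNORECASE)),
    ("smtp", re.compile(r"^220[ -].*\b(E?SMTP|Postfix|Exim|Sendmail)\b", re.IGNORECASE)),
    ("http", re.compile(r"^HTTP/\d(\.\d)? \d{3}")),
]

# Product_version or product/version tokens such as OpenSSH_7.2 or Postfix/2.4.1
VERSION_RE = re.compile(r"[A-Za-z][\w-]*[_/]\d+(?:\.\d+)+")

# Constructed from the netcat output in the question.
SAMPLE_BANNERS = [
    (80, "220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1)"),
    (22, "SSH-2.0-OpenSSH_7.2 Debian-2"),
]


def identify_protocol(banner):
    """Return the protocol name a banner advertises, or None if unrecognised."""
    for proto, rx in BANNER_SIGNATURES:
        if rx.search(banner):
            return proto
    return None


def extract_version(banner):
    """Return the first product/version token, for later CVE lookup.
    Banners can be edited by the administrator, so treat this as a lead only."""
    m = VERSION_RE.search(banner)
    return m.group(0) if m else None


def classify(port, banner):
    """Describe one observation and flag protocol/port mismatches."""
    proto = identify_protocol(banner)
    default = DEFAULT_PORTS.get(proto)
    return {
        "port": port,
        "protocol": proto,
        "default_port": default,
        "mismatch": proto is not None and default is not None and default != port,
        "version": extract_version(banner),
    }


def find_mismatches(observations):
    """Return the classifications whose protocol is not on its default port."""
    return [c for c in (classify(p, b) for p, b in observations) if c["mismatch"]]


if __name__ == "__main__":
    for c in find_mismatches(SAMPLE_BANNERS):
        print(f"port {c['port']}: {c['protocol']} (default {c['default_port']}), version {c['version']}")
```

For the question's output this reports SMTP on port 80 with version Postfix/2.4.1 and nothing for port 22, where SSH is on its default port; OpenSSH_7.2 is extracted as a version to research, not as a finding.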

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) journalctl _UID=1003 | grep -e [Tt]erri | grep sudo journalctl _UID=1003 | grep sudo journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo journalctl _UID=1003 | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep sudo journalctl is the command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection; it retrieves messages from the kernel, systemd services, and other sources and gathers them in a central location, which makes them easy to review. If you specify the match _UID=1003, you will only receive entries that originated from processes running as the user with ID (UID) 1003; in this case, that is Terri. Using a pipe, we send that list of entries to grep as its input and filter the results before they are printed. This command is sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there were too many results, we could filter further with grep regular expressions using the -e flag (quoting the pattern, so the shell does not treat [Tt]erri as a filename glob). Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri or 1003 to the grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four commands would produce the same results, the most efficient option is "journalctl _UID=1003 | grep sudo". Two practical caveats: journalctl can only show what the journal has retained, so "ever issued" holds only if persistent journal storage was enabled (a /var/log/journal directory exists) and the entries have not been rotated away; and in an insider-threat case it is worth cross-checking with journalctl _COMM=sudo (matching on the logging process name rather than the UID) or the distribution's auth log before drawing conclusions. Don't be intimidated by questions like this; walk through each part of the command step by step and determine the differences. You may not have known what journalctl is, but you didn't need to: you needed to identify the shortest grep pipeline that would still get the job done. By comparing the differences between the options presented, you could identify the right one.

Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following is cause for concern, and what mitigation would you recommend to overcome it? strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent an integer overflow

strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C and C++ contain built-in functions such as strcpy that do not check whether the data being copied will overwrite the boundaries of the destination buffer. The developer must identify such insecure functions and ensure that every call made to them is performed securely, for example by replacing strcpy with a copy that takes an explicit destination size and by validating input lengths. Many development projects use memory-safe languages such as Java, Python, and PHP, whose runtimes perform bounds checking and raise an exception rather than let a write run past the end of a buffer. However, changing languages may be infeasible in an environment that relies heavily on legacy code, and rewriting the entire system, while desirable, would be costly and time-consuming and is not an immediate mitigation. That leaves ASLR as the best of the listed options. Be precise about what it does: ASLR does not stop the overflow from occurring; it randomizes where the stack, heap, and libraries are loaded so that an attacker cannot rely on fixed addresses, which makes reliable exploitation of the overflow much harder. In practice it is combined with compiler protections such as stack canaries and non-executable stacks. Finally, strcpy works only on NUL-terminated strings, not integers, so the integer-overflow options are incorrect; the vulnerability strcpy introduces is a buffer overflow, because it performs no boundary check.
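
To make the strcpy point concrete, here is an added C example, not code from the payroll system in the question, that places the vulnerable pattern beside a bounded replacement. The employee struct, field sizes, and names are invented; the unsafe function is included for comparison and is deliberately not called with oversized input, since that write is undefined behaviour.

```c
/* strcpy without a bound, beside a copy with an explicit bound and policy. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16

/* Illustrative record: the field after the buffer is what an overflow
 * clobbers first in practice. */
struct employee {
    char name[NAME_LEN];
    unsigned int pay_grade;
};

struct employee g_emp = { "", 7 };

/* VULNERABLE: strcpy stops only at the source NUL, never at the destination
 * bound.  A name of NAME_LEN or more characters writes past name[] into
 * pay_grade and, for longer inputs, into whatever follows the struct. */
void set_name_unsafe(struct employee *e, const char *src)
{
    strcpy(e->name, src);
}

/* HARDENED: the destination size is explicit and the policy is explicit.
 * Returns 0 on success; -1 and an empty string if src would not fit
 * (including its terminating NUL) or an argument is invalid.  Rejecting is
 * safer than silently truncating a payroll record, where a truncated name
 * could be mistaken for another employee's. */
int set_name_safe(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* memchr bounds the scan to dstsz bytes, so an unterminated or oversized
     * src cannot cause an out-of-bounds read either. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* +1 copies the NUL */
    return 0;
}

/* Record-level setter: the size comes from the field, not from the caller. */
int employee_set_name(struct employee *e, const char *src)
{
    return set_name_safe(e->name, sizeof e->name, src);
}

int main(void)
{
    const char *inputs[] = { "Ada Lovelace", "Bartholomew Featherstonehaugh" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = employee_set_name(&g_emp, inputs[i]);
        printf("%-32s -> rc=%d name=\"%s\" pay_grade=%u\n",
               inputs[i], rc, g_emp.name, g_emp.pay_grade);
    }
    /* set_name_unsafe(&g_emp, inputs[1]) would overflow name[] and overwrite
     * pay_grade (and beyond); it is deliberately not executed here. */
    return 0;
}
```

The 29-character name is rejected and pay_grade is untouched; with strcpy the same input would have silently rewritten it. Replacing strcpy calls this way is the code-level fix the exam answer defers, and it works regardless of whether ASLR is enabled on the host.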

You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? tracert nbtstat ipconfig netstat

tracert The tracert (trace route) diagnostic utility on Windows determines the route to a destination by sending ICMP echo request packets with increasing IP Time-To-Live (TTL) values. Each router that decrements the TTL to zero discards the packet and returns an ICMP "Time Exceeded" message to the source, so the sequence of these messages from intermediate routers reveals the path. (The Linux traceroute command works the same way but sends UDP probes by default.) ipconfig displays the current TCP/IP network configuration values of the local system. netstat is a command-line utility that displays active TCP connections, routing tables, and network interface and protocol statistics for a single system. nbtstat is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

