CyberVista
You run a vulnerability scan and receive the scanning report. You want to address the four vulnerabilities with the CVSS Base Scores shown here: Vulnerability A - 1.7; Vulnerability B - 9.4; Vulnerability C - 8.2; Vulnerability D - 5.3. When you analyze the vulnerabilities, you discover that Vulnerabilities A and C are easily addressed with minimal effort. Vulnerability B requires extensive effort, and Vulnerability D requires a medium amount of effort. Which vulnerability should you address first?
C
The organization hired a penetration tester to assess the vulnerability of the network. You have been assigned the task of assisting her in this process as a learning exercise. You observe her opening a command line and executing the following command: dig axfr dns3.yourcompany.com What type of attack is she attempting?
DNS harvesting
Which of the following is used to drive improvement in the security posture of the organization?
lessons learned document
Recently, one of your employees was discovered to be conducting hacking activities from inside the network. When he was taken into custody, he had just executed the following commands: nslookup dns3.yourcompany.com; set type=any; ls -d Which of the following steps in reconnaissance was he attempting?
DNS harvesting
An organization recently suffered a data breach. When the issue was investigated, it was found that a disgruntled employee concealed product release dates within an image file he sent to someone else. What is this process called?
steganography
During a forensic investigation, you find that there is evidence located in several locations on a device. You would like to collect the most volatile evidence first. Which of the following is the most volatile?
swap space
You and the other members of your team are discussing the benefits and risks of a cloud environment versus an on-premises environment. The discussion turns to security. Which statement is NOT true regarding cloud security?
It is easier to control administrative access.
There have been reports from several users that they cannot access the Internet using the WLAN. You question them and find that they have connected to the same SSID they always do. Further investigation indicates that the source MAC address of the wireless frames being received by the users with the issue is NOT the MAC address of the wireless router. What type of issue should you suspect?
rogue AP
You have identified several inhibitors to your company's vulnerability management process. Which of the following is an organizational governance inhibitor?
Following formal change control procedures
Over time, the remote access needs of the user base in your network have become more and more granular. For example, you need to allow the Sales group access to the VPN connection but only under the following conditions: If they are connecting from home using their work laptop, they can connect at any time. If they are connecting from anywhere else using their work laptop, they can connect from 9 a.m. to 5 p.m. If they are connecting from anywhere using a non-work device, they cannot connect. What type of system could you deploy that would make these types of configurations possible?
NAC
A representative of a company that sells vulnerability scanners is making a presentation to your security team. He is using the software shown in the exhibit.
NESSUS
While analyzing the results of the most recent vulnerability scan, Sara reads the following information about a vulnerability detected on an Apache web server:
No special conditions are required.
The security team is doing some planning for a risk evaluation. Recently some security events went unrecorded because the log was full. Today the team was discussing the proper mitigation for that issue. What part of risk evaluation are they performing?
Technical control review
You just observed a meeting of the risk evaluation team. They were assigning the values of high, medium, and low to some threats they had identified. What part of risk evaluation are they performing?
Technical impact review
Which of the following is a good example of exercising care in ensuring the source authenticity and integrity of the components of hardware purchased from a vendor?
Trusted Foundry program
Which of the following is a common standard used for network access control?
802.1x
After performing a vulnerability scan, you receive the scanning report. A CVSS vector is provided as part of this report. For one of the vulnerabilities, you need to determine which metric measured may be a concern. The CVSS vector for this vulnerability is: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N Which metric has a value that you should NOT be concerned with?
A
After performing a vulnerability scan, you receive the scanning report. A CVSS vector is provided as part of this report. For one of the vulnerabilities, you need to determine the type of access the attacker will need to the affected system for the vulnerability to occur. Which metric of the CVSS vector should you consult?
AV
The accounting team has asked for your advice concerning the handling of some sensitive data. They want to protect the information with cryptography when it is stored on a server. Which encryption algorithm would you suggest to be used for this?
AES
Recently your network was attacked, and the attack had the following characteristics: It appeared to be directed at your organization specifically. It was carried out over a long period of time. It appeared to originate from multiple sources. The attack targeted specific assets. The team is performing threat classification. Which of the following is the best description of this attack?
APT
John is analyzing the results of a vulnerability scan and reads the following information about a vulnerability detected on a Linux server:
All three are equal
After performing a vulnerability scan, you receive the scanning report. A CVSS vector is provided as part of this report. For one of the vulnerabilities, you need to determine which metric measured may be a concern. The CVSS vector for this vulnerability is: CVSS2#AV:L/AC:H/Au:N/C:N/I:N/A:N Which metric has a value that is undesirable?
Au
The security team is compiling a list of the types of patches or updates that should be performed on a regular basis. Which of the following types of patches are NOT important on routers and switches?
Antivirus updates
Your team has deployed a new NAC system. The team is reviewing the methods available to the system to make access control decisions. Which of the following is NOT one of the types of NAC operation?
Behavioral-based
Recently, there was an attack on a device that was targeted via Telnet. Telnet connections are never used in your network. Technicians must use SSH for remote sessions at the command line. You would like to stop this type of attack from happening again. What would be the quickest way to stop this?
Block port 23 at the perimeter firewall
Which of the following acts as the network defense team in a training exercise?
Blue team
During a recent vulnerability scan, you were scanning the network infrastructure. When the scan finished, you received the following vulnerability message:
Change to TLS 1.1 or higher.
You need to provide your company with a report regarding potential security-related software flaws. You need to use standardized names so that a security analyst contractor can understand the report. Which SCAP component should you use?
CVE
Recently, your organization has become increasingly concerned with the security of interconnected networks. As a security analyst, you have been asked to provide vulnerabilities that can be associated with this. Which vulnerability should be of a primary concern?
Cascading failures
After running a vulnerability scan on your network, you analyze the vulnerabilities that were identified. You notice that a server in the accounting department has several vulnerabilities listed. You need to obtain information on the applications and services installed on the server. Which of the following is most likely to contain the information you need?
Configuration management system
You are examining a server that has undergone a SQL injection attack. Which server is most likely the victim of this attack?
Database server
You have come up with a remediation for a vulnerability that was discovered on the most recent vulnerability scan of your company's file servers. You are unsure of the effects of the remediation. What should you do first?
Deploy the remediation in a sandbox environment
You just received a call from an associate who said he discovered a rogue switch on the network. What is the best course of action to take in response?
Disable DTP on all switch ports
You are investigating the symptoms displayed by a device in your network. The system is experiencing very high consumption of bandwidth during a time when there should not be a heavy workload on the device. Which issue is the most likely concern?
DoS attack
Which of the following is the final step in a pen test?
Document the results of the penetration test, and report the findings to management with suggestions for remedial action.
As your company's security analyst, you frequently run vulnerability scans using products from different vendors. You are explaining to a team of analysts the importance of using the CVSS Base Score and want them to know which calculations help to determine it. Which of the following is NOT a required calculation?
Exploitability function
Tom is analyzing the results of a vulnerability scan and is examining a vulnerability detected on one of his servers that has a CVSS breakdown as follows: CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P Which one of the following statements is FALSE about this vulnerability?
Exploiting the vulnerability requires either physical access to the target or a local (shell) account on the target.
Bob is analyzing the results of a vulnerability scan. He examines a vulnerability detected on one of his servers that has a CVSS breakdown as follows: CVSS2#AV:N/AC:H/Au:M/C:P/I:N/A:N Which one of the following statements is true about this vulnerability?
Exploiting this vulnerability would require two or more instances of authentication.
Bob is analyzing the results of a vulnerability scan. He examines a vulnerability detected on one of his servers that has a CVSS breakdown as follows: CVSS2#AV:A/AC:H/Au:M/C:N/I:C/A:N Which one of the following statements is TRUE about this vulnerability?
Exploiting this vulnerability would result in total compromise of system integrity.
You are training a new member of the cyber security team. Currently she is assisting you in responding to a cyber incident. You place her in charge of the forms in the forensic toolkit and ask her to complete each form as required while the investigation proceeds. After you determine that this incident is low priority, she becomes confused and asks where she should record this type of information. On which form does this information go?
Incident form
You are hired as a security analyst for a company. The company's network contains mainly Windows 8 and Windows Server 2012 computers. One Windows Server 2003 computer has been retained to support a legacy application. You run a non-credentialed vulnerability scan on the network. When you receive the results, you note a number of vulnerabilities that are similar to the following two exhibits:
Install all the latest patches and service packs for the Windows Server 2003 computer.
Your company has a centralized patch deployment system. Which of the following systems is MOST likely to still have patch vulnerabilities?
IoT
Your vulnerability analysis scan has identified several vulnerabilities and assigned them a CVSS score. Issue A has a score of 4.3, Issue B has a score of 9.1, Issue C has a score of 1.6, and Issue D has a score of 7.7. Which issue should take priority?
Issue B
In a presentation to the team, a vendor is describing an access control system in which users do not control access to resources. A department head classifies the sensitivity of each resource, and then access to resources is based on the sensitivity level assigned to users. What type of system is this?
MAC
After a recent incident in which several network attacks occurred at once, several systems were down longer than was necessary because the team's response was somewhat confused. The team has decided to determine the longest amount of time the company can function without an asset before causing damage to the organization. The team needs to make this determination on an asset-by-asset basis. Which of the following factors are they trying to determine?
MTD
Recently, your network suffered an attack that was unsuccessful. As a result, you are reviewing the access control list (ACL) on the routers. Which of the following is NOT a recommendation for ACLs?
Never include a permit statement in an ACL
Obtaining which of the following can reduce the likelihood of purchasing counterfeit equipment?
OEM documentation
You are analyzing the results of a vulnerability scan. One of the vulnerabilities detected on one of your servers has the following CVSS breakdown: CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:P Where would an attacker need to be located to exploit this vulnerability?
On the local system
Your boss needs assistance with some network reconnaissance activities. Using a tool called Nmap, he has executed the following command: nmap -O scanme.yourcompany.org Which of the following steps in reconnaissance is he performing?
Operating system fingerprinting
You have just been hired as a junior cyber security analyst. The orientation process involves shadowing a senior analyst. To gauge your current knowledge level, the senior analyst is testing your ability to recognize various tools of the trade. He gives you a quick look at a tool's GUI.
Packet analyzer
After some issues with damaged evidence during a forensic investigation, the team is reviewing the collection and storage of evidence to improve the process. You are reviewing the features of various tamper-evident bags to be used to hold evidence, such as hard drives and other storage devices. Which of the following is the most important feature?
Provides anti-static shielding
Which of the following attacks is more likely to only affect mobile devices and not desktop computers?
QR code-based attacks
After performing a vulnerability scan on your company's SQL server, you identify several issues that need to be handled. All of the identified issues will require changes to the current configuration of the SQL server. Your company has an established change control process in place. What should you submit to start this process?
RFC
The cyber team just returned from a security conference where they learned about the value of determining the MTD for each asset. They have made these determinations. Now they are creating realistic goals for recovering these assets in the event they go down. What determination are they now making?
RTO
You perform a vulnerability scan and receive the vulnerability report. After you mitigate the vulnerabilities, you must prepare a report for management. One of management's favorite reports is a trending report that graphs the types of vulnerabilities over time. When you complete the report, you notice there has been a steady rise of malware infections on desktop computers over the past six months, despite the fact that anti-malware software is installed. You need to provide a solution to this issue. Which of the following should you suggest?
Require that all users attend mandatory security awareness training
After performing a vulnerability scan, you receive a vulnerability report. While working to remove the vulnerabilities from your network, you notice that one of the vulnerabilities could result in a DoS attack. One of your company's servers was recently the victim of a DoS attack. You want to determine if that attack was the result of the vulnerability reported. What should you do?
Review the logs on the server from the time when the attack occurred
As a security analyst for your company, you are responsible for helping to analyze risks. After completing this process, you need to document the amount of risk your organization is willing to tolerate in their computing environment. Which term is used to describe this risk amount?
Risk appetite
Which of the following helps to prioritize the application of resources to the most critical vulnerabilities?
Risk assessment matrix
You just received an alert from the IDS that there has been a big spike in traffic during the last five minutes. Which of the following possible explanations is NOT a valid concern?
Rogue AP
After performing a vulnerability scan, another analyst reports to you that a vulnerability has been found on the Web server. The Web server has only one authentication mechanism to prevent exploitation. When you obtain the report, you locate the identified vulnerability. What should the Au metric ranking be?
S
Your organization's management has recently spent time discussing attacks against companies and their infrastructures. During the meeting, the Stuxnet attack was discussed. Against which type of system did this attack occur?
SCADA
Your company is governed by several regulations that state that you must use automated systems that provide CCE and CVE identifiers for vulnerability scans. Which of the following should you implement?
SCAP
Which of the following is a technique that can be used to run a possibly malicious program in a safe environment so it does not infect the local system?
Sandboxing
You were just assigned to shadow a senior cybersecurity analyst as part of your training. Your first encounter with her catches her right in the middle of using a sniffer. She is focused on the packet shown in the figure below:
She is sniffing a wireless network.
Recently there was a DoS attack on one of the servers that succeeded in taking it down for three hours. You would like to deploy a solution that would allow you to detect a huge rush of traffic to a specific device and route it somewhere away from the device. What technique could you use?
Sinkholes
Your assistant applied the following access list to a router interface: ip access-list standard workstations / permit 172.16.2.88 / deny 172.16.3.13 Which of the following statements is TRUE of the access list?
The only device allowed will be at 172.16.2.88.
Your assistant is trying to learn about access control lists (ACLs). He is compiling some notes about ACLs. Which of the following statements is NOT true of ACLs?
The packet is compared to every line on the list, the "best" match is selected, and the specified action is taken.
You are reviewing the report submitted by a penetration tester. In the report she states that when she used Nmap to scan for the state of ports on the device at 192.168.5.5, she received a state of Filtered for port 80. What does that state mean?
The port is being blocked by a firewall.
After several issues were created by using a production workstation to process a forensic investigation, the company decided to build a dedicated forensic workstation. Which of the following does SANS NOT recommend as a requirement for that workstation?
The system must support wireless connectivity
Your boss wants to deploy a symmetric key algorithm. You are attempting to talk him out of this idea by listing characteristics of these algorithms. Which of the following is NOT true of symmetric key algorithms?
They are typically used only for key exchange
Your assistant created an access list on a Cisco router, and the list is not working correctly. The first thing you ask him is whether he understands how these lists work. In what order are the lines of an access list read when an access list is applied to a router interface? (Choose two.)
Top to bottom, if it is a standard access list; Top to bottom, if it is an extended access list
You suspect that a device has been compromised and is communicating with a remote C&C server. Which of the following symptoms would be indicative of this?
Traffic leaving your network at regular intervals from the same device to the same destination
The team has been assigned to perform host hardening of the servers in the sales domain. Which of the following activities would NOT be a part of this goal?
Using encryption for all transmissions
You have run a Nessus vulnerability scan on several Linux servers. When you receive the scan report, you suspect that there are several false positives on the report. What should you do FIRST?
Verify the false positives to ensure that you can eliminate them from the report.
You are working with a new security analyst on a recent non-credentialed Nessus vulnerability scan. You need to document the number of devices that are impacted by a particular vulnerability. The new security analyst does not know how to obtain this information. Which of the following should you instruct the analyst to obtain?
Vulnerabilities Grouped by Plugin
While performing a regular analysis of the firewall log, you discover that there is traffic leaving your network at regular intervals from the same device to the same destination. What is this type of traffic called?
beaconing
After arriving at the scene of a security incident, you secure the area and begin collecting evidence. As you begin this process, you record who has handled the evidence, when they handled it, and the order in which the handlers were in possession of the evidence on a form included in the digital forensic toolkit. What is this form called?
chain of custody form
You are your organization's security analyst. Recently, you discovered that an attacker injected malicious code into a Web application on your organization's Web site. You discovered this attack by reviewing the log data on the Web servers. Which type of attack did your organization experience?
cross-site scripting
A security service to which you subscribe just announced that a new threat exists for which no mitigation has been found. However, the application targeted by the threat is known. What would be the best description of this threat?
known unknown
After a security breach occurred this morning, the cyber team is trying to identify all network-related symptoms of the event. Which of the following is NOT a network-related symptom of an attack?
malicious processes
One of your users is complaining about poor performance on his device. When you examine his device, you find that although he has no programs running, processor utilization is very high. At the same time, there is zero network utilization. Which issue may you be facing?
malware
You are in the process of completing final documentation of an incident investigation. You are classifying all of the symptoms exhibited during the incident. One of these symptoms of the target machine was unusually high memory consumption. Which of the following incident types could cause this condition?
malware
A user is complaining about the performance of his device. You investigate and discover that an application that the user downloaded and installed is using more and more memory as you monitor its use of memory. There appears to be no network activity while this is occurring. Which of the following is most likely the source of this issue?
memory overflow
After a recent DoS attack, you discovered that one of your internal devices that can be reached externally has command and control software installed on it that allows it to send instructions to other devices in your network. What type of arrangement is this called?
peer-to-peer botnet
The cyber team just received an alert from one of the IDS systems that indicates that a system in the network is sending ICMP request packets to every IP address in the 192.168.0.0/24 network. What is most likely occurring?
ping sweep
Which of the following is used to sanitize an SSD?
special commands
It has been a hectic day for the cyber security team. Three separate attacks were detected, and attacks are still ongoing. The team is struggling to decide which incident should have the most resources devoted to it. Which of the following is NOT a factor to be considered when prioritizing the incidents?
the order in which the incidents were reported
Today there are two active attacks that have been detected by the IDS. One appears to be a malware attack affecting most of the network, and the other is a DDoS attack on your DNS server. Your boss has instructed the team to determine the scope of each attack before the attacks are prioritized for response. Which of the following is NOT considered a part of scope consideration?
the type of data that could be at risk
Today you received an email from a department head, who informs you that data located on the Sales server has been altered and is not in the state it was last week. Upon investigation, you find that an attack on the server occurred last week and the team knew of the attack. Which part of determining the scope of the attack was NOT done?
verifying data integrity
You have several SQL servers that were recently brought down by a DDoS attack. The attack was never detected by your signature-based IPS. When you received support from your vendor, you were told that the attack used an approach that was never seen before. What type of attack did you suffer?
zero-day