CySA Practice Exam #6
D.
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? A. Dynamic code analysis B. Pair programming C. Manual Peer Review D. Static code analysis
B. According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI.
Which of the following categories would contain information about an individual's race or ethnic origin? A. PII B. SPI C. PHI D. DLP
B. SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications.
Which of the following is exploited by an SQL injection to give the attacker access to a database? A. Operating system B. Web application C. Database server D. Firewall
D. Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it.
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? A. Sensitive data exposure B. Dereferencing C. Broken authentication D. Race condition
B.
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? A. Processor utilization B. Virtual hosts C. Organizational governance D. Log disposition
D. OpenIOC is essentially just a flat database of known indicators of compromise.
Which analysis framework is essentially a repository of known IOCs with ties to known specific threats? A. MITRE ATT&CK framework B. Diamond Model of Intrusion Analysis C. Lockheed Martin cyber kill chain D. OpenIOC
C. A denial-of-service or DoS attack isn't usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment scope.
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test? A. Reverse engineering B. Social engineering C. Denial-of-service attacks D. Physical penetration attempts
B. The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records.
What regulation protects the privacy of student educational records? A. HIPPA B. FERPA C. SOX D. GLBA
D. In a SaaS model, the consumer has to ensure that the endpoints being used to access the cloud are secure. Since the consumer owns the endpoint (laptop, desktop, tablet, smartphone, etc.), they are responsible for securing it. The entire concept behind using a SaaS product is that the service provider will patch the servers' underlying operating systems, create secure software that isn't vulnerable to SQL injection or cross-site scripting attacks, and ensure proper operations and maintenance of the backend systems.
Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate? A. Cross-site scripting B. SQL injections C. Unpatched operating systems on the server D. An endpoint security failure
C. Windows comes with DEP, which is a built-in memory protection resource. This prevents code from being run in pages that are marked as nonexecutable. DEP, by default, only protects Windows programs and services classified as essential, but it can be used for all programs and services, or all programs and services except the ones on an exception list.
Which of the following should a domain administrator utilize to BEST protect their Windows workstations from buffer overflow attacks? A. Install an anti-malware tool B. Install an anti-spyware tool C. Enable DEP in Windows D. Conduct bound checking before executing a program
A, C. While all of the above options should be included in your report to management, due to the nature of your company's work, the economic impact on the business should be your top factor. This would include any possible liability and damage that will be done to the company's reputation. Data integrity would be the second most important factor to highlight in your report since an APT may have stolen significant amounts of money by altering your financial documentation and accounts' data integrity.
You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company's network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm's executives? (SELECT TWO) A. Data integrity B. Downtime C. Economic D. Recovery time E. Detection time
B. Based on this code snippet, the application is not utilizing input validation. This would allow a malicious user to conduct an XSS (cross-site scripting) attack.
You are conducting static analysis of an application's source code and see the following: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-(String) page += "<type name='id' type='INT' value='" + request.getParameter("ID") + "'>"; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on this code snippet, which of the following security flaws exists in this application? A. Race condition B. Improper input validation C. Improper error handling D. Insufficient logging and monitoring
A. This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types.
Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-ttps://www.whamiedyne.com/app/accountInfo?acct=12345 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-You change the URL to end with 12346 and notice that a different user's account information is now displayed. Which of the following type of vulnerabilities or threats have you discovered? A. Insecure direct object reference B. XML injection C. Race condition D. SQL injection
A. Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? A. Web application vulnerability scan B. Database vulnerability scan C. Port scan D. Network vulnerability scan
C. This is considered an internal covert test. It is internal because an employee of the company is part of the team and provides them with general user privileges. This will simulate an insider threat attack. It is also considered covert because the security staff and system administrators are unaware of the ongoing test.
Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted? A. An overt internal test B. An overt external test C. An covert internal test D. An covert external test
B. A data breach is an incident where information is stolen or taken from a system without the system's owner's knowledge or authorization. If sensitive personally identifiable information (PII) was accessed or exfiltrated, then a privacy breach has occurred.
A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred? A. Financial breach B. Privacy breach C. Proprietary breach D. Integrity breach
C. Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign.
A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? A. Returns no useful results for an attacker B. Returns all web pages containing the text diontraining.com C. Returns all web pages containing an email address affiliated with diontraining.com D. Returns all web pages hosted at diontraining.com
B. The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? A. HIPAA B. GLBA C. FERPA D. SOX
C, D. Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them.
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A. Patching B. NIDS C. Disabling unused services D. Segmentation
C. When data enrichment occurs, it could combine a threat intelligence feed with a log of NetFlow. This will allow the analyst to know if an IP address of interest is actually associated with a known APT. Machine learning and deep learning are forms of artificial intelligence that may be used to conduct data enrichment activities, but individually they are not sufficient to answer this question.
Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting? A. Machine learning B. Deep learning C. Data enrichment D. Continuous integration
C. Ensuring that each console has its own unique key will allow the console manufacturer to track who has purchased which games when using digital rights management licensing. Additionally, this can be achieved using a hardware root of trust, such as a TPM module in the processor.
Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first? A. Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console B. Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute C. Ensure that all each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game D. Ensure that all screen capture content is visibly watermarked
C. This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? A. SQL injection B. Buffer overflow C. Directory traversal D. XML injection
B. Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application.
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability? A. Perform an unauthenticated vulnerability scan on all servers in the environment B. Perform a scan for the specific vulnerability on all web severs C. Perform a web vulnerability scan on all servers in the environment D. Perform an authenticated scan on all web servers in the environment
B. As part of the preparation phase, obtaining authorization to seize devices (including personally owned electronics) should have been made clear and consented to by all employees. If the proper requirements were placed into the BYOD policy before the incident occurred, this would have prevented this situation. Either the employee would be willing to hand over their device for imaging following the BYOD policy, or they would never have connected their device to the company wireless network in the first place if they were concerned with their privacy and understood the BYOD policy.
Fail to Pass Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to an employee in the accounting department's personally-owned smartphone connected to the company's wireless network. The smartphone has been isolated from the network now, but the employee refuses to allow you to image their smartphone to complete your investigation forensically. According to the employee, the company's BYOD policy does not require her to give you her device, and it is an invasion of their privacy. Which of the following phases of the incident response process is at fault for creating this situation? A. Detection and analysis phase B. Preparation phase C. Eradication and recovery phase D. Containment phase
D. The Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory.
Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations? A. Check the Update History manually B. Conduct a registry scan of each workstation to validate the patch was installed C. Create and run a PowerShell script to search for the specific patch in question D. Use SCCM to validate patch status for each machine on the domain
B. TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered.
Which of the following scan types are useful for probing firewall rules? A. TCP SYN B. TCP ACK C. TCP RST D. XMAS TREE
A, B, F. Passively harvesting information from a target is the main purpose of the reconnaissance phase. Harvesting email addresses from the public internet, identifying employees on social media (particularly LinkedIn profiles), discovering public-facing servers, and gathering other publicly available information can allow an attacker to develop a more thorough understanding of a targeted organization.
Which of the following will an adversary do during the reconnaissance phase of the Lockheed Martin kill chain? (SELECT THREE) A. Harvest email addresses B. Identify employees on Social Media networks C. Release of malware on USB drives D. Acquire or develop zero-day exploits E. Select backdoor implants and appropriate command and control mechanisms F. Discover servers facing the public Internet
A. The nmap tool can be used to identify the target's operating system by analyzing the TCP/IP stack responses. Identification of the operating system relies on differences in how operating systems and operating system versions respond to a query, what TCP options they support, what order they send the packets in, and other details that, when combined, can provide a unique fingerprint for a given TCP stack.
Which tool would allow you to identify the target's operating system by analyzing the TCP/IP stack responses? A. nmap B. dd C. scanf D. msconfig
A. Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software).
Which type of threat will patches NOT effectively combat as a security control? A. Zero-day attacks B. Known vulnerabilities C. Discovered software bugs D. Malware with defined indicators of compromise
D. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers.
In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories? A. Feedback B. Analysis C. Dissemination D. Collection
D. The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne's servers, they might attempt to use those credentials on Yoyodyne's servers, too.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? A. The attacker will conduct a man-in-the-middle attack B. The same vulnerability will be compromised on their servers C. The attacker will conduct a SQL injection against their database D. They may now be vulnerable to a credential stuffing attack
D. Since the college wants to ensure a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college's cybersecurity analysts could perform scans on any devices connected to the network using the active scanning engine at the desired intervals.
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A. Passive scanning engine located at the core of the network infrastructure B. Combination of cloud-based and server-based scanning engines C. Combination of server-based and agent-based scanning engines D. Active scanning engine installed on the enterprise console
B. The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible.
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? A. Configuration management B. Vulnerability scanning C. Scan and patch the device D. Automatic updates
B. The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs as well as Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.
Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis? A. DDoS B. APT C. Ransomware D. Software vulnerability
B. Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker.
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A. MySQL B. RDP C. LDAP D. IMAP
B. The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack B. Recommend isolation of the elevator control system from the rest of the production network through the change control process C. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists D. Recommend immediate disconnection of the elevator's control system from the enterprise network
B. All options listed are an issue, but the most significant issue is that John does not have the client's permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization's systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization's network without explicit written permission.
John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization's network? A. The client's infrastructure design is unknown to John B. John does not have permission to perform the scan C. John does not know what operating systems and applications are in use D. The IP range of the client systems is unknown by John
B. The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A. A discovery scan using a port scanner B. Router and switch-based MAC address reporting C. A physical survey D. Reviewing a central administration tool like a SCCM
A. The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services.
What popular open-source port scanning tool is commonly used for host discovery and service identification? A. nmap B. dd C. services.msc D. Nessus
C. The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network.
Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network? A. COPE B. CYOD C. BYOD D. MDM
A, C, D. There is a heavy dependency on the cloud service provider in a serverless architecture system since all of the back-end infrastructure's patching and management functions are done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, though the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails.
Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE) A. Protection of endpoint security B. Management of VPC offerings C. Dependency on the cloud service provider D. Limited disaster recovery options E. Patching of the backend infrastructure F. Management of physical servers
B. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the < string when writing to an HTML page.
Which of the following secure coding best practices ensures a character like < is translated into the < string when writing to an HTML page? A. Session management B. Output encoding C. Error handling D. validation
C. Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS utilizes a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, these fast flux networks have communication patterns that might be detectable, though. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large scale ISP or dedicated secure DNS providers will be better tailored to combatting this issue.
Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure? A. Blacklisting known malicious domain names B. Conduct detailed statistical analysis of the structure of domain names to detect anomalies C. Utilize a secure recursive DNS resolver to a third-party secure DNS resolver D. Blacklisting known malicious IP addresses
D. FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.
Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? A. netcat B. telnet C. wget D. ftp
B. ScoutSuite is used to audit instances and policies created on multi-cloud platforms. Prowler is a cloud auditing tool, but it can only be used on AWS. Pacu is an exploitation framework that is used to test the security configurations of an AWS account. OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.
Which of the following tools would you use to audit a multi-cloud environment? A. OpenVAS B. ScoutSuite C. Prowler D. Pacu
B. According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (i.e., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products.
Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities? A. Acquired and augmented B. Developed C. Advanced D. Integrated
C. While the payroll server could be assumed to holds PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and Dion, the analyst has no idea what is stored on those systems.
A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation is lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? A. Hardening the DEV_SERVER7 server B. Conduct a Nessus scan of the FIREFLY server C. Conduct a data criticality and prioritization analysis D. Logically isolate the PAYROLL_DB server from the production network
C. The fast flux DNS technique rapidly changes the IP address associated with a domain. It allows the adversary to defeat IP-based blacklists, but the communication patterns established by the changes might be detectable. Based on the evidence provided above, you only know that a fast flux DNS is being used.
A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ cat dns.log | bro-cut query gu2m9qhychvxrvh0eift.com oxboxkgtyx9veimcuyri.com 4f3mvgt0ah6mz92frsmo.com asvi6d6ogplqyfhrn0p7.com 5qlark642x5jbissjm86.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? A. The DNS server's hard drive is being used as a staging location for a data exfiltration B. Data exfiltration is being attempted by an APT C. Fast flux DNS is being used for an attacker's C2 D. The DNS server is running out of memory due to a memory resource exhaustion attack
B. Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user.
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: -=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd! [443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd [443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd! [443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd [443] [https-get-form] host: diontraining.com login: dion password: P@$$w0rd! [443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd [443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd! [443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd -=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-What type of attack was most likely being attempted by the attacker? A. Session hijacking B. Password spraying C. Impersonation D. Credential stuffing
C. A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? A. Scan the laptops for vulnerabilities and patch them B. Increase the encryption level of VPN used by the laptops C. Implement a jumpbox system D. Require 2FA (two-factor authentication) on the laptops
C. According to the US Department of Health and Human Services, "Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach. It must include the same information required for the individual notice."
According to the US Department of Health and Human Services, the media must be notified when a data breach containing PHI exceeds how many affected individuals? A. 5 B. 50 C. 500 D. 5000
B. Internet Relay Chat (IRC) used to be extremely popular but was replaced by modern chat applications like Facebook Messenger, Google Hangouts, Slack, and numerous others. These days, IRC traffic is infrequent on most corporate networks. Therefore, this would be classified as suspicious and require additional investigation. The unencrypted nature of the protocol makes it easy to intercept and read communications on this port. Still, even so, there are many types of malware use IRC as a communication channel. Due to this cleartext transmission, an APT would avoid using IRC for their C2 channel to blend in with regular network traffic and avoid detection. IRC is not normally used for machine-to-machine communications in corporate networks. Because the scenario mentioned a connection to a foreign country, as part of your investigation, you should ask the employee if they have friends or family overseas in the country to rule out the possibility that this is acceptable traffic.
After an employee complains that her computer is running abnormally slow, so you conduct an analysis of the NetFlow data from her workstation. Based on the NetFlow data, you identify a significant amount of traffic from her computer to an IP address in a foreign country over port 6667 (IRC). Which of the following is the most likely explanation for this? A. The employee is using Internet Relay Chat to communicate with her friends and family overseas B. Malware has been installed on her computer and is using the IRC protocol to communicate C. The computer has likely been compromised by an APT D. This is routine machine-to-machine communications in a corporate network
A. There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network.
Dion Training Solutions has just installed a backup generator for their offices that use SCADA/ICS for remote monitoring of the system. The generator's control system has an embedded cellular modem that periodically connects to the generator's manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training's other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risk is being assumed in this scenario? A. There is minimal risk being assumed since the cellular modem is configured for outbound connections only B. There is high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator C. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment D. There is medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon
A. If the PII (Personally Identifiable Information) of the company's employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.
During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? A. PII of company employees and customers was exfiltrated B. Raw financial information about the company was accessed C. Forensic review of the server required fallback to a less efficient service D. IP addresses and other network-related configurations were exfiltrated
C. Jorge should recommend that emergency maintenance windows be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. But, this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server.
Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend? A. Wait until next scheduled maintenance window to remediate the vulnerability B. Remediate the vulnerability immediately C. Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability D. Delay the remediation until the next major update of the SQL server occurs
A. This approach is an example of dual control authentication. Dual control authentication is used when performing a sensitive action. It requires the participation of two different users to login (in this case, one with the password and one with the token). Transitive trust is a technique via which a user/entity has already undergone authentication by one communication network to access resources in another communication network without having to undergo authentication a second time.
Susan is worried about the security of the master account associated with a cloud service and the access to it. This service is used to manage payment transactions. She has decided to implement a new multifactor authentication process where one individual has the password to the account. Still, another user in the accounting department has a physical token to the account. To login to the cloud service with this master account, both users would need to come together. What principle is Susan implementing by using this approach? A. Dual control authentication B. Transitive trust C. Least privilege D. Security through obscurity
B. A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the network's security.
The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? A. This approach assumes that the cloud will provide better security than is currently done on-site B. This approach only changes the location of the network and not the attack surface of it C. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration D. This is a reasonable approach that will increase the security of the servers and infrastructure
A, B, C, F. The last phase is the actions on objectives phase. During this phase, the targeted network is now adequately controlled by the attacker. If the system or network owner does not detect the attacker, the adversary may persist for months while gaining progressively deeper footholds into the network. This is done through privilege escalation and lateral movement. Additionally, the attacker can now exfiltrate data from the network or modify data that will remain in the network.
Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain? (SELECT FOUR) A. Exfiltrate data B. Privilege escalation C. Lateral movement through the environment D. Release of malicious email E. Wait for a user to click on a malicious link F. Modify data
D. Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices.
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? A. Installation of anti-virus tools B. Use of a host-based IDS or IPS C. Implement endpoint protection platforms D. User and entity behavior analytics
C. This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like' or '1' ='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the where clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker.
While conducting a static analysis source code review of a program, you see the following line of code:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-What is the issue with the largest security issue with this line of code? A. The code is using parameterized queries B. The * operator will allow retrieval of every data field about this customer in the CUSTOMER table C. An SQL injection could occur because input validation is not being used on the id parameter D. This code is vulnerable to a buffer overflow attack
A. An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. Based on the details provided in the question, it appears the employee's legitimate credentials were used to conduct the breach. This would be classified as an insider threat.
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. Apparently, the IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as? A. Insider Threat B. Zero-day C. Known threat D. Advanced persistent threat
B. An established and agreed upon communication plan, which may also include a non-disclosure agreement, should be put in place to prevent the targets of an ongoing insider threat investigations from becoming aware of it.
You are a security investigator at a high-security installation which houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following step in the preparation phase of the incident response was likely missed? A. Conduct background screenings on all applicants B. Development of a communication plan C. Creating a call list or escalation list D. Developing a proper incident response form
C. The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface.
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? A. Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible B. Logically or physically isolate the SCADA/ICS component from the enterprise network C. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface D. Replace the affected SCADA/ICS components with more secure models from a different manufacturer
C. The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the/etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented.
You are conducting a review of a VPN device's logs and found the following URL being accessed: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based upon this log entry alone, which of the following most likely occurred? A. The /etc/passwd file was downloaded using a directory traversal attack B. A XML injection attack caused the VPN server to return the password file C. The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted D. An SQL injection attack caused the VPN server to return the password file
A. ID and certification must be crafted so that when substituted for the ".getparameter" fields, the SQL statement formed is still complete and will return a Boolean value of true for the ENTIRE statement every time it is evaluated. The AND in the middle of the WHERE clause indicates that both the courseID and certification portion must be true to be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be <id = "1' OR '1' =='1".
You are conducting static analysis of an application's source code and see the following:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-String query = "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='"+ request.getParameter("certification")+"'";-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for "id" and "certification", which of the following strings allow this to occur? A. id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" B. id = "1' OR '1'==1" and certification = "cysa' OR '1=='1" C. id = "1' OR '1'=='1" D. certification = "cysa' OR '1'=='1"
D. To best understand a system's criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations.
You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? A. Ask the CEO for a list of the critical systems B. Conduct a nmap scan of the network to determine the OS of each system C. Scope the scan based on IP subnets D. Review the asset inventory and BCP
B. SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7.
You are reviewing the IDS logs and notice the following log entry:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-(where [email protected] and password=' or 7==7')-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-What type of attack is being performed? A. XML injection B. SQL injection C. Header manipulation D. Cross-site scripting
C. It is most likely that an inadvertent release of information has occurred. This could have occurred due to communication not being limited to trusted parties or information being shared amongst the analyst using insecure communication methods. Based on the scenario, we cannot tell if the data breach (if one has actually occurred) involved the release of PII or SPI. Part of any good communications plan understands that you are required to disclose information based on regulatory requirements. When that disclosure occurs, it will usually be accompanied by a press release.
You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything and then call the company's public relations officer to ask if a press release had been published, which it has not. Which of the following has likely occurred? A. Disclosing based on regulatory requirements B. Communication was limited to trusted parties C. Inadvertent release of information D. Release of PII and SPI
C. Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding "autocomplete=off" to the code's first line. The resulting code would be <form action="authenticate.php" autocomplete="off">.
You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning:"The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved." You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- <form action="authenticate.php"> Enter your username: <BR> <input type="text" name="user" value="" autofocus><BR> Enter your Password: <BR> <input type="password" name="pass" value="" maxlength="32"><BR><input type="submit" value="submit"> </form> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on your analysis, which of the following actions should you take? A. This is a false positive and you should implement a scanner exception to ensure you don't receive this again during your next scan B. You recommend that the system administrator disables SSL on the server and implements TLS instead C. You tell the developer to review their code and implement a bug/code fix D. You recommend that the system administrator pushes out a GPO update to reconfigure the web browsers security settings
C. Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.
You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflash the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? A. Install an anti-malware application B. Install a host-based IDS C. Utilize secure boot D. Utilize file integrity monitoring
D. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive.
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? A. Incinerate and replace the storage devices B. Conduct zero-fill on the storage devices C. Use a secure erase (SE) utility on the storage devices D. Perform a cryptographic erase (CE) on the storage devices
D. Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable, just as any other application or code might be. There are both known (discovered) and unknown vulnerabilities in the libraries being integrated into the project. Therefore, the software development team needs to ensure that they monitor the applicable libraries for additional CVEs that might be uncovered later.
You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst? A. There are no concerns with using commercial or open-source libraries to speed up developments B. Open-source libraries are inherently insecure because you do not know who wrote them C. Whether or not the libraries being used in the projects are the most up to date versions D. Any security flaws present in the library will also be present in the developed application
C. The function is using hard-coded credentials in the function, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31&#. Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since they can be reverse engineered by an attacker, and in this case, it could be used to rob the bank or its customers!
Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function's source code below: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- int verifyAdmin(String password) { if (password.equals("mR7HCS14@31&#")) { return 0; } return 1; } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following vulnerabilities exist in this application's authentication function based solely on the source code provided? A. The function is using parameterized queries B. The function is vulnerable to an SQL injection attack C. The function is using hard-coded credentials to verify the password entered by the user D. The function is vulnerable to a buffer overflow attack
A. If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations.
Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A. Legal and regulatory issues may prevent data migration to the cloud B. A VM escape exploit could allow an attacker to gain access to the SIEM C. The company will be dependent on the cloud provider's backup capabilities D. The company will have less control over the SIEM
