CYSA+ Practice Exam#2


Rhonda recently configured new vulnerability scans for her organization's data center. Completing the scans according to current specifications requires that they run all day, every day. After the first day of scanning, Rhonda received complaints from administrators of network congestion during peak business hours. How should Rhonda handle this situation? Adjust the scanning frequency to avoid scanning during peak times. Request that network administrators increase available bandwidth to accommodate scanning. Inform the administrators of the importance of scanning and ask them to adjust the business requirements. Ignore the request because it does not meet security objectives.

Adjust the scanning frequency to avoid scanning during peak times. The most reasonable response is for Rhonda to adjust the scanning parameters to avoid conflicts with peak business periods. She could ask for additional network bandwidth, but this is likely an unnecessary expense. Adjusting the business requirements is not a reasonable response as security objectives should be designed to add security in a way that allows the business to operate efficiently, not the other way around. Ignoring the request would be very harmful to the business relationship.

Mika's forensic examination of a compromised Linux system is focused on determining what level of access attackers may have achieved using a compromised www account. Which of the following is not useful if she wants to check for elevated privileges associated with the www user? /etc/passwd /etc/shadow /etc/sudoers /etc/group

/etc/shadow /etc/shadow contains password hashes but does not provide information about privileges. Unlike /etc/passwd, it does not contain user ID or group ID information and instead contains only the username and hashed password.

Match each of the following with the appropriate element of the CIA triad: A hard drive failure resulting in a service outage A termination letter that is left on a printer and read by others in the department Modification of an email's content by a third party 1. Integrity, 2. confidentiality, 3. confidentiality 1. Integrity, 2. confidentiality, 3. availability 1. Availability, 2. availability, 3. confidentiality 1. Availability, 2. confidentiality, 3. integrity

1. Availability, 2. Confidentiality, 3. Integrity An outage is an availability issue, data exposures are confidentiality issues, and the integrity of the email was compromised when it was changed.

The Snort IPS that Adam has configured includes a rule that reads as follows: alert tcp $EXTERNAL_NET any -> 10.0.10.0/24 80 (msg:"Alert!"; content:"http|3a|//www.example.com/download.php"; nocase; offset:12; classtype: web-application-activity;sid:5555555; rev:1;) What type of detection method is Adam using? Anomaly based Trend based Availability based Behavioral based

Behavioral based Adam's Snort rule is looking for a specific behavior, in this case, web traffic to example.com's download script. Rules looking for anomalies typically require an understanding of "normal," while trend-based rules need to track actions over time, and availability-based analysis monitors uptime.

Brent's organization runs a web application that recently fell victim to a man-in-the-middle attack. Which one of the following controls serves as the best defense against this type of attack? HTTPS Input validation Patching Firewall

HTTPS The best defense against a man-in-the-middle attack is to use HTTPS with a digital certificate. Users should be trained to pay attention to certificate errors to avoid accepting a false certificate. Input validation and patching would not be an effective defense against man-in-the-middle attacks because man-in-the-middle attacks are network-based attacks. A firewall would be able to block access to the web application but cannot stop a man-in-the-middle attack.

Cynthia's review of her network traffic focuses on the graph shown here. What occurred in late June? Graph shows month of 2016-July versus range in megabits/second from 0 to 3,000. Beaconing High network bandwidth consumption A denial-of-service attack A link failure

High network bandwidth consumption The spike shown just before July appears to be out of the norm for this network since it is almost four times higher than normal. Cynthia may want to check to see what occurred during that time frame to verify whether it was normal traffic for her organization.

Which one of the following ISO standards provides guidance on the development and implementation of information security management systems? ISO 27001 ISO 9000 ISO 11120 ISO 23270

ISO 27001. ISO 27001 provides guidance on information security management systems. ISO 9000 applies to quality management. ISO 11120 applies to gas cylinders. ISO 23270 applies to programming languages.

Paul is researching models for implementing an IT help desk and would like to draw upon best practices in the industry. Which one of the following standard frameworks would provide Paul with the best guidance? ISO ITIL COBIT PCI DSS

ITIL The IT Infrastructure Library (ITIL) provides guidance on best practices for implementing IT service management, including help desk support. ISO provides high-level standards for a wide variety of business and manufacturing processes. COBIT provides control objectives for IT governance. PCI DSS provides security standards for handling credit card information.

Peter works for an organization that is joining a consortium of similar organizations that use a federated identity management system. He is configuring his identity management system to participate in the federation. Specifically, he wants to ensure that users at his organization will be able to use their credentials to access federated services. What role is Peter configuring? Relying party Service provider Identity provider Consumer

Identity providers Identity providers (IDPs) provide identities, make assertions about those identities to relying parties, and release information to relying parties about identity holders. Relying parties (RP), also known as service providers (SP), provide services to members of the federation and should handle the data from both users and identity providers securely. The consumer is the end user of the federated services.

Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort? Implement logging Validate all inputs Parameterize queries Error and exception handling

Implement logging Logging of application and server activity may provide valuable evidence during a forensic investigation. The other three controls listed are proactive controls designed to reduce the risk of an incident occurring and are less likely to directly provide information during a forensic investigation.

While investigating a cybersecurity incident, Bob discovers the file shown here stored on a system on his network. Which one of the following tools most likely generated this file? Image shows loaded 3107 password hashes with markings for nguyen, Gemini, Rachel, qqq1111, Aylmer, Snoopy, Friends, et cetera. Cain & Abel Metasploit ftk John the Ripper

John the Ripper The output that Bob sees is from a password-cracking tool. He can tell this by reading the header and realizing that the file contains unhashed passwords. Of the tools listed, only Cain & Abel and John the Ripper are password-cracking utilities. Metasploit is an exploitation framework, while ftk is a forensics toolkit. Cain & Abel is a Windows-based tool, and this appears to be command-line output. Therefore, the output is from John the Ripper, a command-line password-cracking utility available for all major platforms.

The IT services company that Ben works for uses the NIST functional impact categories to describe the impact of incidents. During a recent construction project, a contractor plugged a network device in twice to the same switch, resulting in a network loop and taking down the organization's network for a third of their users. How should Ben classify this event? Urgent Medium Important High

Medium NIST's functional impact categories range from none to high, but this event fits the description for a medium event; the organization has lost the ability to provide a critical service to a subset of system users. If the entire network had gone down, he would have rated the event as a high-impact event, whereas if a single switch or the network had a slowdown, he would have categorized it as low.

Mike is configuring vulnerability scans for a new web server in his organization. The server is located on the DMZ network, as shown here. What type of scans should Mike configure for best results? Diagram shows Internet connected to firewall, which is connected to data center network and DMZ, where data center network is divided into database server and file server and DMZ is connected to web server. Mike should not scan servers located in the DMZ. Mike should perform only internal scans of the server. Mike should perform only external scans of the server. Mike should perform both internal and external scans of the server.

Mike should perform both internal and external scans of the server. For best results, Mike should combine both internal and external vulnerability scans because this server has both public and private IP addresses. The external scan provides an "attacker's eye view" of the web server, while the internal scan may uncover vulnerabilities that would be exploitable only by an insider or an attacker who has gained access to another system on the network.

Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization's patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements? Whitelisting Port security NAC EAP

NAC Network Access Control (NAC) can combine user or system authentication with client-based or clientless configuration and profiling capabilities to ensure that systems are properly patched and configured and are in a desired security state. Whitelisting is used to allow specific systems or applications to work, port security is a MAC address filtering capability, and EAP is an authentication protocol.

Carla is performing a penetration test of a web application and would like to use a software package that allows her to modify requests being sent from her system to a remote web server. Which one of the following tools would not meet Carla's needs? Nessus Burp ZAP Tamper Data

Nessus Carla is looking for a tool from a category known as interception proxies. They run on the tester's system and intercept requests being sent from the web browser to the web server before they are released onto the network. This allows the tester to manually manipulate the request to attempt the injection of an attack. Burp, ZAP, and Tamper Data are all examples of interception proxies. Nessus is a vulnerability scanner and, while useful in penetration testing, does not serve as an interception proxy.

Which one of the following tools cannot be used as a web application vulnerability scanner? Nikto Acunetix Nmap QualysGuard

Nmap Nmap is an open source port scanning tool and does not have web application vulnerability scanning capability. Acunetix and Nikto are dedicated-purpose web application vulnerability scanners. QualysGuard is a more general vulnerability scanning tool, but it does have web application scanning capabilities.

What nmap feature is enabled with the -O flag? OS detection Online/offline detection Origami attack detection Origination port validation

Operating system detection. The -O flag enables operating system detection for nmap.

During a log review Lisa sees repeated firewall entries, as shown here: Sep 16 2016 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] Sep 16 2016 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] Sep 16 2016 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] Sep 16 2016 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] What service is the remote system most likely attempting to access? H.323 SNMP MS-SQL Oracle

Oracle. Oracle databases default to TCP port 1521. Traffic from the "outside" system is being denied when it attempts to access an internal system via that port.

Nancy ran a port scan against a network switch located on her organization's internal network and discovered the results shown here. She ran the scan from her workstation on the employee VLAN. Which one of the following results should be of greatest concern to her? Image shows programming codes which read Nmap scan report for 10.1.0.121), host is up (0.049 latency), et cetera, and table shows columns for PORT and STATE. Port 22 Port 23 Port 80 Ports 8192 to 8194

Port 23. Both ports 22 and 23 should be of concern to Nancy because they indicate that the network switch is accepting administrative connections from a general-use network. Instead, the switch should only accept administrative connections from a network management VLAN. Of these two results, port 23 should be of the greatest concern because it indicates that the switch is allowing unencrypted telnet connections that may be subject to eavesdropping. The results from ports 80 and 8192 to 8194 are of lesser concern because they are being filtered by a firewall.

Which stage of the incident response process includes activities such as adding IPS signatures to detect new attacks? Detection and analysis Containment, eradication, and recovery Post-incident activity Preparation

Preparation Adding new signatures (prior to an incident) is part of the preparation phase because it prepares an organization to detect attacks.

Susan is building an incident response program and intends to implement NIST's recommended actions to improve the effectiveness of incident analysis. Which of the following items is not a NIST-recommended incident analysis improvement? Perform behavioral baselining. Create and implement a logging policy. Set system BIOS clocks regularly. Maintain an organization-wide system configuration database.

Set system BIOS clocks regularly. NIST recommends the usage of NTP to synchronize clocks throughout organizational infrastructure, thus allowing logs, alerts, and other data to be analyzed more easily during incident response. Manually setting clocks results in time skew, incorrect clocks, and other time-related problems.

Captured network traffic from a compromised system shows it reaching out to a series of five remote IP addresses that change on a regular basis. Since the system is believed to be compromised, the system's Internet access is blocked, and the system is isolated to a quarantine VLAN. When forensic investigators review the system, no evidence of malware is found. Which of the following scenarios is most likely? The system was not infected, and the detection was a false positive. The beaconing behavior was part of a web bug. The beaconing behavior was due to a misconfigured application. The malware removed itself after losing network connectivity.

The malware removed itself after losing network connectivity. Recurring beaconing behavior with a changing set of systems is a common characteristic of more advanced malware packages. It is most likely that this system was compromised with malware that deleted itself when its ability to check in with a command-and-control system was removed, thus preventing the malware from being captured and analyzed by incident responders.

Lonnie ran a vulnerability scan of a server that he recently detected in his organization that is not listed in the organization's configuration management database. One of the vulnerabilities detected is shown here. What type of service is most likely running on this server? Window shows sections for 3 phpinfo information disclosure vulnerability, threat, and impact, and options for first detected, last detected, vendor reference, user modified, et cetera. Database Web Time Network management

Web The PHP language is used for the development of dynamic web applications. The presence of PHP on this server indicates that it is a web server. It may also be running database, time, or network management services, but the scan results provide no evidence of this.

Jim's nmap port scan of a system showed the following list of ports: PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 902/tcp open iss-realsecure 912/tcp open apex-mesh 3389/tcp open ms-wbt-server What operating system is the remote system most likely running? Windows Linux An embedded OS macOS

Windows TCP 135, 139, and 445 are all common Windows ports. The addition of 3389, the remote desktop port for Windows, makes it most likely that this is a Windows server.

Tommy's company recently implemented a new policy that restricts root access to its cloud computing service provider master account. This policy requires that a team member from the operations group retrieve a password from a password vault to log in to the account. The account then uses two-factor authentication that requires that a team member from the security group approve the login. What type of control is the company using? Separation of duties Privileged account monitoring Dual control Least privilege

Dual control The scenario describes a dual-control (or two-person control) arrangement, where two individuals must collaborate to perform an action. This is distinct from separation of duties, where access controls are configured to prevent a single individual from accomplishing two different actions that, when combined, represent a security issue. There is no indication that the company is performing privileged account monitoring or enforcing least privilege given in this scenario.

Erin is attempting to collect network configuration information from a Windows system on her network. She is familiar with the Linux operating system and would use the ifconfig command to obtain the desired information on a Linux system. What equivalent command should she use in Windows? ipconfig netstat ifconfig netcfg

ipconfig The Windows equivalent to the Linux ifconfig command is ipconfig. netstat displays information about open network connections rather than network interface configuration. The ifconfig and netcfg commands do not exist on Windows.

Kim is reviewing the data gathered by the first responder to a security incident and comes across a text file containing the output shown here. What command generated this output? Image shows table with columns for proto, recv-Q, send-Q, local address, foreign address, and state. traceroute netstat ifconfig sockets

netstat The netstat command is used to generate a list of open network connections on a system, such as the one shown here. traceroute is used to trace the network path between two hosts. ifconfig is used to display network configuration information on Linux and Mac systems. The sockets command does not exist.

Which of the following commands is not useful for validating user permissions on a Linux system? more /etc/sudoers groups stat strings

strings The strings command prints strings of printable characters in a file and does not show Linux permission information. The contents of the sudoers file, the output of the groups command, and the stat command can all provide useful information about user or file permissions.

During a port scan of a server, Gwen discovered that the following ports are open on the internal network: TCP port 25 TCP port 80 TCP port 110 TCP port 443 TCP port 1521 TCP port 3389 Of the services listed here, for which one does the scan not provide evidence that it is likely running on the server? Web Database SSH Email

SSH. Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. Simple Mail Transfer Protocol (SMTP) runs on port 25. There is no evidence that SSH, which uses port 22, is running on this server.

Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need? Sandboxing Implementing a honeypot Decompiling and analyzing the application code Fagan testing

Sandboxing. Susan's best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. While this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time-consuming. Since she doesn't have the source code, Fagan inspection won't work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.

The Windows system that Fred is conducting live forensics on shows a partition map, as shown here. If Fred believes that a hidden partition was deleted resulting in the unallocated space, which of the following tools is best suited to identifying the data found in the unallocated space? Window shows markings for disk 0 and boxes labeled system reserved, (C:), and 449 megabytes unallocated. Scalpel DBAN parted dd

Scalpel Scalpel is a carving tool designed to identify files in a partition or volume that is missing its index or file allocation table. DBAN is a wiping tool, parted is a partition editor, and dd is used for disk duplication. You may encounter questions about programs you are unfamiliar with on the exam. Here, you can eliminate tools that you are familiar with like DBAN, parted, or dd and take a reasonable guess based on that knowledge.

As part of her post-incident recovery process, Alicia creates a separate virtual network as shown here to contain compromised systems she needs to investigate. What containment technique is she using? Diagram shows A containment VLAN connected to device via border router which leads to B business office VLAN and C data center VLANs. Segmentation Isolation Removal Reverse engineering

Segmentation The firewall rules continue to allow access to the compromised systems, while preventing them from attacking other systems. This is an example of segmentation. Segmentation via VLANs, firewall rules, or other logical methods can help to protect other systems, while allowing continued live analysis.

Ben needs to identify the device or storage type that has the lowest order of volatility. Which of the following is the least volatile? Network traffic A solid state drive A spinning hard drive A DVD-ROM

A DVD-ROM The order of volatility of common storage locations is as follows:
- CPU cache, registers, running processes, and RAM
- Network traffic
- Disk drives (both spinning and magnetic)
- Backups, printouts, and optical media (including DVD-ROMs and CDs)
Thus, the least volatile storage listed is the DVD-ROM.

After receiving complaints about a system on her network not performing correctly, Kathleen decides to investigate the issue by capturing traffic with Wireshark. The captured traffic is shown here. What type of issue is Kathleen most likely seeing? A link failure A failed three-way handshake A DDoS A SYN flood

A SYN flood. The repeated SYN packets are likely a SYN flood that attempts to use up resources on the target system. A failed three-way handshake might initially appear similar but will typically not show this volume of attempts. A link failure would not show traffic from a remote system, and a DDoS would involve more than one system sending traffic.

Ben is attempting to determine what services a Windows system is running and decides to use the netstat -at command to list TCP ports. He receives the output shown here. The system is most likely running which services? Table shows active connections with columns for proto, local address, foreign address, state, and offload state. A plain-text web server, Microsoft file sharing, and a secure web server SSH, email, and a plain-text web server An email server, a plain-text web server, and Microsoft-DS A plain-text web server, Microsoft RPC, and Microsoft-DS

A plain-text web server, Microsoft RPC, and Microsoft-DS This Windows system is likely running an unencrypted (plain-text) web server, as well as both the Microsoft RPC and Microsoft DS services on TCP 135 and 335, respectively. SSH would typically be associated with port 22, while email via SMTP is on TCP port 25.

A port scan conducted during a security assessment shows the following results. What type of device has most likely been scanned? Nmap scan report for EXAMPLE (192.168.1.79) Host is up (1.00s latency). Not shown: 992 closed ports PORT STATE 21/tcp open 23/tcp open 80/tcp open 280/tcp open 443/tcp open 515/tcp open 631/tcp open 9100/tcp open Nmap done: 1 IP address (1 host up) scanned in 124.20 seconds A wireless access point A server A printer A switch

A printer. While TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are commonly associated with printers.

As part of a government acquisitions program for the U.S. Department of Defense, Sean is required to ensure that the chips and other hardware-level components used in the switches, routers, and servers that he purchases do not include malware or other potential attack vectors. What type of supplier should Sean seek out? A TPM An OEM provider A trusted foundry A gray-market provider

A trusted foundry Trusted foundries are part of the Department of Defense's program that ensures that hardware components are trustworthy and have not been compromised by malicious actors. A TPM is a hardware security module, OEMs are original equipment manufacturers but may not necessarily have completed trusted hardware sources, and gray-market providers sell hardware outside of their normal or contractually allowed areas.

Gary is using agent-based scanning to assess the security of his environment. Every time that Gary runs a vulnerability scan against a particular system, it causes the system to hang. He spoke with the system administrator who provided him with a report showing that the system is current with patches and has a properly configured firewall that allows access only from a small set of trusted internal servers. Gary and the server administrator both consulted the vendor, and they are unable to determine the cause of the crashes and suspect that it may be a side effect of the agent. What would be Gary's most appropriate course of action? Approve an exception for this server. Continue scanning the server each day. Require that the issue be corrected in 14 days and then resume scanning. Decommission the server.

Approve an exception for this server This is an appropriate case for an exception to the scanning policy. The server appears to be secure, and the scanning itself is causing a production issue. Gary should continue to monitor the situation and consider alternative forms of scanning, but it would not be appropriate to continue the scanning or set an artificial deadline that is highly unlikely to be met. Decommissioning the server is an excessive action as there is no indication that it is insecure, and the issue may, in fact, be a problem with the scanner itself.

Which NIST attack vector classification best describes a distributed denial-of-service attack? Impersonation Improper usage Web Attrition

Attrition NIST describes attrition attacks as attacks that employ brute-force methods to compromise, degrade, or destroy systems, networks, or services. A DDoS attack seeks to degrade or prevent access to systems, services, or networks.

Joe is designing a vulnerability management program for his company, a hosted service provider. He would like to check all relevant documents for customer requirements that may affect his scanning. Which one of the following documents is least likely to contain this information? BPA SLA MOU BIA

BIA The Business Impact Assessment (BIA) is an internal document used to identify and assess risks. It is unlikely to contain customer requirements. Service Level Agreements (SLAs), Business Partner Agreements (BPAs), and Memorandums of Understanding (MOUs) are much more likely to contain this information.

During an nmap scan of a network, Charles receives the following response from nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-21 20:03 EDT Nmap done: 256 IP addresses (0 hosts up) scanned in 29.74 seconds What can Charles deduce about the network segment from these results? There are no active hosts in the network segment. All hosts on the network segment are firewalled. The scan was misconfigured. Charles cannot determine if there are hosts on the network segment from this scan.

Charles cannot determine if there are hosts on the network segment from this scan. A host that is not running any services or that has a firewall enabled that prevents responses can be invisible to nmap. Charles cannot determine whether there are hosts on this network segment and may want to use other means such as ARP queries, DHCP logs, and other network layer checks to determine whether there are systems on the network.

As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer's corporate headquarters network. During her shift, Emily's IDS reports that a network scan has occurred from a system with IP address 10.0.11.19 on the organization's unauthenticated guest wireless network aimed at systems on an external network. What should Emily's first step be? Report the event to the impacted third parties. Report the event to law enforcement. Check the system's MAC address against known assets. Check authentication logs to identify the logged-in user.

Check the system's MAC address against known assets. In most organizations, Emily's first action should be to verify that the system is not one that belongs to the organization by checking it against her organization's asset inventory. If the system is a compromised system on the wrong network, she or her team will need to address it. In most jurisdictions, there is no requirement to notify third parties or law enforcement of outbound scans, and since the guest wireless is specifically noted as being unauthenticated, there will not be authentication logs to check.

Alex learns that a recent Microsoft patch covers a zero-day exploit in Microsoft Office that occurs because of incorrect memory handling. The flaw is described as potentially resulting in memory corruption and arbitrary code execution in the context of the current privilege level. Exploitation of the flaws can occur if victims open a specifically crafted Office document in a vulnerable version of Microsoft Office. If Alex finds out that approximately 15 of the workstations in his organization have been compromised by this malware, including one workstation belonging to a domain administrator, what phase of the incident response process should he enter next? Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity

Containment, eradication, and recovery Alex needs to quickly move into containment mode by limiting the impact of the compromise. He can then gather the evidence and data needed to support the incident response effort, allowing him to work with his organization's desktop and IT support teams to return the organization to normal function.

Chris is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection? TLS VPN DLP FDE

DLP A data loss prevention system may be able to intercept and block unencrypted sensitive information leaving the web server, but it does not apply cryptography to web communications. Transport layer security (TLS) is the most direct approach to meeting Chris' requirement, as it encrypts all communication to and from the web server. Virtual private networks (VPNs) may also be used to encrypt network traffic, adding a layer of security. Full disk encryption (FDE) may also be used to protect information stored on the server in the event the disk is stolen.

Dylan is creating a vulnerability management program for his company. He only has the resources to conduct daily scans of approximately 10 percent of his systems, and the rest will be scheduled for weekly scans. He would like to ensure that the systems containing the most sensitive information receive scans on a more frequent basis. What criteria is Dylan using? Data privacy. Data remanence. Data retention. Data classification.

Data classification Data classification is a set of labels applied to information based upon its degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely upon data privacy.

Ben would like guidance on grouping information into varying levels of sensitivity. He plans to use these groupings to assist with decisions around the security controls that the organization will apply to storage devices containing that information. Which one of the following policies is most likely to contain relevant information for Ben's decision-making process? Data retention policy Data classification policy Data encryption policy Data disposal policy

Data classification policy While all of these policies may contain information about data security, Ben is specifically interested in grouping information into categories of similar sensitivity. This is the process of data classification. A data retention policy would contain information on the data life cycle. An encryption policy would describe what data must be encrypted and appropriate encryption techniques. A data disposal policy would contain information on properly destroying data at the end of its life cycle.

Mike's company recently suffered a security incident when they lost control of thousands of personal customer records. Many of these records were from projects that ended long ago and served no business purpose. What type of policy, if followed, would have best limited the impact of this incident? Data ownership policy Account management policy Acceptable use policy Data retention policy

Data retention policy Data retention policies specify the appropriate life cycle for different types of information. In this example, a data retention policy would likely have instructed the organization to dispose of the unneeded records, limiting the number that were compromised. A data ownership policy describes who bears responsibility for data and is less likely to have a direct impact on this incident. An acceptable use policy could limit the misuse of data by insiders, but there is no indication that this was an insider attack. An account management policy may be useful in pruning unused accounts and managing privileges, but there is no indicator that these issues contributed to the impact of this incident.

During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. Chris finds that his routers used "public" and "private" as their community strings. Which of the following is not an appropriate action to take to help secure SNMP in Chris's organization? Add complexity requirements to the SNMP community string. Enable and configure SNMP v2c. Enable and require TLS setting for SNMP. Apply different SNMP community strings to devices with different security levels.

Enable and configure SNMP v2c. SNMP v1 through v2c all transmit data in the clear. Instead, Chris should move his SNMP monitoring infrastructure to use SNMP v3. Adding complexity requirements helps to prevent brute-force attacks against community strings, while TLS protects against data capture. Using different community strings based on security levels helps to ensure that a single compromised string can't impact all of the devices on a network.

Ron arrived at the office this morning to find a subpoena on his desk requesting electronic records in his control. What type of procedure should he consult to determine appropriate next steps, including the people he should consult and the technical process he should follow? Evidence production procedure Monitoring procedure Data classification procedure Patching procedure

Evidence production procedure Evidence production procedures describe how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence. Monitoring procedures describe how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology. Data classification procedures describe the processes to follow when implementing the organization's data classification policy. Patching procedures describe the frequency and process of applying patches to applications and systems under the organization's care.

Which of the following is not one of the major categories of security event indicators described by NIST 800-61? Alerts from IDS, IPS, SIEM, AV, and other security systems Logs generated by systems, services, and applications Exploit developers Internal and external sources

Exploit developers NIST identifies four major categories of security event indicators: alerts, logs, publicly available information, and people both inside and outside the organization. Exploit developers may provide some information but are not a primary source of security event information.

Heidi runs a vulnerability scan of the management interface of her organization's virtualization platform and finds the severity 1 vulnerability shown here. What circumstance, if present, should increase the severity level of this vulnerability to Heidi? Window shows section for 1 remote management service accepting unencrypted credentials detected and options for first detected, last detected, vendor reference, user modified, et cetera. Lack of encryption Missing security patch Exposure to external networks Out-of-date antivirus signatures

Exposure to external networks This vulnerability has a low severity, but that could be dramatically increased if the management interface is exposed to external networks. If that were the case, it is possible that an attacker on a remote network would be able to eavesdrop on administrative connections and steal user credentials. Out-of-date antivirus definitions and missing security patches may also be severe vulnerabilities, but they do not increase the severity of this specific vulnerability. The lack of encryption is already known because of the nature of this vulnerability, so confirming that fact would not change the severity assessment.

Which one of the following is an example of a logical control? Lock and key Firewall rule Background check Security guard

Firewall rule. Firewall rules are an example of a logical control because they are technical controls that enforce confidentiality, integrity, and availability in the digital space. Locks and keys and security guards are examples of physical controls. Background checks are an example of an administrative control.

Patricia is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Patricia planning to use? Fault injection Stress testing Mutation testing Fuzz testing

Fuzz testing Fuzz testing involves sending invalid or random data to an application to test its ability to handle unexpected data. Fault injection directly inserts faults into error-handling paths, particularly error-handling mechanisms that are rarely used or might otherwise be missed during normal testing. Mutation testing is related to fuzzing and fault injection, but rather than changing the inputs to the program or introducing faults to it, mutation testing makes small modifications to the program itself. Stress testing is a performance test that ensures applications and the systems that support them can stand up to the full production load.

Jerry recently completed a vulnerability scan of his organization's data center and received the vulnerability report shown here from a server running in the data center. This server is running on a virtualization platform running on a bare-metal hypervisor. Where must Jerry correct this issue? Guest operating system Hypervisor Application Host operating system

Guest operating system. This vulnerability states that there is a missing patch to the Windows operating system. In a bare-metal hypervisor, the only place that Windows could be running is as a guest operating system. Therefore, this is the location where Jerry must apply a patch.

Tyler scans his organization's mail server for vulnerabilities and finds the result shown here. What should be his next step? Window shows Microsoft exchange client access server information with sections for description (solution), output (port, hosts), plugin details (severity, ID, version, type), risk information, vulnerability information, and reference information. Shut down the server immediately. Initiate the change management process. Apply the patch. Rerun the scan.

Initiate the change management process. Tyler should initiate his organization's change management process to begin the patching process. This is a medium severity vulnerability, so there is no need to apply the patch in an emergency fashion that would bypass change management. Similarly, shutting down the server would cause a serious disruption and the level of severity does not justify that. Finally, there is no need to rerun the scan because there is no indication that it is a false positive result.

Taylor is preparing to run vulnerability scans of a web application server that his organization recently deployed for public access. He would like to understand what information is available to a potential external attacker about the system as well as what damage an attacker might be able to cause on the system. Which one of the following scan types would be least likely to provide this type of information? Internal network vulnerability scan Port scan Web application vulnerability scan External network vulnerability scan

Internal network vulnerability scan An internal network vulnerability scan will provide an insider's perspective on the server's vulnerabilities. It may provide useful information, but it will not meet Taylor's goal of determining what an external attacker would see.

Jose is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks to externally accessible systems. He also tells Jose that the organization does not want to address risks on systems without any external exposure or risks rated medium or lower. Jose disagrees with this approach and believes that he should also address critical and high-severity risks on internal systems. How should he handle the situation? Jose should recognize that his manager has made a decision based upon the organization's risk appetite and should accept it and carry out his manager's request. Jose should discuss his opinion with his manager and request that the remediation criteria be changed. Jose should ask his manager's supervisor for a meeting to discuss his concerns about the manager's approach. Jose should carry out the remediation program in the manner that he feels is appropriate because it will address all of the risks identified by the manager as well as additional risks.

Jose should discuss his opinion with his manager and request that the remediation criteria be changed. The most appropriate step for Jose to take is to discuss his opinion with his manager and see whether the manager is willing to change the guidelines. As a security professional, it is Jose's ethical responsibility to share his opinion with his manager. It would not be appropriate for Jose to act against his manager's wishes. Jose should also not ask to speak with his manager's supervisor until he has had an opportunity to discuss the issue thoroughly with his manager.

Charleen's incident response team is fighting a rapidly spreading zero-day malware package that silently installs via an Adobe Flash vulnerability when an email attachment is viewed via webmail. After identifying a compromised system, she determines that the system is beaconing to a group of fast flux DNS entries. Which of the following techniques is best suited to identifying other infected hosts? Update antivirus software and scan using the latest definitions. Monitor for the IP addresses associated with the command-and-control systems. Log DNS queries to identify compromised systems. Check email logs for potential recipients of the message.

Log DNS queries to identify compromised systems. Fast flux DNS networks use many IP addresses behind one (or a few) fully qualified domain names. Logging DNS server queries and reviewing them for hosts that look up the DNS entries associated with the command-and-control network can quickly identify compromised systems. Unfortunately, antivirus software is typically not updated quickly enough to immediately detect new malware. Since the fast flux DNS command and control relies on frequent changes to the C&C hosts, IP addresses change quickly, making them an unreliable detection method. Finally, reviewing email to see who received the malware-laden message is useful but won't indicate whether the malware was successful in infecting a system without additional data.

The collection of objects, the type of the objects, and how they relate to each other to create monitoring groups are all implemented as which of the following for SNMP? MBI MIB SMI OBJ

MIB Management Information Bases (MIBs) provide monitoring groups to get information about networks, including flow-based information, statistics, history, alarms, and events.

Which of the following factors is not typically considered when determining whether evidence should be retained? Media life span Likelihood of civil litigation Organizational retention policies Likelihood of criminal prosecution

Media life span. Incident data should be retained as necessary regardless of media life span. Retention is often driven by the likelihood of civil or criminal action, as well as by organizational standards.

Rachel discovered the vulnerability shown here when scanning a web server in her organization. Which one of the following approaches would best resolve this issue? Window shows sections for 4 Microsoft IIS server XSS elevation of privilege vulnerability (MS17-016) and threat, and options for first detected, last detected, vendor reference, et cetera. Patching the server Performing input validation Adjusting firewall rules Rewriting the application code

Patching the server. The vulnerability description mentions that this is a cross-site scripting (XSS) vulnerability. Normally, XSS vulnerabilities are resolved by performing proper input validation in the web application code. However, in this particular case, the XSS vulnerability exists within Microsoft IIS server itself and not in a web application. Therefore, it requires a patch from Microsoft to correct it.

Greg is seeking to protect his organization against attacks that involve the theft of user credentials. Which one of the following threats poses the greatest risk of credential theft in most organizations? DNS poisoning Phishing Telephone-based social engineering Shoulder surfing

Phishing While all of the techniques listed may be used to engage in credential theft, phishing is, by far, the most common way that user accounts become compromised in most organizations.

Chris has been tasked with removing data from systems and devices that leave his organization. One of the devices is a large multifunction device that combines copying, fax, and printing capabilities. It has a built-in hard drive to store print jobs and was used in an office that handles highly sensitive business information. If the multifunction device is leased, what is his best option for handling the drive? Destroy the drive. Reformat the drive using the MFD's built-in formatting program. Remove the drive and format it using a separate PC. Remove the drive and purge it.

Remove the drive and purge it. The best option presented is for Chris to remove the drive and purge the data from it. Destroying the drive, unless specified as allowable in the lease, is likely to cause contractual issues. Reformatting a drive that contains highly sensitive data will not remove the data, so neither reformatting option is useful here. In a best-case scenario, Chris will work to ensure that future devices either have built-in encryption that allows an easy secure wipe mode or a dedicated secure wipe mode, or he will work to ensure that the next lease includes a drive destruction clause.

Lou recently scanned a web server in his environment and received the vulnerability report shown here. What action can Lou take to address this vulnerability? Window shows sections for 2 SSL certificate - signature verification failed vulnerability, threat, and impact, and options for first detected, last detected, vendor reference, user modified, et cetera. Configure TLS Replace the certificate Unblock port 443 Block port 80

Replace the certificate This error indicates that the digital certificate presented by the server is not valid. Lou should replace the certificate with a certificate from a trusted CA to correct the issue.

After restoring a system from 30-day-old backups after a compromise, administrators at Michelle's company return the system to service. Shortly after that, Michelle detects similar signs of compromise again. Why is restoring a system from a backup problematic in many cases? Backups cannot be tested for security issues. Restoring from backup may reintroduce the original vulnerability. Backups are performed with the firewall off and are insecure after restoration. Backups cannot be properly secured.

Restoring from backup may reintroduce the original vulnerability. When restoring from a backup after a compromise, it is important to ensure that the flaw that allowed attackers in is patched or otherwise remediated. In many environments, backups can be restored to a protected location where they can be patched, validated, and tested before they are restored to service.

As part of her forensic analysis of a wiped thumb drive, Selah runs Scalpel to carve data from the image she created. After running Scalpel, she sees the following in the audit.log file created by the program. What should Selah do next? Image shows programming codes with options for output directory and configuration file, and table shows columns for filed from, start, chop, length, and extracte. Run a data recovery program on the drive to retrieve the files. Run Scalpel in filename recovery mode to retrieve the actual filenames and directory structures of the files. Review the contents of the scalpelout folder. Use the identified file names to process the file using a full forensic suite.

Review the contents of the scalpelout folder. You may not be familiar with Scalpel or other programs you encounter on the exam. In many cases, the problem itself will provide clues that can help you narrow down your answer. Here, pay close attention to the command-line flags, and note the -o flag, a common way to denote an output file. In practice, Scalpel automatically creates directories for each of the file types that it finds. Selah simply needs to visit those directories to review the files that she has recovered. She does not need to use another program. The filenames and directory structures may not be recoverable when carving files.

Randi's organization recently suffered a cross-site scripting attack, and she plans to implement input validation to protect against the recurrence of such attacks in the future. Which one of the following HTML tags should be most carefully scrutinized when it appears in user input? SCRIPT XSS B EM

SCRIPT The SCRIPT tag is used to mark the beginning of a code element, and its use is indicative of a cross-site scripting attack. XSS is not a valid HTML tag. The B (for bold text) and EM (for italics) tags are commonly found in normal HTML input.

During a postmortem forensic analysis of a Windows system that was shut down after its user saw strange behavior, Ben concludes that the system he is reviewing was likely infected with a memory-resident malware package. What is his best means of finding the malware? Search for a core dump or hiberfil.sys to analyze. Review the INDX files and Windows registry for signs of infection. Boot the system and then use a tool like the Volatility Framework to capture live memory. Check volume shadow copies for historic information prior to the reboot.

Search for a core dump or hiberfil.sys to analyze. Ben's best option is to look for a hibernation file or core dump that may contain evidence of the memory-resident malware. Once a system has been shut down, a memory-resident malware package will be gone until the system is re-infected, making reviews of the registry, INDX files, and volume shadow copies unlikely to be useful. Since the system was shut down, he won't get useful memory forensics from a tool like the Volatility Framework unless the machine is re-infected.

Jennifer is reviewing her network monitoring configurations and sees the following chart for a system she runs remotely in Amazon's Web Services environment more than 400 miles away. What can she use this data for? Bar graph shows AMI (AWS) on time from 6:00 PM to 12:00 PM versus response time in milliseconds from 0 ms to 200ms versus percent packet loss from 0 percent to 100 percent with plots for response time AMI (AWS) and percent packet loss AMI (AWS). Incident response; she needs to determine the issue causing the spikes in response time. The high packet loss must be investigated, as it may indicate a denial-of-service attack. She can use this data to determine a reasonable response time baseline. The high response time must be investigated, as it may indicate a denial-of-service attack.

She can use this data to determine a reasonable response time baseline. Jennifer can use this information to help build her baseline for response times for the AWS server. A 200 ms response time for a remotely hosted server is well within a reasonable range. There is nothing in this chart that indicates an issue.

Mika uses a security token like the unit shown here and a password to authenticate to her PayPal account. What two types of factors is she using? Photograph shows device labeled PayPal with digital display in center which reads 536739. Something she knows and something she has Something she knows and something she is Something she is and something she has Mika is only using one type of factor because she knows the token code and her password.

Something she knows and something she has. Mika is using both a knowledge-based factor in the form of her password and something she has in the form of the token. Possession of the token is the "something she has."

One of the servers that Adam is responsible for recently ran out of disk space. Despite system-level alarms, the problem was not detected, resulting in an outage when the server crashed. How would this issue be categorized if the NIST threat categorization method was used as part of an after-action review? Environmental Adversarial Accidental Structural

Structural Resource exhaustion is a type of structural failure as defined by the NIST threat categories. It might be tempting to categorize this as accidental because Adam did not notice the alarms; however, accidental threats are specifically caused by individuals doing routine work who undermine security through their actions. In this case, the structural nature of the problem is the more important category.

While analyzing a packet capture in Wireshark, Chris finds the packet shown here. Which of the following is he unable to determine from this packet? Window shows programming codes with sections for Internet protocol version 4, differentiated services field, transmission control protocol, et cetera. That the username used was gnome That the protocol used was FTP That the password was gnome123 That the remote system was 137.30.120.40

That the username used was gnome. FTP sends the username in a separate packet. Chris can determine that this was an FTP connection, that the password was gnome123, and that the FTP server was 137.30.120.40.

Tim works in an environment that is subject to the Payment Card Industry Data Security Standard. He realizes that technical constraints prevent the organization from meeting a specific PCI DSS requirement and wants to implement a compensating control. Which one of the following statements is not true about proper compensating controls? The control must include a clear audit mechanism. The control must meet the intent and rigor of the original requirement. The control must provide a similar level of defense as the original requirement provides. The control must be above and beyond other requirements.

The control must include a clear audit mechanism. The PCI DSS compensating control procedures do not require that compensating controls have a clearly defined audit mechanism, although this is good security practice. They do require that the control meet the intent and rigor of the original requirement, provide a similar level of defense as the original requirement, and be above and beyond other requirements.

During an nmap port scan using the -sV flag to determine service versions, Sarah discovers that the version of SSH on the Linux system she is scanning is not up-to-date. When she asks the system administrators, they inform her that the system is fully patched and that the SSH version is current. What issue is Sarah most likely experiencing? The system administrators are incorrect. The nmap version identification is using the banner to determine the service version. nmap does not provide service version information, so Sarah cannot determine version levels in this way. The systems have not been rebooted since they were patched.

The nmap version identification is using the banner to determine the service version. While nmap provides service version identification, it relies heavily on the information that the services provide. In some cases, fully patched services may provide banner information that does not show the minor version or may not change banners after a patch, leading to incorrect version identification.

Ty is reviewing the scan report for a Windows system joined to his organization's domain and finds the vulnerability shown here. What should be Ty's most significant concern related to this vulnerability? Window shows sections for 3 administrator account's password does not expire and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. The presence of this vulnerability indicates that an attacker may have compromised his network. The presence of this vulnerability indicates a misconfiguration on the target server. The presence of this vulnerability indicates that the domain security policy may be lacking appropriate controls. The presence of this vulnerability indicates a critical flaw on the target server that must be addressed immediately.

The presence of this vulnerability indicates that the domain security policy may be lacking appropriate controls. The presence of this vulnerability does indicate a misconfiguration on the targeted server, but that is not the most significant concern that Ty should have. Rather, he should be alarmed that the domain security policy does not prevent this configuration and should know that many other systems on the network may be affected. This vulnerability is not an indicator of an active compromise and does not rise to the level of a critical flaw.

Peter is designing a vulnerability scanning program for the large chain of retail stores where he works. The store operates point-of-sale terminals in its retail stores as well as an e-commerce website. Which one of the following statements about PCI DSS compliance is not true? Peter's company must hire an approved scanning vendor to perform vulnerability scans. The scanning program must include, at a minimum, weekly scans of the internal network. The point-of-sale terminals and website both require vulnerability scans. Peter may perform some required vulnerability scans on his own.

The scanning program must include, at a minimum, weekly scans of the internal network. PCI DSS only requires scanning on at least a quarterly basis and after any significant changes. Weekly scanning is a best practice but is not required by the standard. Peter must hire an approved scanning vendor to perform the required quarterly external scans but may conduct the internal scans himself. All systems in the cardholder data environment, including both the website and point-of-sale terminals, must be scanned.

Evan is troubleshooting a vulnerability scan issue on his network. He is conducting an external scan of a website located on the web server shown in the diagram. After checking the Apache httpd logs on the web server, he saw no sign of the scan requests. Which one of the following causes is the least likely issue for him to troubleshoot? Diagram shows Internet connected to firewall (via IDS), which is connected to internal network and DMZ (via IPS), where internal network is connected to workstation and file server and DMZ is connected to email server and web server. The scans are being blocked by an intrusion prevention system. The scans are being blocked by an Apache .htaccess file. The scans are being blocked by a network firewall. The scans are being blocked by a host firewall.

The scans are being blocked by an Apache .htaccess file. All of the scenarios described here could result in failed vulnerability scans and are plausible on this network. However, the fact that the Apache logs do not show any denied requests indicates that the issue is not with an .htaccess file on the server. If this were the case, Evan would see evidence of it in the Apache logs.

Sam is looking for evidence of software that was installed on a Windows 10 system. He believes that the programs were deleted and that the suspect used both registry and log cleaners to hide evidence. What Windows feature can't he use to find evidence of the use of these programs? The MFT Volume shadow copies The shim (application compatibility) cache Prefetch files

The shim (application compatibility) cache The shim cache is used by Windows to track scripts and programs that need specialized compatibility settings. It is stored in the registry at shutdown, which means that a thorough registry cleanup will remove program references from it. The master file table (MFT), volume shadow copies, and prefetch files can all contain evidence of deleted applications.

As part of her incident response process on a live Windows system, Alex reviews services using services.msc. What finding should Alex take away from her review of this based on the image shown here? Window shows table with columns for number, time, source, destination, protocol, length, and info. Services are running normally. The system is infected with malware. The system's Windows antivirus software is disabled. The system will not generate logs properly because Event Collector is set to Manual.

The system's Windows antivirus software is disabled. Windows Defender is set to Disabled, and the network protections are set to Manual, meaning that the system's antivirus is likely disabled. This does not necessarily mean that the system is infected with malware, but some malware does attempt to disable antivirus software. The Windows Event Collector that is set to Manual collects remote WMI events and will not prevent the system from logging normally.

What information can be gathered by observing the distinct default values of the following TCP/IP fields during reconnaissance activities: initial packet size, initial TTL, window size, maximum segment size, and flags? The target system's TCP version The target system's operating system The target system's MAC address These fields are only useful for packet analysis.

The target system's operating system. Operating system fingerprinting relies on the differences between how each operating system (and sometimes OS versions) handles and sets various TCP/IP fields, including initial packet size, initial TTL, window size, maximum segment size, and the don't fragment, sackOK, and nop flags.

Dylan is an IT consultant brought in to assess the maturity of risk management practices at a firm using the NIST Cybersecurity Framework. During his evaluation, he determines that the organization does use an organization-wide approach to managing cybersecurity risk but that it does not use risk-informed policies, processes, and procedures to address potential cybersecurity events. At what tier of the Cybersecurity Framework does this organization's risk management program reside? Tier 1: Partial Tier 2: Risk Informed Tier 3: Repeatable Tier 4: Adaptive

Tier 3: Repeatable The hallmark of a Tier 3 risk management program is that there is an organization-wide approach to managing cybersecurity risk. In a Tier 4 program, there is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Niesha discovered the vulnerability shown here on a server running in her organization. What would be the best way for Niesha to resolve this issue? Window shows sections for 4 OpenSSH AES-GCM cipher remote code execution vulnerability, threat, impact, solution, compliance, exploitability, associated malware, and results, and options for first detected, last detected, vendor reference, et cetera. Disable the use of AES-GCM. Upgrade OpenSSH. Upgrade the operating system. Update antivirus signatures.

Upgrade OpenSSH The best way to resolve this issue would be to upgrade to OpenSSH 6.4, as stated in the solution section of the report. Disabling the use of AES-GCM is an acceptable workaround, but upgrading to a more current version of OpenSSH is likely to address additional security issues not described in this particular vulnerability report. There is no indication that an operating system upgrade would correct the problem. The vulnerability report states that there is no malware associated with this vulnerability, so antivirus signature updates would not correct it.

After finishing a forensic case, Lucas needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the SSD that he will use? Degauss the drive. Zero write the drive. Use a PRNG. Use the ATA Secure Erase command.

Use the ATA Secure Erase command. The ATA Secure Erase command wipes all of an SSD, including host-protected area partitions and remapped spare blocks. Degaussing is used for magnetic media such as tapes and is not effective on SSDs, while zero writing or using a pseudorandom number generator to fill the drive will not overwrite data in the host-protected area or spare blocks, which most SSDs use for wear leveling.

Jessie needs to prevent port scans like the scan shown here. Which of the following is a valid method for preventing port scans? Not registering systems in DNS Using a firewall to restrict traffic to only ports required for business purposes Using a heuristic detection rule on an IPS Implementing port security

Using a heuristic detection rule on an IPS. Using an intrusion prevention system (or other device or software with similar capabilities) to block port scans based on behavior is the most effective method listed. Not registering systems in DNS won't stop IP-based scans, and port scans will still succeed on the ports that firewalls allow through. Port security is a network switch-based technology designed to limit which systems can use a physical network port.

Which CompTIA-defined phase of an incident response process includes scanning, validating and updating permissions, and patching impacted machines? Eradication Validation Recovery Reporting

Validation CompTIA includes patching, permissions, scanning, verifying logging, and communicating to security monitoring systems in the validation stage. This differs from the NIST standard, which groups activities into eradication and recovery phases.

