Incident Response
A company has a list of high-value assets (HVAs). As a security analyst, what must you do to help protect those assets? (Select two.)
- Make sure an incident involving one of the HVAs is always high priority. - Make sure the response team can easily identify the HVAs.
Your IT coworker complains that their password-cracking attempt against a laptop from a former employee is taking too long. The former employee says they can't remember the password, but they know it was all lowercase English letters and less than 10 characters long. The password was also just random letters, not based on any words. The IT coworker asks you to review the settings to see what they are doing wrong. They shows you the way they had it configured, as seen in the picture below. Why is it taking so long? (Select two.)
- They have configured it to try password lengths of 1-16 characters. - They have selected a character set that includes all letters, numbers, and special characters.
What BEST defines an RST flag?
A TCP flag that resets the connection.
Which of the following ensures compatibility with existing systems and reduces the impact on daily operations?
A change control process
Which of the following best describes a rogue access point attack?
A hacker installing an unauthorized access point within a company.
Which of the following BEST describes a DoS attack?
A hacker overwhelms or damages a system and prevents users from accessing a service.
Which of the following best describes a wireless access point?
A networking hardware device that allows other Wi-Fi devices to connect to a wired network.
Which of the following best describes a wireless hotspot?
A physical location where people may obtain free internet access using Wi-Fi.
Vulnerability scanning has its limitations. Which answer BEST describes the concept of point in time?
A scan can only obtain data for the period of time that it runs.
As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your BEST assessment regarding ARP poisoning?
ARP poisoning is occurring, as indicated by the duplicate response IP address.
Which type of wireless network does not use a wireless access point?
Ad-hoc
Which of the following BEST describes a DoS fragmentation attack?
An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.
Which of the following BEST describes a high-value asset?
An offline asset that halts production.
From your Kali Linux computer, you have used a terminal and the airodump-ng command to scan for wireless access points. From the results shown, which of the following is most likely a rogue access point?
CoffeeShop
Which of the following packet crafting software programs can be used to modify flags and adjust other packet content?
Colasoft
What is the name of the sanitization method that involves destruction of an encryption key to render a drive's data useless?
Cryptographic erase
You want a list of all open UDP and TCP ports on your computer. You also want to know which process opened the port, which user created the process, and what time is was created. Which of the following scanning tools should you use?
Currports
In 2016, an attacker used a botnet of security cameras, DVRs, and network printers to target a cloud-based internet performance management organization that provided DNS services to large corporations. This created connectivity issues for legitimate users across the United States and Europe. Which type of attack was MOST likely used in this scenario?
DDoS attack
You train your staff to notify you if they notice any of the following signs: - Services are unavailable or very slow - Unexpected 503 error messages - Abnormal spikes in network traffic - Customer complaints about access Which type of attack are you preparing against?
DDoS attack
During which phase of the incidence response life cycle do you identify an attack or an incident after it has begun?
Detection and analysis
During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
Disconnect the access point from the network.
When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?
Document what is on the screen.
What is the primary purpose of eradication?
Eliminate all traces of an incident while carefully preserving evidence that may be used in a criminal investigation.
Which of the following malware analysis techniques identifies unique malware programs by generating a hash for that program?
Fingerprinting
A hacker wants to check if a port is open using TCP Protocol. The hacker wants to be stealthy and not generate any security logs. Which type of port scan is BEST suited for this endeavor?
Half-open scan
If an employee is suspected of being an insider threat, he or she should be reported and mitigated through which department?
Human resources
In which of the following areas would you MOST likely update the knowledge base?
IOC generation
A hacker finds a target machine but wants to avoid getting caught, so they find another system to take the blame. This system is frequently called a zombie machine because it's disposable and creates a good distraction. Which of the following port scans is being used?
Idle scan
Which of the following uses the TCP/IP stack and is effectively employed to slow down the spread of worms, backdoors, and similar malware?
Layer 4 tarpit
A penetration tester is trying to extract employee information during the reconnaissance phase. Which kinds of data is the tester collecting about the employees?
Names, phone numbers, email addresses, fax numbers, and addresses
Which of the following sends you an alert when an automated port scan is detected?
Network intrusion system
A ping sweep is used to scan a range of IP addresses to look for live systems. A ping sweep can also alert a security system, which could result in an alarm being triggered or an attempt being blocked. Which type of scan is being used?
Network scan
Which type of information contains intellectual property?
Operations
Which of the following BEST describes the type of network Bluetooth devices create?
PAN
Which of the following types of wireless antenna is shown in the image?
Parabolic
PII, if exposed or captured by attackers, can be used to exploit and blackmail. What is PII?
Personally identifiable information
During which phase of the incident response life cycle do you hold meetings to discuss lessons learned from the incident and the response?
Post-incident activities
Which of the following is one of the five phases of the incident response life cycle?
Preparation
All incident-related questions from outside the organization should be handled through which department?
Public relations
A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem?
Run a network bandwidth test on the company's network to determine if there are any anomalies.
Which of the following protocols is most secure?
SSH
TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection to a system port. Computer 1 sends a SYN packet to Computer 2. Which packet does Computer 2 send back?
SYN/ACK
You are using an iOS device. You want to scan networks, websites, and ports to find open network devices. Which of the following network mapping tools should you use?
Scany
Which of the following containment methods divides the network into subnetworks that are unable to communicate with each other directly?
Segmentation
It is important to be prepared for a DoS attack, as these attacks are becoming more common. Which of the following BEST describes the response you should take for a service degradation?
Set services to throttle or shut down.
A manager is asking questions about why you must use a disk wiping utility before donating old hardware to a charity. How would you answer that question?
Simply deleting data using a workstation's standard tools does not really remove data from the hard drive.
You are assigned the task of reviewing incoming and outgoing traffic on a Windows server that has been reported as sluggish. There are no servers or appliances on the segment that can capture the traffic to the machine, so you will run your own tool. Which tool will provide you with live data, showing connections, ports, protocols, and volume of traffic similar to the image below?
TCPView
Costs that are easily identifiable and quantifiable, such as damaged hardware, stolen passwords, and lost or corrupted data, are considered which type of impact?
Tangible
You have been asked to crack the password on a zip file for the CEO. The employee who sent it to the CEO told them the password over the phone, but the CEO forgot it, and the employee who knows the password is unavailable for the next week. You are using John the Ripper on Linux to recover the password. You transferred the file to your Linux machine and ensured that John the Ripper is installed, but you receive the following message. Which step did you skip?
The hash has to be determined for the file.
A recently patched Windows machine on your network no longer responds to ping, but you have confirmed it is otherwise functioning normally and servicing incoming connections to other machines on the network. No other changes were made to the machine or its connection to the network. When you use hping3, you get the following output. Which of the following BEST explains that behavior?
The machine's firewall is blocking ICMP.
Which of the following BEST describes scan information?
The name of the scanning tool, its version, and the network ports that have been scanned.
Which method does degaussing use to securely dispose of data?
The use of a powerful magnetic force to wipe data completely from a drive.
While analyzing network traffic on your company network, you see the following in Wireshark. What appears to be happening?
There is an ICMP flood attack.
Damage to an organization's reputation and other non-cost incident consequences are considered which type of impact?
Total impact
Which method involves considering all an incident's details and taking action to keep the incident from happening again.
Vulnerability mitigation
Which type of scan is used to find system weaknesses, such as open ports, access points, and other potential threats?
Vulnerability scan
When decommissioning assets, which of the following MUST be recycled?
- CRT monitors - Notebook batteries
What types of computing devices are typically deployed as rogue devices? (Select two.)
- DHCP server devices - Wireless access points
You are looking for a wipe utility to erase deleted files without affecting any other files. Which utilities could you use? (Select two.)
- DP Shredder - Cipher
Which of the following methods for making data inaccessible is considered insufficient for preventing data recovery? (Select two.)
- Deleting or changing all partitions on the device. - Formatting all partitions.
The economic impact of an incident can be tangible or intangible. Which of the following costs would be considered intangible? (Select two.)
- Loss of potential customers - Damage to reputation
During which phase of the incident response life cycle do you isolate affected systems and restrict communication to only trusted individuals?
Containment
You are configuring a pfsense appliance to support a new guest Wi-Fi network, which will be used by potentially hundreds of customers per day. This new network will connect to the internet through your corporate network, although many switches and firewalls are in place to help with security. You are using a pfsense appliance to serve up the terms and conditions for users to agree to. What might be the BEST option for keeping your corporate network secure?
Create a VLAN for the new Wi-Fi network.
Your company allows guests that visit the office access to Wi-Fi. You have created a separate ESSID called CorpGuest. It is not using encryption. You need to make sure that guests who connect understand the rules in place. How can you best do this?
Create a captive portal with a link to the terms and conditions for connecting.
You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?
Document what is on the screen.
Which Wi-Fi attack uses a rogue access point configured with the same SSID as the organization's SSID?
Evil twin
An employee has asked for help with some files they accidently deleted from their machine. They were a training schedule and a resume for a new employee named Jack. You access the machine, install Recuva, and run it. You point to the directory where the files were located, but you only see one file can be recovered. How do you best explain this?
File recovery software can't always reclaim data from free space.
A hacker doesn't want to use a computer that can be tracked back to them. They decide to use a zombie computer. Which type of scan BEST describes what the hacker is doing?
Idle scan
An incident that impacts a company's primary functions to the point that it cannot continue with business as usual is considered to have which type of impact?
Organizational impact
You need to prepare a computer for surplus. Which of the following is the BEST option for removing data from the hard drives so that it cannot be retrieved?
Overwrite the disks with a series of 1s and 0s.
Which of the following flags is used by a TCP scan to direct the sending system to send buffered data?
PSH
Which of the following scans is used to actively engage a target in an attempt to gather information about it?
Port scan
Which phase includes taking the recommendations that can be put into action through security implementations, policies, and procedures?
Post-incident feedback
During which phase of the incident response life cycle do you reinforce your systems, policies, and procedures to ensure that your resources are well secured?
Preparation
Alex, a security specialist, is using an Xmas tree scan. Which of the following TCP flags will be sent back if the port is closed?
RST
Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?
Run an antivirus software scan on Karen's device and scan the entire network.
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?
Run anti-malware scans
MinJu, a penetration tester, is testing a client's security. She notices that every Wednesday, a few employees go to a nearby bar for happy hour. She goes to the bar and starts befriending one of the employees with the intention of learning the employee's personal information. Which information-gathering technique is MinJu using?
Social engineering
You are configuring a wireless access point and are presented with the image shown below. Which of the following is the most correct statement regarding the access point's configuration?
The Host Name is what the users see in the list of available networks when they connect to the access point.
You are configuring several wireless access points for your network. Knowing that each access point will have a service set identifier (SSID), you want to ensure that it is configured correctly. Which of the following SSID statements are true?
The SSID is a unique name separate from the access point name.
You are asked to capture traffic from a remote Linux host in a satellite office that only has SSH access configured and has no GUI. The machine has tshark installed and is connected to the LAN via Ethernet. You use the tshark -w eth0 -i /tmp/capture.pcap command and see the following results. What should you do next?
Use the tshark -r /tmp/capture.pcap command to review the contents of the .pcap file.
A technician is using a modem to dial a large block of phone numbers in an attempt to locate other systems connected to a modem. Which type of network scan is being used?
Wardialing
Downtime, penalties, and damage to assets are incident consequences with which type of impact?
Immediate impact
The process of determining the extent of damage/potential damage from a security event is known as what?
Impact analysis
The following information about an incident should be provided to stakeholders: - What caused the incident and which security measures have been taken. - What was the incident's financial, systemic, and reputational impact. - How have policies and procedures been updated because of the incident. Which report should be used to share this information?
Incident summary
Which of the following BEST describes system logs?
Indicate logins with escalated privileges.
Which of the following elements of penetration testing includes the use of web surfing, social engineering, dumpster diving, and social networking?
Information gathering techniques
A hacker is gathering information about operating systems, applications, security policies, and network mapping. This BEST describes which of the following information types?
Information systems
What is a likely motivation for DoS and DDoS attacks?
Injury of the target's reputation
Which of the following BEST describes the isolation-based containment method?
Involves disconnecting a device, VLAN, or network segment from the rest of the network
Which wireless component functions as a bridge between a wired and wireless network?
Wireless access point
Which type of scan turns on an abundance of flags, causing the packet to be lit up?
Xmas tree scan
Which of the following types of antennas is a special type of high-gain directional antenna?
Yagi
Which of the following types of wireless antenna is shown?
Yagi
Your network has been subject to a variety of network attacks and you are currently monitoring the user logs for suspicious activity, yet further attacks are still occurring. Which additional step could you take to increase network security?
You could regularly scan your system for vulnerabilities.
A compromised computer that is used by an attacker to conduct malicious activities, like DDoS attacks, is known as a _________?
Zombie device
Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?
ip.src ne 192.168.142.3
A Windows machine in your office has been sending and receiving more traffic than usual, and a user is complaining that it has a slow connection. Your manager would like statistics on all protocol traffic to and from that machine over Ethernet. The netstat command can do that, but you need to know the switch that will give an output similar to what is shown below. Which command and options should you use?
netstat -e -s
Post-incident activities provide an opportunity to learn from experiences. The feedback gathered in this phase can be used to improve on existing security policies and procedures. A good way to gather this information is to hold a meeting to discuss the incident and the incident response. What is this meeting called?
Lessons learned
John, a security analyst, needs a network mapping tool that will diagram network configurations. Which of the following BEST fits this category?
NetAuditor
