Jason Dion Section 7 Practice exam
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on? A.Blue team B.Yellow team C.Red team D.White team
A.Blue team Explanation OBJ-1.4: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. C.The red team acts as the adversary. The blue team acts as the defenders. D.The white team acts as the referees and sets the parameters for the exercise. B.The yellow team is responsible for building tools and architectures in which the exercise will be performed.
Which of the following information is traditionally found in the SOW for a penetration test? A.Excluded hosts B.Format of the executive summary report C.Maintenance windows D.Timing of the scan
A.Excluded hosts Explanation OBJ-1.4: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside of their scope of the assessment. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The contents of the executive summary report are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.
Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan? A.Only employees of the company B.Only an approved scanning vendor C.Any qualified individual D.Anyone
B.Only an approved scanning vendor Explanation OBJ-2: The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law, but a formal policy created by the credit card industry that must be followed by organizations wishing to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV).
Which of the following is the default nmap scan type when you do not provide with a flag when issuing the command? A. A TCP FIN scan B.A TCP connect scan C.A TCP SYN scan D.A UDP scan
C.A TCP SYN scan Explanation OBJ-1: By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). D.A UDP scan requires the -sU flag to be issued when launching a nmap scan. A.A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.
Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive? A.Analyzing the memory dump file B.Analyzing the hibernation file C.Retrieving the key from the MBR D.Performing a FireWire attack on mounted drives
C.Retrieving the key from the MBR Explanation OBJ-3: BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR. BitLocker keys can also be retrieved via hibernation files or memory dumps. The recovery key may also be retrieved by conducting a FireWire attack on the mounted drive using a side-channel attack known as a DMA attack.
Which of the following technologies is NOT a shared authentication protocol? A.LDAP B.OpenID Connect C.OAuth D.Facebook Connect
A.LDAP Explanation OBJ-4: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. B.Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. C.OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A.Fault Injector B.Fuzzer C.Decompiler D.Static code analyzer
D.Static code analyzer Explanation OBJ-4: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through the use of a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run in order to be analyzed.
Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A.Compensating controls B.Technical controls C.Physical controls D.Administrative controls
B.Technical Controls Explanation OBJ-4: Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware. D. Administrative controls involve processes and procedures. C.Physical controls include locks, fences, and other controls over physical access. A.Compensating controls are controls that are put in place to cover any gaps and reduce the risk remaining after using other types of controls.
Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? A.Session management B.Output encoding C.Input validation D.Error handling
C.Input validation
An organization wants to choose an authentication protocol that can be used over an insecure network without having to implement additional encryption services. Which of the following protocols should they choose? A.TACAS+ B.RADIUS C.Kerberos D.TACAS
C.Kerberos Explanation OBJ-4: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS, and TACACS+ are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? A.Memorandum of understanding B.Service level agreement C.Rules of engagement D.Acceptable use policy
C.Rules of engagement Explanation OBJ-1.4: While the network scope given in the contract documents will define what will be tested, the rules of engagement defines how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money. B.A service level agreement contains the operating procedures and standards for a service contract. D.An acceptable use policy is a policy that governs employees' use of company equipment and internet services.
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A.Non-credentialed scan B.Internal scan C.External scan D.Credentialed scan
D.Credentialed scan Explanation OBJ-2: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. A.Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. B&C.The network location of the scanner does not have a direct impact on the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? A.Business architecture B.Data architecture C.Technical architecture D.Applications architecture
C.Technical architecture Explanation OBJ-4: TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to business processes. Data architecture provides the organization's approach to storing and managing information assets. This question may seem beyond the scope of the exam, but the objectives allow for "other examples of technologies,
You have been tasked to create some baseline system images in order to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? A.Utilizing a known malware plugin B.Utilizing a authorized credential scan C. Utilizing a non-credential scan D,Utilizing an operating system SCAP plugin
D,Utilizing an operating system SCAP plugin OBJ-2: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry-standard and support testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time, instead of comparing against a known good baseline.
Stephane was asked to assess the technical impact of a reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization's WHOIS data. Which category of technical impact should he classify this as? A.Low B.High C.Medium D.Critical
A. Low Explanation OBJ-1.4: This would be best classified as a low technical impact. Since WHOIS data about the organization's domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is actually published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? A.On-demand vulnerability scanning B.Scheduled vulnerability Scanning C.Agent-based monitoring D.Continuous vulnerability scanning
C.Agent-based monitoring Explanation OBJ-2: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. A,B&D.While vulnerability scans can give you a snapshot of a system's status at a certain time, it will not remain current and accurate without continual rescanning.
What technology is NOT PKI x.509 compliant and cannot be used in a variety of secure functions? A.PKCS B.SSL/TLS C.AES D.Blowfish
D.Blowfish Explanation OBJ-4: A,B.,C. AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for the secure key exchange.
Which type of monitoring would utilize a network tap? A.Passive B.Router-based C.SNMP D.Active
A.Passive Explanation OBJ-1: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. D.Active monitoring relies on the scanning of targeted systems, not a network tap. B.Router-based monitoring would involve looking over the router's logs and configuration files. C. SNMP is used to monitor network devices, but is considered a form of active monitoring and doesn't rely on network taps.
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. In order to reduce the risk of a breach, which of the following vulnerabilities should be prioritized first for remediation? A. A buffer overflow that is knbown to allow remote code execution B.A website utilizing a self-signed SSL certificate C.An HTTP response that reveals an internal IP address D. A cryptographically weak encryption cipher
A. A buffer overflow that is knbown to allow remote code execution Explanation OBJ-2: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to most effectively prevent a security breach. While the other issues all should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is used to support a virtual private network (VPN)? A.SSLv2 B.IPSec C.SSLv3 D.PPTP
B.IPSec Explanation OBJ-2: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, the use of PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.
You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? A.NTFS B.exFAT C.HFS+ D.FAT32
C.HFS+ OBJ-3: The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by macOS system. NTFS is not supported by macOS without additional drivers and software tools.
Which of the following tools is considered a web application scanner? A.Qualys B.OpenVAS C.Nessus D.Zap
D.Zap Explanation OBJ-2: OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner. It is a free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.
Which model of software development emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? A.RAD B.Waterfall C.Agile D.SPiral
C.Agile Explanation OBJ-4: Agile software development is characterized by the principles of the Agile Manifesto. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process. B.The waterfall model is a breakdown of project activities into linear sequential phases, where each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks. A.Rapid Application Development (RAD) is a form of agile software development methodology that prioritizes rapid prototype releases and iterations. Unlike the Waterfall method, RAD emphasizes the use of software and user feedback over strict planning and requirements recording. D.Spiral development is a risk-driven software development model that guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping.
What two techniques are commonly used by port and vulnerability scanners to identify the services running on a target system? A.Using the -O option in nmap and UDP response timing B.Comparing response fingerprints and registry scanning C.Banner grabbing and UDP response timing D.Banner grabbing and comparing response fingerprints
D.Banner grabbing and comparing response fingerprints Explanation OBJ-1: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. C.UDP response timing, along with other TCP/IP stack fingerprinting techniques, are used to identify operating systems only. A.Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.
During which phase of the incident response process does an organization assemble an incident response toolkit? A.Preparation B.Post-incident activity C.Containment, eradication, and recovery D.Detection and analysis
A.Preparation Explanation OBJ-3: During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. D.During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. C. During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges. B.During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
Which of the following does a User Agent request a resource from when conducting a SAML transaction? Service provider (SP) Single sign-on (SSO) Identity provider (IdP) Relying party (RP)
A.Service provider (SP) Explanation OBJ-4: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). D.The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). C.The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A.VM escape B.VM sprawl C.VM migration D.VM data remnant
A.VM escape Explanation OBJ-2: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. D.Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. B.Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. C.Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? A.Insider threat B.Advanced persistent threat (APT) C.Spear phishing D.Privilege escalation
B.Advanced persistent threat (APT) Explanation OBJ-3: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. An APT refers to the ongoing ability of an adversary to compromise network security, to obtain and maintain access, and to use a variety of tools and techniques. They are often supported and funded by nation-states, or work directly for a nation-states' government. C.Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. A. An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. D.Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn't specify what method was used. Therefore, APT is the best answer to select.
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A.DMARC B.DKIM C.SPF D.SMTP
B.DKIM Explanation OBJ-2: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. C.Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send email from that domain and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. A.The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively. DMARC relies on DKMI for the cryptographic authentication mechanism, making it the incorrect option for this question. D.The simple mail transfer protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.
Which of the following would NOT be useful in defending against a zero-day threat? A.Threat intelligence B.Patching C.Segmentation D.Whitelisting
B.Patching Explanation OBJ-3: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. This attack has no time (or days) between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. C.By using segmentation, whitelisting, and threat intelligence, a cybersecurity analyst can put additional mitigation in place that would protect the network even if a zero-day attack was successful.
During which incident response phase is the preservation of evidence performed? A.Detection and analysis B.Post-incident activity C.Containment, eradication, and recovery D.Preparation
C.Containment, eradication, and recovery Explanation OBJ-3: A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. D.During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. A.During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided that they can predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model? A.Extended B.Regular C.Supplemented D.Non-recoverable
C.Supplemented Explanation OBJ-3: Based on the scenario given, the best choice is supplemented. The NIST keys are to remember that each level has additional unknowns as well as resources that increase the severity level from regular to supplemented then to extended. D.Non-recoverable situations exist when whatever happened cannot be remediated. In this case, an investigation would be started. In a non-governmental agency, this phase might even include notifying law enforcement. This question may seem beyond the scope of the exam, but the objectives allow for "other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered" in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal is not to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
You are a cybersecurity analyst and your company has just enabled key-based authentication on its SSH server. Review the following log file:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN LOG ------------- Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2 Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2 Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2 Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2 Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2 Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2 ————————-- END LOG -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following actions should be performed to secure the SSH server? A.Disable remote root SSH logons B.DIsable password authentication for SSH C.Disable SSHv1 D.Disable anonymous SSH logon
A. Disable remote root SSH logons B.Disable password authentication for SSH C.Disable SSHv1 D.Disable anonymous
Which of the following types of scans are useful for probing firewall rules? A.TCP RST B.TCP ACK C.TCP SYN D.XMAS TREE
B. TCP ACK Explanation OBJ-1.2: TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with a RST packet. Firewalls that block the probe, usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered, but if the firewall is configured to drop packets for disallowed ports instead of sending a RST packet, then a TCP SYN scan will not be able to determine if a firewall was there or if the port was simply unavailable. A TCP RST packet is sent by a target in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. A XMAS Tree scan will set the FIN, PSH, and URG flags in the TCP packet. This is a very noisy type of scan and not useful for probing firewall rules
Trevor is responsible for conducting the vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report? A.Create an account for the supervisor to the vulnerability scanner so they can run their own reports B.Create a custom report that is automatically emailed each month to the supervisor with the needed information C.Run a report each month and then email it to his supervisor D.Create an account for the supervisor's assistant so they can create their own reports
B.Create a custom report that is automatically emailed each month to the supervisor with the needed information Explanation OBJ-2: The best solution is to design a report that provides all necessary information and configure the system to automatically send this report to the supervisor automatically each month. D. It is not a good practice to create additional accounts on the vulnerability scanner beyond what is necessary per the concept of least privilege. C.It is also inefficient for Trevor to run the reports each month and then have to email them to his supervisor. When possible, the use of automation should be encouraged.
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A.BGP looking glass usage B.WHOIS lookups C.Registrar checks D.Banner grabbing
D.Banner grabbing Explanation OBJ-1: Banner grabbing requires a connection to the host in order to successfully grab the banner. This is an active reconnaissance activity. All other options are considered to be passive processes and typically use information retrieved from third-parties that do not require a direct connection to an organization's remote host.
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long strings of text and then began using the sudo command to carry out actions. What type of attack has just taken place? A.Session hijacking B.Phishing C.Social Engineering D,Privilege escalation
D,Privilege escalation
As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve some information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? A.Use a nmap ping sweep B.Perform a DNS brute-force attack C.Use a nmap stealth scan D.Perform a DNS zone transfer
Explanation OBJ-1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A&C.Conducting either a ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. D.A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.B.Perform a DNS brute-force attack
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the imaging failure? A.The source drive is encrypted with Bitlocker B.The data on the source drive was modified during the image C.There are bad sectors on the destination drive D.The data cannot be copied using the RAW format
Explanation OBJ-3: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit by bit copy and will copy even the bad sectors of the source drive. Even if the source disk was encrypted, the dd program would create a bit by bit copy to the destination drive for later attempts at cryptoanalysis. Even if the data was modified, this would not cause the copy to fail. Instead, the copy would simply continue and record the modified data instead of the original data.
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A.192.186.1.100 B.172.16.1.100 C.10.15.1.100 D.192.168.1.100
A.192.186.1.100 OBJ-2: This question is testing your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-32.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100, since it is not a private IP address.
A cybersecurity analyst is working at a college that wants to increase the security of its network by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must be able to scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the numbrt of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A.Active scanning engine installed on the enterprise console B.Passive scanning engine located at the core of the network infrastructure C.Combination of cloud-based and server-based scanning engines D.Combination of server-based and agent-based scanning engines
A.Active scanning engine installed on the enterprise console Explanation OBJ-2: Since the college wants to ensure there is a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college's cybersecurity analysts could perform scans on any devices that are connected to the network using the active scanning engine at the desired intervals. D.Agent-based scanning would be ineffective since the college cannot force the installation of the agents onto each of the personally owned devices brought in by the students or faculty. C.A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.
Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach and they are going to assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? A.Ask a member of law enforcement to meet with your employees B.Require all employees to commit to an NDA about the data breach verbally C.Require all employees to commit to an NDA about the data breach in writing D.Block all employee access to social media from the company's network and begin monitoring your employee's email
A.Ask a member of law enforcement to meet with your employees OBJ-3: Since the data breach is now the subject of an active law enforcement investigation, your organization should request that a law enforcement agent speaks with your employees to give them clear guidance on what they should and should not say to people outside of the investigation. Additionally, the company's system administrators and analysts should not perform any actions on the network until they receive guidance from law enforcement. This will ensure that the employees do not accidently destroy and tamper with potential evidence of the crime.
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: -=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=- ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7= -=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=- Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A.Base64 B.SQL C.XML D.QR coding
A.Base64 Explanation OBJ-1.4: While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can attempt to decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those, as well. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some kind of data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in the example output provided in this question.
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A.Improper error handling B.Use of insecure functions C.Insufficient logging and monitoring D.Insecure object reference
A.Improper error handling Explanation OBJ-3: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail in a way that allows the attacker to execute code or perform some sort of injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. D.Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. C.Insufficient logging and monitoring allows attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. B.The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A.Behavior B.Anomaly C.Trend D.Heuristic
A.Behavior Explanation OBJ-1.2: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. Heuristic analysis determines whether a number of observed data points constitutes an indicator and whether related indicators make up an incident depend on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. B.Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. C.Trend analysis is not used for detection, but instead to better understand capacity and the normal baseline of a system. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns in relation to the entity being monitored (in this case, user logins). B.Anomaly-based detection prescribes the baseline for expected patterns based on its own observation of what normal looks like.
Which of the following provides a standard nomenclature for describing security-related software flaws? A.CVE B.VPC C.SOX D.SIEM
A.CVE Explanation OBJ-2: Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. D.A SIEM is a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. B.A VPC is a private network segment made available to a single cloud consumer on a public cloud. C.The Sarbanes-Oxley Act (SOX) dictates requirements for the storage and retention of documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods.
Which of the following elements is LEAST likely to be included in an organization's data retention policy? A.Classification of information B.Minimum retention period C.Maximum retention period D.Description of information needing to be retained
A.Classification of information Explanation OBJ-4: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy, but instead would be a key part of your organization's data classification policy.
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A.Clear B.Purge C.Destroy D.Degauss
A.Clear OBJ-3: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? A.Conduct a brute-force attack against the FileVault 2 encryption B.Extract the keys from iCloud C.Acquire the recovery key D.Retrieve the key from memory while the volume is mounted
A.Conduct a brute-force attack against the FileVault 2 encryption Explanation OBJ-3: FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The Recovery key can also be obtained either from the user's notes or from their storage area of iCloud. You cannot unlock the volume by conducting a brute force attack against the drive since it uses AES 256-bit encryption system, which is currently unbreakable without access to a super computer.
A software assurance test analyst is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? A.Fuzzing B.Known bad data injection C.Static code analysis D.Sequential data sets
A.Fuzzing Explanation OBJ-4: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), for failing built-in code assertions, or for finding potential memory leaks. Dynamic code analysis relies on studying how the code behaves during execution. D.Fuzzing a specific type of dynamic code analysis, making it a better answer to this question. C.Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data that is known to cause an exception or fault is entered as part of the testing/assessment. With known bad data injections, you would not use randomly generated data sets, though.
You have just completed writing the scoping document for your next penetration test, which clearly defines what tools, techniques, and targets you intend to include during your assessment. Which of the following actions should you take next? A.Get leadership concurrence on the scoping document B.Conduct passive fingerprinting on the target servers C.Provide a copy of the scoping document to local law enforcement D.Conduct a port scan of the target network
A.Get leadership concurrence on the scoping document Explanation OBJ-1: Once the scoping document has been prepared, it is important that you get concurrence with your plan before you begin your penetration test. Therefore, you must get the scoping plan signed off by the organization's leadership as your next action. You should never begin a penetration test before you have written permission and concurrence from the target organization. D.Port scanning of the target and even passive fingerprinting could be construed as a cyber crime if you did not get the scoping document signed off before beginning your assessment. C.There is no requirement to notify local law enforcement of your upcoming penetration test as long as you have a signed scoping document and contract with the targeted company.
You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A.Integer overflow attack B.Password spraying C.SQL Injection D.Impersonation
A.Integer Overflow Attack Explanation OBJ-1.2: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number that is too large to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the client-side of the application. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for the purpose of fraud.
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? A.MD5 or SHA1 hash digest of the file B.Private key of the file C.File size and file creation date D.Public key of the file
A.MD5 or SHA1 hash digest of the file Explanation OBJ-3: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file in order to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparison of hash digests. B&D.A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure the confidentiality of data, whereas a hash digest ensures integrity. C.The file size and file creation date are additional forms of metadata that could be used to help validate the integrity of a file, but they of a much lower quality and trust factor than using a hash digest, therefore MD5 or SHA1 is still a better choice.
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A.MSSP B.IaaS C.PaaS D.SaaS
A.MSSP Explanation OBJ-1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the scope of the exam, but the objectives allow for "other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered" in the bulletized lists of the objectives.
An analyst just completed a port scan and received the following results of open ports: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- TCP: 80 TCP: 110 TCP: 443 TCP: 1433 TCP: 3306 TCP: 3389 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on these scan results, which of the following services are NOT currently operating? A.SSH B.Web C.Database D.RDP
A.SSH Explanation OBJ-2: Based on the port numbers shown as open in the results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.
You are analyzing the logs of a forensic analysts workstation and see the following:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-What does the bs=1M signify in the command list above? A.Sets the block size B.Removes error messages and other incorrect data C.Sets the beginning sector D.Sends output to a blank sector
A.Sets the block size Explanation OBJ-3: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command.
Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? A.Zone transfer B.DNS Poisoning C.Split Horizon D.FQDN Resolution
A.Zone transfers Explanation OBJ-1.2: A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, this can allow an attacker to gather this information by performing a zone transfer. D.Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. C. Split horizon is a method of preventing a routing loop in a network. B.DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed there has been a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events? A.SQL injection B.Cross-site scripting C.Cross-site request forgery D.Rootkit
B.Cross-site scripting Explanation OBJ-4: OBJ-1.7: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to further compromise other accounts. C..A cross-site request forgery (CSRF) is an attack that forces an end-user to execute unwanted actions on a web application in which they are currently authenticated. .An XSS will allow an attacker to execute arbitrary JavaScript within the browser of a victim user (such as creating pop-ups), a CSRF would allow an attack to induce a victim to perform actions that they do not intend to perform. D.A rootkit is a set of software tools that enable an unauthorized user to gain control of a computer system without being detected. A. SQL injection is the placement of malicious code in SQL statements, via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or an SQL injection.
A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server-generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead they were simply listed in the results page of their search engine query. Which of the following is the BEST explanation for what has occurred? A.A Link related to the indicator was accidentally clicked by the analyst B.Prefetch is enabled on the analysts web browser C.The stadard approved browser was not being used by tghe analyst D.Alert is unrelated to the search that was conducted
B.Prefetch is enabled on the alayst's web browser OBJ-1.3: Prefetch is a capability in modern web browsers that is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->echo 127.0.0.1 diontraining.com >> /etc/hosts -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following best describes what actions were performed by this line of code? A.Routed traffic destined for the localhost to the diontraning.coom domain B.Routed traffic, destined for the diontraining.com domain to the localhost C.Addedd the website to system's whitelist in the hots file D.Attemoted to overwrite the host file and deleted data except this entry
B.RTouted traffic, destined for diontraining.com domain to the localhost Explanation OBJ-1.2: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain in order to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com are being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > was used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system whitelist file.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? A.Forcing the use of SSL for the web application B.Setting the secure attribute on the cookie C.Forcing the use of TLS for the web application D.Hashing the cookie value
B.Setting the secure attribute on the cookie OBJ-4: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. A&C.Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still would need to set the Secure attribute on the cookie. D.Hashing the cookie provides integrity of the cookie, not confidentiality; therefore, it will not solve the issue presented by this question
You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system which has a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? A.Exploiting the vulnerability does not require any specialized conditions B.The attacker must have access to the local network that the system is connected to C.Exploiting the vulnerability requires the existence of specialized conditions D.The attacker must have physical or logical access to the affected system
B.The attacker must have access to the local network that the system is connected to Explanation OBJ-2: The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct a remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to conduct the exploit locally at the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A.MAC Filtering B.Whitelisting C>Intrustion Detection System D.VPN
B.Whitelisting Explanation OBJ-1: By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the description in the scenario, it appears like the system is under some form of denial of service attack, but by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to help secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve the condition (whereas an IPS could).
During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? A.The server assumes you are conducting a DDoS B. You are scanning a CDN-hosted copy of the site C.Nothing can be determined about this site with the information provided D.The scan will not produce any useful information
B.You are scanning a CDN-hosted copy of this site Explanation OBJ-1: This result is occurring due to the company using a distributed server model that hosts content on Edge servers around the world as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. Based on the requested content, it may be served from the Edge server's cache, or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.
An analyst's vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans, but the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation? A.Test the vulnerability remediations in a sandbox before deploying them into peoduction B.Ensure the analyst manually validates that the updates are being performed as directed C.Create a script to automatically update the signatures every 24 hours D. Configure the vulnerability scanners to run in a credentialed mode C. D.
C.Create a script to automatically update the signatures every 24 hours Explanation OBJ-2: Since the analyst appears to not be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely to not be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if they are using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion, but it won't solve this scenario since we are concerned with the scanning portion or vulnerability management and not remediation in this question.
What containment techniques is the strongest possible response to an incident? A.Segmentation B.Enumeration C.Isolating affected systems D.Isolating the attacker
C.Isolating affected systems Explanation OBJ-3: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. A.Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. B.Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. C.Isolating the attacker would only stop their direct two-way communication and control of the affected system, but it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? A. Minimum password length B.Password history C.Password expiration D.Password complexiy
C.Password Expiration Explanation OBJ-4: A password expiration control in the policy would force users to change their password at specific intervals of time. This will then locks out a user who types in the incorrect password or create an alter that the user's account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario as it states the issue is based on time. B.Password history is used to determine the number of unique passwords a user must use before they can use an old password again. D.The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. A.Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.
You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? A.Use a UDP scan B.Scan using the -p 1-65535 flag C.Perform a scan from on-site D. Use an IPS evasion technique
C.Perform a scan from on-site Explanation OBJ-1: You should request permission to conduct an on-site scan of the network. If the organization's network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services that are running on the internal network. While nmap does provide some capabilities to scan through a firewall, it is not as detailed as being on-site.
Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that the application is still functioning properly after the patch is installed? A. User accpetance testing B.Penetration testing C.Regression testing D.Fuzzing
C.Regression testing OBJ-4: Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the requirements of a specification or contract have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
What is the term for the amount of risk that an organization is willing to accept or tolerate? A.Risk deterrence B.Risk avoidance C.Risk apptetite D.Risk transference
C.Risk apptetite Explanation OBJ-2: An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference is the response of moving or sharing the responsibility of risk to another entity.
Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A.Suspend the machine and make a forensic copy of the drive it resides on B.Shutdown the virtual machine off and make forenic copy of its disk image C.Suspend the machine and copy the contents of the directory it resides in D.Perform a live acquistion of the virtual machine's memory
C.Suspend the machine and copy the contents of the directory it resides in Explanation OBJ-3: The best option is to suspend the machine and copy the contents of the directory as long as you ensure you protect the integrity of the files by conducting a hash on them before and after copying the files. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, you can simply copy then entire Copying the folder will give all the information needed, but the virtual machine should not be powered off because creating a copy of the drive is not necessary because the files would still have to be validated. Live acquisition relies on a specialist hardware or software tool that can capture the contents of memory while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire contents of memory to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and will require you to shutdown the host machine to conduct the bit-by-bit copy.
Which of the following protocols is considered insecure and should never be used in your networks? A.SFTP B.SSH C.Telnet D.HTTPS
C.Telnet Explanation OBJ-2: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. B.SSH performs the same functions as telnet, but uses an encrypted tunnel to maintain the confidentiality of the data be sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. D.Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP that is used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.
You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A.Network flows for the DMZ containing the email servers B.The SMTP audit log from his companys email server C.The full email header from one of the spam messages D.Firewall logs showing the SMTP connections D.
C.The full email header from one of the spam messages Explanation OBJ-1: You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, then you will need to conduct more research to determine the best method to solve the underlying problem.
You just completed an nmap scan against a workstation and received the following output: -=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- # nmap diontraining012 Starting Nmap ( http://nmap.org ) Nmap scan report for diontraining012 (192.168.14.61) Not shown: 997 filtered ports PORT STATE 135/tcp open 139/tcp open 445/tcp open Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds -=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- Based on these results, which of the following operating system is most likely being run by this workstation? A.macOS B.CentOS C.Windows D.Ubuntu
C.Windows Explanation OBJ-2: The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.
What document typically contains high-level statements of management intent? A.STandard Guideline C.Procedure D.POlicy
D.Policy OBJ-2: Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://test.diontraining.com/profile.php?userid=1546https://test.diontraining.com/profile.php?userid=5482https://test.diontraining.com/profile.php?userid=3618-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-What type of vulnerability does this website have? A.Improper error handling B.Race condition C.Weak or default configurations D.Insecure direct object reference
D.Insecure direct object reference Explanation OBJ-4: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. In this scenario, an attacker could simply change the userid number and directly access any user's profile page. B.A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. C.Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. A.Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on potential flaws in the system.
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests the ability to block certain types of content before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? A.Install a firewall on the router's internal interface and a NIDS on the router's external interface B.Configure IP filtering on the internal and external interfaces of the router C.Installation of a NIPS on both the internal and external interfaces of the router D.Install a NIPS on the internal interface and a firewall on the external interface of the router
D.Install a NIPS on the internal interface and a firewall on the external interface of the router Explanation OBJ-4: Due to the requirements provided, you should install a NIPS on the internal interface of the gateway router and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered prior to reaching the network. Then, the NIPS can be used to conduct an inspection of the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. C.A NIPS is less powerful than a firewall and could easily "fail open" if it is overcome with traffic by being placed on the external interface. The NIPS being installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. For the same reasons that we wouldn't want to place the NIPS on the external interface in the correct choice, we also wouldn't choose to install a NIPS on both the internal and external connections. B.IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone, since it can only monitor and not provide the content blocking capabilities needed.
Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support a large number of users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users? A.Fuzz testing B.User acceptance testing C.Regression testing D.Load testing
D.Load testing OBJ-4: Load testing or stress testing puts an application, network, or system under full load conditions to document any lapses in performance. User Acceptance Testing is the process of verifying that a created solution/software works for a user. Regression testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features. Fuzz testing, or fuzzing, is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. It involves inputting massive amounts of random data to the test subject in an attempt to make it crash. User acceptance testing, regression testing, and fuzz testing are not designed to test a system under heavy load conditions. Therefore, they will not be suitable for Annah's needs in this scenario.
Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this? A.SoC B.CAN C.BAS D.SCADA
D.SCADA Explanation OBJ-2: SCADA (supervisory control and data acquisition) networks is a type of network that works off of an ICS (industry control system) and is used to maintain sensors and control systems over large geographic areas. C.A building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. B.Vehicular networks are called a controller area network (CAN). A CAN uses serial communication buses to connect electronic control units and other subsystems in cars and unmanned aerial vehicles (UAV). A.System-on-chip (SoC) is a design where all these processors, controllers, and devices are provided on a single processor die or chip.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network? A.The removal of known traffic B.The beaconing interval C.The beacon's persistence D.The beacon's protocol
D.The beacon's protocol Explanation OBJ-3: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. D.Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. C.Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. A.The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, therefore making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.