Security Operations and Monitoring
Which of the following defines all the prerequisites a device must meet in order to access a network?
Authentication
Which of the following applies the appropriate policies in order to provide a device with the access it's defined to receive?
Authorization
Which type of threat actor only uses their skills and knowledge for defensive purposes?
Authorized hacker
Which of the following should be implemented as protection against malware attacks?
DNS sinkhole
If a company wants to ensure that clients outside of their network are directed to an external DNS, which technique is BEST suited for this purpose?
DNS splitting
Where can you find a quick overview of your monitored system's current state?
Dashboard
The following steps BEST describe which one of the following data monitoring methods? -Keep a user log to document everyone that handles each piece of sensitive data. -Monitor the system in real time.
File monitoring
Which of the following is the process of determining the configuration of ACLs by sending a firewall TCP and UDP packets?
Firewalking
You are working on firewall evasion countermeasures and are specifically looking for a tool to expose TTL vulnerabilities. Which of the following tools would you use?
Firewalking
Which of the following is true about log review?
For logs to be beneficial, they must be analyzed.
Which of the following indicate the email highlighted below may be suspicious? (Select two.)
- There are several spelling mistakes in the email. - The link in the email is to an IP address; it is not to Microsoft's website.
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on a network?
ARP poisoning
You have run the ls -l command the output generated reads: -rwx r-x r-- root testout Which of the following statements is true?
The others entity has read access only.
Which of the following best describes source routing?
The packet's sender designates the route that a packet should take through the network.
Which of the following BEST describes the process of verifying that a device meets the minimum health requirements?
Posture assessment
Which of the following is the act of seeking to understand how malicious programs were programmed and what their capabilities are by extracting code from a binary executable?
Reverse engineering
William understands the need to keep internal and external DNS separate as a security countermeasure. Which term BEST describes this countermeasure?
Split DNS
Which of the following is a SIEM collection tool that's used to search and analyze large collections of data in multiple formats?
Splunk
You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?
St@y0ut!@
Which of the following is the practice of gathering insight about network events based on users daily behaviors to create a baseline for anomaly detection?
UEBA (User & Entity Behavior Analysis)
While looking at your Security Onion appliance, you noticed that there was a significant increase in after-hours traffic on your network when all workstations were powered off and nobody else was in the office. Some of this traffic generated alerts in Kibana. Also, your web server was very slow to respond when you checked the website. With the information in the graph below, what might be the cause? (Select two.)
- A DDoS attack - An ICMP flood attack
Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)
- Ransomware - Rootkit
Tokenization is another effective tool in data loss prevention. Which of the following does tokenization do? (Select two.)
- Replaces actual data with a randomly generated alphanumeric character set. - Protects data on its server with authentication and authorization protocols.
Which of the following BEST describes workflow orchestration?
A collection of tasks that are performed in a logical sequence as efficiently as possible.
Which of the following BEST describes phishing?
A cyberattack in which an email purporting to be from a legitimate organization is sent with a malicious payload.
The DKIM tool can provide security for your company's emails because it contains which of the following?
A digital signature
Which of the following BEST describes MAC spoofing?
A method of changing the MAC address of a network interface on a device within a network
Which of the following BEST describes a lock shim?
A thin, stiff piece of metal.
Why are endpoints a favorite target for malware attacks?
Because they are often the personal devices of employees
On most operating systems, you can track and log a wide range of event types. Which type of data would you expect to find for a user-level event?
Commands used and unsuccessful attempts to access resources.
You have observed that Steve, an employee at your company, has been coming in at odd hours, requesting sensitive data that is unrelated to his position, and bringing in his own flash drive. Steve's actions are common indicators of which of the following threats?
Data loss
Which of the following is a mechanism that guards data going in and out of your network?
Data loss prevention
Which of the following permissions would take precedence over the others?
Deny Read
Security Onion is being used on your network to identify threats and potential penetrations. While looking at a suspicious packet capture, you see the following under rule.name. In this case, what does ET stand for?
Emerging threats
You need to review the logs on a Windows machine that's experiencing a lot of crashes. From PowerShell, you plan on using the Get-Eventlog command but need to use an option to see which logs are available. What is the full command you should use?
Get-Eventlog -logname *
Which protocol does Windows Event Forwarding use to transfer events to a central computer?
HTTP
Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the best type of firewall for her to use?
Hardware
Which of the following NAC policies is MOST commonly implemented?
Health
Which of the following statements is true regarding IDS and IPS?
IDS is a passive system; IPS is an active system.
Pedro, a security analyst, is tasked with monitoring a company's threat feed. Which of the following should he look for as part of his analysis?
IP addresses that might be malicious.
After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?
Implement switched networks.
Which of the following BEST describes continuous integration?
It allows all integration changes to be automated and placed back into a shared mainline.
Tristi, a community outreach employee, is looking to apply machine learning into her job. Which of the following might she use machine learning for as a way to further her company's goals?
It can help her tailor the company's social media feed.
In an attempt to bypass Windows Firewall using a remote session and Metasploit, you have begun the process by running the command shown in the image. What is the purpose of this command?
It creates a malicious file named game.exe that will be used in the exploit.
Why does splitting DNS into internal and external groups make sense.
It provides an added layer of security.
Which framework includes the Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives phases?
Kill Chain
Which of the following is the term used for an IP address that's been flagged for suspicious or malicious activity?
Known bad
Your company has just completed social engineering training for all employees. To test the training's effectiveness, you have been tasked with creating a simple computer virus that creates a file on a user's desktop. Approximately how long will you need to create the virus?
Less than one day
Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?
MAC flooding
An attacker has, through reconnaissance, discovered the MAC address to Sam Black's computer. Sam is a user in your network with admin privileges. The attacker uses a software tool that allows him or her to mimic Sam's MAC address and use it to access your network. Which type of attack has the attacker performed?
MAC spoofing
File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?
Malware signature
Which DLP method works by replacing sensitive data with realistic fictional data?
Masking
A criminal offers a bribe to an employee at your company who has access to sensitive data, asking the employee to transfer the data to the criminal's computer. What are some actions you can take to help protect against data loss from insider threats like this one?
Monitor who is requesting and sending data, monitor employee's behavior, and store all sensitive data in one location.
Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks. You are concerned that these computers could pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless antivirus software and the latest operating system patches are installed. Which solution should you use?
NAC (Network Access Control)
Which of the following is used to define minimum security requirements a device must meet before it can connect to a network?
NAC (Network Access Control)
A security analyst was alerted in real time that there is unusual incoming traffic on the network. The traffic was not and could not be prevented or altered by the program. Which type of program MOST likely sent the alert to the security analyst?
NIDS (Network Intrusion Detection System)
URL and DNS monitoring, flow and packet analysis, and DGA monitoring are all methods to secure data in which of the following areas?
Network monitoring
Where are network device log files stored by default?
On the local device
Which type of attack involves changing the boot order on a PC so that the hacker can gain access to the computer by bypassing the installed operating system?
Physical attack
While configuring a perimeter firewall on your network using pfSense, you created the rule shown in the image. The intent of the rule is to allow all traffic from the LAN network to the DMZ network. What have you configured incorrectly?
Protocol should be set to Any.
Which of the following is true about a SIEM's Security Information Management?
Provides long-term storage of collected data to meet government compliance requirements
Which of the following blackhole implementations sends traffic going to a specific destination to the blackhole?
Remote blackhole filtering
A proxy server can be configured to do which of the following?
Restrict users on the inside of a network from getting out to the internet.
Which SIEM function provides long-term storage of collected data to meet government compliance requirements.
Retention
Which of the following actions can help safeguard against data loss?
Routinely review access controls to ensure only needed access is given to each employee.
Which of the following BEST describes how using scripts is different from running regular code?
Scripts are usually interpreted instead of compiled.
Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and instructed them on how to secure the system. Which type of hacker is Miguel in this scenario?
Semi-authorized
You configure your switches to shut down a port immediately after it being accessed by an unauthorized user. Which type of attack are you trying to prevent?
Sniffing
Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?
Sniffing
When you create an event subscription, events are sent from one computer to another. What is the computer that generated the event called?
Source computer
You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?
Source-initiated
A security consultant has recommended the use of an internal and external DNS to provide an extra layer of security for your organization. Which of the following DNS countermeasures are they suggesting?
Split DNS
Business email compromise attacks have been increasingly waged against corporations' email systems. Attackers exploit an auto-forwarding email vulnerability to set emails that contain keywords to be redirected to their own inboxes. Which of the following BEST helps protect against this form of attack?
Sync email accounts settings.
While configuring a perimeter firewall on your network using pfSense, you created the rule shown in the image. The intent of the rule is to allow secure traffic coming from the internet through the firewall and to the web server (172.16.1.5) in the DMZ. What have you configured incorrectly?
The source and destination ports should be HTTPs.
What is the main purpose of SOAR?
To replace tasks that are repetitive and done manually with automated workflows
After having downloaded and installed pfblockerng for your pfsense firewall, you are configuring what sites to block. How do you block lists of websites you don't want the employees to access?
Use lists found on the internet that are formatted for pfblockerng.
Which of the following could you use as a DNS countermeasure?
Utilize digital signatures.
What information can an organization obtain as part of a SCAP security scan?
Whether or not their systems are configured for optimal security.
A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try?
Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.
Which Windows command line tool can be used to show and modify a file's permissions?
icacls
Cisco devices have a special interface called _____, which is designed to act as a blackhole.
null0
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?
Which of the following two methods can be used to refine the number of alerts displayed in Kibana based on search rules? (Select two.)
- Click a ring on the Security Onion - Data Overview graph. - Add a filter in the Search field.
Which of the following firewall evasion countermeasures should be implemented to mitigate firewall evasion? (Select two.)
- Defense in Depth - Filtering an intruder's IP address
Which of the following configurations can be used with Windows Event Forwarding? (Select two.)
- Source-initiated subscriptions - Collector-initiated subscriptions
The following image is of DHCP logs on a pfSense appliance. What is happening here?
A host named kali is releasing and renewing its IP address with the appliance.
You are the security administrator for your organization. You need to provide Mary with the needed access to make changes to the finances.xlsx file located in the Accounting directory. Which of the following permissions should you set for Mary?
Allow Write permission on the finances.xlsx file.
You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?
Event Viewer
Which of the following BEST describes a stateful inspection?
Filters packets at the OSI Network layer to determine whether session packets are legitimate
Which of the following firewall identification methods uses a TCP packet with a TTL value set to expire one hop past the firewall?
Firewalking
Jake, a security analyst, has been asked to examine the malware found on the company's network. He decides the best place to start is to use a tool to translate the executable files to assembly language so he can understand what the malware can do and what it can impact. Which tool is the BEST choice for Jake to use?
IDA Pro
You are the security analyst for your organization. You have noticed that an attacker has gotten past the network's firewall by modifying the addressing information in IP packet headers to make it look like the packets are coming from a trusted source. Which of the following is the MOST likely firewall evasion technique the attacker is using?
IP spoofing
In monitoring you company's email for security, you notice that several employees have been sent emails with an attachment that includes a virus. The virus in this email is considered which of the following?
Malicious payload
On Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following BEST describes the effects of using the host 192.168.0.34 filter?
Only packets with 192.168.0.34 in either the source or destination address are captured.
You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?
ACME, Inc.
Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range?
Alerts
Which of the following BEST describes a phishing attack?
A user is tricked into believing that a legitimate website is requesting their login information.
Why should DNS zone transfers be restricted or disabled?
An attacker can intercept the transfer and change information.
The sender's name, company position, address, and phone number are commonly found in which of the following?
An email's signature block
At which layer is a web application firewall log used to record HTTP traffic?
Application
Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed, which has been recently updated. Where would you go to conduct a root cause analysis in this scenario?
Application log
Which of the following firewall identification techniques is a simple method to discover the vendor and firmware version?
Banner grabbing
You are configuring a new email server for your organization and need to implement a firewall solution. The firewall will be designed to handle connections to the email server. Which of the following would be the BEST firewall solution?
Bastion host
Which of the following security methods explicitly defines specific programs, ports, IP addresses, services, or other types of traffic to block from the network?
Blacklisting
Which of the following terms means writing access control rules to block connections from suspicious IP addresses and URLs to protect against DDoS and other attacks and sending back a reply stating that the destination is unavailable?
Blacklisting
In order to perform testing of various websites for your company, you are using Burpsuite. What function allows Burpsuite to collect so much information about a client/server communication stream?
Burp Suite acts as a proxy.
Which of the following firewall technologies operates on Layer 5 of the OSI model?
Circuit-level gateway
Most SIEM implementations start by installing which tool on network devices?
Collection agent
When you create an event subscription, events are sent from one computer to another. What is the computer that receives the events called?
Collector computer
You are setting up a Windows machine as a collector to handle event subscriptions from other machines. You have dozens of machines to collect from, and you have configured the receiving machine. What do you need to do next?
Configure the machines that will forward logs to the collector using Group Policy.
Which of the following is an email authentication tool that relies on an email's encrypted digital signature to verify its authenticity?
DKIM (DomianKeys Identified Mail)
Which of the following tools allows domain owners to notify receivers that emails have been authenticated, provides feedback about the legitimacy of emails sent on their domain, and applies instructions for emails that failed authentication?
DMARC (Domain-Based Message Authentication, Reporting, and Conformance)
During the reconnaissance phase, an attacker is looking for common attack vectors. Which of the following services is MOST likely to be targeted?
DNS
Which of the following services is most targeted during the reconnaissance phase of a hacking attack?
DNS
Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?
Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.
Which of the following BEST describes a SIEM system?
Is sold as a software application or as a stand-alone security appliance
While adding a new admin to the pfSense security appliance, you double-check that you have completed all of the changes necessary for them to work with the appliance. What else should you do before you continue?
Move the admins group entry to the Member Of box.
Which of the following Windows permissions apply to local files and directories?
NTFS
On Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following BEST describes the effects of using the net 192.168.0.0 filter?
Only packets with either a source or destination address on the 192.168.0.0 network are captured.
Which of the following BEST describes a proxy server?
Operates at Layer 7 (Application layer) of the OSI model
Which of the following firewall technologies operates at Layers 3 (Network layer) and 4 (Transport layer) of the OSI model?
Packet filtering
Which log type records information about system resource use, such as use by printers and servers?
Performance logs
Including a legitimate-looking embedded link to a malicious site in an email purporting to be from a legitimate source is which of the following types of cyberattack?
Phishing
Which of the following needs to be configured so a firewall knows which traffic to allow or block?
Rules
Which of the following is true about rule-writing?
Rules could be as simple as looking for unsuccessful logins or could include more complex behavioral patterns.
Which of the following tools allows a domain owner to specify email servers that can send an email in the domain, and which servers are not allowed to send emails?
SPF (Sender Policy Framework)
Which of the following is an open-source intrusion detection system that provides search and analysis tools to help index collected data?
Security Onion
Julie configures two DNS servers. One is internal and one is external, with authoritative zones for the corpnet.xyz domain. One DNS server directs external clients to an external server. The other DNS server directs internal clients to an internal server. Which of the following DNS countermeasures is she implementing?
Split DNS
Your company president suspects that one of the employees has been embezzling money from the company and depositing it in their own bank account. Which of the following methods could you use to find evidence of this action?
String search
Which of the following is a standard for sending log messages to a central logging server?
Syslog
You are configuring your pfSense security appliance, which will provide firewall, DNS, and DHCP services for your users. You are currently working on configuring DNS servers. Which menus would you use to make the required changes?
System > General Setup
Which of the following can contain a wealth of information that can be used to determine the authenticity of an email?
The header block
Which of the following firewall limitations is a critical vulnerability because it means that packet filters cannot tell whether a connection was started inside or outside an organization?
The inability to detect the keep-the-state status
You are the security analyst for a corporate network that uses Cisco routers. You are preparing to submit a proposal to set up a centralized syslog server where logs from all of the 35 routing devices will send their logs to be stored. Which of the following is the most important justification for the expense of a syslog server?
The log data is centralized and monitored in one place.
While reviewing your pfSense appliance logs, you notice the following. What is happening?
There are two DHCP servers that are responding to DHCPREQUEST events.
You are working with ACLs on your Windows machine and have created some complex permissions with many users and groups defined. Now you want to back up those permissions so that they can be restored in the event of a system failure. What is missing from the below command?
There has been no file name specified.
As you review a .pcap file containing the traffic seen during a Windows machine compromise, you see the following output in NetworkMiner. What conclusion can you reasonably reach from this screen?
There is a Windows machine with an IP address of 192.168.204.137.
A penetration tester has executed the following command. Which of the following describes what we learn from the output below?
This is a DNS zone transfer.
Match each firewall architecture type to its description.
This is the simplest implementation of a firewall. The firewall sits between the internal and external networks as the main line of defense. - Dual-homed A specialized computer system with two network interfaces that is placed between the internal and external networks. - Bastion host This configuration uses a single firewall to protect multiple interfaces. It is usually used with a DMZ. - Screened subnet This firewall architecture is the most secure type. It uses multiple firewalls. - Multi-homed
In what order are rules in an ACL processed?
Top to bottom
Which of the following analysis methods involves looking at data over a period of time and then uses those patterns to make predictions about future events?
Trend
You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following solutions would BEST protect the log files?
Use syslog to send log entries to another server.
When configuring a pfSense security appliance for your network, which of the following interfaces would be associated with external traffic?
WAN
An attack that targets senior executives and high-profile victims is referred to as which of the following?
Whaling
One of the Windows 10 workstations on your network has been reported to be generating errors with the operating system. Which of the following Event Viewer sections would be used to review these system errors?
Windows Logs
The pfSense appliance has a logging system that captures data from several services, including gateways, routers, and the DNS resolver. What is the other feature that has a system log category?
Wireless
Which of the following Linux permissions allows files to be added or deleted from a directory?
Write
As part of setting up a Windows machine to send log events to a remote host, you have executed the winrm qc command and answered the questions as shown below. Which command would you run on the collector host from an elevated Command Prompt?
wecutil qc
