CompTIA CySA+ (CS0-003) Practice Exam #1
Which of the following is the default nmap scan type when you do not provide a flag when issuing the command? A UDP scan A TCP FIN scan A TCP SYN scan A TCP connect scan
A TCP SYN scan By default, Nmap performs an SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.
If an administrator cannot fully remediate a vulnerability, which of the following should they implement? An engineering tradeoff A policy A compensating control Access requirements
A compensating control Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of a compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.
A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A DNS forward or reverse lookup A zone transfer Using maltego A whois query
A zone transfer DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a DNS transaction type. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique. Performing a whois query is a passive reconnaissance technique that performs a query of the databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. Performing a DNS forward and reverse lookup zones is an active technique that allows the resolution of names to IP addresses and IP addresses to names. This can be conducted as a passive technique. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively since it can acquire the information from whois lookup servers, a DNS lookup tool using public DNS servers, or even emails and hostnames one can acquire from TheHarvester.
In the Diamond Model of Intrusion Analysis, which of the four components represents the entity or individual who conducts the cyber attack? Capability Victim Infrastructure Adversary
Adversary The Adversary in the Diamond Model of Intrusion Analysis represents the entity or individual who conducts the cyber attack. Capability represents the tools and techniques used in the attack, not the entity or individual conducting it. The Victim represents the entity that is targeted by the attack, not the one who conducts it. The Infrastructure component refers to the physical and virtual resources utilized in the attack, not the one who conducts it.
Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters Open authentication standards should be implemented on all wireless infrastructure All guests must provide valid identification when registering their wireless devices for use on the network
All guests must provide valid identification when registering their wireless devices for use on the network Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.
While conducting a static analysis source code review of a program, you see the following line of code:<br /><br />String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'";<br /><br />What is the issue with the largest security issue with this line of code? The code is using parameterized queries An SQL injection could occur because input validation is not being used on the id parameter The * operator will allow retrieval of every data field about this customer in the CUSTOMER table This code is vulnerable to a buffer overflow attack
An SQL injection could occur because input validation is not being used on the id parameter This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like' or '1' ='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the where clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.
Your company plans to test its web applications for vulnerabilities. Which tool would be appropriate for this task? Metasploit Burp Suite Wireshark Nmap
Burp Suite Burp Suite is a robust penetration testing toolkit specifically tailored for assessing the security posture of web applications. It provides a broad array of features, including automated scanning, manual testing tools, and functionality for mapping application attack surfaces. By enabling penetration testers to probe for weaknesses, such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), it serves as a critical tool in identifying potential vulnerabilities before they can be exploited by malicious actors. Nmap is a network scanning tool, not a web application vulnerability scanner like Burp Suite. Metasploit is a framework for penetration testing and exploits but does not specialize in web application vulnerability scanning like Burp Suite. While Wireshark is useful for network protocol analysis, it is not specifically designed for web application vulnerability testing.
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? Buffer overflow Cross-site scripting SQL injection Malicious logic
Buffer overflow A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7= Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? Base64 SQL QR coding XML
Base64 While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question's example output.
Which of the following is NOT a host-related indicator of compromise? Beaconing Processor consumption Drive capacity consumption Memory consumption
Beaconing Beaconing is considered a network-related indicator of compromise. Memory consumption, processor consumption, and drive capacity consumption are all classified as host-related indicators of compromise.
Which of the following is the most difficult to confirm with an external vulnerability scan? Cross-site request forgery (XSRF/CSRF) Unpatched web server Cross-site scripting (XSS) Blind SQL injection
Blind SQL injection Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters? Intrusion alarm Mantraps Security guards Bollards
Bollards Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as a sturdy, short, vertical post. Some organizations have installed more decorative bollards created out of cement and are large enough to plant flowers or trees inside. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this from occurring but not truly prevent them.
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation? True negative False positive False negative True positive
False positive A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.
The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation? Swap, RAML, CPU cache, Hard drive CPU cache, RAM, Swap, Hard drive Hard drive, Swap, CPU cache, RAM RAM, CPU cache, Swap, Hard drive
CPU cache, RAM, Swap, Hard drive The order of volatility states that you should collect the most volatile (least persistent) data first and the least volatile (most persistent) data last. The most volatile data resides in the CPU Cache since this small memory cache is overwritten quickly during computer operations. Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shut down or the power is lost. Third, you should collect the Swap file, a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations. Finally, you should collect the data from the hard disk, as it is the least volatile and remains on the hard disk until a command is given to delete it. Data on a hard disk remains even when power is removed from the workstation.
Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? Add root to the sudoers group Add an iptables rule blocking root logins Add a network IPS rule to block root logins Change sshd_config to deny root login
Change sshd_config to deny root login Linux systems use the sshd (SSH daemon) to provide ssh connectivity. If Tim changes the sshd_config to deny root logins, it will still allow any authenticated non-root user to connect over ssh. The sshd service has a configuration setting that is named PermitRootLogin. If you set this configuration setting to no or deny, all root logins will be denied by the ssh daemon. If you didn't know about this setting, you could still answer this question by using the process of elimination. An iptables rule is a Linux firewall rule, and this would block the port for ssh, not the root login. Adding root to the sudoers group won't help either since the sudoers group allows users to login as root. If you have a network IPS rule to attempt to block root logins, the IPS would have to see the traffic being sent within the SSH tunnel. This is not possible since SSH connections are encrypted end-to-end by default. Therefore, the only possible right answer is to change the sshd_config setting to deny root logins.
Fail to Pass Systems has just become the latest victim in a large scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? Conduct a 'hack-back' of the attacker in order to retrieve the stolen information Conduct notification to all affected customers within 72 hours of the discovery of the breach Provide a statement to the press that minimizes the scope of the breach Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim
Conduct notification to all affected customers within 72 hours of the discovery of the breach Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly impossible to steal it back as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical and illegal.
Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and the ability to remote wipe corporate information without the user's affecting personal data? Face ID Touch ID Containerization Long and complex passwords
Containerization Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user's personal accounts, apps, and data. This technology basically creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.
Which of the following is a characteristic of the Deep Web? Contains information not indexed by standard search engines Accessible through standard browsers Only includes encrypted data Predominantly used for illegal activities
Contains information not indexed by standard search engines The Deep Web contains information that is not indexed by standard search engines, making it invisible to conventional searches. The Deep Web does not only include encrypted data. It includes all data not indexed by search engines, whether encrypted or not. The Deep Web is not typically accessible through standard browsers. It requires specific software (like Tor) for access. While some illegal activities do occur on the Deep Web, it is also used for many legitimate purposes.
An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");> originalAttribute="SRC"originalPath="vbscript:msgbox("Vulnerable_to_Attack ");>" When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? SQL injection Command injection Cross-site scripting Cross-site request forgery
Cross-site scripting This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
While conducting a penetration test of an organization's web applications, you attempt to insert the following script into the search form on the company's website:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<script>alert("This site is vulnerable to an attack!")</script>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Then, you clicked the search button, and a pop-up box appears on your screen showing the following text: "This site is vulnerable to an attack!" Based on this response, what vulnerability have you uncovered in the web application? Distributed denial of service Cross-site request forgery Cross-site scripting Buffer overflow
Cross-site scripting This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer.
During an incident response, your team identified that an attacker performed a scan on your network, then delivered malware via a phishing email, which was exploited to install a backdoor on the system. The attacker then executed commands to exfiltrate data. Which framework would BEST represent this attack sequence? MITRE ATT&CK Cyber Kill Chain Diamond Model of Intrusion Analysis OWASP Testing Guide
Cyber Kill Chain The Cyber Kill Chain is a model developed by Lockheed Martin that describes the stages of a cyberattack from reconnaissance (scanning the network) through delivery (phishing email), exploitation (using malware), installation (installing a backdoor), command and control (executing commands), and actions on objectives (exfiltrating data). The Diamond Model focuses on the relationship between four main elements of an attack: adversary, infrastructure, victim, and capability, rather than the stages of an attack. While the MITRE ATT&CK framework does detail a variety of tactics, techniques, and procedures used by attackers, it does not describe a linear progression of an attack like the Cyber Kill Chain does. The OWASP Testing Guide provides a framework for web application security testing, not a model describing the stages of a cyberattack.
During a simulated attack on your organization's network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent? Cyber Kill Chain OWASP Testing Guide MITRE ATT&CK Diamond Model of Intrusion Analysis
Cyber Kill Chain The Cyber Kill Chain, developed by Lockheed Martin, describes the stages of a cyber attack. The steps taken by the red team align with this model, from the identification of vulnerabilities (reconnaissance), through exploitation and installation, to achieving their objectives (exfiltration). The Diamond Model focuses on the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It doesn't represent a sequential progression of an attack. The MITRE ATT&CK framework provides a matrix of tactics, techniques, and procedures (TTPs) used by cyber adversaries. While it's useful for detailing attacker behavior, it doesn't provide a linear progression of an attack. The OWASP Testing Guide provides a methodology for testing the security of web applications. It doesn't describe the stages of a cyber attack.
A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) Authentication Encryption Physical accessibility Network access control MAC filtering Port security
Encryption Physical accessibility Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it? Data retention Data sanitization Data correlation Data recovery
Data correlation Data correlation is the first step in making sense of data from across numerous sensors. This will ensure the data is placed concerning other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. By conducting data correlation, it allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.
Your organization requires the use of TLS or IPSec for all communications with an organization's network. Which of the following is this an example of? Data in transit Data in use Data at rest DLP
Data in transit Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest means that the data is in persistent storage media using whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can encrypt data as it exists in memory so that an untrusted process cannot decode the information. This uses a secure enclave and requires a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may include data at rest, data in transit, or data in use to function.
Which of the following is a technique used in Secure Disposal? Zero-fill Clearing Degaussing Erasing
Degaussing Secure Disposal involves the physical destruction of media. This can be done by mechanical shredding, incineration, or degaussing. Degaussing, should be used for media containing top secret or highly confidential information. Clearing data prevents data from being retrieved without the use of state of the art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. It is not part of Secure Disposal because the media isn't destroyed. Zero-fill overwrites the media with bits to eliminate information. It allows the media to be reused. It doesn't destroy the media, so it isn't part of Secure Disposal.
Your incident response team has identified a persistent threat actor who has used a spear-phishing attack to compromise a system in your network. The actor used this system to move laterally within the network, stealing sensitive data. The team wants to understand the relationship between the adversary, the victim system, the phishing infrastructure used by the attacker, and the lateral movement capability. Which framework would best help them in this analysis? MITRE ATT&CK OWASP Testing Guide Diamond Model of Intrusion Analysis Cyber Kill Chain
Diamond Model of Intrusion Analysis The Diamond Model of Intrusion Analysis provides a framework for understanding the four key elements of a cyber attack: the adversary (threat actor), the victim (compromised system), the infrastructure (phishing setup), and the capability (lateral movement). The OWASP Testing Guide provides a methodology for testing web application security, not for analyzing a cyber attack's relationships. The MITRE ATT&CK framework details tactics, techniques, and procedures used by attackers, but it does not specifically address the relationship between adversary, victim, infrastructure, and capability. The Cyber Kill Chain describes the stages of a cyber attack, but it does not specifically analyze the relationships between the adversary, victim, infrastructure, and capability.
As part of your organization's proactive threat hunting, you're considering gathering threat intelligence from the deep web and dark web. What could be a significant benefit of this approach? Discovering potential threats before they impact your organization Avoiding the need for other security measures Eliminating all cyber threats Increasing the organization's web presence
Discovering potential threats before they impact your organization Gathering threat intelligence from the deep web and dark web can help your organization identify emerging threats or planned attacks before they affect your network. While gathering intelligence can help identify and mitigate threats, it does not guarantee the elimination of all cyber threats. Gathering threat intelligence is a part of a broader security strategy and should be used in conjunction with other security measures, not in lieu of them. Gathering threat intelligence from the deep web and dark web is not related to increasing an organization's web presence; it's about identifying potential cyber threats.
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? Endpoint forensics Network forensics Endpoint behavior analysis Network traffic analysis
Endpoint forensics An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.
Your organization has implemented several cybersecurity tools, but there is a lack of coordination among the team in managing and facilitating automation. Which of the following actions would most effectively address this issue? Buying more tools Ignoring automation Limiting team access to tools Establishing clear roles and responsibilities for managing automation
Establishing clear roles and responsibilities for managing automation Establishing clear roles and responsibilities ensures everyone knows who is in charge of what parts of the automation process, reducing confusion and increasing coordination. Limiting team access to tools can lead to silos, inhibit teamwork, and reduce overall efficiency in managing and facilitating automation. Ignoring automation would be counterproductive. Automation can help improve efficiency and free up staff to focus on more complex tasks. Simply buying more tools doesn't necessarily improve coordination among the team. It may add complexity and could actually worsen the issue without proper management and integration.
After issuing the command "telnet diontraining.com 80" and connecting to the server, what command conducts the banner grab? PUT / HTTP/2.0 HEAD / HTTP/2.0 PUT / HTTP/1.1 HEAD / HTTP/1.1
HEAD / HTTP/1.1 To conduct a banner grab using telnet, you first must connect to the server using "telnet webserver 80". Once the connection establishes, you will receive a blank prompt, and you then issue the command "HEAD / HTTP/1.1". It requests the document header from the server and provides information such as the server software version and the server's operating system.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? HIPAA COSO SOX GLBA
HIPAA The Health Insurance Portability and Accountability Act (HIPPA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be following in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on various governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.
When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? Forensic drive duplicator Hardware write blocker Degausser Software write blocker
Hardware write blocker Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.
After the SolarWinds supply chain attack, a software company that also used SolarWinds' software decided to deploy an intrusion detection system (IDS) to monitor network traffic and alert for any signs of malicious activity. In the context of this scenario, what incident response activity is the software company performing? Eradication Implementing compensating controls Containment Recovery
Implementing compensating controls By deploying an intrusion detection system (IDS), the software company is implementing compensating controls to augment their existing security measures and to protect against potential breaches. Eradication involves removing the components of an attack from the network. The company is not eradicating a threat in this scenario; rather, it's implementing controls to detect potential threats. Recovery involves restoring systems to normal operation. While IDS can be part of a recovery plan, in this scenario, the company is implementing IDS as a proactive measure, not as part of recovery from a specific incident. Containment involves taking steps to prevent an intrusion from spreading further. In this scenario, the company is implementing compensating controls, not containing an existing breach.
Your organization has detected logins to company accounts from locations that the users could not have traveled to in the given time frame. This security alert is generated based on the detection of what concept? Joe Sandbox Interpreting Suspicious Commands Impossible Travel Pattern Recognition
Impossible Travel In this scenario, the concept of impossible travel is in play. This involves detecting when a user's account is used in two geographically distant locations within a timeframe that is shorter than the physical travel time between the two locations. While pattern recognition might help identify recurring trends or anomalies, it doesn't specifically denote the detection of impossible travel scenarios. Interpreting suspicious commands is a skill that helps in understanding the implications of suspicious activities within system logs or command lines. It doesn't directly relate to the concept of impossible travel. Joe Sandbox is a malware analysis tool. While it can aid in analyzing malicious software potentially related to a security incident, it doesn't help detect impossible travel scenarios.
Your organization has experienced a significant cybersecurity incident, and an executive summary of the incident has been prepared. However, the board of directors has requested detailed evidence supporting the summary. Where would they typically find this information? In the executive summary In the regulatory reporting In the public relations communication
In the evidence section of the incident response report The evidence section typically contains all detailed information, data, and artifacts related to the incident, supporting the claims and conclusions made in the executive summary. Regulatory reporting is focused on providing information to regulatory bodies and usually does not include detailed evidence supporting an executive summary. The executive summary is meant to provide a high-level overview of the incident, and while it should be accurate, it typically does not include detailed evidence. Public relations communications are intended for external stakeholders and are not typically used for providing detailed evidence related to an incident.
In the aftermath of a security incident, you as an incident responder have documented a series of recommended actions to prevent similar occurrences in the future. Where would these recommendations typically be documented in an incident response report? In the evidence section In the executive summary In the recommendations section
In the recommendations section This section is typically where any suggested actions or strategies are outlined, based on the analysis and lessons learned from the incident. The executive summary provides a high-level overview of the incident and does not typically contain detailed recommendations for future action. The evidence section typically contains all detailed information, data, and artifacts related to the incident, not recommendations for future action. In the root cause analysis Incorrect. The root cause analysis focuses on identifying the underlying causes of the incident, not providing recommendations for future action.
Your organization's server is hit with a ransomware attack, encrypting critical business data. You've been asked to communicate with a third-party vendor who provides data backup services for your company. In this scenario, which stakeholder role do you MOST align with? Regulatory reporting Public relations Incident response communication Executive management
Incident response communication As a part of incident response communication, you'd be coordinating with vendors, internal teams, and other relevant stakeholders to ensure an effective response to the incident. In this scenario, you're dealing directly with a third-party vendor to respond to the incident, not handling public or media communications related to the incident. While executive management would be involved in high-level decisions and communication, your role in this scenario is more operational, focusing on addressing the incident. While it's important to report significant incidents to regulatory bodies, your role in this scenario is not focused on this aspect.
A major cyber incident has occurred at your organization. As a part of the incident response team, you have been tasked with analyzing the incident, including who caused it, what systems were affected, when it occurred, where it originated from, and why it happened. What kind of report are you preparing? Regulatory reporting Incident response report Incident declaration report Root cause analysis report
Incident response report An incident response report includes comprehensive details of the incident, including who, what, when, where, and why. While a root cause analysis report may include some of these details, it primarily focuses on the underlying cause of the incident. Regulatory reports are usually a part of compliance with legal requirements and do not typically contain a detailed analysis of the incident. An incident declaration report usually precedes the incident response and does not typically contain detailed analysis of the incident.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:https://test.diontraining.com/profile.php?userid=1546https://test.diontraining.com/profile.php?userid=5482https://test.diontraining.com/profile.php?userid=3618 What type of vulnerability does this website have? Race condition Weak or default configurations Insecure direct object reference Improper error handling
Insecure direct object reference Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.
Edward's bank recently suffered an attack where an employee made an unauthorized modification to a customer's bank balance. Which tenet of cybersecurity was violated by this employee's actions? Authentication Confidentiality Integrity Availability
Integrity The CIA Triad is a security model that helps people think about various parts of IT security. Integrity ensures that no unauthorized modifications are made to the information. The attack described here violates the integrity of the customer's bank account balance. Confidentiality is concerned with unauthorized people seeing the contents of the data. In this scenario, the employee is authorized to see the bank balance but not change its value. Availability is concerned with the data being accessible when and where it is needed. Again, this wasn't affected by the employee's actions. Authentication is concerned with only authorized people accessing the data. Again, this employee was authorized to see the balance.
If your organization needs to comply with GDPR due to its interactions with European customers, which framework would be the BEST to focus on when planning data protection strategies? Open Web Application Security Project (OWASP) International Organization for Standardization (ISO) 27000 series Payment Card Industry Data Security Standard (PCI DSS) Center for Internet Security (CIS) benchmarks
International Organization for Standardization (ISO) 27000 series The ISO 27000 series provides comprehensive guidelines for implementing a robust information security management system, crucial for complying with GDPR's strict data protection requirements. While the CIS benchmarks provide excellent security recommendations, they do not specifically address GDPR requirements in the same manner as the ISO 27000 series does. OWASP provides guidelines mainly on web application security, not specifically on data protection strategies required for GDPR compliance. While crucial for businesses dealing with payment card data, PCI DSS does not directly relate to the broad data protection requirements of GDPR.
Why is regulatory reporting a significant component of incident response communication? It ensures compliance with relevant laws and regulations that mandate reporting of certain types of incidents It provides a platform for communicating with the media It helps to track the attacker It speeds up the resolution of the incident
It ensures compliance with relevant laws and regulations that mandate reporting of certain types of incidents Regulatory reporting is essential for maintaining compliance with laws and regulations that require organizations to report specific types of incidents. While information from regulatory reporting might assist in investigations, its primary purpose isn't to track the attacker. Regulatory reporting, while crucial, does not directly influence the speed of incident resolution. Regulatory reporting is primarily a means of ensuring legal compliance, not a platform for media communication.
An organization's security team has recently discovered several vulnerabilities within its systems. Why is it crucial for these vulnerabilities to be thoroughly reported and communicated within the organization? It ensures that the organization maintains compliance with required security standards and protocols It eliminates the need for regular system audits It guarantees that the organization will not experience a data breach It reduces the need for employee cybersecurity training
It ensures that the organization maintains compliance with required security standards and protocols Detailed reporting and communication about vulnerabilities help the organization remain in line with required compliance standards by demonstrating proactive risk management. Various regulations mandate vulnerability management reporting, and these requirements may vary based on factors such as organization location, industry, and size. Common regulations include the Payment Card Industry Data Security Standard (PCI DSS), which mandates reporting vulnerabilities to the PCI Security Standards Council. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to report security breaches to the Department of Health and Human Services. Additionally, the Sarbanes-Oxley Act (SOX) mandates public companies to report vulnerabilities to the Securities and Exchange Commission, while the National Institute of Standards and Technology (NIST) Special Publication 800-53 stipulates reporting vulnerabilities to the appropriate authorities. Organizations should consult their legal team for guidance on applicable regulations. Employee training remains essential as human error is a common source of security risks, independent of specific system vulnerabilities. While effective vulnerability management reduces the risk of data breaches, it cannot completely guarantee prevention due to the evolving nature of cyber threats. Regular audits are still necessary as they provide an ongoing review of the organization's security posture, beyond identified vulnerabilities.
You are the head of a cybersecurity operations center. Currently, the team is struggling to manage data from different security tools and platforms. You're considering implementing a "single pane of glass" solution. What is the primary benefit of this approach? It eliminates the need for team coordination It increases the complexity of data management It provides a unified view of security data from different sources It reduces the number of security tools required
It provides a unified view of security data from different sources A single pane of glass solution aggregates data from multiple sources into a single dashboard, making it easier to view and manage. While a single pane of glass solution can streamline operations, it does not necessarily reduce the number of security tools required. These tools are still necessary for gathering the data that is displayed. A single pane of glass solution doesn't eliminate the need for team coordination. While it can provide a unified view of data, effective teamwork and communication are still necessary for managing cybersecurity operations. A single pane of glass solution is designed to simplify data management by providing a unified view of data from different sources, not to increase complexity.
In managing the cybersecurity of a multinational banking corporation, how would the use of a specific Key Performance Indicator such as 'Time To Patch' enhance the overall effectiveness and responsiveness of the vulnerability management process, especially considering the high-risk nature of the banking sector? It would give the organization an accurate measurement of current patching efficiency To evaluate the company's growth potential To identify new market opportunities To assess employee performance across departments
It would give the organization an accurate measurement of current patching efficiency Time to patch is a key performance indicator (KPI) that measures the average amount of time it takes to patch a vulnerability. A low time to patch indicates that an organization is quickly fixing known vulnerabilities, which can help to reduce the risk of exploitation. Identifying market opportunities is typically not associated with vulnerability management KPIs; these KPIs aim to quantify the success of security practices. While important, this is not the primary purpose of vulnerability management KPIs; these KPIs measure the effectiveness of security management. While business growth is an important consideration, metrics and KPIs in vulnerability management specifically measure the effectiveness of security processes.
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? A scan result showing a version that is different from the automated asset inventory Items classified by the system as Low or as For Informational Purposes Only A finding that shows the scanner compliance plug-ins are not up-to-date An HTTPS entry that indicates the web page is securely encrypted
Items classified by the system as Low or as For Informational Purposes Only When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only." These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. An HTTPS entry that indicates the web page is securely encrypted is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? Jumpbox Airgap Physical Bastion hosts
Jumpbox Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.
After a significant security breach involving customer data leakage, your organization conducts a comprehensive review. The aim is to comprehend the contributing factors that led to this incident and to establish measures to avert such incidents in the future. Which term best describes this specific post-incident activity? Forensic analysis Root cause analysis Incident response plan Lessons learned
Lessons learned The lessons learned process involves a thorough review after an incident to identify what happened, what was done well, and what needs to be improved to prevent similar incidents in the future. An incident response plan is a set of procedures and processes to handle and manage an incident effectively. It is used in preparation for potential incidents, not in post-incident activity. Forensic analysis involves a meticulous examination of all evidence related to an incident to understand its origin, extent, and impact. It does not inherently focus on the improvement of future responses. Root cause analysis seeks to identify the initial cause of an issue, but does not involve a broad review of the incident response process.
Which analysis framework makes no allowance for an adversary retreat in its analysis? Diamond Model of Intrusion Analysis MITRE ATT&CK framework AlienVault (AT&T Cybersecurity) Cyber Kill Chain Lockheed Martin cyber kill chain
Lockheed Martin cyber kill chain The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond's models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.
Your security team is analyzing a recent cyber attack on your organization's network. They want to understand the attacker's behavior, tactics, techniques, and procedures. Which framework is BEST suited for this purpose? Cyber Kill Chain MITRE ATT&CK OWASP Testing Guide Diamond Model of Intrusion Analysis
MITRE ATT&CK The MITRE ATT&CK framework provides a comprehensive matrix of tactics, techniques, and procedures (TTPs) used by attackers, making it a powerful tool for understanding attacker behavior. While the Cyber Kill Chain can provide some insight into an attacker's actions, it primarily describes the linear progression of a cyberattack, not the detailed tactics, techniques, and procedures used. The OWASP Testing Guide is focused on web application security testing, not on understanding attacker behavior. The Diamond Model focuses on the relationship between the adversary, victim, infrastructure, and capability, rather than the detailed tactics, techniques, and procedures used by the attacker.
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? Diamond Model of Intrusion Analysis MITRE ATT&CK framework Lockheed Martin cyber kill chain OpenIOC
MITRE ATT&CK framework The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but do not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
Which security control would prevent unauthorized users from connecting to a company's wireless network? IPS Firewall Segmentation NAC
NAC Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.
Which of the following frameworks is best suited for performing a structured approach to security testing across different areas such as applications, networks, and systems? OWASP Testing Guide Diamond Model of Intrusion Analysis Open Source Security Testing Methodology Manual (OSS TMM) MITRE ATT&CK
Open Source Security Testing Methodology Manual (OSS TMM) The Open Source Security Testing Methodology Manual (OSSTMM) provides a structured approach to security testing across different areas such as applications, networks, and systems. The MITRE ATT&CK framework provides a matrix of tactics, techniques, and procedures (TTPs) used by cyber adversaries. It doesn't focus on providing a structured approach to security testing. The OWASP Testing Guide provides a methodology for testing the security of web applications specifically, not a comprehensive approach to security testing across different areas. The Diamond Model primarily focuses on understanding the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It's not geared towards security testing.
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? OpenID Connect ADFS SAML Kerberos
OpenID Connect OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
An organization wants to get an external attacker's perspective on their security status. Which of the following services should they purchase? Vulnerability scan Patch management Penetration test Asset management
Penetration test Penetration tests provide an organization with an external attacker's perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
What document typically contains high-level statements of management intent? Policy Procedure Guideline Standard
Policy Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.
Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system? DiskMon Autoruns Process Monitor ProcDump
Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
What is the primary goal of the OWASP Testing Guide? Understanding the relationships between the elements of a cyber attack Providing a knowledge base of tactics, techniques, and procedures used by attackers Providing a framework for web application security testing Describing the linear progression of a cyber attack
Providing a framework for web application security testing The OWASP Testing Guide provides a comprehensive framework for testing the security of web applications. This is the main focus of the Cyber Kill Chain, not the OWASP Testing Guide. This is a primary focus of the Diamond Model of Intrusion Analysis, not the OWASP Testing Guide. This is a primary purpose of the MITRE ATT&CK framework, not the OWASP Testing Guide.
According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the actions on the objectives phase of the kill chain? NIPS Honeypot Quality of service Audit log
Quality of service During the adversary's actions on objective phase, the adversary is already deep within the victim's network and has defeated all security mechanisms. If the adversary is attempting to exfiltrate data, implementing a quality of service approach could potentially slow down the rate at which information could be exfiltrated. This is considered a degradation to their effort by purposely manipulating service quality to decrease their transfer speeds. Honeypots could deceive an enemy during the actions on objective phase as the adversary may unknowingly take actions against a honeypot instead of their real objectives, but this would be classified as deception and not degradation. NIPS technologies serve to disrupt C2 channels, not degrade them. Audit logs may detect actions an adversary has taken after the fact but will not degrade the actions themselves.
Which of the following refers to the likelihood of a vulnerability appearing again after it has been remediated? Security Incident Data Breach Access Control Recurrence
Recurrence Recurrence refers to the likelihood of a vulnerability appearing again after it has been remediated. A data breach refers to an incident where information is accessed without authorization. A security incident is an event that results in unauthorized access or damage to a system or data. Access control is the method of regulating who or what can view or use resources in a computing environment.
Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening? Enforce a policy that requires passwords to be changed every 30 days Install security cameras in secure areas to monitor logins Require biometric identification for user logins Require a username and a password for user logins
Require biometric identification for user logins The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee's username and password, they would be prevented from logging into the workstation without the employee's finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won't prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who actually logged in (after the fact), though.
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output: echo 127.0.0.1 diontraining.com etc/hosts. Which of the following best describes what actions were performed by this line of code? Routed traffic destined for the diontraining.com domain to the localhost Added the website to system's whitelist in the hosts file Routed traffic destined for the localhost to the diontraining.com domain Attempted to overwrite the host file and deleted all data except this entry
Routed traffic destined for the diontraining.com domain to the localhost
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A discovery scan using a port scanner Router and switch-based MAC address reporting Reviewing a central administration tool like a SCCM A physical survey
Router and switch-based MAC address reporting The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? Acceptable use policy Rules of engagement Memorandum of understanding Service level agreement
Rules of engagement While the contract documents' network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.
Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk? AES RSA SHA-256 3DES
SHA-256 SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.
Bidgood Technologies has been experiencing a series of cyberattacks. As a cybersecurity analyst, you decide to implement a strategy that allows you to effectively collect security threat data, analyze it for malicious activity, and automate responses. Which tool would best serve this purpose? SOAR (Security Orchestration, Automation, and Response) Joe Sandbox Pattern Recognition Interpreting Suspicious Commands
SOAR (Security Orchestration, Automation, and Response) SOAR tools are designed to collect and analyze security threat data and automate responses, making them an effective solution for dealing with multiple, persistent cyberattacks. Joe Sandbox is a powerful malware analysis tool that can thoroughly dissect malicious software, but it does not have the automation and response orchestration capabilities of SOAR tools. While interpreting suspicious commands is an important skill in cybersecurity, it is a manual process and does not provide the same level of automation and response orchestration as a SOAR tool. Pattern recognition can be used to identify repeating trends in data and could potentially identify some types of attacks, but it lacks the comprehensive threat management and response automation of SOAR.
Which of the following tools would you use to audit a multi-cloud environment? Pacu OpenVAS ScoutSuite Prowler
ScoutSuite ScoutSuite is used to audit instances and policies created on multi-cloud platforms. Prowler is a cloud auditing tool, but it can only be used on AWS. Pacu is an exploitation framework that is used to test the security configurations of an AWS account. OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.
Which of the following vulnerabilities was a zero-day exploit, meaning it was exploited before a patch was available? Stuxnet Meltdown BlueKeep Heartbleed
Stuxnet Stuxnet was a sophisticated worm that exploited several zero-day vulnerabilities in Windows systems, making this the correct answer. Heartbleed was a serious vulnerability in the OpenSSL library, but it was not a zero-day exploit. Meltdown was a critical vulnerability affecting processors, but it was not a zero-day exploit. BlueKeep was a critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), but it was not exploited before a patch was available.
A company's quarterly vulnerability reports consistently reveal popular content management systems like WordPress and Joomla in the "Top 10 Most Vulnerable" list, what strategic action might this situation suggest for the company to undertake? The repeated listing of these applications means they are most used within the organization Repeated appearance of applications in the list indicates a need for staff training on those applications The company should conduct risk analysis on the use of the application This pattern suggests a need to increase the frequency of company-wide meetings
The company should conduct risk analysis on the use of the application This pattern may necessitate a reevaluation of the vulnerable applications' continued use or an increased focus on mitigating their vulnerabilities. Company-wide meetings and vulnerability management are largely unrelated. The pattern primarily points toward potential issues with the applications. While staff training can be part of vulnerability management, repeated vulnerabilities might indicate deeper issues with the applications themselves. Application usage and vulnerability are not directly correlated; applications can be heavily used and still secure, or lightly used and highly vulnerable.
Evaluate the following log entry: Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0- Based on this log entry, which of the following statements are true? The packet was blocked outbound from the network Packets are being blocked inbound to and outbound from the network The packet was blocked inbound to the network MAC filtering is enabled on the firewall An attempted connection to the telnet service was prevented An attempted connection to the ssh service was prevented
The packet was blocked inbound to the network An attempted connection to the telnet service was prevented Firewall log formats will vary by vendors, but this example is a commonly used format from the Linux iptable firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word "drop" shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination ports (DPT). In this case, the DPT is 23 and is a well-known port for telnet. Based on this single log entry, we cannot tell if packets are also being blocked when they are attempting to leave the network or if they are blocking connections to the ssh service (port 22) is also being conducting.
Dion FutureScope AI system has multiple vulnerabilities. One of them has a high likelihood of being exploited and could lead to a minor loss of non-sensitive data. Another one has a moderate likelihood of being exploited but could lead to a significant loss of sensitive data. Which vulnerability should be addressed first? Both vulnerabilities should be addressed simultaneously Neither vulnerability needs to be addressed until an attack occurs The vulnerability with the high likelihood of exploitation and minor data loss The vulnerability with the moderate likelihood of exploitation and significant potential data loss
The vulnerability with the moderate likelihood of exploitation and significant potential data loss This vulnerability has the potential for more significant harm due to the potential loss of sensitive data, and thus should be addressed first. While it's ideal to address all vulnerabilities as soon as possible, prioritization helps manage resources and efforts efficiently. This is a risky approach as waiting for an attack to occur could lead to data loss and other potential damages. Although this vulnerability has a high likelihood of being exploited, it only leads to minor non-sensitive data loss.
Why is regular vulnerability management reporting critical to an organization's security posture? It's key to improving the company's stock performance It's primarily important for increasing employee productivity It's essential for enhancing the company's brand image To aid in effective prioritization and remediation
To aid in effective prioritization and remediation Regular reporting provides ongoing visibility into system vulnerabilities, aiding in effective prioritization and remediation strategies. While strong security can enhance a company's reputation, the primary objective of vulnerability management reporting is to ensure effective security management. While robust security can indirectly contribute to a company's overall performance, the immediate goal of vulnerability management reporting is to aid in maintaining a secure system. While productivity is a vital organizational goal, the primary aim of vulnerability management reporting is to maintain awareness of the system's security status.
Which of the following is NOT a valid reason to conduct reverse engineering? To commit industrial espionage To allow an attacker to spot vulnerabilities in an executable To allow the software developer to spot flaws in their source code To determine how a piece of malware operates
To allow the software developer to spot flaws in their source code If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system's or application's structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information as to how the malware propagates and what its primary directives are. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor's application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.
If a company's Service Level Objectives (SLOs) mandate that critical vulnerabilities be patched within a specific timeframe, why would monitoring adherence to this SLO be a valuable Key Performance Indicator (KPI) for vulnerability management? Monitoring adherence to SLOs can help the company evaluate its brand image in the market Adherence to this SLO indicates the company's overall profitability Keeping track of this SLO can inform the company about the need for new hardware To measure the effectiveness of the vulnerability management program
To measure the effectiveness of the vulnerability management program By tracking this KPI, an organization can measure how effectively and promptly the vulnerability management team is addressing high-risk security issues. While brand image is an important business consideration, adherence to vulnerability management SLOs primarily indicates the effectiveness of security processes. Hardware needs and the speed of vulnerability remediation are distinct considerations; tracking this KPI primarily provides insights about the latter. While profitability is vital for a business, tracking SLO adherence primarily gives insights into the effectiveness of the vulnerability management process.
Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure? Blacklisting known malicious IP addresses Utilize a secure recursive DNS resolver to a third-party secure DNS resolver Blacklisting known malicious domain names Conduct detailed statistical analysis of the structure of domain names to detect anomalies
Utilize a secure recursive DNS resolver to a third-party secure DNS resolver Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS utilizes a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, these fast flux networks have communication patterns that might be detectable, though. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large scale ISP or dedicated secure DNS providers will be better tailored to combatting this issue.
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? Processor utilization Log disposition Organizational governance Virtual hosts
Virtual hosts Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include physical hosts, thereby missing many network assets.
Which of the following is exploited by an SQL injection to give the attacker access to a database? Database server Web application Operating system Firewall
Web application SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.
What SCAP component could be to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? CPE CCE CVE XCCDF
XCCDF XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/?param=<data:text/html;base64,PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg==. What type of attack was attempted? SQL injection XSS Password spraying XML injection
XSS This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string of PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg== being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack. If you did have a base64 decoder, you would have found that the parameter being passed would translate to , which is a simple method to cause your web browser to create a popup that displays the text "I love Dion Training." If you attempt to load this URL in your browser, it may or may not function depending on your browser's security.
Which type of threat will patches NOT effectively combat as a security control? Known vulnerabilities Zero-day attacks Discovered software bugs Malware with defined indicators of compromise
Zero-day attacks Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.
You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
\b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b The correct answer is \b172\.16\.1\.(25[0-5]|19[2-9]|2[0-4][0-9])\b. The \b delimiter indicates that we are looking for whole words for the complete string. To answer this question, you have to rely on your networking knowledge and what you learned back in Network+. First, you need to calculate what is the IP range for this subnet. Since this is a /26, it would have 64 IP addresses in the range. Since the IP provided was 172.16.1.224, the range would be 172.16.1.192 to 172.16.1.255. The correct answer allows all values of 200-249 through the use of the phrase 2[0-4][0-9]. The values of 250-255 are specified by 25[0-5]. The values of 192-199 are specified through the use of 19[2-9]. All other REGEX expressions either allow too much or too little of the available IP space to be effective and precise filters for the subnet given. If you had this on the exam, I would calculate the IP address range first (as we did in this explanation). Then, I would see which parts are static in the IP address (172.16.1. in this case). Three of our answer choices provide this, so we now know the large REGEX is the wrong answer. Next, we need to figure out how only to show the values of 192-255. As you look at the three options, you need to look for the differences only between the options and see which would allow for the addresses needed. All three options have the same two first terms in the last octet, which covers 200-255, so you really need to determine how to represent the values of 192-199 best.
Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them? ping netstat Wireshark nmap
nmap Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.
Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following provides is cause for concern, and what mitigation would you recommend to overcome it? strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent an integer overflow strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java
strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded. Rewriting the source code would be highly desirable but could be costly, time-consuming, and is not an immediate mitigation to the problem. The strcpy function (which is short for String copy) does not work on integers, and it only works on strings. As strcpy does not check for boundary conditions, buffer overflows are certainly possible using this deprecated method.
You are conducting a grep search on a log file using the following REGEX expression: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\b[A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Which of the following strings would be included in the output of the search? [email protected] [email protected] www.diontraining.com [email protected]
[email protected] In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]" is composed of upper or lower case alphanumeric symbols "_%+-." After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of [email protected] (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of [email protected] is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of [email protected] is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.