CySA+ final - Study Guide
Lauren has recently discovered that the Linux server she is responsible for maintaining is affected by a zero-day exploit for a vulnerability in the web application software that is needed by her organization. Which of the following compensating controls should she implement to best protect the server? A. A WAF B. Least privilege for accounts C. A patch from the vendor D. An IDS
A. A web application firewall can provide protection against unknown threats and zero-day exploits by restricting attacks based on behavior or by implementing custom protection based on known exploit behavior. A patch from the vendor is often not immediately available, an IDS cannot stop an attack—at best it will report the attack—and least privilege for accounts may limit the impact of an attack but won't stop it.
During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing? A. Maintaining chain of custody B. Over-the-shoulder validation C. Pair forensics D. Separation of duties
A. Ben is maintaining chain-of-custody documentation. Chris is acting as the validator for the actions that Ben takes, and acts as a witness to the process.
What forensic issue might the presence of a program like CCleaner indicate? A. Anti-forensic activities B. Full disk encryption C. Malware packing D. MAC time modifications
A. CCleaner is a PC cleanup utility that wipes Internet history, destroys cookies and other cached data, and can impede forensic investigations. CCleaner may be an indication of intentional anti-forensic activities on a system. It is not a full disk encryption tool or malware packer, nor will it modify MAC times.
Example Corporation has split their network into network zones that include sales, HR, research and development, and guest networks, each separated from the others using network security devices. What concept is Example Corporation using for their network security? A. Segmentation B. Multiple-interface firewalls C. Single-point-of-failure avoidance D. Zoned routing
A. Example Corporation is using network segmentation to split their network up into security zones based on their functional requirements. They may use multiple-interface firewalls for this, and they may try to avoid single points of failure, but the question does not provide enough information to know if that is the case. Finally, zoned routing is a made-up term—zone routing is an actual technical term, but it is used for wireless networks.
Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form? A. Live imaging B. Offline imaging C. Brute-force encryption cracking D. Cause a system crash and analyze the memory dump
A. Imaging the system while the program is live has the best probability of allowing Jeff to capture the encryption keys or decrypted data from memory. An offline image after the system is shut down will likely result in having to deal with the encrypted file. Brute-force attacks are typically slow and may not succeed, and causing a system crash may result in corrupted or nonexistent data.
Jason has user rights on his Linux workstation, but he wants to read his department's financial reports, which he knows are stored in a directory that only administrators can access. He executes a local exploit, which gives him the ability to act as root. What type of attack is this? A. Privilege escalation B. Zero day C. Rootkit D. Session hijacking
A. Jason's exploit is a form of privilege escalation, which uses a flaw to gain elevated privileges. Local users have a far greater ability to attempt these attacks in most organizations, since flaws that are only exploitable locally often get less attention from administrators than those that can be exploited remotely. A zero-day attack would use previously unknown flaws to exploit a system, rootkits are aimed at acquiring and maintaining long-term access to systems, and session hijacking focuses on taking over existing sessions.
Tina is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization's network. What type of control is Tina designing? A. Logical control B. Physical control C. Administrative control D. Root access control
A. Logical controls are technical controls that enforce confidentiality, integrity, and availability in the digital space. Examples of logical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.
Mike installs a firewall in front of a previously open network to prevent the systems behind the firewall from being targeted by external systems. What did Mike do? A. Reduced the organization's attack surface B. Implemented defense in depth C. Added a corrective control D. Added an administrative control
A. Mike reduced the organization's attack surface. This occurs when the number of potential targets is reduced. Since the question describes only one security activity, we don't know that defense in depth has been implemented. The firewall may be a corrective control, but the question does not specify that it is there as part of a response or to deal with a specific problem, and firewalls are technical controls rather than administrative controls.
What type of attack occurs when an attacker takes advantage of OAuth open redirects to take on the identity of a legitimate user? A. Impersonation B. Session hijacking C. MiTM D. Protocol analysis
A. OAuth redirect exploits are a form of impersonation attack, allowing attackers to pretend to be a legitimate user. Session hijacking would take advantage of existing sessions, whereas man-in-the-middle (MiTM) attacks take advantage of being in the path of communications. Protocol analysis is a networking term used when reviewing packet contents.
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner? A. Removal B. Isolation C. Detection D. Segmentation
A. Only removal of the compromised system from the network will stop the attack against other systems. Isolated and/or segmented systems are still permitted access to the Internet and could continue their attack. Detection is a purely passive activity that does not disrupt the attacker at all.
Which one of the following statements is not true about compensating controls under PCI DSS? A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. B. Controls must meet the intent of the original requirement. C. Controls must meet the rigor of the original requirement. D. Compensating controls must provide a similar level of defense as the original requirement.
A. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.
What type of attack can be executed against a RADIUS shared secret if attackers have valid credentials including a known password and can monitor RADIUS traffic on the network? A. A brute force attack B. A dictionary attack C. A pass-the-hash attack D. A counter-RADIUS attack
A. RADIUS shared secrets can be brute forced if attackers can gain access to a known password and can monitor traffic on the network. A dictionary attack is a type of attack used against passwords, pass-the-hash attacks attempt to reuse previously used hashes to authenticate, and counter-RADIUS attack is a made-up term.
Which one of the following is not a purging activity? A. Resetting to factory state B. Overwriting C. Block erase D. Cryptographic erase
A. Resetting a device to factory state is an example of a data clearing activity. Data purging activities include overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands.
Which one of the following tools may be used to isolate an attacker so that he or she may not cause damage to production systems but may still be observed by cybersecurity analysts? A. Sandbox B. Playpen C. IDS D. DLP
A. Sandboxes are isolation tools used to contain attackers within an environment where they believe they are conducting an attack but, in reality, are operating in a benign environment.
What law creates cybersecurity obligations for healthcare providers and others in the health industry? A. HIPAA B. FERPA C. GLBA D. PCI DSS
A. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses.
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause? A. Containment, Eradication, and Recovery B. Preparation C. Post-Incident Activity D. Detection and Analysis
A. The containment, eradication, and recovery phase of incident response includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? A. Destroy B. Clear C. Erase D. Purge
A. The data disposition flowchart in Figure 8.7 directs that any media containing highly sensitive information that will leave the control of the organization must be destroyed. Joe should purchase a new replacement device to provide to the contractor.
Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date? A. Timeline B. Log viewer C. Registry analysis D. Timestamp validator
A. Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. Forensic tools provide built-in timeline capabilities to allow this type of analysis.
A member of Susan's team recently fell for a phishing scam and provided his password and personal information to a scammer. What layered security approach is not an appropriate layer for Susan to implement to protect her organization from future issues? A. Multifactor authentication B. Multitiered firewalls C. An awareness program D. A SIEM monitoring where logins occur from
B. A multitier firewall is least likely to be an effective security control when Susan's organization deals with compromised credentials. Multifactor authentication would require the attacker to have the second factor in addition to the password, an awareness program may help Susan's employees avoid future scams, and a SIEM monitoring for logins that are out of the ordinary may spot the attacker logging in remotely or otherwise abusing the credentials they obtained.
Which of the following methods is not an effective method for preventing brute-force password guessing attacks via login portals? A. CAPTCHAs B. Returning an HTTP error C. Login throttling D. Failed login account lockout
B. CAPTCHAs, login throttling, and locking out accounts after a set number of failed logins are all useful techniques to stop or delay brute-force password guessing attacks. Some sites also use unique URLs, or limit the IP ranges that systems can authenticate from. Returning an HTTP error actually works in the attacker's favor, as they can key off of that error to try their next login attempt!
Authentication that uses the IP address, geographic location, and time of day to help validate the user is known as what type of authentication? A. Token based B. Context based C. NAC D. System-data contextual
B. Context-based authentication allows authentication decisions to be made based on information about the user, the system they are using, or other data like their geographic location, behavior, or even time of day. Token-based authentication uses a security token to generate a one-time password or value, and NAC is network access control, a means of validating systems and users that connect to a network. System-data contextual is a made-up answer for this question.
Which of the following layered security controls is commonly used at the WAN, LAN, and host layer in a security design? A. Encryption of data at rest B. Firewalls C. DMZs D. Antivirus
B. Firewalls are commonly used to create network protection zones, to protect network borders, and at the host level to help armor the host against attacks. Encryption at rest is most frequently used at the host layer, whereas DMZs are typically used at the edge of a network for publicly accessible services. Antivirus is sometimes used at each layer but is most commonly found at the host layer.
Fred has been assigned to review his organization's host security policies due to a recent theft of a workstation that contained sensitive data. Which of the following controls would best help to prevent a stolen machine from causing a data breach? A. Central management B. Full disk encryption C. Remote wipe capabilities D. Machine tracking software
B. Fred's best option is to employ full disk encryption. Without a valid login, a thief would find that all data on the system was encrypted. Remote wipe capabilities and machine tracking software would provide helpful additional capabilities, but both rely on the system connecting to a network after it is stolen. Central management is useful for reporting machine state and might even help locate a machine if it was reconnected to a network, but it does not protect the data the machine contains.
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
B. In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.
Which one of the following is not typically found in a cybersecurity incident report? A. Chronology of events B. Identity of the attacker C. Estimates of impact D. Documentation of lessons learned
B. Incident reports should include a chronology of events, estimates of the impact, and documentation of lessons learned, in addition to other information. Incident response efforts should not normally focus on uncovering the identity of the attacker, so this information would not be found in an incident report.
Angela is concerned about attackers enumerating her organization's LDAP directory. What LDAP control should she recommend to help limit the impact of this type of data gathering? A. LDAP replication B. ACLs C. Enable TLS D. Use MD5 for storage of secrets
B. LDAP access control lists (ACLs) can limit which accounts or users can access objects in the directory. LDAP replication may help with load issues or denial-of-service attacks, and TLS helps protect data in transit, but neither limits what an authorized query can enumerate. MD5 storage for secrets like passwords is a bad idea!
Which of the following technologies is not a shared authentication technology? A. OpenID Connect B. LDAP C. OAuth D. Facebook Connect
B. LDAP is sometimes used for single sign-on but is not a shared authentication technology. OpenID Connect, OAuth, and Facebook Connect are all examples of shared authentication technologies.
Michelle has a security token that her company issues to her. What type of authentication factor does she have? A. Biometric B. Possession C. Knowledge D. Inherence
B. Michelle's security token is an example of a possession factor, or "something you have." A password or PIN would be a knowledge factor or "something you know," while a fingerprint or retina scan would be a biometric, or inherence factor.
Which one of the following activities is not normally conducted during the recovery validation phase? A. Verify the permissions assigned to each account B. Implement new firewall rules C. Conduct vulnerability scans D. Verify logging is functioning properly
B. New firewall rules, if required, would be implemented during the eradication and recovery phase. The validation phase includes verifying accounts and permissions, verifying that logging is working properly, and conducting vulnerability scans.
Ric is reviewing his organization's network design and is concerned that a known flaw in the border router could let an attacker disable their Internet connectivity. Which of the following is an appropriate compensatory control? A. An identical second redundant router set up in an active/passive design B. An alternate Internet connectivity method using a different router type C. An identical second redundant router set up in an active/active design D. Place a firewall in front of the router to stop any potential exploits that could cause a failure of connectivity
B. Ric's best option is to implement backup Internet connectivity using a different make and model of router. This reduces the chance of the same exploit being able to take down both types of device while removing the single point of failure for connectivity. Adding a second identical router in either active/active or active/passive mode does not work around the flaw since an attacker could immediately repeat the attack to take down the matching router. A firewall might help, but in many cases attacks against routers take place on a channel that is required for the router to perform its function.
Which one of the following would not normally be found in an organization's information security policy? A. Statement of the importance of cybersecurity B. Requirement to use AES-256 encryption C. Delegation of authority D. Designation of responsible executive
B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.
Sue is the manager of a group of system administrators and is in charge of approving all requests for administrative rights. In her role, she files a change request to grant a staff member administrative rights and then approves it. What personnel control would best help to prevent this abuse of her role? A. Mandatory vacation B. Separation of duties C. Succession planning D. Dual control
B. Separation of duties would prevent Sue from both requesting and approving a change. Although this would not prevent her from having an employee make the request, it would stop her from handling the entire process herself. Mandatory vacation might help catch this issue if it were consistent but does not directly solve the problem. Succession planning identifies employees who might fill a role in the future, and dual control requires two people to work together to perform an action, neither of which is appropriate for this issue.
Ben's organization uses data loss prevention software that relies on metadata tagging to ensure that sensitive files do not leave the organization. What compensating control is best suited to ensuring that data that does leave is not exposed? A. Mandatory data tagging policies B. Encryption of all files sent outside the organization C. DLP monitoring of all outbound network traffic D. Network segmentation for sensitive data handling systems
B. Since Ben must assume that data that leaves may be exposed, his best option is to enforce encryption of files that leave the organization. Mandatory data tagging and DLP monitoring can help catch data that is accidentally sent, and network segmentation can help reduce the number of points he has to monitor, but encryption is the only control that can have a significant impact on data that does leave.
File remnants found in clusters that have been only partially rewritten by new files are in what type of space? A. Outer B. Slack C. Unallocated space D. Non-Euclidean
B. Slack space is the space that remains when only a portion of a cluster is used by a file. Data from previous files may remain in the slack space since it is typically not wiped or overwritten. Unallocated space is space on a drive that has not been made into part of a partition. Outer space and non-Euclidean space are not terms used for filesystems or forensics.
Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing? A. Policy B. Standard C. Guideline D. Procedure
B. Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.
What ISO standard applies to information security management controls? A. 9001 B. 27001 C. 14032 D. 57033
B. The International Organization for Standardization (ISO) publishes ISO 27001, a standard document titled "Information technology—Security techniques—Information security management systems—Requirements."
Which of the following technologies is NTLM associated with? A. SAML B. Active Directory C. OAuth D. RADIUS
B. The NT LAN Manager security protocols are associated with Active Directory. SAML, OAuth, and RADIUS do not use NTLM.
What law governs the financial records of publicly traded companies? A. GLBA B. SOX C. FERPA D. PCI DSS
B. The Sarbanes-Oxley (SOX) Act applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.
Which of the following Linux command-line tools will show you how much disk space is in use? A. top B. df C. lsof D. ps
B. The df tool will show you a system's current disk utilization. Both the top and the ps tools will show you information about processes, CPU, and memory utilization, and lsof is a multifunction tool for listing open files.
Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework? A. Identify B. Contain C. Respond D. Recover
B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.
Joe is authoring a document that explains to system administrators one way that they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing? A. Policy B. Guideline C. Procedure D. Standard
B. The key word in this scenario is "one way." This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.
During an incident response process, Michelle discovers that the administrative credentials for her organization's Kerberos server have been compromised and that attackers have issued themselves a TGT without an expiration date. What is this type of ticket called? A. A master ticket B. A golden ticket C. A KDC D. A MGT
B. The nightmare scenario of a compromised Kerberos server that allows attackers to issue their own ticket-granting tickets, known as golden tickets, would result in attackers being able to create new tickets, perform account changes, and even create new accounts and services. A KDC is a Kerberos key distribution center; MGT and master tickets were both made up for this question.
Which one of the following is not a common use of formal incident reports? A. Training new team members B. Sharing with other organizations C. Developing new security controls D. Assisting with legal action
B. There are many potential uses for written incident reports. First, a report creates an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, it may serve as an important record of the incident if there is ever legal action that results from the incident. These reports should be classified and not disclosed to external parties.
James is concerned that network traffic from his datacenter has increased and that it may be caused by a compromise that his security tools have not identified. What SIEM analysis capability could he use to look at the traffic over time sent by his datacenter systems? A. Automated reporting B. Trend analysis C. BGP graphing D. Log aggregation
B. Trend analysis using historical data will show James what his network traffic's behavior has been. James may notice an increase since a new storage server with cloud replication was put in, or he may notice that a DMZ host has steadily been increasing its outbound traffic. Automated reporting might send an alarm if it has appropriate thresholds set, and log aggregation is the foundation of how a SIEM gathers information, but neither will individually give James the view he needs. BGP is a routing protocol, and graphing it won't give James the right information either.
Which of the following is not a potential issue with live imaging of a system? A. Remnant data from the imaging tool B. Unallocated space will be captured C. Memory or drive contents may change during the imaging process D. Malware may detect the imaging tool and work to avoid it
B. Unallocated space is typically not captured during a live image, potentially resulting in data being missed. Remnant data from the tool, memory and drive contents changing while the image is occurring, and malware detecting the tool are all possible issues.
Which of the following controls is best suited to prevent vulnerabilities related to software updates? A. Operating system patching standards B. Centralized patch management software C. Vulnerability scanning D. An IPS with appropriate detections enabled
B. While each of the items listed can help as part of a comprehensive security architecture, using centralized patch management software will typically have the largest impact in an organization's handling of vulnerabilities related to software updates. Vulnerability scanning can help detect issues, and an IPS with the appropriate detections enabled may help prevent exploits, but both are less important than patching itself. Similarly, standards for patching help guide what is done but don't ensure that the patching occurs.
Lauren is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time-based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented when she is done? A. One B. Two C. Three D. Four
B. While it may seem like Lauren has implemented three different factors, both a PIN and a passphrase are knowledge-based factors and cannot be considered distinct factors. She has implemented two distinct factors with her design. If she wanted to add a third factor, she could replace either the password or the PIN with a fingerprint scan or other biometric factor.
Kathleen needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering the information she needs? A. The Registry B. %SystemRoot%\MEMORY.DMP C. A system restore point file D. %SystemRoot%/WinDBG
B. Windows crash dumps are stored in %SystemRoot%\MEMORY.DMP and contain the memory state of the system when the system crash occurred. This is her best bet for gathering the information she needs without access to a live image. The Registry and system restore point do not contain this information, and WinDbg is a Windows debugger, not an image of live memory.
Which format does dd produce files in? A. ddf B. RAW C. EN01 D. OVF
B. dd creates files in RAW, bit-by-bit format. EN01 is the EnCase forensic file format, OVF is a virtualization file format, and ddf is a made-up answer.
Ben's successful attack on an authenticated user required him to duplicate the cookies that the web application put in place to identify the legitimate user. What type of attack did Ben conduct? A. Impersonation B. MiTM C. Session hijacking D. Privilege escalation
C. Ben successfully conducted a session hijacking attack by copying session information and using the existing session. If he had impersonated a legitimate user, it would have been an impersonation attack, while a MiTM attack would require being in the flow of traffic between two systems or services. Privilege escalation attacks focus on acquiring higher levels of privilege.
2013's Yahoo breach resulted in almost 1 billion MD5-hashed passwords being exposed. What user behavior creates the most danger when this type of breach occurs? A. Insecure password reset questions B. Use of federated credentials C. Password reuse D. Unencrypted password storage
C. Breaches of passwords stored in easily recoverable or reversible formats paired with user IDs or other identifying information create significant threats if users reuse passwords. Attackers can easily test the passwords they recover against other sites and services. Poor password reset questions are a threat even without a breach, and unencrypted password storage is an issue during breaches, but this type of breach is enabled by poor storage rather than being a result of the breach. Use of federated credentials is not a critical concern in cases like this.
Which of the following is not a common attack against Kerberos? A. Administrator account attacks B. Ticket reuse attacks C. Open redirect based attacks D. TGT focused attacks
C. Common attacks against Kerberos include attacks aimed at administrative accounts, particularly those that attempt to create a ticket granting ticket. Ticket reuse attacks are also common. Open redirect-based attacks are associated with OAuth rather than Kerberos.
Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation? A. The MFT B. INDX files C. Event logs D. Volume shadow copies
C. Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both have specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information? A. Clear B. Erase C. Purge D. Destroy
C. Lynda should consult the flowchart that appears in Figure 8.7. Following that chart, the appropriate disposition for media that contains high security risk information and will be reused within the organization is to purge it.
Angela needs to implement a control to ensure that she is notified of changes to important configuration files on her server. What type of tool should she use for this control? A. Anti-malware B. Configuration management C. File integrity checking D. Logging
C. File integrity checking tools like Tripwire can notify an administrator when changes are made to a file or directory. Angela can implement file integrity monitoring for her critical system files, thus ensuring she is warned if they change without her knowledge. Anti-malware tools only detect behaviors like those of malware and may not detect manual changes or behaviors that don't match the profile they expect. Configuration management tools can control configuration files but may not note changes that are made, and logging utilities often don't track changes to files.
Which party in a federated identity service model makes assertions about identities to service providers? A. RPs B. CDUs C. IDPs D. APs
C. Identity providers, or IDPs, make assertions about identities to relying parties and service providers in a federation. CDUs and APs are not terms used in federated identity designs.
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
C. In a segmentation approach, the suspect system is placed on a separate network where it has very limited access to other networked resources.
What TOGAF domain provides the organization's approach to storing and managing information assets? A. Business architecture B. Applications architecture C. Data architecture D. Technical architecture
C. In the TOGAF model, the data architecture provides the organization's approach to storing and managing information assets.
What technology is best suited to protecting LDAP authentication from compromise? A. SSL B. MD5 C. TLS D. SHA1
C. LDAP authentication occurs in plaintext, requiring TLS to protect the communication process. SSL is outdated, and both MD5 and SHA1 are useful for hashing but not for protecting authentication traffic.
Which of the following is not a reason to avoid using SMS as a second factor for authentication? A. SMS via VoIP is easy to target. B. SMS is insecure. C. SMS cannot send unique tokens. D. VoIP management often uses the same password as the account.
C. NIST SP 800-63-3 recommends that SMS be deprecated due to issues with VoIP including password reuse and the ability to redirect SMS sent via VoIP calls. In addition, SMS itself is relatively insecure, allowing attackers with the right equipment to potentially intercept it. The good news is that SMS can send unique tokens—they're just text!
Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? A. Effectiveness of the strategy B. Evidence preservation requirements C. Log records generated by the strategy D. Cost of the strategy
C. NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
During a penetration test of Anna's company, the penetration testers were able to compromise the company's web servers and deleted their log files, preventing analysis of their attacks. What compensating control is best suited to prevent this issue in the future? A. Using full-disk encryption B. Using log rotation C. Sending logs to a syslog server D. Using TLS to protect traffic
C. Sending logs to a remote log server or bastion host is an appropriate compensating control. This ensures that copies of the logs exist in a secure location, allowing them to be reviewed if a similar compromise occurred. Full-disk encryption leaves files decrypted while in use and would not secure the log files from a compromise, whereas log rotation simply means that logs get changed out when they hit a specific size or timeframe. TLS encryption for data (including logs) in transit can keep it private and prevent modification but wouldn't protect the logs from being deleted.
Lauren's departure from her organization leaves her team without a Linux systems administrator and means they no longer have in-depth knowledge of a critical business system. What should her manager have done to ensure that this issue did not have a significant impact? A. Mandatory vacation B. Exit interview C. Succession planning D. HR oversight
C. Succession planning can help to ensure that employee departures do not result in critical skillsets and knowledge being inaccessible. Exit interviews may identify tasks or skills but won't ensure that skills and knowledge are already prepared before an employee leaves. Mandatory vacation and HR oversight do not address this issue.
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? A. Identifying the source of the attack B. Eradication C. Containment D. Recovery
C. Tamara's first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.
During a security architecture design review, Kathleen notices that there is no written process in place to ensure that systems are returned to their normal state after a compromise. How would this control be classified? A. A technical, corrective control B. A corrective, compensatory control C. An administrative, corrective control D. A physical, detective control
C. The control Kathleen identified as missing would be an administrative (process) control that acts in a corrective manner to ensure that remediation occurs. It is nontechnical and not a physical control. It also does not make up for a flaw in other controls and is thus not a compensatory control.
What SABSA architecture layer corresponds to the designer's view of security architecture? A. Contextual security architecture B. Conceptual security architecture C. Logical security architecture D. Component security architecture
C. The logical security architecture corresponds to the designer's view in the SABSA model. The contextual architecture is the business view, the conceptual architecture is the architect's view, and the component architecture is the tradesman's view.
Susan has been asked to identify the applications that start when a Windows system does. Where should she look first? A. INDX files B. Volume shadow copies C. The Registry D. The MFT
C. Windows stores information about programs that run at startup in the Registry, in the Run and RunOnce keys, which are processed each time a user logs in. INDX files and the MFT are both useful for file information, and volume shadow copies can be used to see point-in-time information about a system.
Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this? A. Review the MFT B. Check the system's live memory C. Use USB Historian D. Create a forensic image of the drive
C. USB Historian provides a list of devices that are logged in the Windows Registry. Frederick can check the USB device's serial number and other identifying information against the Windows system's historical data. If the device isn't listed, that is not absolute proof it was never connected, but if it is listed, it is reasonable to assume that it was used on that system.
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort? A. Identity of the attacker B. Time of the attack C. Root cause of the attack D. Attacks on other organizations
C. Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker's actions. This information is crucial to remediating security controls and preventing future similar attacks.
Alice wants to copy a drive without any chance of it being modified by the copying process. What type of device should she use to ensure that this does not happen? A. Read blocker B. Drive cloner C. Write blocker D. Hash validator
C. Write blockers ensure that no changes are made to a source drive when creating a forensic copy. Preventing reads would stop you from copying the drive, drive cloners may or may not have write blocking capabilities built in, and hash validation is useful to ensure contents match but doesn't stop changes to the source drive from occurring.
Darren is helping the Human Resources department create a new policy for background checks on new hires. What type of control is Darren creating? A. Physical B. Technical C. Logical D. Administrative
D. Administrative controls are procedural mechanisms that an organization follows to implement sound security management practices. Examples of administrative controls include user account reviews, employee background investigations, log reviews, and separation of duties policies.
Ben wants to ensure that a single person cannot independently access his organization's secure vault. What personnel control is best suited to this need? A. Mandatory vacation B. Separation of duties C. Succession planning D. Dual control
D. Ben's best option is dual control, which requires two individuals to collaborate to perform an action. This might take the form of independent access codes, both of which are required to access a secure vault. Mandatory vacation, succession planning, and separation of duties do not directly prevent an individual from gaining independent access to a secure location.
Which one of the following activities does CompTIA classify as part of the recovery validation effort? A. Rebuilding systems B. Sanitization C. Secure disposal D. Scanning
D. CompTIA includes patching, permissions, security scanning, and verifying logging/communication to monitoring in the set of validation activities that cybersecurity analysts should undertake in the aftermath of a security incident.
What two files may contain encryption keys normally stored only in memory on a Windows system? A. The MFT and the hash file B. The Registry and hibernation files C. Core dumps and encryption logs D. Core dumps and hibernation files
D. Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing encryption keys to be retrieved from the stored file. The MFT provides information about file layout, and the Registry contains system information but shouldn't have encryption keys stored in it. There is no hash file or encryption log stored as a Windows default file.
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal? A. Isolation B. Segmentation C. Removal D. None of the above
D. Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization? A. Policy B. Standard C. Procedure D. Guideline
D. Guidelines are the only element of the security policy framework that are optional. Compliance with policies, standards, and procedures is mandatory.
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
D. In the removal approach, Alice keeps the systems running for forensic purposes but completely cuts off their access to or from other networks, including the Internet.
During his investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. What is the most important issue Jeff could encounter if the case goes to court? A. Bad checksums B. Hash mismatch C. Anti-forensic activities D. Inability to certify chain of custody
D. Jeff did not create the image and cannot validate chain of custody for the drive. This also means he cannot prove that the drive is a copy of the original. Since we do not know the checksum for the original drive, we do not have a bad checksum or a hash mismatch—there isn't an original to compare it to. Anti-forensic activities may have occurred, but that cannot be determined from the question.
In Lauren's initial design for a secure network, she applied the same security controls to every system and network. After reviewing her design, she decided to isolate systems based on their functions and to apply controls to protected network segments for more sensitive data and systems. What two design models did she apply? A. Threat analysis-based design, protected enclaves B. Uniform protection, threat analysis-based design C. Information-based design, uniform protection D. Uniform protection, protected enclaves
D. Lauren's initial design provided uniform protection. Her redesign placed systems into protected enclaves based on their sensitivity. If she had used threat analysis-based design, she would have considered threat vectors to build her design. An information-based design would have applied protections based on information classification or control requirements.
Which one of the following data elements would not normally be included in an evidence log? A. Serial number B. Record of handling C. Storage location D. Malware signatures
D. Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (e.g., the location, serial number, model number, hostname, MAC addresses and IP addresses of a computer), the name, title and phone number of each individual who collected or handled the evidence during the investigation, the time and date (including time zone) of each occurrence of evidence handling, and the locations where the evidence was stored.
Carl does not have the ability to capture data from a cell phone using forensic or imaging software, and the phone does not have removable storage. Fortunately, the phone was not set up with a PIN or screen lock. What is his best option to ensure he can see email and other data stored there? A. Physical acquisition B. Logical access C. File system access D. Manual access
D. Manual access is used when phones cannot be forensically imaged or accessed as a volume or filesystem. Manual access requires that the phone be reviewed by hand, with pictures and notes preserved to document the contents of the phone.
What NIST publication contains guidance on cybersecurity incident handling? A. SP 800-53 B. SP 800-88 C. SP 800-18 D. SP 800-61
D. NIST SP 800-61 is the Computer Security Incident Handling Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems.
Which one of the following documents must normally be approved by the CEO or similarly high-level executive? A. Standard B. Procedure C. Guideline D. Policy
D. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.
Jim was originally hired into the helpdesk at his current employer but has since moved into finance. During a rights audit, it is discovered that he still has the ability to change passwords for other staff members. What is this issue called? A. Rights mismanagement B. Least privilege C. Permission misalignment D. Privilege creep
D. Privilege creep occurs as staff members change roles but their rights and permissions are not updated to match their new responsibilities. This violates the concept of least privilege. Rights mismanagement and permission misalignment are both terms made up for this question.
Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating? A. Policy B. Standard C. Guideline D. Procedure
D. Procedures provide checklist-style sets of step-by-step instructions guiding how employees should react in a given circumstance. Procedures commonly guide the early stages of incident response.
Chris is in charge of his organization's Windows security standard, including their Windows XP security standard, and has recently decommissioned the organization's last Windows XP system. What is the next step in his security standard's life cycle? A. A scheduled review of the Windows standards B. A final update to the standard, noting that Windows XP is no longer supported C. Continual improvement of the Windows standards D. Retiring the Windows XP standard
D. Retirement is the last step at the end of the life cycle for a standard or process. Of course this means that if the process is retired, a final update to it is not needed! The standards for other, currently maintained operating systems should undergo regular scheduled review, and staff who support them may participate in a continuous improvement process to keep the standards up to date.
During her forensic copy validation process, Danielle received the following MD5 sums from her original drive and the cloned image after using dd. What is likely wrong?
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
A. The original was modified. B. The clone was modified. C. dd failed. D. An unknown change or problem occurred.
D. Since Danielle did not hash her source drive prior to cloning, we cannot determine where the problem occurred. If she had run md5sum prior to the cloning process as well as after, she could verify that the original disk had not changed.
What security design is best suited to protect authentication and authorization for a network that uses TACACS+? A. Use TACACS+ built-in encryption to protect traffic B. Implement TACACS++ C. Enable accounting services to detect issues D. Route management traffic over a dedicated network
D. TACACS+ should be run on an isolated management network to protect it from attackers. It does not provide built-in encryption, TACACS++ does not exist, and while enabling auditing features is a good idea, it won't stop attacks from occurring.
Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement? A. COBIT B. TOGAF C. ISO 27001 D. ITIL
D. The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise. ITIL covers five core activities: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.
Which one of the following is not a common use of the NIST Cybersecurity Framework? A. Describe the current cybersecurity posture of an organization. B. Describe the target future cybersecurity posture of an organization. C. Communicate with stakeholders about cybersecurity risk. D. Create specific technology requirements for an organization.
D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.
What compliance obligation applies to merchants and service providers who work with credit card information? A. FERPA B. SOX C. HIPAA D. PCI DSS
D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.
Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs? A. LiME B. DumpIt C. fmem D. The Volatility Framework
D. The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in-depth memory forensics and analysis capabilities. LiME and fmem are Linux tools, whereas DumpIt is a Windows-only tool.
Which one of the following policies would typically answer questions about when an organization should destroy records? A. Data ownership policy B. Account management policy C. Password policy D. Data retention policy
D. The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.
While studying an organization's risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure? A. Tier 1 B. Tier 2 C. Tier 3 D. Tier 4
D. The description provided matches the definition of a Tier 4 (Adaptive) organization's risk management practices under the NIST Cybersecurity Framework.
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network? A. Containment B. Recovery C. Post-Incident Activities D. Eradication
D. The primary purpose of eradication is to remove any of the artifacts of the incident that may remain on the organization's network. This may include the removal of any malicious code from the network, the sanitization of compromised media, and the securing of compromised user accounts.
Which tool is not commonly used to generate the hash of a forensic copy? A. MD5 B. FTK C. SHA1 D. AES
D. While AES does have a hashing mode, MD5, SHA1, and built-in hashing tools in FTK and other commercial tools are more commonly used for forensic hashes.
Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim? A. C:\Windows\System 32\Installers B. C:\Windows\Install.log C. C:\Windows\Jim\Install.log D. C:\Windows\Jim\AppData\Local\Temp
D. Windows installer logs are typically kept in the user's temporary app data folder. Windows does not keep an Install.log file in C:\Windows or in a per-user folder under it, and System32 does not contain an Installers directory.
Picture question
Single point of Failure on picture.