Jason Dion's CySA+ Practice Exam 1

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? ​ A.Credit card information ​ B.Protected health information ​ C.Personally identifiable information ​ D.Trade secret information

B.Protected health information Explanation OBJ-2: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA) and requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, to contact, or to impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center? ​ A.Schedule scans to be conducted evenly throughout the day ​ B.Schedule scans to run during periods of low activity ​ C.Schedule scans to begin at the same time every day ​ D.Schedule scans to run during peak times to simulate performance under load

B.Schedule scans to run during periods of low activity Explanation OBJ-2: For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the target of the attack? ​ A.389 ​ B.3389 ​ C.443 ​ D.21

C.443 OBJ-1.2: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations? ​ A.Check the Update History manually ​ B.Conduct a registry scan of each workstation to validate the patch was installed ​ C.Create and run a PowerShell script to search for the specific patch in question ​ D.Use SCCM to validate patch status for each machine on the domain

D.Use SCCM to validate patch status for each machine on the domain Explanation OBJ-3: The Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your device's Windows updates, Windows Defender anti-virus status, and the up to date patching status across all of your Windows 10 workstations. In previous versions of Windows, you could use the Microsoft Baseline Analyzer (MSBA), but that is no longer supported when Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. A.Manually checking the Update History or registry of each system could also work, but that is very time consuming and inefficient, especially if Ryan is supporting a large network.

Review the following packet captured at your NIDS: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack1, win 511, options [nop,nop, TS val 263451334 erc 482862734, length 125 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? ​ A.DENY TCP ANY HOST 71.168.10.45 EQ 3389 ​ B.DENY IP HOST 71.168.10.45 ANY EQ 25 ​ C.DENY IP HOST 86.18.10.3 EQ 3389 ​ D.DENY TCP ANY HOST 86.18.10.3 EQ 25

A. DENY TCP ANY HOST 71.168.10.45 EQ 3389 Explanation OBJ-3: Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor's website. What should you do next? ​A. A.Start the incident response process ​ B.Establish continuous monitoring ​ C.Rescan the server to ensure the vulnerability still exists ​ D.Submit a Request for Change using the change management process

A. Submit a Request for Change using the change management process Explanation OBJ-2: Before any changes to a baseline occurs, a Request for Change should be submitted. This submission will start the change management process within your organization. Once approved, the patch should be tested in a staging environment, installed on the production server, and then the server should be rescanned to ensure the vulnerability no longer exists. In this scenario, there is no incident response being performed since this is a vulnerability that was found during a routine vulnerability scan.

You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network? ​ A.net use ​ B.net user ​ C,net group ​ D.net config

A. net use Explanation OBJ-1: The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow servers and workstations services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting their time on results that are not really a vulnerability, the analyst wants to remove any false positives before they begin to remediate the findings. Which of the following is an indicator that something in their results would be a false positive? ​ A.A finding that shows the scanner compliance plug-ins are not up-to-date ​ B.Items classified by the system as Low or as For Informational Purposes Only ​ C.A scan result showing a version that is different from the automated asset inventory ​ D.A 'HTTPS entry that indicates the web page is securely encrypted

B. Items classfified by the system as Low or as For Informational Purposes Only Explanation OBJ-2: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only". These are most likely false positives and can be ignored by the analyst when first starting their remediation efforts. "A HTTPS entry that indicates the web page is securely encrypted" is not a false positive, but a true negative (a non-issue). A scan result showing a version that is different from the automated asset inventory is something that should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where components of a program are run from in memory? ​ A.DLP ​ B.ASLR ​ C.DLL ​ D.DEP

B.ASLR Explanation OBJ-4: ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.

Which of the following type of solutions would you classify a FPGA as? ​ A.Hardware security module ​ B.Anti-tamper ​ C.Trusted platform module ​ D.Root of trust

B.Anti-tamper Explanation OBJ-2: A field programmable gate array (FPGA) is an anti-tamper mechanism that makes use of a type of programmable controller and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique features of the device. This means that tampering with a device, such as by removing the chip or adding an unknown input/output mechanism, can be detected, and a remedial action like using zero-filling cryptographic keys can be performed automatically. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. It is a solution that may be less susceptible to tampering and insider threats than a traditional software-based storage solution. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. A hardware root of trust (RoT) or trust anchor is a secure subsystem that is able to provide attestation to declare something as true.

Which of the following technologies is NOT a shared authentication protocol? ​ A.OpenID Connect ​ B.LDAP ​ C.OAuth ​ D.Facebook Connect

B.LDAP Explanation OBJ-4: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

You are attempting to run a packet capture on a Linux workstation using the tcpdump command. Which of the following would allow you to conduct the packet capture and write the output to a file for later analysis? ​ A.tcpdump -i eth0 -r diontraining.pcap ​ B.tcpdump -i eth0 -w diontraining.pcap ​ C.tcpdump -i eth0 -n diontraining.pcap ​ D.tcpdump -i eth0 -e diontraining.pcap

B.tcpdump -i eth0 -w diontraining.pcap Explanation OBJ-4.5: The tcpdump command is a command-line packet capture utility for Linux. The tcpdump command uses the -w option to write the capture output results to a file. A .pcap extension normally identifies packet capture files. The tcpdump command uses the -r option to read the contents of a packet capture file. The tcpdump command uses the -n option to show network address information in numeric format (does not resolve hostnames). The tcpdump command uses the -e option to include the data link (Ethernet) header when performing a packet capture.

Sagar is planning to patch a production system to correct a vulnerability that was detected during his most recent vulnerability scan of the network. What process should he follow to minimize the risk of a system failure while patching this vulnerability? ​ A.Deploy the patch immediately on the production system to remediate the vulnerability ​ B.Wait 60 days to deploy the patch to ensure there are no associated bugs reported with it ​ C.Deploy the patch in a sandbox environment to test it prior to patching the production system ​ D.Contact the vendor to determine a safe time frame for deploying the patch into the production environment

C. Deploy the patch in a sandbox environment to test it prior to patching the production system Explanation OBJ-2: While patching a system is necessary to remediate a vulnerability, you should always attempt to test the patch before implementation. It is considered a best practice to create a staging or sandbox environment to test the installation of the patches before installing them into the production environment. This reduces the risks of the patch breaking something in the production system. Unless you are dealing with a very critical vulnerability and the risk of not patching is worse than then risk of patching the production system directly, you should not immediately patch the production systems without testing the patch first. You should not wait 60 days to deploy the patch. Waiting this long provides attackers an opportunity to reverse engineer the patch and creating a working exploit against the vulnerability. Finally, asking the vendor for a safe time frame is not helpful, since the vendor does not know the specifics of your environment or your business operations.

An organization wants to get an external attacker's perspective on their security status. Which of the following services should they purchase? ​ A.Vulnerability scan ​ B.Asset management ​ C.Penetration test ​ D.Patch management

C. Penetration test Explanation OBJ-1.4: Penetration tests provide an organization with an external attacker's perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The results of penetration tests are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for, over their whole life cycles. It may apply both to tangible assets and to intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service? ​ A.The service is running on a port between 0-1023 ​ B.The service's name on the registered port ​ C.The service is running on a port between 1024 and 49151 ​ D.The vulnerability status of the service on the registered port

C. The service is running on a port between 1024 and 49151 Explanation OBJ-1: Registered ports are assigned a port number between 1024 and 49151 by the Internet Assigned Numbers Authority. Just because you find one of those ports in use, that does not guarantee that the service running on it will match the normally registered service. For example, RDP uses the registered port of 3389, but there is nothing preventing an administrator from running a different service over port 3389 instead. Also, discovering a service using a port scanner does not necessarily identify the service correctly or provide its vulnerability status. Any ports between 0 and 1023 are known as the well-known ports.

Which of the following is NOT one of the main criteria that should be included in a penetration testing plan? ​ A.Timing ​ B.Scope ​ C.Account credentials ​ D.Authorization

C.Account credentials OBJ-1.4: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, usually not provided for a penetration test.

Which of the following is the default nmap scan type when you do not provide with a flag when issuing the command? ​ A.A TCP FIN scan ​ B.A TCP connect scan ​ C.A TCP SYN scan ​ D.A UDP scan

C.A TCP SYN scan Explanation OBJ-1: By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.

Which law requires that government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? ​ A.FISMA ​ B.SOX ​ C.HIPPA ​ D.COPPA

A.FISMA Explanation OBJ-2: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPPA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

A software assurance laboratory is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing? ​ A.Fuzzing ​ B.Stress testing ​ C.User acceptance testing ​ D.Security regression testing

A.Fuzzing Explanation OBJ-4: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance and the interest in such approaches has steadily increased. Stress testing verifies the stability and reliability of the system by measuring the system on its robustness and error handling capabilities under extremely heavy load conditions.

An e-commerce website for a clothing store was recently compromised by an attacker. Which of the following methods did the attacker use if they harvested an account's cached credentials when the user logged into a SSO system? ​ A.Pass the hash ​ B.Lateral movement ​ C.Pivoting ​ D.Golden ticket

A.Pass the hash Explanation OBJ-3.4: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. D.A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. B.Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they are able to compromise host credentials. C.Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

What is the term for the amount of risk that an organization is willing to accept or tolerate? ​ A.Risk appetite ​ B.Risk avoidance ​ C.Risk deterrence ​ D.Risk transference

A.Risk Appetite Explanation OBJ-2: An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference is the response of moving or sharing the responsibility of risk to another entity.

Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop? ​ A.Search the register for a complete list ​ B.Search the user's profile directory for the list ​ C.Search the wireless adapter cache for the list ​ D.A list of the previously connected wireless networks is not stored on the laptop

A.Search the register for a complete list Explanation OBJ-3: The Windows registry keeps a list of the wireless networks that a system has previously connected to. The registry keys can be found in the directory of HKLM\Software\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This stored in Local Machine because it logs a copy of every access point connected to by all users of the machine, not just the currently logged in user.

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? ​ A.A log analysis tool ​ B.A behavior-based analysis tool ​ C.A signature-based detection tool ​ D.Manual analysis

B.A behavior-based analysis tool Explanation OBJ-3: A behavior-based analysis tool can be used to capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to properly set up, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not be able to detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

Shawn needs to boot a system in order to remediate it. The system was compromised by an attack and had a malicious program installed by creating a RunOnce key in the registry. What can Shawn do to boot the computer and prevent the RunOnce from executing the malicious program listed in the registry key? ​ A.Disable the registry at boot ​ B.Boot with Safe Mode ​ C.Boot with the -RunOnce flag ​ D.RunOnce cannot be disabled therefore she will need to boot from external media to disable it first

B.Boot with Safe Mode Explanation OBJ-3: When booting in Safe Mode, Run and RunOnce are ignored by the Windows system. The autorun entries in the Registry are often targeted because they're not always visible to the average user. In modern Windows systems, there are two types of autorun keys: Run, which initializes its values asynchronously, and RunOnce, which initializes its values in order. By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? ​ A.HIPAA ​ B.GLBA ​ C.FERPA ​ D.SOX

B.GLBA Explanation OBJ-4: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPPA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

You have just completed writing the scoping document for your next penetration test, which clearly defines what tools, techniques, and targets you intend to include during your assessment. Which of the following actions should you take next? ​ A.Conduct a port scan of the target network ​ B.Get leadership concurrence on the scoping document ​ C.Conduct passive fingerprinting on the target servers ​ D.Provide a copy of the scoping document to local law enforcement

B.Get leadership concurrence on the scoping document Explanation OBJ-1: Once the scoping document has been prepared, it is important that you get concurrence with your plan before you begin your penetration test. Therefore, you must get the scoping plan signed off by the organization's leadership as your next action. You should never begin a penetration test before you have written permission and concurrence from the target organization. Port scanning of the target and even passive fingerprinting could be construed as a cyber crime if you did not get the scoping document signed off before beginning your assessment. There is no requirement to notify local law enforcement of your upcoming penetration test as long as you have a signed scoping document and contract with the targeted company.

Which role validates the user's identity when using SAML for authentication? ​ A.SP ​ B.IdP ​ C.User agent ​ D.RP

B.IDP Explanation OBJ-4: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.`

What containment techniques is the strongest possible response to an incident? ​ A.Segmentation ​ B.Isolating affected systems ​ C.Isolating the attacker ​ D.Enumeration

B.Isolated affected systems Explanation OBJ-3: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system, but it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

You received an incident response report that indicates a piece of malware was introduced into the company's network through a remote workstation that was connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? ​ A.ACL ​ B.NAC ​ C.SPF ​ D.MAC filtering

B.NAC Explanation OBJ-1.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a type of network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email.

Which of the following is NOT considered a phase in the incident response cycle? ​ A.Containment, eradication, and recovery ​ B.Notification and communication ​ C.Detection and analysis ​ D.Preparation

B.Notification and communication Explanation OBJ-3: There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd![443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd[443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd![443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd[443] [https-get-form] host: diontraining.com login: dion password: P@$$w0rd![443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd[443] [https-get-form] host: diontraining.com login: jason password: P@$$w0rd![443] [https-get-form] host: diontraining.com login: jason password: C0mpT1@P@$$w0rd-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-What type of attack was most likely being attempted by the attacker? ​ A.Session hijacking ​ B.Password spraying ​ C.Impersonation ​ D.Credential stuffing

B.Password spraying Explanation OBJ-2: Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using a number of different passwords, but the number of passwords attempted is usually low when compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, there are only one or two attempts being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for the purpose of fraud. Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes. Session hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.

Which type of media sanitization would you classify degaussing as? ​ A.Clearing ​ B.Purging ​ C.Destruction ​ D.Erasing

B.Purging Explanation OBJ-3: Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has taken place, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state of the art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable, but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it to parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the pointer to the data file on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->echo 127.0.0.1 diontraining.com >> /etc/hosts-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Which of the following best describes what actions were performed by this line of code? ​ A.Added the website to system's whitelist in the hosts file ​ B.Routed traffic destined for the diontraining.com domain to the localhost ​ C.Routed traffic destined for the localhost to the diontraining.com domain ​ D.Attempted to overwrite the host file and deleted all data except this entry

B.Routed traffic destined fore the diontraining.com domain to the locahost Explanation OBJ-1.2: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain in order to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com are being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > was used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system whitelist file.

During her login session, Sally is asked by the system for a code that is sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? ​ A.SMS should be encrypted to be secure ​ B.SMS messages may be accessible to attackers via VoIP or other systems ​ C.SMS should be paired with a third factor ​ D.SMS is a costly method of providing a second factor of authentication

B.SMS messages may be accessible to attackers via VoIP or other systems OBJ-4: NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor instead. SMS is not a costly method since it can be deployed for less than $20/month at scale.

While studying for your CompTIA CySA+ course at Dion Training, you decided you want to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model? ​ A.Splunk ​ B.QRadar ​ C.ArcSight ​ D.OSSIM

D.OSSIM

You are analyzing the following network utilization report because you suspect one of the servers has been compromised .-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- IP Address Name Uptime Historical Current192.168.20.2 web01 7D 12H 32M 06S 42.6 GB 44.1 GB192.168.20.3 webdev02 4D 07H 12M 45S 1.95 GB 2.13 GB192.168.20.4 dbsvr01 12D 02H 46M 14S 3.15 GB 24.6 GB192.168.20.5 marketing01 2D 17H 18M 41S 5.2 GB 4.9 GB-=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? ​ A.web01 ​ B.webdev02 ​ C.dbsvr01 ​ D.marketing01

C. dbsrv01 Explanation OBJ-3: Due to the very large increase in network utilization on dbsvr01, it should be suspected of compromise and be investigated further. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This is indicative of a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

Dion Training's new COO is reviewing the organization's current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization's policies to ensure they remain up to date? ​ A.Monthly ​ B.Quarterly ​ C.Annually ​ D.Every five years

C.Anually Explanation OBJ-4: Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with policies that are constantly outdated. Similarly, conduct quarterly or monthly reviews is too frequent, and there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.

During which incident response phase is the preservation of evidence performed? ​ A.Preparation ​ B.Detection and analysis ​ C.Containment, eradication, and recovery ​ D.Post-incident activity

C.Containment, eradication, and recovery Explanation OBJ-3: A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. A.During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. B.During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. D.During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? ​ A.DNS brute forcing ​ B.ARP spoofing ​ C.DNS poisoning ​ D.MAC spoofing

C.DNS Spoofing Explanation OBJ-1: Once the scoping document has been prepared, it is important that you get concurrence with your plan before you begin your penetration test. Therefore, you must get the scoping plan signed off by the organization's leadership as your next action. You should never begin a penetration test before you have written permission and concurrence from the target organization. Port scanning of the target and even passive fingerprinting could be construed as a cyber crime if you did not get the scoping document signed off before beginning your assessment. There is no requirement to notify local law enforcement of your upcoming penetration test as long as you have a signed scoping document and contract with the targeted company.

Which of the following is NOT a means of improving data validation and trust? ​ A.Encrypting data in transit ​ B.Using MD5 checksums for files ​ C.Decrypting data at rest ​ D.Implementing Tripwire

C.Decrypting data at rest Explanation OBJ-4: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation or trust since the data at rest could be modified when decrypted.

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install a regular patch provided by Microsoft. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? ​ A.Replace the Windows POS terminals with standard Windows systems ​ B.Build a custom OS image that includes the patch ​ C.Identify, implement, and document compensating controls ​ D.Remove the POS terminals from the network until the vendor releases a patch

C.Identify, implement, and document compensating controls Explanation OBJ-1.4: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action to take would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation in order to achieve compliance with PCI DSS. The analyst will likely not be able to remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and can introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

Which language would require the use of a decompiler during reverse engineering? ​ A.Ruby ​ B.Python ​ C.Objective-C ​ D.JavaScriptw

C.Objective-C OBJ-1.4: Objective-C is a compiled language. Therefore, you will need to use a decompiler to conduct reverse engineering on it. Ruby, Python, and JavaScript are interpreted languages. Interpreted languages do not require the use of a decompiler to view the source code.

You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? ​ A.Implement identity and authentication controls ​ B.Implement appropriate access controls ​ C.Obscure web interface locations ​ D.Leverage security frameworks and libraries

C.Obscure web interface locations Explanation OBJ-4: The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on the concept of security through obscurity and is not considered a good security practice. The other options are all considered best practices in designing web application security controls and help to create software assurance in our programs.

Which type of monitoring would utilize a network tap? ​ A.Router-based ​ B.Active ​ C.Passive ​ D.SNMP

C.Passive Explanation OBJ-1: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on the scanning of targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices, but is considered a form of active monitoring and doesn't rely on network taps.

Taylor needs to sanitize hard drives from some leased workstations that are being returned to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? ​ A.Clear, validate, and document the sanitation of the drives ​ B.Clear the drives ​ C.Purge, validate, and document the sanitation of the drives ​ D.The drives must be destroyed to ensure no data loss

C.Purge, validate, and document the sanitation of the drives Explanation OBJ-3: Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the data from the drives without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

You are analyzing the SIEM for your company's ecommerce server when you notice the following URL in the logs of your SIEM: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on this line, what type of attack do you expect has been attempted? ​ A.SQL injection ​ B.Buffer overflow ​ C.XML injection ​ D.Session hijacking

C.XML injection

You suspect that a service called explorer.exe on a Windows server is malicious and you need to terminate it. Which of the following tools would NOT be able to terminate it? ​ A.sc ​ B.wmic ​ C.secpol.msc ​ D.services.msc

C.secpol.msc Explanation OBJ-3.1: The security policy auditor (secpol.msc) will allow an authorized administrator the option to change a great deal about an operating system, but it cannot explicitly stop a process or service that is already running. A.The sc.exe command allows an analyst to control services, including terminating them. B.The Windows Management Instrumentation (wmic) can terminate a service by using the following: wmic service <ServiceName> call StopService. D.The services.msc tool can also be used to enable, start, or terminate a running service.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game, but hate having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased prior to the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? ​ A.Sensitive data exposure ​ B.Dereferencing ​ C.Broken authentication ​ D.Race condition

D. Race condition Explanation OBJ-4.4: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

Which of the following policies should contain the requirements for removing a user's access when an employee is terminated? ​ A.Data ownership policy ​ B.Data classification policy ​ C.Data retention policy ​ D.Account management policy

D.Account management policy Explanation OBJ-4: Account management policies describe the account life cycle from creation through decommissioning. Data ownership policies describe how ownership information is created and used. Data classification policies describe the classification structure of the data in use by an organization. Retention policies describe what data will be maintained and for how long it will be retained.

What two techniques are commonly used by port and vulnerability scanners to identify the services running on a target system? ​ A.Comparing response fingerprints and registry scanning ​ B.Banner grabbing and UDP response timing ​ C.Using the -O option in nmap and UDP response timing ​ D.Banner grabbing and comparing response fingerprints

D.Banner grabbing and comparing response fingerrprints Explanation OBJ-1: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing, along with other TCP/IP stack fingerprinting techniques, are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? ​ A.Forensic analysis report ​ B.Chain of custody report ​ C.Trends analysis report ​ D.Lessons learned report

D.Lessons learned report Explanation OBJ-3: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. Chain of custody report is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? ​ A.Kerberos ​ B.ADFS ​ C.SAML ​ D.OpenID Connect

D.OpenID Connect Explanation OBJ-4: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? ​ A.NetFlow ​ B.SMTP ​ C.MIB ​ D.SNMP

D.SNMP Explanation OBJ-1.2: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.