Sybex Pratice Questions Domain 5 Chapter 5
Which of the following is not classified as an eradication by CompTIA? A. Patching B.Sanitization C.Reconstruction D.Secure disposal
A. Patching Explanation: CompTIA considers patching to be part of the validation effort. This differs from the NIST standard process; however, CompTIA considers patching, permission checking and setting, scanning, and ensuring that logging is working to be parts of the validation process.
Chris is planning a vulnerability scanning program for his organization and is scheduling weekly scans of all the servers in his environment. He was approached by a group of system administrators who asked that they be given direct access to the scan reports without going through the security team. How should Chris respond? A.Chris should provide the administrators with access. B. Chris should deny the administrators access because the information may reveal critical security issues. C. Chris should offer to provide the administrators with copies of the report after they go through a security review. D.Chris should deny the administrators access because it would allow them to correct security issues before they are analyzed by the security team.
A.Chris should provide the administrators with access. Explanation: Vulnerability scanning information is most effective in the hands of individuals who can correct the issues. The point of scans is not to "catch" people who made mistakes. Chris should provide the administrators with access. The security team may always monitor the system for unremediated vulnerabilities, but they should not act as a gatekeeper to critical information.
Sally used the dig command to attempt to look up the IP address for CompTIA's website and received the results shown here. What can Sally conclude from these results? A.CompTIA's website is located at 198.134.5.6. B.CompTIA's website is located at 172.30.0.2. C.CompTIA's website is currently down. D.The DNS search failed, but you cannot draw any conclusions about the website.
A.CompTIA's website is located at 198.134.5.6. Explanation: This is a valid DNS search result from dig. In this dig request, the DNS server located at 172.30.0.2 answered Sally's request and responded that the comptia.org server is located at 198.134.5.6.
Susan is the ISO for her company and is notified that a zero-day exploit has been released that can result in remote code execution on all Windows 10 workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response? A.Firewalling B.Patching C.Isolation D.Segmentation
A.Firewalling Explanation: Susan knows that Windows domain services can be blocked using a network firewall. As long as she builds the correct ruleset, she can prevent external systems from sending this type of traffic to her Windows workstations. She may still want to segment her network to protect the most important workstations, but her first move should be to use her firewalls to prevent the traffic from reaching the workstations.
Jenny is evaluating the security of her organization's network management practices. She discovers that the organization is using RADIUS for administrator authentication to network devices. What additional security control should also be in place to ensure secure operation? A.IPsec B.Kerberos C.TACACS+ D.SSL
A.IPsec Explanation: RADIUS sends passwords that are obfuscated by a shared secret and MD5 hash, meaning that its password security is not very strong. RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using IPsec tunnels or other protections to protect the traffic. Kerberos and TACACS+ are alternative authentication protocols and are not required in addition to RADIUS. SSL is no longer considered secure and should not be used to secure the RADIUS tunnel.
Which one of the following statements is true about virtualized operating systems? A.In bare-metal virtualization, all guest operating systems must be the same version. B. In bare-metal virtualization, all guest operating systems must be the same platform (e.g., Windows, Red Hat, CentOS). C.In bare-metal virtualization, the host operating system and guest operating system platforms must be consistent. D.None of these is correct.
A.In bare-metal virtualization, all guest operating systems must be the same version. Explanation: Bare-metal virtualization does not impose any requirements on the diversity of guest operating systems. It is very common to find Linux and Windows systems running on the same platform. Bare-metal virtualization does not use a host operating system. Instead, it runs the hypervisor directly on top of the physical hardware.
What purpose does a honeypot system serve when placed on a network as shown here? A.It prevents attackers from targeting production servers. B.It provides information about the techniques attackers are using. C.It slows down attackers like sticky honey. D.It provides real-time input to IDSs and IPSs.
A.It prevents attackers from targeting production servers. Explanation: A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.
Casey's incident response process leads her to a production server that must stay online for her company's business to remain operational. What method should she use to capture the data she needs? A.Live image to an external drive. B.Live image to the system's primary drive. C.Take the system offline and image to an external drive. D.Take the system offline, install a write blocker on the system's primary drive, and then image it to an external drive.
A.Live image to an external drive. Explanation: Normally, forensic images are collected from systems that are offline to ensure that a complete copy is made. In cases like this where keeping the system online is more important than the completeness of the forensic image, a live image to an external drive using a portable forensic tool such as FTK Imager Lite, dd, or similar is the correct choice.
What concept measures how easy data is to lose? A.Order of volatility B.Data transience C.Data loss prediction D.The Volatility Framework
A.Order of volatility Explanation: The order of volatility of data measures how easy the data is to lose. The Volatility Framework is a forensic tool aimed at memory forensics, while data transience and data loss prediction are not common terms.
Which one of the following document categories provides the highest-level authority for an organization's cybersecurity program? A.Policy B.Standard C.Procedure D.Framework
A.Policy Explanation: Policies are the highest-level component of an organization's governance documentation. They are set at the executive level and provide strategy and direction for the cybersecurity program. Standards and procedures derive their authority from policies. Frameworks are not governance documents but rather provide a conceptual structure for organizing a program. Frameworks are usually developed by third-party organizations, such as ISACA or ITIL.
Donna is interpreting a vulnerability scan from her organization's network, shown here. She would like to determine which vulnerability to remediate first. Donna would like to focus on the most critical vulnerability according to the potential impact if exploited. Assuming the firewall is properly configured, which one of the following vulnerabilities should Donna give the highest priority? A.Severity 5 vulnerability in the file server B.Severity 3 vulnerability in the file server C.Severity 4 vulnerability in the web server D.Severity 2 vulnerability in the mail server
A.Severity 5 vulnerability in the file server Explanation: In this case, the identity or network location of the server is not relevant. Donna is simply interested in the most critical vulnerability, so she should select the one with the highest severity. In vulnerability severity rating systems, severity 5 vulnerabilities are the most critical, and severity 1 are the least critical. Therefore, Donna should remediate the severity 5 vulnerability in the file server.
In his role as a security manager, Fred and a small team of experts have prepared a scenario for his security and system administration teams to use during their annual security testing. His scenario includes the rules that both the defenders and attackers must follow, as well as a scoring rubric that he will use to determine which team wins the exercise. What term should Fred use to describe his team's role in the exercise? A.White team B.Red team C.Gold team D.Blue team
A.White team Explanation: During penetration tests, the red team members are the attackers, the blue team members are the defenders, and the white team establishes the rules of engagement and performance metrics for the test.
What does the nmap response "filtered" mean in port scan results? A.nmap cannot tell whether the port is open or closed. B.A firewall was detected. C.An IPS was detected D.There is no application listening, but there may be one at any time.
A.nmap cannot tell whether the port is open or closed. Explanation: When nmap returns a response of "filtered," it indicates that nmap cannot tell whether the port is open or closed. Filtered results are often the result of a firewall or other network device, but a response of filtered does not indicate that a firewall or IPS was detected. When nmap returns a "closed" result, it means that there is no application listening at that moment.
Charlotte is having a dispute with a co-worker over access to information contained in a database maintained by her co-worker's department. Charlotte insists that she needs the information to carry out her job responsibilities, while the co-worker insists that nobody outside the department is allowed to access the information. Charlotte does not agree that the other department should be able to make this decision, and Charlotte's supervisor agrees with her. What type of policy could Charlotte turn to for the most applicable guidance? A. Data classification policy B. Data retention policy C. Data ownership policy D.Acceptable use policy
B. Data retention policy Explanation: During an incident recovery effort, patching priority should be placed upon systems that were directly involved in the incident. This is one component of remediating known issues that were actively exploited.
As part of the forensic investigation of a Linux workstation, Alex needs to determine what commands may have been issued on the system. If no anti-forensic activities have taken place, what is the best location for Alex to check for a history of commands issued on the system? A./var/log/commands.log B.$HOME/.bash_history C.$HOME/.commands.sqlite D./var/log/authactions.log
B.$HOME/.bash_history Explanation: On Linux systems that use the bash shell, $home/.bash_history will contain a log of recently performed actions. Each of the others was made up for this question.
Nick believes that an attacker has compromised a Linux workstation on his network and has added a new user. Unfortunately, most logging was not enabled on the system. Which of the following is most likely to provide useful information about which user was created most recently? A. /etc/passwd B./var/log/auth.log C.Run ls -ld /home/$username for each user on the system D.Run ls -l /home/$username/.bash_logout to see the most recent logout time for each user on the system
B./var/log/auth.log Explanation: Auth.log will contain new user creations and group additions as well as other useful information with timestamps included. /etc/passwd does not include user creation dates or times. Checking file creation and modification times for user home directories and bash sessions may be useful if the user has a user directory and auth.log has been wiped or is unavailable for some reason.
While reviewing network flow logs, John sees that network flow on a particular segment suddenly dropped to zero. What is the most likely cause of this? A. A denial-of-service attack B.A link failure C.High bandwidth consumption D.Beaconing
B.A link failure Explanation: The sudden drop to zero is most likely to be an example of link failure. A denial-of- service attack could result in this type of drop but is less likely for most organizations. High bandwidth consumption and beaconing both show different traffic patterns than shown in this example.
During a routine upgrade, Maria inadvertently changes the permissions to a critical directory, causing an outage of her organization's RADIUS infrastructure. How should this threat be categorized using NIST's threat categories? A. Adversarial B.Accidental C.Structural D.Environmental
B.Accidental Explanation: Accidental threats occur when individuals doing their routine work mistakenly perform an action that undermines security. In this case, Maria's actions were an example of an accident that caused an availability issue.
While reviewing a report from a vulnerability scan of a web server, Paul encountered the vulnerability shown here. What is the easiest way for Paul to correct this vulnerability with minimal impact on the business? A.Block ports 80 and 443. B.Adjust directory permissions. C.Block port 80 only to require the use of encryption. D.Remove CGI from the server.
B.Adjust directory permissions. Explanation: This vulnerability results in an information disclosure issue. Paul can easily correct it by disabling the directory listing permission on the cgi-bin directory. This is unlikely to affect any other use of the server because he is not altering permissions on the CGI scripts themselves. Blocking access to the web server and removing CGI from the server would also resolve the vulnerability but would likely have an undesirable business impact.
Danielle's security team has found consistent evidence of system compromise over a period of weeks, with additional evidence pointing to the systems they are investigating being compromised for years. Despite her team's best efforts, Danielle has found that her team cannot seem to track down and completely remove the compromise. What type of attack is Danielle likely dealing with? A. A Trojan horse B.An APT C.A rootkit D.A zero-day attack
B.An APT Explanation: Advanced persistent threats (APTs) are highly skilled attackers with advanced capabilities who are typically focused on specific objectives. To accomplish those objectives, they often obtain and maintain long-term access to systems and networks using powerful tools that allow them to avoid detection and to stay ahead of responders who attempt to remove them.
Susan's organization has faced a significant increase in successful phishing attacks, resulting in compromised accounts. She knows that she needs to implement additional technical controls to prevent successful attacks. Which of the following controls will be the most effective while remaining relatively simple and inexpensive to deploy? A.Increased password complexity requirements B.Application or token-based multifactor authentication C.Biometric-based multifactor authentication D.OAuth-based single sign-on
B.Application or token-based multifactor authentication Explanation: Application or token-based multifactor authentication ensures that the exposure of a password because of successful phishing email does not result in the compromise of the credential. Password complexity increases fail to add security since complex passwords can still be compromised by phishing attacks, biometric multifactor authentication is typically expensive to implement and requires enrollment, and OAuth-based single sign-on will not prevent phishing attacks; instead, it can make it easier for attackers to move between multiple services.
Selah's organization suffers an outage of its point-to-point encrypted VPN because of a system compromise at its ISP. What type of issue is this? A.Confidentiality B.Availability C.Integrity D.Accountability
B.Availability Explanation: This is an example of an availability issue. If data had been modified, it would have been an integrity issue, while exposure of data would have been a confidentiality issue. Accountability from the outsourced vendor isn't discussed in the question.
Ben is preparing to reuse media that contained data that his organization classifies as "moderate" value. If he wants to follow NIST SP-800-88's guidelines, what should he do to the media if the media will not leave his organization's control? A. Reformat it. B.Clear it. C.Purge it. D.Destroy it.
B.Clear it. Explanation: B. NIST SP-800-88 recommends clearing media and then validating and documenting that it was cleared. Clearing uses logical techniques to sanitize data in user-addressable storage locations and protects against noninvasive data recovery techniques. This level of security is appropriate to moderately sensitive data contained on media that will remain in an organization.
Curt is conducting a forensic analysis of a Windows system and needs to determine whether a program was set to automatically run. Which of the following locations should he check for this information? A.NTFS INDX files B.The registry C.Event logs D.Prefetch files
B.The registry Explanation: The registry contains autorun keys that are used to make programs run at startup. In addition, scheduled tasks, individual user startup folders, and DLLs placed in locations that will be run by programs (typically malicious DLLs) are all locations where files will automatically run at startup or user login.
Steps like those listed here are an example of what type of incident response preparation? Visit https://otx.alienvault.com and the suspected C&C system's IP address on the top search input field. If the IP address is associated with malware C&C activity, create a ticket in the incident response tracking system. A.Creating a CSIRT B.Creating a playbook C.Creating an incident response plan D.Creating an IR-FAQ
B.Creating a playbook Explanation: B. Playbooks contain specific procedures used during a particular type of cybersecurity incident. In this case, the playbook entry addresses malware command and control traffic validation. Creating a CSIRT or IR plan occurs at a higher level, and IR-FAQs is not a common industry term.
After reading the NIST standards for incident response, Chris spends time configuring the NTP service on each of his servers, workstations, and appliances throughout his network. What phase of the incident response process is he working to improve? A.Preparation B.Detection and analysis C. Containment, eradication, and recovery D.Post-incident activity
B.Detection and analysis Explanation: NIST recommends that clock synchronization is performed for all devices to improve the ability of responders to conduct analysis, part of the detection and analysis phase of the NIST incident response process. While this might occur in the preparation phase, it is intended to improve the analysis process.
Chris is able to break into a host in a secured segment of a network during a penetration test. Unfortunately, the rules of engagement state that he is not allowed to install additional software on systems he manages to compromise. How can he use netcat to perform a port scan of other systems in the secured network segment? A. He can use the -sS option to perform a SYN scan. B.He can use the -z option to perform a scan. C. He can use the -s option to perform a scan. D.He can't; netcat is not a port scanner.
B.He can use the -z option to perform a scan. Explanation: netcat is often used as a port scanner when a better port scanning tool is not available. The -z flag is the zero I/O mode and is used for scanning. While -v is useful, it isn't required for scanning and won't provide a scan by itself. The -sS flag is used by nmap and not by netcat.
Richard uses the following command to mount a forensic image. What has he specified in his command? sansforensics@siftworkstation:~/Case1$ sudo mount RHINOUSB.dd /mnt/usb -t auto -o loop, noexec,ro A.He has mounted the file automatically, and it will not use any autorun files contained in the image. B.He has mounted the file with the filesystem type set to auto recognize and has set the mount to act as a read-only loop device that will not execute files. C.He has mounted the file automatically and has set the mount to act as a read-only loop device that will not execute files. D. He has mounted the file with the filesystem type set to auto recognize and has set it to act as a remote-only loop device that will not execute files.
B.He has mounted the file with the filesystem type set to auto recognize and has set the mount to act as a read-only loop device that will not execute files. Explanation: Richard knows that mounting forensic images in read-only mode is important. To prevent any issues with executable files, he has also set the mounted image to noexec. He has also taken advantage of the automatic filesystem type recognition built into the mount command and has set the device to be a loop device, allowing the files to be directly interacted with after mounting.
When Frank was called in to help with an incident recovery effort, he discovered that the network administrator had configured the network as shown here. What type of incident response action best describes what Frank has encountered? A.Segmentation B.Isolation C.Removal D.Network locking
B.Isolation Explanation: The systems in the containment network are fully isolated from the rest of the network using logical controls that prevent any access. To work with the systems that he needs to access, Frank will need to either have firewall rules added to allow him remote access to the systems or physically work with them.
After a major compromise involving what appears to be an APT, Jaime needs to conduct a forensic examination of the compromised systems. Which containment method should he recommend to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization's other production systems? A.Sandboxing B.Removal C.Isolation D.segmentation
B.Removal Explanation: Completely removing the systems involved in the compromise will ensure that they cannot impact the organization's other production systems. While attackers may be able to detect this change, it provides the best protection possible for the organization's systems.
Susan's organization suffered from a major breach that was attributed to an advanced persistent threat (APT) that used exploits of zero-day vulnerabilities to gain control of systems on her company's network. Which of the following is the least appropriate solution for Susan to recommend to help prevent future attacks of this type? A. Heuristic attack detection methods B.Signature-based attack detection methods C.Segmentation D.Leverage threat intelligence
B.Signature-based attack detection methods Explanation: Signature-based attack detection methods rely on knowing what an attack or malware looks like. Zero-day attacks are unlikely to have an existing signature, making them a poor choice to prevent them. Heuristic (behavior) detection methods can indicate compromises despite the lack of signatures for the specific exploit. Leveraging threat intelligence to understand new attacks and countermeasures is an important part of defense against zero-day attacks. Building a well-designed and segmented network can limit the impact of compromises or even prevent them.
During a security assessment, Scott discovers that his organization has implemented a multifactor authentication requirement for systems that store and handle highly sensitive data. The system requires that users provide both a password and a four-digit PIN. What should Scott note in his findings about this system? A. The multifactor system provides two independent factors and provides an effective security control. B.The factors used are both the same type of factor, making the control less effective. C.The system uses only two factors and is not a true multifactor system. To qualify as multifactor, it should include at least three factors. D.The multifactor system's use of a PIN does not provide sufficient complexity, and additional length should be required for any PIN for secure environments.
B.The factors used are both the same type of factor, making the control less effective. Explanation: The biggest issue in this scenario is that both factors are knowledge-based factors. A true multifactor system relies on more than one type of distinct factor including something you know, something you have, or something you are (and sometimes where you are). This system relies on two things you know, and attackers are likely to acquire both from the same location in a successful attack.
Which one of the following metrics would be most useful in determining the effectiveness of a vulnerability remediation program? A. Number of critical vulnerabilities resolved B.Time to resolve critical vulnerabilities C. Number of new critical vulnerabilities per month D.Time to complete vulnerability scans
B.Time to resolve critical vulnerabilities Explanation: Of these choices, the most useful metric would be the time required to resolve critical vulnerabilities. This is a metric that is entirely within the control of the vulnerability remediation program and demonstrates the responsiveness of remediation efforts and the time that a vulnerability was present. The number of vulnerabilities resolved and the number of new vulnerabilities each month are not good measures of the program's effectiveness because they depend upon the number of systems and services covered by the scan and the nature of those services.
As a penetration tester, Max uses Wireshark to capture all of his testing traffic. Which of the following is not a reason that Max would capture packets during penetration tests? A.To document the penetration test B.To scan for vulnerabilities C.To gather additional information about systems and services D.To troubleshoot issues encountered when connecting to targets
B.To scan for vulnerabilities Explanation: While packet capture can help Max document his penetration test and gather additional information about remote systems through packet analysis, as well as help troubleshoot connection and other network issues, sniffers aren't useful for scanning for vulnerabilities on their own.
After finishing a forensic case, Sam needs to wipe the media that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the hard drive that he will use if he wants to be in compliance with NIST SP 800-88? A.Degauss the drive. B.Zero write the drive. C. Seven rounds: all ones, all zeros, and five rounds of random values D.Use the ATA Secure Erase command.
B.Zero write the drive. Explanation: NIST SP800-88, along with many forensic manuals, requires a complete zero wipe of the drive but does not require multiple rounds of wiping. Degaussing is primarily used for magnetic media-like tapes and may not completely wipe a hard drive (and may, in fact, damage it). Using the ATA Secure Erase command is commonly used for SSDs.
Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first? A.if B.bs C.of D.count
B.bs Explanation: The most likely cause of this slowness is an incorrect block size. Block size is set using the bs flag and is defined in bytes. By default, dd uses a 512-byte block size, but this is far smaller than the block size of most modern disks. Using a larger block size will typically be much faster, and if you know the block size for the device you are copying, using its native block size can provide huge speed increases. This is set using a flag like bs = 64k. The if and of flags adjust the input and output files, respectively, but there is no indication that these are erroneous. The count flag adjusts the number of blocks to copy and should not be changed if Jake wants to image the entire disk.
Charlotte is having a dispute with a co-worker over access to information contained in a database maintained by her co-worker's department. Charlotte insists that she needs the information to carry out her job responsibilities, while the co-worker insists that nobody outside the department is allowed to access the information. Charlotte does not agree that the other department should be able to make this decision, and Charlotte's supervisor agrees with her. What type of policy could Charlotte turn to for the most applicable guidance? A. Data classification policy B. Data retention policy C. Data ownership policy D.Acceptable use policy
C. Data ownership policy Explanation:" This is fundamentally a dispute about data ownership. Charlotte's co-worker is asserting that her department owns the data in question, and Charlotte disagrees. While the other policies mentioned may have some relevant information, Charlotte should first turn to the data ownership policy to see whether it reinforces or undermines her co-worker's data ownership claim.
Crystal is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most "bang for the buck." Of the tasks shown here, which should she tackle first? A.Task 1 B.Task 2 C. Task 3 D.Task 4
C. Task 3 Explanation: Task 3 strikes the best balance between criticality and difficulty. It allows her to remediate a medium criticality issue with an investment of only 6 hours of time. Task 2 is higher criticality but would take 12 weeks to resolve. Task 1 is the same criticality but would require a full day to fix. Task 4 is lower criticality but would require the same amount of time to resolve as Task 1.
Which one of the following is not a characteristic of an information systems security audit? A.Conducted on behalf of a third party B.Result in a formal statement C. Use informal interviews rather than rigorous, formal testing D.May be conducted by internal groups
C. Use informal interviews rather than rigorous, formal testing Explanation: Audits are formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Audits require rigorous, formal testing of controls and result in a formal statement from the auditor regarding the entity's compliance. Audits may be conducted by internal audit groups at the request of management or by external audit firms, typically at the request of an organization's governing body or a regulator.
Mika wants to run an nmap scan that includes all TCP ports and uses service detection. Which of the following nmap commands should she execute? A.nmap -p0 -all -SC B.nmap -p 1-32768 -sVS C. nmap -p 1-65535 -sV -sS D.nmap -all -sVS
C. nmap -p 1-65535 -sV -sS Explanation; Scanning the full range of TCP ports can be done using a SYN scan (-sS) and declaring the full range of possible ports (1-65535). Service version identification is enabled with the -sV flag.
Martha ran a vulnerability scan against a series of endpoints on her network and received the vulnerability report shown here. She investigated further and found that several endpoints are running Internet Explorer 7. What is the minimum version level of IE that is considered secure? A.7 B.9 C.11 D.No version of Internet Explorer is considered secure.
C.11 Explanation: Microsoft announced the end of life for Internet Explorer and will no longer support it in the future. However, they still provide support for Internet Explorer 11, which is widely used. This is the only version of Internet Explorer currently considered secure.
When Pete connects to his organization's network, his PC runs the NAC software his systems administrator installed. The software communicates to the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using? A.Agent based, in-band B.Agentless, in-band C.Agent based, out-of-band D.Agentless, out-of-band
C.Agent based, out-of-band Explanation: C. Pete's organization is using an agent based, out-of-band NAC solution that relies on a locally installed agent to communicate to existing network infrastructure devices about the security state of his system. If Pete's organization used dedicated appliances, it would be an in-band solution, and of course not having an agent installed would make it agentless
A log showing a successful user authentication is classified as what type of occurrence in NIST's definitions? A.A security incident B.A security event C.An event D.An adverse event
C.An event Explanation: Observable occurrences are classified as events in NIST's scheme. Events with negative consequences are considered adverse events, while violations (or event imminent threats of violations) are classified as security incidents.
Fran is trying to run a vulnerability scan of a web server from an external network, and the scanner is reporting that there are no services running on the web server. She verified the scan configuration and attempted to access the website running on that server using a web browser on a computer located on the same external network and experienced no difficulty. What is the most likely issue with the scan? A.A host firewall is blocking access to the server. B.A network firewall is blocking access to the server. C.An intrusion prevention system is blocking access to the server. D. Fran is scanning the wrong IP address.
C.An intrusion prevention system is blocking access to the server. Explanation: The most likely issue is that an intrusion prevention system is detecting the scan as an attack and blocking the scanner. If this were a host or network firewall issue, Fran would most likely not be able to access the server using a web browser. It is less likely that the scan is misconfigured given that Fran double-checked the configuration.
Bryce ran a vulnerability scan on his organization's wireless network and discovered that many employees are bringing their personally owned devices onto the corporate network (with permission) and those devices sometimes contain serious vulnerabilities. What mobile strategy is Bryce's organization using? A.COPE B.SAFE C.BYOD D.None of the above
C.BYOD Explanation: Policies that allow employees to bring personally owned devices onto corporate networks are known as bring your own device (BYOD) policies. Corporate-owned personally enabled (COPE) strategies allow employees to use corporate devices for personal use. SAFE is not a mobile device strategy
Which element of the COBIT framework contains the high-level requirements that an organization should implement to manage its information technology functions? A.Framework B.Process descriptions C.Control objectives D.Maturity models
C.Control objectives Explanation: C. Control objectives provide organizations with high-level descriptions of the controls that they can implement for their information technology systems. The framework organizes objectives by subject-matter domain. The process descriptions provide a common language and business process model for the organization. Maturity models provide organizations with a means to assess their adherence to the standard.
During a reconnaissance exercise, Mika uses the following command: root@demo:~# nc -v 10.0.2.9 8080 www.example.com [10.0.2.9] 8080 (http-alt) open GET / HTTP/1.0 What is she doing? A.Checking for the HTTP server version using netcat B.Creating a reverse shell using netcar C.HTTP banner grabbing using netcat D.Executing an HTTP keep-alive using netcar
C.HTTP banner grabbing using netcat Explanation: Mika is using netcat to grab the default HTTP response from a remote server. Using netcat like this allows penetration testers to gather information quickly using scripts or manually when interaction may be required or tools are limited.
Hank's boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans that they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request? A. Hank should inform the CEO that this would have a negative impact on system performance and is not recommended. B.Hank should immediately implement the CEO's suggestion. C.Hank should consider the request and work with networking and engineering teams on possible implementation. D.Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.
C.Hank should consider the request and work with networking and engineering teams on possible implementation. Explanation: The CEO's suggestion is a reasonable approach to vulnerability scanning that is used in some organizations, often under the term continuous scanning. He shouldconsider the request and the impact on systems and networks to determine a reasonable course of action.
Frank has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Frank has chosen to use the NIST 800-30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application? A.Low B.Medium C.High D.Cannot be determined from the information given
C.High Explanation: When an event of the type that is being analyzed has occurred within the recent past (often defined as a year), assessments that review that event will normally classify the likelihood of occurrence as high since it has already occurred.
Charles is building an incident response playbook for his organization that will address command and control client-server traffic detection and response. Which of the following information sources is least likely to be part of his playbook? A. DNS query logs B.Threat intelligence feeds C.Honeypot data D.Notifications from internal staff about suspicious behavior
C.Honeypot data Explanation: Relatively few organizations run honeypots because of the effort required to maintain and analyze the data they generate. DNS queries and other traffic logs, threat intelligence feeds, and notifications from staff are all common information sources for a variety of types of incident detection.
Michelle is attempting to remediate a security vulnerability and must apply a patch to a production database server. The database administration team is concerned that the patch will disrupt business operations. How should Michelle proceed? A.Michelle should deploy the patch immediately on the production system. B.Michelle should wait 60 days to deploy the patch to determine whether bugs are reported. C.Michelle should deploy the patch in a sandbox environment to test it prior to applying it in production. D.Michelle should contact the vendor to determine a safe timeframe for deploying the patch in production.
C.Michelle should deploy the patch in a sandbox environment to test it prior to applying it in production. Explanation: Michelle should deploy the patch in a sandbox environment and then thoroughly test it prior to releasing it in production. This reduces the risk that the patch will not work well in her environment. Simply asking the vendor or waiting 60 days may identify some issues, but it does not sufficiently reduce the risk because the patch will not have been tested in her company's environment.
Jenna is configuring the scanning frequency for her organization's vulnerability scanning program. Which one of the following is the least important criteria for Jenna to consider? A.Sensitivity of information stored on systems B.Criticality of the business processes handled by systems C.Operating system installed on systems D.Exposure of the system to external networks
C.Operating system installed on systems Explanation; Of the criteria listed, the operating system installed on the systems is the least likely to have a significant impact on the likelihood and criticality of discovered vulnerabilities. All operating systems are susceptible to security issues.
During an incident investigation, Chris discovers that attackers were able to query information about his routers and switches using SNMP. In addition, he discovers that the SNMP traffic was sent in plain text through his organization's network management backend network. Which version of SNMP would provide encryption and authentication features to help him prevent this in the future? A.SNMP v1 B.SNMP v2 C.SNMP v3 D.SNMP v4
C.SNMP v3 Explanation; SNMP v3 is the current version of SNMP and provides message integrity, authentication, and encryption capabilities. Chris may still need to address how his organization configures SNMP, including what community strings they use. SNMP versions 1 and 2 do not include this capability, and version 4 doesn't exist.
Alex notices the traffic shown here during a Wireshark packet capture. What is the host with IP address 10.0.2.11 most likely doing? A.UDP-based port scanning B.Network discovery via TCP C.SYN based port scanning D.DNS based discovery
C.SYN based port scanning Explanation: C. This image shows a SYN-based port scan. The traffic is primarily made up of TCP SYN packets to a variety of common ports, which is typical of a SYN-based port scan.
Gina is testing a firewall ruleset for use on her organization's new CheckPoint firewall. She would like the firewall to allow unrestricted web browsing for users on the internal network, with the exception of sites listed on a Blocked Hosts list that the cybersecurity team maintains. She designed the ruleset shown here. What, if any, error does it contain? A.Promiscuous rule B.Orphaned rule C.Shadowed rule D.The rule base does not contain an error.
C.Shadowed rule Explanation: This rule base contains a shadowed rule. The rule designed to deny requests to access blocked sites will never trigger because it is positioned below the rule that allows access to all sites. Reversing the order of the first two rules would correct this error. There are no orphaned rules because every rule in the rule base is designed to meet a security requirement. There are no promiscuous rules because the rules do not allow greater access than intended, they are simply in the wrong order.
Part of the forensic data that Susan was provided for her investigation was a Wireshark packet capture. The investigation is aimed at determining what type of media an employee was consuming during work. What is the more detailed analysis that Susan can do if she is provided with the data shown here? A.She can determine that the user was viewing a GIF. B.She can manually review the TCP stream to see what data was sent. C.She can export and view the GIF. D.She cannot determine what media was accessed using this data set.
C.She can export and view the GIF. Explanation; Wireshark includes the ability to export packets. In this case, Susan can select the GIF89a detail by clicking that packet and then export the actual image to a file that she can view.
Lauren downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message: root@demo:~# md5sum -c demo.md5 demo.txt: FAILED md5sum: WARNING: 1 computed checksum did not match A.The file is corrupt. B.Attackers have modified the file. C.The files do not match. D.The test failed and provided no answer.
C.The files do not match. Explanation: C. Lauren knows that the file she downloaded and computed a checksum for does not match the MD5 checksum that was calculated by the providers of the software. She does not know it the file is corrupt or if attackers have modified the file but may want to contact the providers of the software to let them know about the issue, and she definitely shouldn't execute or trust the file!
Kent ran a vulnerability scan of an internal CRM server that is routinely used by employees, and the scan reported that no services were accessible on the server. Employees continued to use the CRM application over the web without difficulty during the scan. What is the most likely source of Kent's result? A.The server requires strong authentication. B.The server uses encryption. C.The scan was run from a different network perspective than user traffic. D.The scanner's default settings do not check the ports used by the CRM application.
C.The scan was run from a different network perspective than user traffic. Explanation: The most likely scenario is that Kent ran the scan from a network that does not have access to the CRM server. Even if the server requires strong authentication and/or encryption, this would not prevent ports from appearing as open on the vulnerability scan. The CRM server runs over the web, as indicated in the scenario. Therefore, it is most likely using ports 80 and/or 443, which are part of the default settings of any vulnerability scanner.
Mike's nmap scan of a system using the command nmap 192.168.1.100 does not return any results. What does Mike know about the system if he is sure of its IP address, and why? A.The system is not running any open services. B.All services are firewalled. C.There are no TCP services reachable on nmap's default 1000 TCP ports D.There are no TCP servicea reachable on nmaps default 65535 TCP ports
C.There are no TCP services reachable on nmap's default 1000 TCP ports Explanation: By default nmap scans 1,000 of the most common TCP ports. Mike only knows that the system he scanned had no reachable (open, filtered, or closed) TCP ports in that list.
After completing his unsuccessful forensic analysis of the hard drive from a workstation that was compromised by malware, Ben sends it to be re-imaged and patched by his company's desktop support team. Shortly after the system returns to service, the device once again connects to the same botnet. What action should Ben take as part of his next forensic review if this is the only system showing symptoms like this? A.Verify that all patches are installed. B. Destroy the system. C.Validate the BIOS hash against a known good version. D.Check for a system with a duplicate MAC address.
C.Validate the BIOS hash against a known good version. Explanation: While BIOS infections are relatively rare, some malware does become resident in the system's firmware or BIOS. Once there, analysis of the hard drive will not show the infection. If the desktop support team at Ben's company has fully patched the system and no other systems are similarly infected, Ben's next step should be to validate that elements of the system he did not check before, such as the BIOS, are intact.
As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer's corporate headquarters network. During her shift, Emily's IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization's WPA2 enterprise wireless network aimed at systems in the finance division. What data source should she check first? A.Host firewall logs B.AD authentication logs C.Wireless authentication logs D.WAF logs
C.Wireless authentication logs Explanation: Since Emily's organization uses WPA2 enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.
Fred has configured SNMP to gather information from his network devices and issues the following command: $ snmpgetnext -v 1 -c public device1 \ He receives a response that includes the following data: ip.ipRouteTable.ipRouteEntry.ipRouteDest \ ip.ipRouteTable.ipRouteEntry.ipRouteNextHop ip.ipRouteTable.ipRouteEntry.ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0 ip.ipRouteTable.ipRouteEntry.ipRouteNextHop.0.0.0.0 = IpAddress: 10.0.11.1 What local command could he have executed to gather the same information? A. traceroute B. route add default gw 10.0.11.1 C.netstat -nr D.ping -r 10.0.11.1
C.netstat -nr Explanation; Fred's SNMP command requested the route table from the system called device1. This can be replicated on the local system using netstat -nr. The traceroute command provides information about the path between two systems. The route command could be used to get this information, but the command listed here adds a default gateway rather than querying current information. ping -r records the route taken to a site for a given number of tries (between 1 and 9).
Jay received an alert from his organization's SIEM that it detected a potential attack against a web server on his network. However, he is unsure whether the traffic generating the alert actually entered the network from an external source or whether it came from inside the network. The NAT policy at the network perimeter firewall rewrites public IP addresses, making it difficult to assess this information based upon IP addresses. Jay would like to perform a manual log review to locate the source of the traffic. Where should he turn for the best information? A.Application server logs B.Database server logs CFirewall logs D.Antimalware logs
CFirewall logs Explanation: All of the data sources listed in this question may provide Jay with further information about the attack. However, firewall logs would be best positioned to answer his specific question about the source of the attack. Since the firewall is performing network address translation (NAT), it would likely have a log entry of the original (pre-NAT) source IP address of the traffic.
Garrett is working with a database administrator to correct security issues on several servers managed by the database team. He would like to extract a report for the DBA that will provide useful information to assist in the remediation effort. Of the report templates shown here, which would be most useful to the DBA team? A.Qualys Top 20 Report B.Payment Card Industry (PCI) C.Technical Report Executive Report D. Technical Report
D. Technical Report Explanation: The Technical Report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and would cover an entire network, rather than providing detailed information on a single system.
Jim ran a traceroute command to discover the network path between his system and the CompTIA website. He received the results shown here. What can he conclude from these results? A.The CompTIA website is located in Chicago. B.The CompTIA website is down. C.The closest network device to the CompTIA site that Jim can identify is 216.182.225.74. D. The closest network device to the CompTIA site that Jim can identify is 216.55.11.62.
D. The closest network device to the CompTIA site that Jim can identify is 216.55.11.62. Explanation; These results show the network path between Jim's system and the CompTIA web server. It is not unusual to see unknown devices in the path, represented by * * * because those devices may be configured to ignore traceroute requests. These query results do indicate that the network path passes through Chicago, but this does not mean that the final destination is in Chicago. There is no indication that the website is down. 216.182.225.74 is the system closest to Jim in this result, while 216.55.11.62 is the closest system to the remote server.
After scanning a network device located in her organization's data center, Shannon noted the vulnerability shown here. What is the minimum version level of SNMP that Shannon should be running? A.1.1 B.1.2 C.2 D.3
D.3 Explanation: When the Internet Engineering Task Force (IETF) endorsed SNMP v3.0 as a standard, it designated all earlier versions of SNMP as obsolete. Shannon should upgrade this device to SNMP 3.0.
Which one of the following mechanisms may be used to enhance security in a context-based authentication system? A.Time of day B>Location C.Device fingerprint D.All of the above
D.All of the above Explanation: Context-based authentication may leverage a wide variety of information. Potential attributes include time of day, location, device fingerprint, frequency of access, user roles, user group memberships, and IP address/reputation.
What is the purpose of creating an MD5 hash for a drive during the forensic imaging process? A. To prove that the drive's contents were not altered B.To prove that no data was deleted from the drive C.To prove that no files were placed on the drive D.All of the above
D.All of the above Explanation: Once they are connected via a write blocker, a checksum is created (often using MD5 or SHA1). If this hash matches the hash of forensic images, they exactly match, meaning that the drive's contents were not altered and that no files were added to or deleted from the drive.
Dan is a cybersecurity analyst for a healthcare organization. He ran a vulnerability scan of the VPN server used by his organization. His scan ran from inside the data center against a VPN server also located in the data center. The complete vulnerability report is shown here. What action should Dan take next? A.Dan should immediately remediate this vulnerability. B.Dan should schedule the vulnerability for remediation within the next 30 days. C.Dan should rerun the scan because this is likely a false positive report. D.Dan should take no action.
D.Dan should take no action. Explanation: Dan does not need to take any action. This is a very low criticality vulnerability (1/5), and it is likely not exploitable from outside the data center. It is not necessary to remediate this vulnerability, and there is no indication that it is a false positive report. Overall, this is a very clean scan result for a VPN server.
During his investigation of a Windows system, Eric discovered that files were deleted and wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory? A.Windows registry B.Master File Table C.INDX files D.Event logs
D.Event logs Explanation: The Windows registry, Master File Tables, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.
Which one of the following regulations imposes compliance obligations specifically only upon financial institutions? A.SOX B.`HIPAA C.PCI DSS D.GLBA
D.GLBA Explanation: The Gramm-Leach-Bliley Act (GLBA) applies specifically to the security and privacy of information held by financial institutions. HIPAA applies to healthcare providers. PCI DSS applies to anyone involved in the processing of credit card transactions. This does include financial institutions but is not limited to those institutions as it also applies to merchants and service providers. Sarbanes-Oxley applies to all publicly traded corporations, which includes, but is not limited to, some financial institutions.
Bob's Solarwinds network monitoring tools provide data about a system hosted in Amazon's AWS environment. When Bob checks his server's average response time, he sees the results shown here. What action should Bob take based on this information? A. He should increase the speed of his network link. B.He should check for scheduled tasks that the times he sees spike. C.He should ensure that his network card has the proper latency settings. D.He should perform additional diagnostics to determine the cause of the latency.
D.He should perform additional diagnostics to determine the cause of the latency. Explanation: Bob needs to perform additional diagnostics to determine the cause of the latency.
While analyzing the vulnerability scan from her web server, Kristen discovers the issue shown here. Which one of the following solutions would best remedy the situation? A.Move from TLS 1.0 to SSL 3.0. B.Require IPsec connections to the server. C.Disable the use of TLS. D.Move from TLS 1.0 to TLS 1.2.
D.Move from TLS 1.0 to TLS 1.2. Explanation: Kristen should upgrade the web server to the most current secure version of TLS: TLS 1.2. SSL 3.0 has vulnerabilities similar to those in TLS 1.0 and is not a suitable alternative. IPsec is not effective for web communications. Disabling the use of TLS would jeopardize the security of information sent to and from the server and would create additional risk, rather than remedying the situation.
Darcy is the security administrator for a hospital that operates in the United States and is subject to the Health Insurance Portability and Accountability Act (HIPAA). She is designing a vulnerability scanning program for the hospital's data center that stores and processes electronic protected health information (ePHI). What is the minimum scanning frequency for this environment, assuming that the scan shows no critical vulnerabilities? A.Every 30 days B.Every 90 days C. Every 180 days D.No scanning is required.
D.No scanning is required. Explanation; Despite that vulnerability scanning is an important security control, HIPAA does not offer specific requirements for scanning frequency. However, Darcy would be well advised to implement vulnerability scanning as a best practice, and daily or weekly scans are advisable.
During an incident investigation, Chris is able to identify the IP address of the system that was used to compromise multiple systems belonging to his company. What can Chris determine from this information? A.The identity of the attacker B.The country of origin of the attacker C.The attacker's domain name D.None of the above
D.None of the above Explanation: While it may be tempting to assign blame based on an IP address, attackers frequently use compromised systems for attacks. Some may also use cloud services and hosting companies where they can purchase virtual machines or other resources using stolen credit cards. Thus, knowing the IP address from which an attack originated will typically not provide information about an attacker. In some cases, deeper research can identify where an attack originated, but even then knowing the identity of an attacker is rarely certain.
Carol recently fell victim to a phishing attack. When she clicked the link in an email message that she received, she was sent to her organization's central authentication service and logged in successfully. She did verify the URL and certificate to validate that the authentication server was genuine. After authenticating, she was sent to a form that collected sensitive personal information that was sent to an attacker. What type of vulnerability did the attacker most likely exploit? A.Buffer overflow B.Session hijacking C.IP spoofing D.Open redirect
D.Open redirect Explanation: In an open redirect attack, users may be sent to a genuine authentication server and then redirected to an untrusted server through the OAuth flow. This occurs when the authentication server does not validate OAuth server requests prior to redirection.
Mark is a cybersecurity analyst for a large company but is helping a nonprofit organization in his free time. He would like to begin a vulnerability scanning program for that company but does not have any funds available to purchase a tool. What open source tool can he use? A.Qualys B.Nessus C.Nexpose D.Openvas
D.Openvas Explanation; Openvas is an open source vulnerability scanning product. Qualys, Nessus, and Nexpose are all vulnerability scanners but are commercial products that require paying license fees.
Catherine is working with the architect on the design of a new data center for her organization. She is concerned about the intrusion alarms that will notify security personnel of an attempted break-in to the facility. What type of control is Catherine designing? A.Logical B.Compensating C.Administrative D.Physical
D.Physical Explanation: D. Intrusion alarms designed to alert staff to a facility break-in are a clear example of physical controls because they are monitoring for a physical intrusion. The design of the alarm is not an administrative control, but the process for reacting to alarms would fall into that category. Physical intrusion alarms are not logical controls, although a network intrusion detection system would be a logical control. There is no indication that this alarm will compensate for the failure to meet a different control objective, so this is not a compensating control.
Rich recently configured new vulnerability scans for his organization's business intelligence systems. The scans run late at night when users are not present. Rich received complaints from the business intelligence team that the performance burden imposed by the scanning is causing their overnight ETL jobs to run too slowly and they are not completing before business hours. How should Rich handle this situation? A.Rich should inform the team that they need to run the ETL jobs on a different schedule. B.Rich should reconfigure the scans to run during business hours. C.Rich should inform the team that they must resize the hardware to accommodate both requirements. D.Rich should work with the team to find a mutually acceptable solution.
D.Rich should work with the team to find a mutually acceptable solution. Explanation: Rich should not attempt to solve this problem on his own or dictate a specific solution. Instead, he should work with the business intelligence team to find a way to both meet their business requirements and accomplish the security goals achieved by scanning.
Matt recently ran a vulnerability scan of his organization's network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list? A.Server A B.Server B C.Server C D.Server D
D.Server D Explanation: The most serious vulnerabilities shown in this report are medium-severity vulnerabilities. Server D has the highest number (8) of vulnerabilities at that severity level.
During the analysis of an incident that took place on her network, Tammy discovered that the attacker used a stolen cookie to access a web application. Which one of the following attack types most likely occurred? A.Man-in-the-middle B.Privilege escalation C.Cross-site scripting D.Session hijacking
D.Session hijacking Explanation: The use of a stolen cookie is the hallmark of a session hijacking attack. These attacks focus on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session or by causing the session to pass through a system the attacker controls, allowing them to participate in the session.
Javier ran a vulnerability scan of a new web application created by developers on his team and received the report shown here. The developers inspected their code carefully and do not believe that the issue exists. They do have a strong understanding of SQL injection issues and have corrected similar vulnerabilities in other applications. What is the most likely scenario in this case? A.Javier misconfigured the scan. B.The code is deficient and requires correction. C.The vulnerability is in a different web application running on the same server. D.The result is a false positive.
D.The result is a false positive. Explanation: Blind SQL injection vulnerabilities are difficult to detect and are a notorious source of false positive reports. Javier should verify the results of the tests performed by the developers but should be open to the possibility that this is a false positive report, as that is the most likely scenario.
Which one of the following types of vulnerability scans would provide the least information about the security configuration of a system? A. Agent-based scan B.Credentialed scan C.Uncredentialed internal scan D.Uncredentialed external scan
D.Uncredentialed external scan Explanation: D. An uncredentialed scan provides far less information than a credentialed scan or an agent-based scan because both credentialed and agent-based scans are able to gather configuration information from the target systems. External scans also provide less information than internal scans because they are filtered by border firewalls and other security devices. Therefore, an uncredentialed external scan would provide the least information.
Steve needs to perform an nmap scan of a remote network and wants to be as stealthy as possible. Which of the following nmap commands will provide the stealthiest approach to his scan? A. nmap -P0 -sT 10.0.10.0/24 B.nmap -sT -T0 10.0.10.0/24 C.nmap -P0 -sS 10.0.10.0/24 D.nmap -P0 -sS -T0 10.0.10.0/24
D.nmap -P0 -sS -T0 10.0.10.0/24 Explanation: nmap provides multiple scan modes, including a TCP SYN scan, denoted by the -sS flag. This is far stealthier than the full TCP connect scan, which uses the -sT flag. Turning off pings with the -P0 flag helps with stealth, and setting the scan speed using the -T flag to either a 0 for paranoid or a 1 for sneaky will help bypass many IDSs by falling below their detection threshold.