Test 6
Information Types CUI IP
CUI - Controlled Unclassified Information (federal non-classified information). IP - Intellectual Property (information owned by a company about its services or property).
NIST Incident Response Lifecycle (phases)
Phases 1 - preparation 2 - detection and analysis 3 - containment, eradication, and recovery 4 - post event activity
Deserialization is the opposing process which takes data from a file, stream or network and rebuilds it into an object
Question 51: Incorrect Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program's components are run from in memory? DLP DEP (Incorrect) DLL ASLR (Correct)
Explanation OBJ-2.1: Address space layout randomization (ASLR) randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature protects processes against exploits that try to execute code from a writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.
Question 74: Correct Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR) Timestomp a malware file to make it appear as if it is part of the operating system (Correct) Install a backdoor/implant on a client victim (Correct) Install a webshell on a server (Correct) Open two-way communications channel to an established C2 infrastructure Collect user credentials Create a point of presence by adding services, scheduled tasks, or AutoRun keys (Correct)
Explanation OBJ-1.2: During the installation phase, the adversary is taking actions to establish a footprint on the target system and is attempting to make it difficult for a defender to detect their presence. The attacker may also attempt to frustrate any attempts to remove them from the system if their presence is detected. Due to this, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target. Timestomping is also conducted to hide the presence of malware on the system. Opening up two-way communication with an established C2 infrastructure occurs in the command and control phase. Collecting user credentials occurs in the actions on objectives phase.
Question 52: Correct Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? Agent-based monitoring (Correct) Continuous vulnerability scanning On-demand vulnerability scanning Scheduled vulnerability scanning
Explanation OBJ-1.3: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system's status at a certain time, they will not remain current and accurate without continual rescanning.
Question 26: Incorrect Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company's policy. What best describes the actions Michelle just took? Vulnerability scanning Input validation Patch management (Incorrect) Application hardening (Correct)
Explanation OBJ-1.3: Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.
Question 22: Incorrect Which of the following is NOT a part of the vulnerability management lifecycle? Testing (Incorrect) Investigating (Correct) Remediation Detection
Explanation OBJ-1.3: The three phases of the vulnerability management lifecycle are detection, remediation, and testing.
Question 41: Correct Which of the following is the default nmap scan type when you do not provide a flag when issuing the command? A UDP scan A TCP connect scan A TCP FIN scan A TCP SYN scan (Correct)
Explanation OBJ-1.4: By default, Nmap performs a SYN scan, though it substitutes a connect scan if the user does not have the privileges required to send raw packets (root access on Unix). A UDP scan requires the -sU flag to be issued when launching an nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching an nmap scan.
Question 1: Incorrect Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still shows the servers as vulnerable? (SELECT ALL THAT APPLY) The wrong IP address range was scanned during your vulnerability assessment (Incorrect) The vulnerability assessment scan is returning a false positive (Correct) You conducted the vulnerability scan without waiting long enough after the patch was installed This critical patch did not remediate the vulnerability (Correct)
Explanation OBJ-1.4: There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which of the two applies based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, patches for extremely critical vulnerabilities are sometimes rushed into production. Another possibility is that the patch does not remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to determine whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning, and it is assumed that you are scanning the same IP range both times because you have verified your scan configuration.
Question 17: Correct During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? The scan will not produce any useful information The server assumes you are conducting a DDoS attack Nothing can be determined about this site with the information provided You are scanning a CDN-hosted copy of the site (Correct)
Explanation OBJ-1.4: This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server's cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.
Question 24: Incorrect Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A VM escape exploit could allow an attacker to gain access to the SIEM The company will have less control over the SIEM Legal and regulatory issues may prevent data migration to the cloud (Correct) The company will be dependent on the cloud provider's backup capabilities (Incorrect)
Explanation OBJ-1.6: If there are legal or regulatory requirements that require the company to host its security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises operator will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premises solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.
Question 29: Correct Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability? Lack of input validation could allow for a SQL attack Lack of input validation could lead to a cross-site scripting attack Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution (Correct) Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited
Explanation OBJ-1.6: When implementing an API, objects in memory from one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may create a fictitious object, appropriately serialize it, and then send it through the API for execution. The only model for defeating this approach is to expose the API only to trusted sources or to not serialize anything with potentially executable source code (i.e., non-primitive data types). Cross-site scripting and SQL attacks are not a concern for an API first model. While insufficient logging and monitoring would prevent an analyst from detecting whether a deserialization vulnerability was exploited, these alone would not be the basis for an attack against deserialization.
Question 16: Correct An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: [code not preserved on this page] When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? Cross-site request forgery SQL injection Cross-site scripting (Correct) Command injection
Explanation OBJ-1.7: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests, all of which can work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? SMS should be encrypted to be secure SMS is a costly method of providing a second factor of authentication SMS messages may be accessible to attackers via VoIP or other systems (Correct) SMS should be paired with a third factor
Explanation OBJ-2.1: NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS cannot be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.
Question 13: Correct Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? Kerberos ADFS OpenID Connect (Correct) SAML
Explanation OBJ-2.1: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Question 37: Correct Which of the following is the biggest advantage of using Agile software development? Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel (Correct) Its inherent agility allows developers to maintain focus on the overall goals of the project Its structured and phase-oriented approach ensures that customer requirements are rigorously defined before development begins It can produce better, more secure, and more efficient code
Explanation OBJ-2.2: Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the project's overall objective. Agile models do not necessarily produce better, more secure, or more efficient code than other methods.
Question 38: Incorrect Which software development model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? Spiral Agile (Correct) Waterfall (Incorrect) RAD
Explanation OBJ-2.2: The principles of the Agile Manifesto characterize agile software development. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process. The waterfall model is a breakdown of project activities into linear sequential phases. Each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks. Rapid Application Development (RAD) is a form of agile software development methodology that prioritizes rapid prototype releases and iterations. Unlike the Waterfall method, RAD emphasizes software and user feedback over strict planning and requirements recording. Spiral development is a risk-driven software development model that guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping.
Question 61: Incorrect What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase? Development (Incorrect) Disposition Training and transition (Correct) Operations and maintenance
Explanation OBJ-2.2: The training and transition phase ensures that end users are trained on the software and that it has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase. Disposition is focused on the retirement of an application or system. Operations and maintenance is focused on the portion of the lifecycle where the application or system goes into use to provide value to the end-users. Development is the portion of the lifecycle focused on designing and coding the application or system.
Question 45: Correct Which of the following has occurred if a device fails to activate because it has detected an unknown modification? Improper authentication Failed trusted foundry Self-checking (Correct) Obfuscation
Explanation OBJ-2.3: NIST defines self-checking behavior as a control used to prohibit illicit modification to hardware components. This can be done using anti-tamper technology like a field-programmable gate array (FPGA), a physically unclonable function (PUF), or other techniques. Obfuscation is the act of making something obscure, unclear, or unintelligible. Usually, this is done by encoding strings or binary information to make it less detectable by signature-based detection mechanisms. Improper authentication occurs when an attacker claims to have a given identity, and the software does not prove or insufficiently proves that the claim is correct. The Trusted Foundry Program, also called the trusted supplier program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military.
Question 56: Correct Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? DNS poisoning Zone transfers (Correct) FQDN resolution Split horizon
Explanation OBJ-3.1: A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
Question 49: Incorrect Which language would require the use of a decompiler during reverse engineering? Objective-C (Correct) Python JavaScript (Incorrect) Ruby
Explanation OBJ-3.1: Objective-C is a compiled language. Therefore, you will need to use a decompiler to conduct reverse engineering on it. Ruby, Python, and JavaScript are interpreted languages. Interpreted languages do not require the use of a decompiler to view the source code.
Question 64: Incorrect You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention? http_log (Incorrect) httpd_log apache_log access_log (Correct)
Explanation OBJ-3.1: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is a C header file used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is an executable program that parses Apache log files into a Postgres database.
Question 6: Incorrect As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? Perform a DNS zone transfer Use a nmap stealth scan (Incorrect) Perform a DNS brute-force attack (Correct) Use a nmap ping sweep
Explanation OBJ-3.1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.
Question 72: Incorrect An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? The attachment is using a double file extension to mask its identity (Correct) The email is a form of spam and should be deleted The user doesn't have a PDF reader installed on their computer The file contains an embedded link to a malicious website (Incorrect)
Explanation OBJ-3.1: The message contains a file attachment in the hope that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappears, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.
Question 8: Correct A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred? Buffer overflow SQL injection (Correct) XML injection Session hijacking
Explanation OBJ-3.1: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation of the 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed via a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic.
Question 33: Correct Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? Server-based scanning Passive network monitoring Non-credentialed scanning Agent-based scanning (Correct)
Explanation OBJ-3.1: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately.
Question 25: Incorrect You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take to analyze the suspected APT activity? Scan for vulnerabilities with exploits known to previously have been used by an APT Create an advanced query that includes all of the indicators and review any matches (Incorrect) Use the IP addresses to search through the event logs Analyze the trends of the events while manually reviewing them to see if any indicators match (Correct)
Explanation OBJ-3.1: You should begin by analyzing the events' trends while manually reviewing them to determine if any of the indicators match. Searching through the event logs using only the IP addresses would not be sufficient, as many APTs hide their activity by compromising and using legitimate networks and their IP addresses; you would also miss any events correlated only to the domain names. If you create an advanced query with all of the indicators, your search of the event logs will find nothing because no single event will include all of these IPs and domain names. Finally, while scanning for vulnerabilities known to have been used by the APTs is a good practice, it would only be effective in determining how to stop future attacks from occurring, not in determining whether or not an attack has already occurred.
Question 57: Correct Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? Add a network IPS rule to block root logins Change sshd_config to deny root login (Correct) Add root to the sudoers group Add an iptables rule blocking root logins
Explanation OBJ-3.2: Linux systems use sshd (the SSH daemon) to provide ssh connectivity. If Tim changes the sshd_config to deny root logins, it will still allow any authenticated non-root user to connect over ssh. The sshd service has a configuration setting named PermitRootLogin. If you set this configuration setting to no or deny, all root logins will be denied by the ssh daemon. If you didn't know about this setting, you could still answer this question by using the process of elimination. An iptables rule is a Linux firewall rule, and this would block the port for ssh, not the root login. Adding root to the sudoers group won't help either since the sudoers group allows users to log in as root. If you have a network IPS rule to block root logins, the IPS would have to see the traffic being sent within the SSH tunnel. This is not possible since SSH connections are encrypted end-to-end by default. Therefore, the only possible right answer is to change the sshd_config setting to deny root logins.
Question 63: Correct Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network? UTM VPN NAC (Correct) DMZ
Explanation OBJ-3.2: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, the user or system authentication, and network security enforcement. NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware detection programs. NAC also regulates and restricts the things individual subscribers or users can do once they are connected. If a user is unknown, the NAC can quarantine the device from the network upon connection. A DMZ (demilitarized zone), a type of screened subnet, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network such as the Internet. A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Unified threat management (UTM) provides multiple security features (anti-virus, anti-spam, content filtering, and web filtering) in a single device or network appliance.
Question 44: Incorrect An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose? TACACS+ RADIUS PAP (Incorrect) Kerberos (Correct)
Explanation OBJ-3.2: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS+, and PAP are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process. What is PAP networking? PAP, or password authentication protocol, is a point-to-point protocol (PPP) authentication method that uses passwords to validate users. It is an internet standard (RFC 1334), password-based authentication protocol. Using PAP, data is not encrypted. It is sent to the authentication server as plain text.
Question 34: Correct You are attempting to run a packet capture on a Linux workstation using the tcpdump command. Which of the following would allow you to conduct the packet capture and write the output to a file for later analysis? tcpdump -i eth0 -n diontraining.pcap tcpdump -i eth0 -e diontraining.pcap tcpdump -i eth0 -r diontraining.pcap tcpdump -i eth0 -w diontraining.pcap (Correct)
Explanation OBJ-3.2: The tcpdump command is a command-line packet capture utility for Linux. The tcpdump command uses the -w option to write the capture output results to a file. A .pcap extension normally identifies packet capture files. The tcpdump command uses the -r option to read the contents of a packet capture file. The tcpdump command uses the -n option to show network address information in numeric format (does not resolve hostnames). The tcpdump command uses the -e option to include the data link (Ethernet) header when performing a packet capture.
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? Artificial intelligence Machine learning (Correct) Generative adversarial network Deep learning
Explanation OBJ-3.4: A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it. Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. AI goes beyond ML and can make a more complicated decision than just the classifications made by ML. A deep learning system can determine what is malicious traffic without having the prior benefit of being told what is benign/malicious. A generative adversarial network is an underlying strategy used to accomplish deep learning but is not specific to the scenario described.
Question 9: Incorrect The CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager responsible for operating this new appliance for the company? (SELECT FOUR) Will the device inadvertently alter anyone's data when it is analyzed in the sandbox? (Incorrect) How will the appliance receive security patches and updates? (Correct) Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? (Correct) How will the appliance receive updated signatures and scanning engines? (Correct) Will the security appliance violate your employees' right to privacy? Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? (Correct)
Explanation OBJ-3.4: Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how they will respond to the alerts provided by this appliance. Additionally, you must consider if you have the right people and procedures to use the new appliance effectively. The appliance will also need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. At later stages of analysis, your security team may need to determine why a false positive or false negative occurred, which requires detailed alerts or reports from the machine. In a corporate environment, privacy is limited for employees, as most companies have a "right to monitor" included as part of their AUP and access policies. Therefore, privacy is a minimal area of concern in this case. The appliance cannot manipulate the information passing through it, since it analyzes a copy of the information placed into a sandbox. This allows it to make an allow or deny decision without modifying the original data as it is processed.
You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability scanner option would BEST create the process requirements to meet the industry-standard benchmarks? Utilizing an operating system SCAP plugin (Correct) Utilizing a non-credential scan Utilizing an authorized credential scan Utilizing a known malware plugin
Explanation OBJ-3.4: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. The other options will not allow for a truly repeatable process, since individual scans would occur each time instead of comparing against a known good baseline.
Question 39: Correct Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement? The first responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance (Correct) The Human Resources department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that is viewed during an investigation
Explanation OBJ-4.1: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.
Explanation OBJ-1.3: The three phases of the vulnerability management lifecycle are detection, remediation, and testing.
Question 23: Incorrect You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? Scan the network for additional instances of this vulnerability and patch the affected assets (Correct) Restrict shell commands by user or host to ensure least privilege is followed Restrict host access to peripheral protocols like USB and Bluetooth Disable unused user accounts and reset the administrator credentials (Incorrect)
Explanation OBJ-4.2: All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.
Question 71: Correct Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided to predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model? Supplemented (Correct) Regular Extended Non-recoverable
Explanation OBJ-4.2: Based on the scenario given, the best choice is supplemented. The key to the NIST categories is to remember that each level adds unknowns and resource requirements, which raises the severity level from regular to supplemented and then to extended. Non-recoverable situations exist when whatever happened cannot be remediated. In this case, an investigation would be started.
Question 27: Incorrect According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the actions on the objectives phase of the kill chain? Audit log Honeypot (Incorrect) Quality of service (Correct) NIPS
Explanation OBJ-4.2: During the adversary's actions on objective phase, the adversary is already deep within the victim's network and has defeated all security mechanisms. If the adversary is attempting to exfiltrate data, implementing a quality of service approach could potentially slow down the rate at which information could be exfiltrated. This is considered a degradation to their effort by purposely manipulating service quality to decrease their transfer speeds. Honeypots could deceive an enemy during the actions on objective phase as the adversary may unknowingly take actions against a honeypot instead of their real objectives, but this would be classified as deception and not degradation. NIPS technologies serve to disrupt C2 channels, not degrade them. Audit logs may detect actions an adversary has taken after the fact but will not degrade the actions themselves.
Question 2: Incorrect You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase? Setting permissions (Correct) Secure disposal Reimaging (Incorrect) Sanitization
Explanation OBJ-4.2: Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to the administrative user accounts or groups. This is performed during the recovery phase. During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.
Question 46: Incorrect Which of the following provides the detailed, tactical information that CSIRT members need when responding to an incident? Policies Procedures (Correct) Framework (Incorrect) Guidelines
Explanation OBJ-4.2: The incident response policy contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection/analysis, containment, eradication/recovery, and post-incident stages. Procedures provide detailed, tactical information to the CSIRT and represent the collective wisdom of the team members and subject-matter experts. A policy is a statement of intent and is implemented as a procedure or protocol. A guideline is a statement by which to determine a course of action. A guideline aims to streamline particular processes according to a set routine or sound practice. A framework is a basic structure underlying a system, concept, or text.
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? Forensic analysis report Lessons learned report (Correct) Trends analysis report Chain of custody report
Explanation OBJ-4.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
Question 42: Correct Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop? Search the user's profile directory for the list Search the registry for a complete list (Correct) A list of the previously connected wireless networks is not stored on the laptop Search the wireless adapter cache for the list
Explanation OBJ-4.3: The Windows registry keeps a list of the wireless networks that a system has previously connected to. The registry keys can be found under HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. This is stored in the Local Machine hive (HKLM) because it logs a copy of every access point connected to by any user of the machine, not just the currently logged-in user.
Question 66: Incorrect Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive? Performing a FireWire attack on mounted drives Analyzing the memory dump file (Incorrect) Analyzing the hibernation file Retrieving the key from the MBR (Correct)
Explanation OBJ-4.4: BitLocker information is not stored in the Master Boot Record (MBR). Therefore, you cannot retrieve the key from the MBR. BitLocker keys can also be retrieved via hibernation files or memory dumps. The recovery key may also be retrieved by conducting a FireWire attack on the mounted drive using a side-channel attack known as a DMA attack.
Question 12: Incorrect You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? Ransomware Keylogger (Incorrect) Rootkit POS malware (Correct)
Explanation OBJ-4.4: Point-of-sale malware (POS malware) is a type of malicious software (malware) used by cybercriminals to target point-of-sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data, and even the CVV code, by various man-in-the-middle attacks, that is, interception of the processing at the retail checkout point-of-sale system. Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
Question 15: Incorrect Which of the following elements is LEAST likely to be included in an organization's data retention policy? Description of information that needs to be retained Minimum retention period (Incorrect) Classification of information (Correct) Maximum retention period
Explanation OBJ-5.1: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.
Question 70: Correct Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? HIPAA (Correct) COSO GLBA SOX
Explanation OBJ-5.1: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.
Question 20: Incorrect Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment? NIST (Correct) OWASP SANS SDLC (Incorrect)
Explanation OBJ-5.3: NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication NIST SP 800-40. It would be useful during the program's establishment and provides a series of guidelines and best practices. SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). The SDLC is the software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to many secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.
Question 21: Incorrect Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts? Configuration settings from the prior system Vendor best practices NIST guideline documents (Incorrect) Corporate policy (Correct)
Explanation OBJ-5.3: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.
Question 30: Correct What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? Technical architecture (Correct) Data architecture Business architecture Applications architecture
Explanation OBJ-5.3: TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization's approach to storing and managing information assets. This question may seem beyond the scope of the exam.
Fault injector
Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways.
NIST
National Institute of Standards and Technology, or NIST. NIST is a government agency which sets standards and practices around topics like incident response and cybersecurity.
Question 36: Incorrect James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement? Tool-assisted review (Incorrect) Pair Programming (Correct) Formal code review Pass-around code review
OBJ-2.2: Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer. While the other three options can also provide a security review, none are considered "real-time" since they are asynchronous processes performed after the coding has already been completed.
SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.
SDLC
Software Development Life Cycle. A software development process. 1. Strategy 2. Design 3. Development 4. Testing 5. Deployment 6. Maintenance
NIST recovery time Supplemented (Correct) Regular Extended Non-recoverable
Supplemented - predictable recovery time with additional resources (Correct); Regular - predictable recovery time with existing resources; Extended - unpredictable recovery time, needs additional resources; Non-recoverable
Question 43: Incorrect Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? COPPA SOX (Incorrect) HIPAA FISMA (Correct)
The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.
TOGAF
The Open Group Architecture Framework (TOGAF) is the most used framework for enterprise architecture as of 2020 that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture. TOGAF is a high-level approach to design.
Question 55: Incorrect You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEX expressions would you use to filter DNS traffic that matches this? \b[A-Za-z0-9.-]{50,251}+.org \b(A-Za-z0-9\.\-){50,251}|\.org (Incorrect) \b[A-Za-z0-9\.\-]{50,251}+\.org (Correct) \b[A-Za-z0-9\.-]{50,251}+.org
The first phrase before the + sign indicates to match between 50 and 251 instances of any of the preceding characters (A-Z, a-z, 0-9, period, and the minus symbol). Since DNS hostnames cannot be longer than 255 characters per RFC 1123, a range of 50-251 accounts for the four characters in ".org" being added to the end of the random sequences. The + sign indicates that after the preceding regex fragment, the following regex pattern should be present. Following the + sign, the pattern "\.org" indicates that selected strings must end in .org. All other options either incorrectly use parentheses or the OR operator (|), or omit the escape character (\) in front of the period symbol.
Quality of Service
A variety of techniques that control the flow of network traffic, improve transmission speeds, and improve real-time communications traffic.
services.msc
The Services console (services.msc) allows an analyst to disable or enable Windows services.
ADFS
ADFS is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.
DeepScan
DeepScan is a static code analysis tool. It inspects the code for possible errors and issues without actually running the code.