CompTIA CySA+ (CS0-002) Practice Exam 2
The registry is used to store registration configuration settings on Windows systems.
The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE).
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system?
A. .plists (Correct)
B. The registry
C. .config files (Incorrect)
D. .profile files
A. .plists (Correct) Explanation OBJ-4.3: Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user's home folder. The file is named com.apple.finder.plist. The registry is used to store registration configuration settings on Windows systems. A profile (.profile) file is a UNIX user's start-up file, like the autoexec.bat file of DOS. A configuration (.config) file is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program. This is commonly used in Windows systems.
Which of the following is NOT one of the main criteria included in a penetration testing plan?
A. Account credentials (Correct)
B. Authorization
C. Timing
D. Scope
A. Account credentials (Correct) Explanation OBJ-5.2: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a known environment test or vulnerability assessment, but they are usually not provided for a penetration test.
Evaluate the following log entry: Based on this log entry, which of the following statements are true?
A. An attempted connection to the telnet service was prevented
B. Packets are being blocked inbound to and outbound from the network
C. The packet was blocked outbound from the network
An attempted connection to the ssh service was prevented
D. The packet was blocked inbound to the network
E. MAC filtering is enabled on the firewall
A. An attempted connection to the telnet service was prevented (Correct) D. The packet was blocked inbound to the network (Correct) Explanation OBJ-3.1: Firewall log formats will vary by vendor, but this example is a commonly used format from the Linux iptables firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word "drop" shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination (DPT) ports. In this case, the DPT is 23, which is the well-known port for telnet. Based on this single log entry, we cannot tell whether packets are also being blocked when they attempt to leave the network, or whether connections to the ssh service (port 22) are also being blocked.
You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?
A. Any security flaws present in the library will also be present in the developed application
B. There are no concerns with using commercial or open-source libraries to speed up development
C. Whether or not the libraries being used in the projects are the most up to date versions
D. Open-source libraries are inherently insecure because you do not know who wrote them
A. Any security flaws present in the library will also be present in the developed application OBJ-1.2: Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable, just as any other application or code might be. There are both known (discovered) and unknown vulnerabilities in the libraries being integrated into the project. Therefore, the software development team needs to monitor the applicable libraries for additional CVEs that might be uncovered later, have a plan for distributing appropriate patches to their customers, and have a plan for integrating subsequent updates into their codebase. Open-source libraries are not more vulnerable or insecure than commercially available or in-house developed libraries. Many consider open-source software more secure because it is widely analyzed and reviewed by programmers worldwide. While ensuring the most up to date versions of the libraries is a valid concern, as a cybersecurity analyst, you should be more concerned with current security flaws in the library so you can conduct risk management, implement controls to mitigate these vulnerabilities, and determine the method for continuing updates and patch support.
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever possible. What should you do?
A. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 (Correct)
B. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical
C. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks
D. Conduct remediation actions to update encryption keys on each server to match port 636
A. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 Explanation OBJ-1.3: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP, but LDAP services typically run unencrypted over this port. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.
You have just run the following commands on your Linux workstation: Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply)
A. DIOn (Correct)
B. DIon (Correct)
C. DION (Correct)
D. Dion (Correct)
E. dion (Correct)
A. DIOn (Correct) B. DIon (Correct) C. DION (Correct) D. Dion (Correct) E. dion (Correct) Explanation OBJ-3.1: grep (global search for regular expressions and print) is one of Linux's most powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" will be matched in the file and displayed as the command output. By default, grep is case sensitive, so "grep DION Names.txt" would only display "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.
What type of information will a Cisco switch capture in its logs when configured to log at level 7?
A. Debugging (Correct)
B. Errors
C. Emergencies
D. Warnings
A. Debugging (Correct) Explanation OBJ-3.1: The severity levels range from zero to seven, with zero being the most severe and seven being the least severe. Level 0 is used for an emergency and is considered the most severe condition because the system has become unstable. Level 1 is used for an alert condition and means that there is a condition that should be corrected immediately. Level 2 is used for a critical condition, and it means that there is a failure in the system's primary application that requires immediate attention. Level 3 is used for an error condition, and it means that something is happening to the system that is preventing proper function. Level 4 is used for warning conditions, and it may indicate that an error will occur if action is not taken soon. Level 5 is used for notice conditions, and it means that the events are unusual but are not error conditions. Level 6 is used for informational conditions and is a normal operational message that requires no action. Level 7 is used for debugging conditions and is just information that is useful to developers as they debug their networks and applications.
Which of the following roles should coordinate communications with the media during an incident response?
A. Public relations
B. System administrators
C. Human resources
D. Senior leadership
A. Public relations (Correct) OBJ-4.1: Public relations staff should be included in incident response teams to coordinate communications with the general public and the media to manage any negative publicity from a serious incident. Information about the incident should be released in a controlled way when appropriate through known press and external public relations agencies. Senior leadership should be focused on how the incident affects their departments or functional areas to make the best decisions. The senior leadership should not talk to the media without guidance from the public relations team. System administrators are part of the incident response team since they know the network's normal baseline behavior and its systems better than anyone else. System administrators should not talk to the media during an incident response. Human resources are part of the incident response team to appropriately contact any suspected insider threats and ensure no breaches of employment law or employment contracts are made.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?
A. Identify, implement, and document compensating controls
B. Remove the POS terminals from the network until the vendor releases a patch
C. Build a custom OS image that includes the patch
D. Replace the Windows POS terminals with standard Windows systems
A. Identify, implement, and document compensating controls (Correct) Explanation OBJ-5.2: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not be able to remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.
What containment technique is the strongest possible response to an incident?
A. Isolating affected systems
B. Segmentation
C. Enumeration
D. Isolating the attacker
A. Isolating affected systems OBJ-4.2: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be anything from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environment it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication with and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
Marta's organization is concerned that a user's account could remain vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?
A. Password expiration (Correct)
B. Minimum password length
C. Password complexity
D. Password history
A. Password expiration (Correct) Explanation OBJ-5.3: A password expiration control in the policy would force users to change their passwords at specific time intervals. This then locks out a user who types in the incorrect password or creates an alert that the user's account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario, which states that the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The "Passwords must meet complexity requirements" policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. What type of activity occurred based on the output above?
A. Port scan targeting 10.10.3.6 (Correct)
B. Port scan targeting 10.10.3.2
C. Denial of service attack targeting 10.10.3.6
D. Fragmentation attack targeting 10.10.3.6
A. Port scan targeting 10.10.3.6 OBJ-4.4: Port scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.
During which phase of the incident response process does an organization assemble an incident response toolkit?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity
A. Preparation OBJ-4.2: During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, to prevent future attacks or to bring an attacker up on criminal charges. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain? (SELECT FOUR)
A. Privilege escalation
B. Release of malicious email
C. Modify data
D. Exfiltrate data
E. Wait for a user to click on a malicious link
F. Lateral movement through the environment
A. Privilege escalation (Correct) C. Modify data (Correct) D. Exfiltrate data (Correct) F. Lateral movement through the environment (Correct) Explanation OBJ-1.2: The last phase is the actions on objectives phase. During this phase, the targeted network is now adequately controlled by the attacker. If the system or network owner does not detect the attacker, the adversary may persist for months while gaining progressively deeper footholds into the network. This is done through privilege escalation and lateral movement. Additionally, the attacker can now exfiltrate data from the network or modify data that will remain in the network. Waiting for a user to click on a malicious link occurs during the exploitation phase. Releasing a malicious email would occur during the delivery phase.
Which of the following lists the UEFI boot phases in the proper order?
A. Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime
B. Boot Device Select, Security, Pre-EFI initialization, Driver Execution Environment, Transient System Load, Runtime
C. Pre-EFI initialization, Security, Boot Device Select, Transient System Load, Driver Execution Environment, Runtime
D. Driver Execution Environment, Boot Device Select, Security, Transient System Load, Pre-EFI initialization, Runtime
A. Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime (Correct) Explanation OBJ-2.3: The Security phase must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The Security phase consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and the boot firmware volume (BFV). The Driver Execution Environment initializes the entire system's physical memory, I/O, and MMIO (Memory Mapped Input Output) resources. Finally, it begins dispatching DXE drivers present in the system firmware volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the boot policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.
Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically?
A. Suspend the machine and copy the contents of the directory it resides in
B. Shut down the virtual machine and make a forensic copy of its disk image
C. Suspend the machine and make a forensic copy of the drive it resides on
D. Perform a live acquisition of the virtual machine's memory
A. Suspend the machine and copy the contents of the directory it resides in (Correct) OBJ-4.4: The best option is to suspend the machine and copy the directory contents, as long as you ensure you protect the integrity of the files by hashing them before and after copying. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, you can copy the entire virtual hard drive by copying the file/folder from the host operating system (such as Windows), and this will give you all the information needed for your analysis. The virtual machine should not be powered off to create a copy of the drive since it could alter the files in the virtual disk image during the shutdown process. Live acquisition relies on a specialist hardware or software tool that can capture memory contents while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire memory contents to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and requires you to shut down the host machine to conduct the bit-by-bit copy.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
A. TACACS+
B. CHAP
C. RADIUS
D. Kerberos
A. TACACS+ (Correct) OBJ-2.1: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol developed by MIT and designed to provide strong mutual authentication for client/server applications using secret-key cryptography. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
A cybersecurity analyst is analyzing an employee's workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output: Based on this output, which of the following entries is suspicious? (SELECT THREE)
A. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
B. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
C. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
D. TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED
E. TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
F. TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
A. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING (Correct) B. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED (Correct) C. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT (Correct) Explanation OBJ-4.3: While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used by DNS servers to receive requests, and an employee's workstation running DNS would be unusual. If the Foreign Address used port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case. The entry that is listening on port 135 is not suspicious for a Windows workstation since this is used to conduct file sharing across a local Windows-based network with NetBIOS. The two entries from a random high-numbered port to a web server (port 80 and port 443) are normal network traffic. The web server listens on a well-known or reserved port (port 80 and port 443) and then responds to the random high-numbered port chosen by the workstation to conduct two-way communications.
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
A. These devices should be isolated from the rest of the enterprise network
B. These devices are insecure and should be isolated from the internet
C. There are no new risks due to the install and the company has a stronger physical security posture
D. These devices should be scanned for viruses before installation
A. These devices should be isolated from the rest of the enterprise network (Correct) Explanation OBJ-1.5: While the physical security posture of the company has been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.
Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply)
A. XML injection
B. Cross-site scripting
C. SQL injection
D. Directory traversal
A. XML injection B. Cross-site scripting C. SQL injection D. Directory traversal Explanation OBJ-2.2: Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injection from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in any forms that accept user input. Directory traversals can be prevented by conducting input validation on file paths or URLs accepted from the user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.
You want to search all the logs using REGEX to alert on any findings where a filename contains the word "password" (regardless of case). For example, "PASSWORD.txt," "Password.log," or "password.xlsx" should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this?
A. grep -i password logfile.log
B. grep password /i logfile.log
C. grep \i password logfile.log
D. grep "(PASSWORD)|(password)" logfile.log
A. grep -i password logfile.log (Correct) OBJ-3.1: The -i flag in grep means that the entire pattern that follows will be treated as case insensitive. The absence of a whole-word or anchor identifier (i.e., \b, ^) indicates that matching can occur at any part of the text being evaluated. In other words, "MyPasswords" will also be detected by this REGEX search. The (PASSWORD)|(password) REGEX will detect the exact phrases "PASSWORD" or "password" but will fail on simple variations like "Password." All other options misuse the case-insensitivity flag.
During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems as well.
A triple-homed firewall connects to three networks: internal (private), external (internet/public), and a screened subnet (formerly called a demilitarized zone or DMZ).
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?
A. VPN
B. Implement an allow list
C. MAC filtering
D. Intrusion Detection System
B. Implement an allow list (Correct) OBJ-3.2: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears that the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly when responding to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).
Which of the following are the two most important factors when determining a containment strategy?
A. Identification of whether the intrusion is the primary attack or a secondary one (i.e., part of a more complex campaign)
B. Prevention of an ongoing intrusion or data breach
C. Avoidance of alerting the attacker that they have been discovered
D. Ensuring the safety and security of all personnel
E. Preservation of evidence
B. Prevention of an ongoing intrusion or data breach (Correct) D. Ensuring the safety and security of all personnel (Correct) Explanation OBJ-4.2: Safety and security of personnel should always be the first and most important overriding concern. In particular, this may apply in cases where SCADA/ICS equipment is present. Once the physical danger is abated, the second priority will be to prevent any further exfiltration of data or prevent the ongoing intrusion from spreading. All other factors are important but should only be considered after considering safety and preventing the incident's further spread. Once that has been done, you can determine whether to use an isolation-based or segmentation-based containment technique.
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? A.Configure IP filtering on the internal and external interfaces of the router B.Install a NIPS on the internal interface and a firewall on the external interface of the router C.Install a firewall on the router's internal interface and a NIDS on the router's external interface D.Installation of a NIPS on both the internal and external interfaces of the router Explanation OBJ-2.1: Due to the requirements provided, you should install a NIPS on the gateway router's internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily "fail open" if it is overcome with traffic by being placed on the external interface. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. We wouldn't want to place the NIPS on the external interface in the correct choice for the same reasons. We also wouldn't choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.
B.Install a NIPS on the internal interface and a firewall on the external interface of the router (Correct) Explanation OBJ-2.1: Due to the requirements provided, you should install a NIPS on the gateway router's internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily "fail open" if it is overwhelmed with traffic when placed on the external interface. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. For the same reasons, we wouldn't want to place the NIPS on the external interface, and we also wouldn't choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.
You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? A.Install CCTV to monitor the entrance B.Install an access control vestibule at the entrance C.Require all employees to wear security badges when entering the building D.Install an RFID badge reader at the entrance
B.Install an access control vestibule at the entrance (Correct) Explanation OBJ-1.5: An access control vestibule, or mantrap, is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system such as a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won't stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but they won't stop a determined piggybacker who follows an employee into the building after the employee's authenticated RFID access has been performed.
Which of the following is NOT considered a phase in the incident response cycle? A.Detection and analysis B.Notification and communication C.Containment, eradication, and recovery D.Preparation
B.Notification and communication Explanation OBJ-4.2: There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. While you will conduct some notifications and communication during your incident response, that term is not one of the four defined phases.
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? A.Golden ticket B.Pass the hash C.Pivoting D.Lateral movement
B.Pass the hash OBJ-4.3: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
A penetration tester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) A.Authentication B.Physical accessibility C.Network access control D.Encryption E.MAC filtering F.Port security
B.Physical accessibility D.Encryption Explanation OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
You are reviewing the logs in your HIDS and see entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? A.UDP probe B.Port scan C.SYN flood D.The remote host cannot find the right service port
B.Port scan (Correct) Explanation OBJ-3.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can run a SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. A SYN flood normally sends many SYNs to a single system, but it doesn't send them to unused ports, and a UDP probe will not send SYN packets.
An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? A.Staging environment B.Screened subnet C.Data zone D.Availability zone
B.Screened subnet (Correct) OBJ-3.2: A triple-homed firewall connects to three networks: an internal (private) network, an external (internet/public) network, and a screened subnet (formerly called a demilitarized zone or DMZ). The screened subnet is used to host systems that require access from external hosts. Data zones describe the state and location of data to help isolate and protect it from unauthorized/inappropriate use, for example, as data transitions from raw storage to processing, production, and analytical use. Data zones are associated with data lakes and are designed to help manage big data used by analysts and scientists for data exploration and discovery tasks. An availability zone is an individual data center within a region of a cloud service provider's network. A staging environment is a pre-production enclave used for testing and development.
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A.NIDS B.Segmentation C.Patching D.Disabling unused services
B.Segmentation (Correct) D.Disabling unused services (Correct) OBJ-2.1: Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating it with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? A.Isolation-based containment by removing the affected database from production B.Segmentation-based containment that deceives the attacker into believing their attack was successful C.Isolation-based containment by disconnecting the APT from the affected network D.Segmentation-based containment that disrupts the APT by using a hack-back approach
B.Segmentation-based containment that deceives the attacker into believing their attack was successful (Correct) Explanation OBJ-4.2: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive the attacker into thinking the attack is progressing successfully, as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? A.The host might be offline and conducted backups locally -- you should contact a system administrator to have it analyzed B.The host might be used as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device C.The host might be used as a command and control node for a botnet -- you should immediately disconnect the host from the network D.The host might be the victim of a remote access trojan -- you should reimage the machine immediately
B.The host might be used as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device (Correct) OBJ-3.3: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don't usually need to store data locally, and you noticed that a host's free disk capacity has suddenly diminished, you believe it could indicate that it is being used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm it by checking the network connectivity or analyzing the files stored on the system. If you suspect the host is being used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? A.The attacker will conduct a SQL injection against their database B.They may now be vulnerable to a credential stuffing attack (Correct) C.The same vulnerability will be compromised on their servers D.The attacker will conduct an on-path attack
B.They may now be vulnerable to a credential stuffing attack (Correct) Explanation OBJ-1.1: The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumer group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. If the attackers compromised the usernames and passwords from Whamiedyne's servers, they might attempt to use those credentials on Yoyodyne's servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn't mention an SQL database. Therefore, there is no direct threat of an SQL injection. An on-path attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the hosts. Nothing in this question indicates that an on-path attack was utilized or is a possible threat.
A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? A.Data exfiltration B.Unauthorized software C.Processor consumption D.Irregular peer-to-peer communication
B.Unauthorized software (Correct) OBJ-3.3: This is a difficult question, but you should see a keyword in the query, "mimikatz." Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is considered unauthorized software and should be immediately alerted upon if discovered in your network. Data exfiltration is the process by which an attacker takes data that is stored inside of a private network and moves it to an external network. Processor consumption is an IoC that monitors the per-process percentage of CPU time to show what causes the problem. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or data transfers.
The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely.
You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? A.Use an IPS evasion technique B.Scan using the -p 1-65535 flag C.Perform a scan from on-site D.Use a UDP scan
C.Perform a scan from on-site OBJ-1.4: You should request permission to conduct an on-site scan of the network. If the organization's network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services running on the internal network. While nmap does provide some capabilities to scan through a firewall, it is not as detailed as being on-site.
Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system? A.Subdomain allow listing B.Route poisoning C.DNS sinkholing (Correct) D.Anti-malware router filters (Incorrect)
C.DNS sinkholing (Correct) Explanation OBJ-3.2: DNS sinkholing is a process that uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply. Route poisoning prevents networks from sending data somewhere when the destination is invalid. Routers do not usually have an anti-malware filter; this capability would be reserved for a unified threat management system. Subdomain allow listing would not apply here because it would imply that you are implicitly denying all traffic and only allowing allow-listed subdomains to be accessed from the hosts, which would affect their operational utility to the organization.
You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network? A.Utilize a server with multiple virtual machine snapshots installed on it, restore from a known compromised image, then scan it for vulnerabilities B.Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabilities C.Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities D.Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network
C.Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities Explanation OBJ-3.2: To ensure your corporate network's safety, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker cannot exploit the vulnerabilities but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to the security of the server.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? A.Log consolidation B.Automated patch deployment C.Intrusion prevention system (Correct) D.Anti-virus software
C.Intrusion prevention system (Correct) Explanation OBJ-1.5: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an intrusion prevention system. ICS/SCADA machines utilize very specific commands to control the equipment, so to prevent malicious activity you could set up strict IPS rules that block unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before applying any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, since some ICS/SCADA systems do not rely on standard operating systems like Windows.
Which type of media sanitization would you classify degaussing as? A.Clearing B.Destruction C.Purging D.Erasing
C.Purging OBJ-4.2: Degaussing is classified as a form of purging. Purging ensures that information cannot be feasibly recovered, even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which removes the data file's pointer on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? A.Require all new employees to sign an NDA B.Require data masking for any information stored in the database C.Require data at rest encryption on all endpoints (Correct) D.Require a VPN to be utilized for all telework employees
C.Require data at rest encryption on all endpoints (Correct) Explanation OBJ-5.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop's loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? A.Require students to choose an image to serve as a secondary password after logon B.Require students to create a unique PIN that is entered after their username and password are accepted C.Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password D.Require students to enter a cognitive password requirement (such as 'What is your dog's name?')
C.Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password (Correct) Explanation OBJ-2.1: All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS-sent number is an example of a possession factor, or something you have. In this case, it verifies that you have your smartphone. By combining this possession factor with the knowledge factor already in use (username and password), you can establish multifactor security for the login process.
Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A.Administrative controls B.Compensating controls C.Technical controls (Correct) D.Physical controls
C.Technical controls (Correct) OBJ-2.1: Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware. Administrative controls involve processes and procedures. Physical controls include locks, fences, and other controls over physical access. Compensating controls are controls that are put in place to cover any gaps and reduce the risk remaining after using other controls.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? A.VPN B.MAC filtering C.VLAN D.WPA2
C.VLAN (Correct) Explanation OBJ-2.1: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual networks' data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment? A.Bypass testing and deploy patches directly into the production environment B.Purchase additional workstations C.Virtualization (Correct) D.Sandboxing
C.Virtualization (Correct) OBJ-1.3: When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab. Virtualization will allow the organization to create a lab environment without significant costs. Purchasing additional workstations would be costly and more time-consuming to configure.
Which of the following vulnerabilities is the greatest threat to data confidentiality? A.phpinfo information disclosure vulnerability B.HTTP TRACE/TRACK methods enabled C.Web application SQL injection vulnerability D.SSL Server with SSLv3 enabled vulnerability
C.Web application SQL injection vulnerability (Correct) Explanation OBJ-1.4: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice that anything had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.
Consider the following data: Which of the following best describes the data presented above? A.An XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework B.A JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service C.An XML entry describing an APT using the MITRE ATT&CK framework D.A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format
D.A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format (Correct) Explanation OBJ-1.2: This excerpt is a JSON object used by the STIX protocol to convey threat information. STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies. Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? A.A website utilizing a self-signed SSL certificate B.An HTTP response that reveals an internal IP address C.A cryptographically weak encryption cipher D.A buffer overflow that is known to allow remote code execution
D.A buffer overflow that is known to allow remote code execution (Correct) Explanation OBJ-1.4: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
You are reviewing a rule within your organization's IDS. You see the following output: Based on this rule, which of the following malicious packets would this IDS alert on? A.Any malicious outbound packets B.A malicious outbound TCP packet C.Any malicious inbound packets D.A malicious inbound TCP packet
D.A malicious inbound TCP packet (Correct) OBJ-3.1: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.
Which of the following is NOT considered part of the Internet of Things? A.ICS B.SCADA C.Smart television D.Laptop (Correct)
D.Laptop OBJ-1.5: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things are examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
While conducting a static analysis source code review of a program, you see the following line of code: What is the largest security issue with this line of code? A.The * operator will allow retrieval of every data field about this customer in the CUSTOMER table B.The code is using parameterized queries C.This code is vulnerable to a buffer overflow attack D.An SQL injection could occur because input validation is not being used on the id parameter
D.An SQL injection could occur because input validation is not being used on the id parameter OBJ-2.2: This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like ' or '1'='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the WHERE clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.
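To see the tautology quoted in the explanation above work against a real query, and how a parameterized query stops it, here is an added example (not code from the original exam) using Python's built-in sqlite3 module. The CUSTOMER table layout, the three customer rows, and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows for this example (not data from the exam page).
SAMPLE_CUSTOMERS = [
    ("C100", "Alice Example", "alice@example.test"),
    ("C200", "Bob Example", "bob@example.test"),
    ("C300", "Carol Example", "carol@example.test"),
]


def build_db():
    """Create an in-memory CUSTOMER table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMER (CUST_ID TEXT, NAME TEXT, EMAIL TEXT)")
    conn.executemany("INSERT INTO CUSTOMER VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def unsafe_sql(cust_id):
    """The flawed pattern: the id value is concatenated straight into the SQL text."""
    return "SELECT * FROM CUSTOMER WHERE CUST_ID='" + cust_id + "'"


def lookup_unsafe(conn, cust_id):
    """Run the concatenated statement; whatever the caller typed becomes SQL."""
    return conn.execute(unsafe_sql(cust_id)).fetchall()


def lookup_parameterized(conn, cust_id):
    """The fix: a prepared statement. The driver binds the value as data and
    never parses it as SQL, so quotes inside it cannot change the query."""
    return conn.execute("SELECT * FROM CUSTOMER WHERE CUST_ID=?", (cust_id,)).fetchall()


def demo():
    """Compare both lookups with a normal id and with the tautology payload."""
    conn = build_db()
    normal = "C200"
    tautology = "' or '1'='1"   # the input quoted in the explanation above
    return {
        "unsafe_normal": len(lookup_unsafe(conn, normal)),
        "unsafe_payload": len(lookup_unsafe(conn, tautology)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_payload": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    print(unsafe_sql("' or '1'='1"))
    print(demo())
```

With the tautology as input, the concatenated statement returns all three rows, exactly the "EVERY record" case the explanation describes, while the parameterized query looks for a customer literally named `' or '1'='1` and returns nothing.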
Question 29: Incorrect Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted? A.An overt internal test B.An overt external test C.A covert external test D.A covert internal test
D.A covert internal test (Correct) Explanation OBJ-4.2: This is considered an internal covert test. It is internal because an employee of the company is part of the team and provides them with general user privileges. This will simulate an insider threat attack. It is also considered covert because the security staff and system administrators are unaware of the ongoing test.
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A.QR coding B.XML C.SQL D.Base64
D.Base64 (Correct) Explanation OBJ-4.2: While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question's example output.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network? A.Conduct a packet capture of data traversing the server network B.Conduct a service discovery scan on the network C.Manually review the syslog server's logs D.Conduct an OS fingerprinting scan across the network (Correct)
D.Conduct an OS fingerprinting scan across the network (Correct) Explanation OBJ-1.4: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the Syslog server's logs would take too long, and would not find servers that don't send their logs to the Syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, it doesn't indicate whether Linux or Windows is the underlying operating system.
Which of the following information is traditionally found in the Scope of Work (SOW) for a penetration test? A.Maintenance windows B.Timing of the scan C.Format of the executive summary report D.Excluded hosts
D.Excluded hosts (Correct) Explanation OBJ-5.2: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.
You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything and then call the company's public relations officer to ask if a press release had been published, which it has not. Which of the following has likely occurred? A.Release of PII and SPI B.Disclosing based on regulatory requirements C.Communication was limited to trusted parties D.Inadvertent release of information
D.Inadvertent release of information Explanation OBJ-5.1: It is most likely that an inadvertent release of information has occurred. This could have occurred due to communication not being limited to trusted parties or information being shared amongst the analysts using insecure communication methods. Based on the scenario, we cannot tell if the data breach (if one has occurred) involved the release of PII or SPI. Part of any good communications plan is understanding that you are required to disclose information based on regulatory requirements. When that disclosure occurs, it will usually be accompanied by a press release.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? A.Failed logins B.Unauthorized sessions C.Off-hours usage D.Malicious processes
D.Malicious processes OBJ-4.3: A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization, for example, if a limited-privilege user is signed into a domain controller. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack attempting to crack a user's password.
Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to in order to ensure the best security of the virtualization platform? A.Internal zone B.Screened subnet (Incorrect) C.External zone D.Management network (Correct)
D.Management network (Correct) Explanation OBJ-3.3: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or screened subnet (formerly called a DMZ) should not have the management interface exposed to them.
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person cannot both add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? A.Least privilege B.Security through obscurity C.Dual control authentication D.Separation of duties
D.Separation of duties (Correct) Explanation OBJ-5.2: Separation of duties is the concept of having more than one person required to complete a task. In business, requiring more than one individual to take part in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Dual control authentication is used when performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? A.The beaconing interval (Incorrect) B.The beacon's persistence C.The removal of known traffic D.The beacon's protocol (Correct)
D.The beacon's protocol Explanation OBJ-3.3: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing) are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.
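An added example, not part of the original exam, of the kind of filtering script the question describes. It is written in Python, works on a constructed outbound-connection log (epoch seconds, source IP, destination IP, protocol), and applies two of the indicators from the explanation: it removes known traffic first, then looks for source/destination pairs whose connection intervals are nearly constant. Persistence across a reboot cannot be judged from a single log, so it is not modelled. The log layout, the KNOWN_DESTINATIONS list, and the thresholds are all assumptions chosen for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log for this example (not the exam's log):
# "<epoch seconds> <src ip> <dst ip> <proto>", one connection per line.
# 10.0.0.5 -> 203.0.113.7 connects roughly every 60 s; 10.0.0.9's traffic is irregular.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7 tcp
1005 10.0.0.9 198.51.100.20 tcp
1010 10.0.0.5 93.184.216.34 tcp
1012 10.0.0.9 198.51.100.20 tcp
1059 10.0.0.5 203.0.113.7 tcp
1121 10.0.0.5 203.0.113.7 tcp
1140 10.0.0.9 198.51.100.20 tcp
1142 10.0.0.9 198.51.100.20 tcp
1180 10.0.0.5 203.0.113.7 tcp
1238 10.0.0.5 203.0.113.7 tcp
1290 10.0.0.9 93.184.216.34 tcp
1301 10.0.0.5 203.0.113.7 tcp
1360 10.0.0.5 203.0.113.7 tcp
1400 10.0.0.9 198.51.100.20 tcp
"""

# "Removal of known traffic": destinations the analyst has already vetted (assumed list).
KNOWN_DESTINATIONS = {"93.184.216.34"}


def parse_log(text):
    """Return (timestamp, src, dst) tuples, dropping connections to known destinations."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip blank or malformed lines
        ts, src, dst, _proto = parts      # protocol is deliberately ignored (see the question)
        if dst in KNOWN_DESTINATIONS:
            continue
        events.append((int(ts), src, dst))
    return events


def find_beacons(events, min_connections=5, max_jitter_ratio=0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.

    jitter is the standard deviation of the intervals divided by their mean, so a
    perfectly regular beacon scores 0.0 and bursty human traffic scores near or above 1.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = float(mean(intervals))
        jitter = pstdev(intervals) / avg if avg else float("inf")
        if jitter <= max_jitter_ratio:
            findings.append({"src": src, "dst": dst,
                             "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return findings


def demo():
    """Run the whole pipeline over the constructed log."""
    return find_beacons(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On the constructed log only the 10.0.0.5 to 203.0.113.7 pair survives: its intervals of 58 to 63 seconds give a jitter well under the threshold, while the irregular 10.0.0.9 traffic has a jitter above 1 even though it also has five connections. Lowering max_jitter_ratio tightens the filter; raising min_connections reduces noise from short-lived pairs.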
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure? A.The data cannot be copied using the RAW format B.The source drive is encrypted with BitLocker C.The data on the source drive was modified during the imaging D.There are bad sectors on the destination drive (Correct)
D.There are bad sectors on the destination drive (Correct) Explanation OBJ-4.4: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit-by-bit copy and will copy even the source drive's bad sectors. Even if the source disk were encrypted, the dd program would create a bit-by-bit copy to the destination drive for later cryptanalysis attempts. Even if the data were modified, this would not cause the copy to fail. Instead, the copy would continue and record the modified data instead of the original data.
Which of the following is exploited by an SQL injection to give the attacker access to a database? A.Database server B.Firewall C.Operating system D.Web application (Correct)
D.Web application (Correct) OBJ-1.7: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.
You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct? A.Your email server has been compromised B.Your organization has a vulnerable version of the SSH server software installed C.Your web server has been compromised D.Your email server is running on a non-standard port
D.Your email server is running on a non-standard port (Correct) Explanation OBJ-3.1: As shown in the nmap scan's output, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows that an SMTP server is running on port 80. SMTP normally runs on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? A.DNSSEC B.DNS registration C.CNAME D.Zone transfers
D.Zone transfers (Correct) OBJ-2.3: Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but an attacker could also use them for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers. DNSSEC strengthens authentication in DNS using digital signatures based on public-key cryptography. CNAME is a Canonical Name Record or Alias Record, a type of resource record in the Domain Name System (DNS) that specifies that one domain name is an alias of another canonical domain name. DNS registration is a service that allows the owner of a domain name to use their own name servers, which can match the domain name in question.
Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file: Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23? A.grep "10\.1\.0\.10\," firewall.log | grep "23" B.grep "10.1.0.10," firewall.log | grep "23" C.grep "10.1.0.10," firewall.log | grep "23$" D.grep "10\.1\.0\.10\," firewall.log | grep "23$"
D.grep "10\.1\.0\.10\," firewall.log | grep "23$" (Correct) Explanation OBJ-3.1: The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command's output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character. Otherwise, grep treats it as a regular-expression metacharacter that matches any single character (except a line break). Adding the \ before the dot (\.) makes grep treat it simply as a literal dot or period. You must also escape the comma for it to be processed properly. The $ after the port number indicates that the number should only count as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).
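The same filtering done with Python's re module, as an added example that is not from the original exam, to show why the escaping and the $ anchor matter. The log layout and the six lines are constructed for this example (the exam's own two sample lines are not reproduced on this page). naive_filter mirrors the unescaped, unanchored pipeline of option B, exam_filter mirrors the correct answer D, and strict_filter adds one refinement a practitioner would want: anchoring the field separator before the port, so that a destination port of 2323 is not matched by "23$".

```python
import re

# Constructed firewall log lines in a comma-separated layout chosen for this example:
#   <timestamp>,<action>,<src host>,<src ip>,<src port>,<dst ip>,<dst port>
# Line 2 has SOURCE port 23, line 3 has destination port 2323, and line 5 carries a
# hostname (ip-10-1-0-10) that an unescaped "10.1.0.10," pattern matches by accident.
SAMPLE_LOG = [
    "2021-03-01T10:00:01,ALLOW,ws-05,192.168.1.5,50231,10.1.0.10,23",
    "2021-03-01T10:00:02,ALLOW,ws-05,192.168.1.5,23,10.1.0.10,443",
    "2021-03-01T10:00:03,DENY,ws-07,192.168.1.7,4123,10.1.0.10,2323",
    "2021-03-01T10:00:04,ALLOW,ws-09,192.168.1.9,51000,10.1.0.11,23",
    "2021-03-01T10:00:05,ALLOW,ip-10-1-0-10,172.16.4.4,40000,10.9.9.9,23",
    "2021-03-01T10:00:06,ALLOW,ws-05,192.168.1.5,50232,10.1.0.10,23",
]


def naive_filter(lines, ip, port):
    """Mirrors grep "10.1.0.10," | grep "23": dots unescaped, port unanchored."""
    ip_re = re.compile(ip + ",")          # '.' is a metacharacter: any single character
    port_re = re.compile(str(port))       # matches the digits anywhere on the line
    return [line for line in lines if ip_re.search(line) and port_re.search(line)]


def exam_filter(lines, ip, port):
    """Mirrors the correct answer: escaped dots, port anchored to the end of the line."""
    ip_re = re.compile(re.escape(ip) + ",")   # re.escape turns '.' into '\.'
    port_re = re.compile(str(port) + "$")
    return [line for line in lines if ip_re.search(line) and port_re.search(line)]


def strict_filter(lines, ip, port):
    """Tighter variant: the separator is anchored on both patterns, so the IP must be a
    whole field and "23$" can no longer match the tail of port 2323."""
    ip_re = re.compile("," + re.escape(ip) + ",")
    port_re = re.compile("," + str(port) + "$")
    return [line for line in lines if ip_re.search(line) and port_re.search(line)]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("exam", exam_filter), ("strict", strict_filter)):
        print(name, len(fn(SAMPLE_LOG, "10.1.0.10", 23)), "lines")
```

Run against the constructed log, the naive pipeline returns five lines (it picks up the source-port-23 line, the port-2323 line, and the hostname false positive), the exam's pattern returns three (it still includes port 2323), and the strict variant returns only the two genuine destination-port-23 connections.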
A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers.
Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive the attacker into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived.
The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it.
A staging environment is a pre-production enclave used for testing and development.
Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, to prevent future attacks, or to bring criminal charges against an attacker.
An availability zone is an individual data center within a region of a cloud service provider's network.
During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks.
Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials.
The screened subnet is used to host systems that require access from external hosts.
Data zones describe the state and location of data to help isolate and protect it from unauthorized or inappropriate use, for example, as data transitions from raw storage, processing, production, and analytical use. Data zones are associated with data lakes and designed to help manage big data used by analysts and scientists for data exploration and discovery tasks.
TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco.
During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence.
The grep (global search for regular expressions and print) command is one of Linux's powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive.
MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server).
LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP, but it typically carries unencrypted LDAP services. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.
Kerberos, developed by MIT, is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography.
A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced.