CompTIA CySA+ (CS0-002) Practice Exam 3
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? A.Passive scan B.Banner grabbing C.Protocol analysis D.Vulnerability scan
B.Banner grabbing (Correct) Explanation OBJ-1.3: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run.
Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting? A.Deep learning B.Data enrichment C.Machine learning D.Continuous integration
B.Data enrichment (Correct) OBJ-1.1: When data enrichment occurs, it could combine a threat intelligence feed with a log of NetFlow. This will allow the analyst to know if an IP address of interest is associated with a known APT. Machine learning and deep learning are forms of artificial intelligence that may be used to conduct data enrichment activities, but individually they are not sufficient to answer this question. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly, and is unrelated to this question.
You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company's network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm's executives? (SELECT TWO) A.Recovery time B.Data integrity C.Economic D.Downtime E.Detection time
B.Data integrity (Correct) C.Economic (Correct) Explanation OBJ-4.2: While all of the above options should be included in your report to management, due to the nature of your company's work, the economic impact on the business should be your top factor. This would include any possible liability and damage that will be done to the company's reputation. Data integrity would be the second most important factor to highlight in your report since an APT may have stolen significant amounts of money by altering your financial documentation and accounts' data integrity. Downtime, recovery time, and detection time are important for understanding the broader cybersecurity concern and remediation steps but are not going to be the primary concern for your accounting firm's executives. As a cybersecurity analyst, you often prioritize what will be highlighted to the executives and management. It is important to remember their perspective and priorities, which are usually focused on monetary cost/ROI and the business's longevity over the technical details an analyst usually focuses on. To be successful in this career field, you need to learn to speak both languages (the technical details when working with the system administrators and the business impact when discussing with management/executives).
Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE) A.Patching of the backend infrastructure B.Dependency on the cloud service provider C.Limited disaster recovery options D.Management of physical servers E.Protection of endpoint security F.Management of VPC offerings
B.Dependency on the cloud service provider (Correct) C.Limited disaster recovery options (Correct) E.Protection of endpoint security (Correct) Explanation OBJ-2.1: Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. There is a heavy dependency on the cloud service provider in a serverless architecture system since all of the back-end infrastructure's patching and management functions are done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, though the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.
Sagar is planning to patch a production system to correct a detected vulnerability during his most recent network vulnerability scan. What process should he follow to minimize the risk of a system failure while patching this vulnerability? A.Contact the vendor to determine a safe time frame for deploying the patch into the production environment B.Deploy the patch in a sandbox environment to test it before patching the production system C.Deploy the patch immediately on the production system to remediate the vulnerability D.Wait 60 days to deploy the patch to ensure there are no associated bugs reported with it
B.Deploy the patch in a sandbox environment to test it before patching the production system Explanation OBJ-3.2: While patching a system is necessary to remediate a vulnerability, you should always test the patch before implementation. It is considered a best practice to create a staging or sandbox environment to test the patches' installation before installing them into the production environment. This reduces the risks of the patch breaking something in the production system. Unless you are dealing with a very critical vulnerability and the risk of not patching is worse than the risk of patching the production system directly, you should not immediately patch the production systems without testing the patch first. You should not wait 60 days to deploy the patch. Waiting this long provides attackers an opportunity to reverse engineer the patch and create a working exploit against the vulnerability. Finally, asking the vendor for a safe time frame is not helpful since the vendor does not know the specifics of your environment or your business operations.
Which of the following is not a recognized adversarial attack vector according to the MITRE ATT&CK framework? A.Human B.Informational C.Physical D.Cyber
B.Informational (Correct) Explanation OBJ-2.1: Cyber, human, and physical are all recognized adversarial attack vectors in the framework. While the information may be exchanged in all of these factors, the term is too generic to uniquely describe any given attack vector under the MITRE ATT&CK framework. Cyber is the use of hardware or software IT systems. Human is the use of social engineering, coercion, impersonation, or force. Physical relies on gaining local access.
What tool can be used as an exploitation framework during your penetration tests? A.Nessus B.Metasploit C.Nmap D.Autopsy
B.Metasploit Explanation OBJ-5.2: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations.
According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the C2 phase of the kill chain? A.Anti-virus B.NIPS C.Port security D.Firewall ACL
B.NIPS OBJ-4.2: A network intrusion prevention system could disrupt an adversary's C2 channel by shutting it down or blocking it. While a firewall ACL might be lucky enough to deny an adversary the ability to establish the C2 channel, a NIPS is better suited to detect and block an adversary than a static ACL entry. A conventional anti-virus would potentially disrupt the installation phase of an adversary's attack, but it is unlikely to affect the C2 phase once installed. Port security is useful only against layer 2 addressing, which is not used for adversary C2 over the internet.
Which of the following lists represents the NIST cybersecurity framework's four tiers, when ordered from least mature to most mature? A.Partial, Risk Informed, Managed, Adaptive (Incorrect) B.Partial, Risk Informed, Repeatable, Adaptive C.Partial, Managed, Risk Informed, Adaptive D.Partial, Repeatable, Risk Informed, Adaptive
B.Partial, Risk Informed, Repeatable, Adaptive (Correct) Explanation OBJ-5.3: From least mature to most mature, the NIST cybersecurity framework is Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
Which party in a federation provides services to members of the federation? A.SSO B.RP C.SAML D.IdP
B.RP (Correct) Explanation OBJ-2.1: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.
Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue? A.Add another vulnerability scanner B.Reduce the sensitivity of scans C.Reduce the scope of scans D.Reduce the frequency of scans
B.Reduce the sensitivity of scans (Correct) OBJ-1.3: If the cybersecurity analyst were to reduce the scans' sensitivity, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. In this scenario, the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. The analyst could reduce the scans' scope, thereby scanning fewer systems or vulnerabilities signatures and taking less time to complete. Alternatively, the analyst could reduce the scans' frequency by moving to a less frequent schedule, such as one scan every 48 hours or one scan per week. The final option would be to add additional vulnerability scanners to the process. This would allow the two scanners to work together to divide the workload and complete the task within the 24-hour scan frequency currently provided.
Which of the following protocols could be used inside a virtual system to manage and monitor the network? A.SMTP B.SNMP C.BGP D.EIGRP
B.SNMP (Correct) Explanation OBJ-2.1: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.
A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user's recent trip to Australia. What is the most likely explanation for how the data left the network? A.The files were downloaded from home while connected to the corporate VPN B.Steganography was used to hide the leaked data inside the user's photos C.The data was hashed and then emailed to their personal email account D.The data was encrypted and emailed to their spouse's email account
B.Steganography was used to hide the leaked data inside the user's photos (Correct) Explanation OBJ-5.1: The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customer's information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers' personal information. Finally, according to the scenario, the user's email showed no evidence of encrypted files being sent.
Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the platform's key management, he discovers that API keys are embedded in the application's source code. Which of the following statements best describes the security flaw with this coding practice? A.It is difficult to control the permission levels for embedded keys B.The embedded key may be discovered by an attacker who reverse engineers the source code C.Changing the API key will require a corresponding software upgrade D.Key management is no longer required since the key is embedded in the source code
B.The embedded key may be discovered by an attacker who reverse engineers the source code (Correct) Explanation OBJ-2.2: A sophisticated adversary may discover the software's embedded key through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of installing new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.
You are conducting a review of a VPN device's logs and found the following URL being accessed: Based upon this log entry alone, which of the following most likely occurred? A.An XML injection attack caused the VPN server to return the password file B.The passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted C.An SQL injection attack caused the VPN server to return the password file D.The passwd file was downloaded using a directory traversal attack
B.The passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted (Correct) Explanation OBJ-3.3: The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is not an SQL or XML injection attack.
Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? A.Encryption B.WAF C.Vulnerability scanning D.IPS
B.WAF (Correct) Explanation OBJ-3.2: WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An intrusion prevention system (IPS) is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.
You are conducting static analysis of an application's source code and see the following: If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for "id" and "certification", which of the following strings allow this to occur? A.id = "1' OR '1'==1" and certification = "cysa' OR '1=='1" B.id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" C.certification = "cysa' OR '1'=='1" D.id = "1' OR '1'=='1"
B.id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" Explanation OBJ-2.2: ID and certification must be crafted so that when substituted for the ".getparameter" fields, the SQL statement formed is still complete and will return a Boolean value of true for the ENTIRE statement every time it is evaluated. The AND in the middle of the WHERE clause indicates that both the courseID and certification portion must be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be <id = "1' OR '1' =='1". The other statements either would only partially be true or are using the incorrect number and placement of single quotes in the SQL statement so that an error is returned.
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A.10.15.1.100 B.172.16.1.100 C.192.186.1.100 D.192.168.1.100
C.192.186.1.100 (Correct) Explanation OBJ-3.1: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? A.389 B.21 C.443 D.3389
C.443 Explanation OBJ-3.1: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software? A.XCCDF B.CPE C.CVE D.CCE
C.CVE (Correct) Explanation OBJ-3.4: The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement? A.Install a virtual firewall and establish an access control list B.Create a virtual router and disable the spanning tree protocol C.Configure a virtual switch on the physical server and create VLANs D.Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions
C.Configure a virtual switch on the physical server and create VLANs Explanation OBJ-2.1: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides a logical separation of each virtual machine through the use of VLANs on the virtual switch.
During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst's vulnerability scans of the network's domain controllers? A.Configuration management systems B.SIEM systems C.DMARC and DKIM D.Log files
C.DMARC and DKIM (Correct) Explanation OBJ-3.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst's vulnerability scans on a domain controller.
You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? A.Beaconing B.Introduction of new accounts C.Data exfiltration D.Unauthorized privilege
C.Data exfiltration Explanation OBJ-3.3: If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network.
Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? A.DLP B.Data in use C.Data in transit D.Data at rest
C.Data in transit (Correct) Explanation OBJ-5.1: Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest means that the data is in persistent storage media using whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can encrypt data as it exists in memory so that an untrusted process cannot decode the information. This uses a secure enclave and requires a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may include data at rest, data in transit, or data in use to function.
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test? A.Reverse engineering B.Physical penetration attempts C.Denial-of-service attacks D.Social engineering
C.Denial-of-service attacks (Correct) Explanation OBJ-5.2: A denial-of-service or DoS attack isn't usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment's scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test's scope. A penetration tester must limit the invasiveness of their assessment to the specific scope of the penetration test.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? A.Require 2FA (two-factor authentication) on the laptops B.Increase the encryption level of VPN used by the laptops C.Implement a jumpbox system D.Scan the laptops for vulnerabilities and patch them
C.Implement a jumpbox system (Correct) Explanation OBJ-2.1: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A.PaaS B.SaaS C.MSSP D.IaaS
C.MSSP (Correct) Explanation OBJ-2.1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
After an employee complains that her computer is running abnormally slow, so you conduct an analysis of the NetFlow data from her workstation. Based on the NetFlow data, you identify a significant amount of traffic from her computer to an IP address in a foreign country over port 6667 (IRC). Which of the following is the most likely explanation for this? A.The computer has likely been compromised by an APT B.The employee is using Internet Relay Chat to communicate with her friends and family overseas C.Malware has been installed on her computer and is using the IRC protocol to communicate D.This is routine machine-to-machine communications in a corporate network
C.Malware has been installed on her computer and is using the IRC protocol to communicate OBJ-3.1: Internet Relay Chat (IRC) used to be extremely popular but was replaced by modern chat applications like Facebook Messenger, Google Hangouts, Slack, and numerous others. These days, IRC traffic is infrequent on most corporate networks. Therefore, this would be classified as suspicious and require additional investigation. The unencrypted nature of the protocol makes it easy to intercept and read communications on this port. Still, even so, many types of malware use IRC as a communication channel. Due to this cleartext transmission, an APT would avoid using IRC for their C2 channel to blend in with regular network traffic and avoid detection. IRC is not normally used for machine-to-machine communications in corporate networks. Because the scenario mentioned a connection to a foreign country, as part of your investigation, you should ask the employee if they have friends or family overseas in the country to rule out the possibility that this is acceptable traffic.
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? A.Incinerate and replace the storage devices B.Conduct zero-fill on the storage devices C.Perform a cryptographic erase (CE) on the storage devices D.Use a secure erase (SE) utility on the storage devices Explanation
C.Perform a cryptographic erase (CE) on the storage devices OBJ-4.2: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.
What is the term for the amount of risk that an organization is willing to accept or tolerate? A.Risk avoidance B.Risk transference C.Risk appetite D.Risk deterrence
C.Risk appetite (Correct) Explanation OBJ-5.2: An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
Stephanie believes that her computer had been compromised because her computer suddenly slows down and often freezes up. Worried her computer was infected with malware, she immediately unplugged the network and power cables from her computer. Per the company procedures, she contacts the help desk, fills out the appropriate forms, and is sent to a cybersecurity analyst for further analysis. The analyst was not able to confirm or deny the presence of possible malware on her computer. Which of the following should have been performed during the incident response preparation phase to prevent this issue? A.Install additional network monitoring to conduct full packet capture of all network traffic B.The computer should have been scanned for vulnerabilities and patched C.Train users to not unplug their computers when a suspected incident is occurring D.Documenting the organization's incident response procedures
C.Train users to not unplug their computers when a suspected incident is occurring (Correct) Explanation OBJ-4.2: The issue presented in this scenario is that Stephanie unplugged the computer before anyone had a chance to investigate it. During the preparation phase of the incident response process, the company should train its users on what to do in an anomaly or suspected malware intrusion. Many years ago, it was commonly assumed that unplugging the computer is the best thing to do when a system is suspected to be infected with malware. This is no longer true because many malware types are installed when the computer is running, but when you power off and reboot the machine, they can encrypt the hard drive, infect the boot sector, or corrupt the operating system. In modern cybersecurity organizations, users are instead trained to contact the service desk or the security operations center. An analyst can then decide the best course of action (i.e., segmentation, isolation, reconstruction, or disposal). Monitoring of network traffic might have detected that something was on Sue's computer. Still, it would not necessarily have provided an IOC to the same degree that a volatile memory capture might have. Based on the scenario, the company had documented procedures that were used and followed. Based on the scenario, there is no indication that the company's current scanning or patching policy is at fault. It is costly and resource-intensive to conduct full network packet capture of the network at all times. Many organizations do not require this type of extensive monitoring. Therefore, it is only done as part of threat hunting or in specific ranges, such as in the DMZ or for a specific critical server.
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? A.Implement endpoint protection platforms B.Installation of anti-virus tools C.User and entity behavior analytics D.Use of a host-based IDS or IPS
C.User and entity behavior analytics (Correct) Explanation OBJ-1.5: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.
You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? A.Site surveys B.Port scanning C.War walking D.MAC validation
C.War walking (Correct) Explanation OBJ-1.4: War walking is conducted by walking around a build while locating wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.
What command should a forensic analyst use to make a forensic disk image of a hard drive? A.touch B.wget C.dd (Correct) D.rm
C.dd Explanation OBJ-4.4: The dd tool is used to make bit by bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard command used in the UNIX/Linux operating system used to create, change, and modify timestamps of a file. The rm command is used to delete one or more files or directories.
You are conducting a grep search on a log file using the following REGEX expression: Which of the following strings would be included in the output of the search? [email protected] [email protected] [email protected] D.www.diontraining.com
[email protected] (Correct) Explanation OBJ-3.1: In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]" is composed of upper or lower case alphanumeric symbols "_%+-." After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of [email protected] (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of [email protected] is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of [email protected] is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.
Which level of logging should you configure on a Cisco device to be notified whenever they shut down due to a failure? A.7 B.5 C.2 D.0
D.0 (Correct) Explanation OBJ-3.1: The severity levels range from zero to seven, with zero being the most severe and seven being the least severe. Level 0 is used for an emergency and is considered the most severe condition because the system has become unstable. Level 1 is used for an alert condition and means that there is a condition that should be corrected immediately. Level 2 is used for a critical condition, and it means that there is a failure in the system's primary application and it requires immediate attention. Level 3 is used for an error condition, and it means that something is happening to the system that is preventing the proper function. Level 4 is used for warning conditions and it may indicate that an error will occur if action is not taken soon.Level 5 is used for notice conditions and it means that the events are unusual, but they are not error conditions. Level 6 is used for information conditions and it is a normal operational message that requires no action. Level 7 is used for debugging conditions and it just information that is useful to developers as they are debugging their networks and applications.
Review the network diagram provided: Which of the following ACL entries should be added to the firewall to allow only the system administrator's computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ?(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) A.192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW B.192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW C.172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW D.172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW
D.172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW (Correct) Explanation OBJ-3.2: Since the scenario requires you to set up SSH access from the IT computer to all three servers in the DMZ, you will need to use a /24 subnet to set up the ACL rule correctly (or have 3 separate ACL entries). Since you can only select one in this example, you will have to use the /24 for the destination network. This means that the Source IP is 172.16.1.4 (IT computer), the Destination IP is 192.168.0.0/24 (the entire DMZ), the port is 22 for SSH and operates over TCP, and the condition is set to ALLOW
Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance: Which of the following statements is true? A.This is a normal request from a host to your web server in the screened subnet B.The passwd file was just downloaded through a webshell by an attacker C.The web browser used in the attack was Microsoft Edge D.A request to issue the cat command for viewing the passwd occurred but additional analysis is required to verify if the file was downloaded
D.A request to issue the cat command for viewing the passwd occurred but additional analysis is required to verify if the file was downloaded (Correct) Explanation OBJ-4.3: This is a post request to run the cat command against the passwd file from an outside source. It is not known from the evidence provided if this command were successful or not, but it should be analyzed further as this is not what would be expected, normal traffic. While the browser's default language was configured for Chinese (zh), this is easily changed and cannot be used to draw authoritative conclusions about the threat actor's true location or persona. The User-Agent used is listed as Mozilla, which is used by both Firefox and Google Chrome. For an in-depth analysis of the full attack this code snippet was taken from, please visit https://www.rsa.com/content/dam/en/solution-brief/asoc-threat-solution-series-webshells.pdf. This 6-page article is worth your time to look over and learn how a remote access web shell is used as an exploit.
Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach. They will assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? A.Block all employee access to social media from the company's network and begin monitoring your employee's email B.Require all employees to commit to an NDA about the data breach in writing C.Require all employees to commit to an NDA about the data breach verbally D.Ask a member of law enforcement to meet with your employees
D.Ask a member of law enforcement to meet with your employees (Correct) Explanation OBJ-4.1: Since the data breach is now the subject of an active law enforcement investigation, your organization should request that a law enforcement agent speaks with your employees to give them clear guidance on what they should and should not say to people outside of the investigation. Additionally, the company's system administrators and analysts should not perform any actions on the network until they receive law enforcement guidance. This will ensure that the employees do not accidentally destroy and tamper with potential evidence of the crime.
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A.Purge B.Degauss C.Destroy D.Clear
D.Clear (Correct) OBJ-2.1: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
In which phase of the security intelligence cycle do system administrators capture data to identify anomalies of interest? A.Analysis B.Dissemination C.Feedback D.Collection (Correct)
D.Collection Explanation OBJ-1.2: The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers' and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle develops.
You are a cybersecurity analyst, and your company has just enabled key-based authentication on its SSH server. Review the following log file: Which of the following actions should be performed to secure the SSH server? A.Disable remote root SSH logon B.Disable SSHv1 C.Disable anonymous SSH logon D.Disable password authentication for SSH
D.Disable password authentication for SSH (Correct) Explanation OBJ-3.2: It is common for attackers to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords. Based on the logs, you see the server runs SSHv2, so there is no need to disable SSHv1 (it may already be disabled). You don't want to fully disable remote root SSH logins, either, since this would make it difficult for administrators to conduct their work. Finally, based on the logs, it doesn't appear that anonymous SSH logins are an issue, either, as we don't see any anonymous attempts in the logs.
Susan is worried about the security of the master account associated with a cloud service and access to it. This service is used to manage payment transactions. She has decided to implement a new multifactor authentication process where one individual has the password to the account. Still, another user in the accounting department has a physical token to the account. To log in to the cloud service with this master account, both users would need to come together. What principle is Susan implementing by using this approach? A.Least privilege B.Transitive trust C.Security through obscurity D.Dual control authentication
D.Dual control authentication (Correct) Explanation OBJ-2.1: This approach is an example of dual control authentication. Dual control authentication is used when performing a sensitive action. It requires the participation of two different users to log in (in this case, one with the password and one with the token). Transitive trust is a technique via which a user/entity has already undergone authentication by one communication network to access resources in another communication network without having to undergo authentication a second time. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in the design or implementation of secrecy as the main method of providing security to a system or component.
An incident response team is publishing an incident summary report and is determining the evidence retention requirements for the data collected during a response. Which of the following incident response phases is currently being performed by the team? A.Detection and analysis B.Eradication and recovery C.Preparation D.Post-incident activities
D.Post-incident activities (Correct) Explanation OBJ-4.2: The post-incident activities phase is when report writing occurs, incident summary reports are published, evidence retention is determined, and lessons learned reports are created. An incident response has five stages: preparation, detection and analysis, containment, eradication and recovery, and post-incident activities.
Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network? A.Session hijacking B.Directory traversal C.Cross-site scripting D.Removable media
D.Removable media (Correct) Explanation OBJ-2.1: Air gaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.
You are analyzing the logs of a forensic analysts workstation and see the following: What does the bs=1M signify in the command list above? A.Sets the beginning sector B.Sends output to a blank sector C.Removes error messages and other incorrect data D.Sets the block size
D.Sets the block size (Correct) Explanation OBJ-4.4: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
The Pass Certs Fast corporation has recently been embarrassed by several high-profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? A.This approach assumes that the on-site administrators will provide better security than the cloud provider B.This is a reasonable approach that will increase the security of the servers and infrastructure C.The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration D.This approach only changes the location of the network and not the network's attack surface
D.This approach only changes the location of the network and not the network's attack surface (Correct) Explanation OBJ-5.2: A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the network's security. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument's fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company's physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.
Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation? A.Containment B.Quarantine C.Application blocklist D.URL filter
D.URL filter (Correct) Explanation OBJ-3.1: A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blocklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.
What SCAP component could be to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? A.CCE B.CVE C.CPE D.XCCDF
D.XCCDF (Correct) Explanation OBJ-3.4: XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
Which of the following tools is considered a web application scanner? A.OpenVAS B.Nessus C.Qualys D.ZAP
D.ZAP Explanation OBJ-1.4: OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.
From least mature to most mature, the NIST cybersecurity framework is
Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam.
The Metasploit Project is
a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Degaussing
a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed
XCCDF (extensible configuration checklist description format) is
a language that is used in creating checklists for reporting results.
The nmap tool is
a port scanner.
The Common Vulnerabilities and Exposures (CVE) system provides
a reference method for publicly known information-security vulnerabilities and exposures.
he Common Vulnerabilities and Exposures (CVE) system provides
a reference method for publicly known information-security vulnerabilities and exposures.
Common Platform Enumeration (CPE) is
a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
Nessus is
a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans.
Port security is useful only
against layer 2 addressing, which is not used for adversary C2 over the internet.
A network intrusion prevention system could disrupt
an adversary's C2 channel by shutting it down or blocking it. While a firewall ACL might be lucky enough to deny an adversary the ability to establish the C2 channel, a NIPS is better suited to detect and block an adversary than a static ACL entry.
Nessus, Qualys, and OpenVAS
are all classified as infrastructure vulnerability scanners.
DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail)
are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization.
A URL filter can
be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique but a blocking and filtering technique.
Data wiping or clearing occurs
by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse.
Physical destruction occurs by
mechanical shredding, incineration, or degaussing magnetic hard drives.
Serverless is a
modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on servers located within the cloud.
The zero-fill method relies on
overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method.
A conventional anti-virus would
potentially disrupt the installation phase of an adversary's attack, but it is unlikely to affect the C2 phase once installed.
An incident response has five stages:
preparation, detection and analysis, containment, eradication and recovery, and post-incident activities.
Purging involves
removing sensitive data from a hard drive using the device's internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one.
The cryptographic erase (CE) method
sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive.
A managed security service provider (MSSP) provides
security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings.
WAF (web application firewall) is
the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated.
Shredding involves
the physical destruction of the hard drive. This is a secure method of destruction but doesn't allow for device reuse.
OWASP Zed Attack Proxy (ZAP) is
the world's most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP).
Internet Relay Chat (IRC) used
to be extremely popular but was replaced by modern chat applications like Facebook Messenger, Google Hangouts, Slack, and numerous others. These days, IRC traffic is infrequent on most corporate networks.
The Common Configuration Enumeration (CCE) provides
unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools
Autopsy is
used in digital forensic investigations.
A secure erase (SE) is
used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available.
An application blocklist is
used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.
The post-incident activities phase is
when report writing occurs, incident summary reports are published, evidence retention is determined, and lessons learned reports are created
private IP addresses are
10.x.x.x, 172.16-31.x.x, or 192.168.x.x.
XCCDF (extensible configuration checklist description format) is:
:a language that is used in creating checklists for reporting results.
Common Platform Enumeration (CPE) is a:
:standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
The Common Configuration Enumeration (CCE) provides:
:unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis? A.APT B.DDoS C.Ransomware D.Software vulnerability
A.APT (Correct) Explanation OBJ-1.1: The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs and Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.
In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories? A.Collection B.Analysis C.Dissemination D.Feedback
A.Collection (Correct) Explanation OBJ-1.2: The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers' and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.
Trevor is responsible for conducting vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report? A.Create a custom report that is automatically emailed each month to the supervisor with the needed information (Correct) B.Run a report each month and then email it to his supervisor C.Create an account for the supervisor's assistant so they can create the reports D.Create an account for the supervisor to the vulnerability scanner so they can run the reports themselves
A.Create a custom report that is automatically emailed each month to the supervisor with the needed information (Correct) OBJ-1.4: The best solution is to design a report that provides all necessary information and configure it to send this report to the supervisor each month automatically. It is not a good practice to create additional accounts on the vulnerability scanner beyond what is necessary per the concept of least privilege. It is also inefficient for Trevor to run the reports each month and then email them to his supervisor. When possible, the use of automation should be encouraged.
Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it? A.Credit card data B.Insurance records C.Driver's license numbers D.Medical records
A.Credit card data (Correct) Explanation OBJ-5.1: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct internal and external scans at prescribed intervals on any devices or systems that process credit card data. HIPAA protects medical and insurance records, but this law doesn't define a frequency for vulnerability scanning requirements. Driver's license numbers are considered PII, but again, there is no defined frequency scanning requirement regarding protecting PII under law, regulation, or rule.
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? A.Endpoint forensics B.Endpoint behavior analysis C.Network forensics D.Network traffic analysis
A.Endpoint forensics (Correct) Explanation OBJ-4.4: An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as? A.Insider Threat B.Advanced persistent threat C.Zero-day D.Known threat
A.Insider Threat (Correct) Explanation OBJ-1.1: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. Based on the details provided in the question, it appears the employee's legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.
What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software? A.Polymorphic virus B.Logic bomb C.Ransomware D.Trojan
A.Polymorphic virus (Correct) Explanation OBJ-1.1: A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.
Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed? A.Regression testing B.Penetration testing C.Fuzzing D.User acceptance testing
A.Regression testing (Correct) Explanation OBJ-2.2: Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the specifications or contract requirements have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the system's security.
You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? A.The backup is a differential backup B.The backup was interrupted C.The backup is stored in iCloud. D.The backup is encrypted
A.The backup is a differential backup Explanation OBJ-4.4: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.
You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code: What BEST describes what is occurring and what action do you recommend to stop it? A.The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network B.The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network C.The host is beaconing to 123.12.34.12 every day at 10:42 by running nc.exe from the temp directory; you should recommend removing the host from the network D.The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely; No recommendation is required since this is not malicious activity
A.The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network (Correct) Explanation OBJ-4.3: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat (nc.exe) each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e cmd.exe) and connecting it back to the attacker's machine at 172.16.34.12 over port 443.
Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any? A.There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails B.There was a privacy violation since data minimization policies were not followed properly C.There was no privacy violation because only corporate employees had access to their email addresses D.There was no privacy violation since the customers were emailed securely through the customer relationship management tool Explanation
A.There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails (Correct) OBJ-5.1: According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose in which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optional follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored, if necessary, to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is using the data in ways that were not consented to by the customer, not which system the email was sent through. A privacy violation can occur when corporate employees view data if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for a specific purpose (as was the case in this scenario).
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer's hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend? A.Wiping B.Purging C.Shredding D.Degaussing
A.Wiping (Correct) Explanation OBJ-4.2: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device's internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn't allow for device reuse.
You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning:"The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved."You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: Based on your analysis, which of the following actions should you take? A.You tell the developer to review their code and implement a bug/code fix B.You recommend that the system administrator pushes out a GPO update to reconfigure the web browsers security settings C.You recommend that the system administrator disables SSL on the server and implements TLS instead D.This is a false positive and you should implement a scanner exception to ensure you don't receive this again during your next scan
A.You tell the developer to review their code and implement a bug/code fix (Correct) Explanation OBJ-1.7: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding "autocomplete=off" to the code's first line. The resulting code would be <form action="authenticate.php" autocomplete="off">.
You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE) A.the username and default password B.Create an allow list for the specific IP blocks that use this application C.Require two-factor authentication for access to the application D.Require an alphanumeric passphrase for the application's default password E.Rename the URL to a more obscure name F.Conduct a penetration test against the organization's IP space
A.the username and default password (Correct) B.Create an allow list for the specific IP blocks that use this application (Correct) C.Require two-factor authentication for access to the application (Correct) Explanation OBJ-3.2: First, you should change the username and default password since using default credentials is extremely insecure. Second, you should implement an allow list for any specific IP blocks with access to this application's administrative web frontend since it should only be a few system administrators and power users. Next, you should implement two-factor authentication to access the application since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application's default password. Since it is a default password, you can not change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization's IP space to identify other vulnerabilities, it will not positively affect remediating this identified vulnerability.