CompTIA CySA+ (CS0-003) Practice Exam #5

Consider the following REGEX search string: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following strings would NOT be included in the output of this search? 37.259.129.207 001.02.3.40 1.2.3.4 205.255.255.001

37.259.129.207 The \b delimiter indicates that we are looking for whole words for the complete string. The REGEX is made up of four identical repeating strings, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.". For now, let us refer to these octets, such as the ones used in internet protocol version 4 addresses. Each octet will allow the combination of 25[0-5] OR (|) 2[0-4][9-] OR numbers 00-99 is preceded by (?) a 0 or 1, or just a single number followed by a ".". Since the period is treated as a special character in a REGEX operator, the escape character (\) is required to enable the symbol to act as a dot or period in the output. This sequence repeats four times, allowing for all variations of normal IP addresses to be entered for values 0-255. Since 259 is outside the range of 255, this is rejected. More specifically, character strings starting with 25 must end with a number between 0 and 5 (25[0-5]). Therefore, 259 would be rejected. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answer first and see that they all look like IP addresses. Remember, grep, and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn't a valid IP address? Clearly, 37.259.129.107 is not a valid IP address, so if you had to guess as to what wouldn't be an output of this complex-looking command, you should guess that one!

You work in a highly secure facility that uses an isolated network with no internet connectivity. However, a malware infection has been detected in the network. What might be a plausible cause of this situation? An email phishing attack A compromised device was connected to the network A web-based exploit A network attack from an external attacker

A compromised device was connected to the network Even in an isolated network, malware can be introduced via compromised devices, such as USB drives, that are connected to the network. In an isolated network with no internet connectivity, an email phishing attack would not be a plausible cause of a malware infection. Without internet connectivity, a web-based exploit would not be a plausible cause of a malware infection in an isolated network. Without internet connectivity, a network attack from an external source would be very unlikely in an isolated network. The primary threat vectors in such scenarios are often related to internal actions or physical security breaches.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters All guests must provide valid identification when registering their wireless devices for use on the network Open authentication standards should be implemented on all wireless infrastructure Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

All guests must provide valid identification when registering their wireless devices for use on the network Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; What is the issue with the largest security issue with this line of code? This code is vulnerable to a buffer overflow attack The code is using parameterized queries The * operator will allow retrieval of every data field about this customer in the CUSTOMER table An SQL injection could occur because input validation is not being used on the id parameter

An SQL injection could occur because input validation is not being used on the id parameter This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like' or '1' ='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the where clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.

Which of the following type of solutions would you classify an FPGA as? Hardware security module Anti-tamper Trusted platform module Root of trust

Anti-tamper A field-programmable gate array (FPGA) is an anti-tamper mechanism that makes use of a type of programmable controller and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique features of the device. This means that tampering with a device, such as removing the chip or adding an unknown input/output mechanism, can be detected. A remedial action like using zero-filling cryptographic keys can be performed automatically. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. It is a solution that may be less susceptible to tampering and insider threats than a traditional software-based storage solution. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. A hardware root of trust (RoT) or trust anchor is a secure subsystem that can provide attestation to declare something as true.

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? Application blacklist Disable removable media Application hardening Application whitelist

Application blacklist You should create and implement an application blacklist that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application whitelists will allow only authorized applications to be run, while application blacklists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive. Application whitelists and blacklists can be deployed to hosts on the network using a GPO update.

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? Anti-malware solution Application whitelisting Host-based firewall Intrusion detection system

Application whitelisting Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn't prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? BGP looking glass usage Registrar checks WHOIS lookups Banner grabbing

Banner grabbing Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization's remote host.

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: -=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=- ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7 -=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=- Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? XML SQL QR coding Base64

Base64 While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question's example output.

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered? White box Red box Gray box Black box

Black box In a black box assessment, the penetration tester takes an average hacker's role with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

In the event of a severe network outage due to a natural disaster, which document would you rely on to continue essential business operations? Incident Response Plan Network topology document Patch Management Document Business Continuity Plan

Business Continuity Plan A Business Continuity Plan is designed to maintain essential business functions during and after a disaster. This is the key document in a scenario where the organization is dealing with a network outage due to a storm. Patch Management involves the process of updating system software with codes intended to fix problems (patches). This document does not directly relate to sustaining business operations during a disaster. While this plan is essential in handling security incidents, it does not directly pertain to disaster scenarios like a storm-induced network outage. This document describes the layout of the network but does not guide an organization on maintaining operations during a disaster.

If a critical software application starts to slow down with each applied security patch, how might this affect vulnerability management? By ensuring seamless integration with other systems in the network By causing hesitation or delays in applying patches due to the fear of degrading system performance By making the application more robust and resistant to crashes By increasing user satisfaction with the application

By causing hesitation or delays in applying patches due to the fear of degrading system performance If patching degrades performance, an organization might hesitate to apply necessary patches, leaving the system vulnerable. Degrading performance is likely to decrease user satisfaction, not increase it, and it may discourage timely vulnerability patching. While robustness is a desirable feature, performance degradation doesn't enhance it and may actually cause hesitations in patching vulnerabilities. System integration and vulnerability management are distinct considerations; performance degradation doesn't improve integration.

Jeff has been contacted by an external security company and told that they had found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately? Delete the repository Change the repository from public to private Investigate if the source code was downloaded Revaluate the organization's information management policies

Change the repository from public to private Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company's ongoing business operations. Reevaluation of the company's information management policies should be done, but this is not as time-critical as changing the repository's public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.

An organization cannot immediately remediate a known system vulnerability due to operational constraints. Which strategy can be used to reduce the risk associated with this vulnerability in the meantime? Compensating Controls Biometric Authentication Data Loss Prevention (DLP) Digital Forensics

Compensating Controls Compensating controls are alternative measures to reduce the risk associated with a vulnerability when direct remediation isn't immediately possible. While digital forensics can investigate security incidents, it does not directly reduce the risk associated with a known vulnerability. While DLP measures protect data, they do not directly address specific system vulnerabilities. While biometric authentication can enhance system access security, it doesn't directly reduce the risk associated with a specific system vulnerability.

A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? Acquire the recovery key Conduct a brute-force attack against the FileVault 2 encryption Extract the keys from iCloud Retrieve the key from memory while the volume is mounted

Conduct a brute-force attack against the FileVault 2 encryption FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The Recovery key can also be obtained either from the user's notes or from their storage area of iCloud. You cannot unlock the volume by conducting a brute force attack against the drive. It uses the AES 256-bit encryption system, which is currently unbreakable without access to a supercomputer. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal: [ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10 [ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10 [ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10 [ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10 [ATTEMPT] target 192.168.1.142 - login "root" - pass "a1b2c" 5 of 10 What type of test is the penetration tester currently conducting Conducting a Denial of Service attack on 192.168.1.142 Conducting a ping sweep of 192.168.1.142/24 Conducting a port scan of 192.168.1.142 Conducting a brute force login attempt of a remote service on 192.168.1.142

Conducting a brute force login attempt of a remote service on 192.168.1.142 The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace? Capitalism Entrepreneurship Counterfeiting Recycling

Counterfeiting While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization's supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect your network's security.

An analyst's vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans. However, the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation? Configure the vulnerability scanners to run in credentialed mode Create a script to automatically update the signatures every 24 hours Ensure the analyst manually validates that the updates are being performed as directed Test the vulnerability remediations in a sandbox before deploying them into production

Create a script to automatically update the signatures every 24 hours Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion. Still, it won't solve this scenario since we are concerned with the scanning portion or vulnerability management and not remediation.

Among the following vulnerabilities, which one was reported as a "Top 10" due to its common occurrence and the potential severity of its impact? SolarWinds SUNBURST Attack Cross-Site Scripting (XSS) Poodle Attack Spectre Attack

Cross-Site Scripting (XSS) XSS vulnerabilities are widespread across web applications and can lead to serious consequences, such as user data theft, making this the correct answer. While the Poodle Attack was significant and impacted SSL 3.0 protocol, it is not categorized as a top 10 widespread vulnerability. The SolarWinds SUNBURST was a severe, targeted supply chain attack, not a common vulnerability like XSS. The Spectre attack was an impactful hardware vulnerability, but it's not typically categorized as a top 10 vulnerability.

Review the following packet captured at your NIDS: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack1, win 511, options [nop,nop, TS val 263451334 erc 482862734, length 125 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? DENY IP HOST 71.168.10.45 ANY EQ 25 DENY TCP ANY HOST 71.168.10.45 EQ 3389 DENY IP HOST 86.18.10.3 EQ 3389 DENY TCP ANY HOST 86.18.10.3 EQ 25

DENY TCP ANY HOST 71.168.10.45 EQ 3389 Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? DMZ NIDS Subnet GPO

DMZ A triple-homed firewall connects to three networks internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts. Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.

Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system? Anti-malware router filters Subdomain whitelisting Route poisoning DNS blackholing

DNS blackholing DNS blackholing is a process that uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply. Route poisoning prevents networks from sending data somewhere when the destination is invalid. Routers do not usually have an anti-malware filter, and this would be reserved for a unified threat management system. Subdomain whitelisting would not apply here because it would imply that you are implicitly denying all traffic and only allow whitelisted subdomains to be accessed from the hosts that would affect their operational utility to the organization.

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? DNS poisoning MAC spoofing ARP spoofing DNS brute forcing

DNS poisoning DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.

After an unexpected data breach, the cybersecurity team at a financial institution analyzed logs and found suspicious traffic originating from an IP address known to be linked with the WannaCry ransomware attack. In this scenario, what incident response activity is being performed by the cybersecurity team? Data and log analysis Eradication Containment Recovery

Data and log analysis The cybersecurity team is performing data and log analysis, a key incident response activity. They are analyzing logs to identify the cause of the data breach and determine the extent of the intrusion. Containment is the process of limiting the extent of an intrusion and preventing it from spreading further. In this scenario, the team is analyzing data and logs, not containing the breach. Eradication involves eliminating the threat from the network, which can't be done until the threat is fully understood. The team is still at the analysis stage. Recovery involves restoring systems to normal operation and implementing measures to prevent future similar attacks. The team hasn't reached this stage yet; they are still analyzing logs to understand what happened.

You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it? Data sanitization Data retention Data recovery Data correlation

Data correlation Data correlation is the first step in making sense of data from across numerous sensors. This will ensure the data is placed concerning other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. By conducting data correlation, it allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.

Which of the following will an adversary so during the delivery phase of the Lockheed Martin kill chain? (SELECT THREE) Select a decoy document to present to the victim Adversary triggering exploits for non-public facing servers Deliberate social media interactions with the target's personnel Release of malicious email Direct action against public-facing servers Collect press releases, contract awards, and conference attendee lists

Deliberate social media interactions with the target's personnel Release of malicious email Direct action against public-facing servers During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.

You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities that are being exposed while maintaining the security of the corporate network? Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities Utilize a server with multiple virtual machine snapshots installed o it, restore from a known compromised image, then scan it for vulnerabilities Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities

Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities To ensure your corporate network's safety, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker is unable to exploit the vulnerabilities but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to the security of the server.

Your incident response team has identified a persistent threat actor who has used a spear-phishing attack to compromise a system in your network. The actor used this system to move laterally within the network, stealing sensitive data. The team wants to understand the relationship between the adversary, the victim system, the phishing infrastructure used by the attacker, and the lateral movement capability. Which framework would best help them in this analysis? Diamond Model of Intrusion Analysis Cyber Kill Chain OWASP Testing Guide MITRE ATT&CK

Diamond Model of Intrusion Analysis The Diamond Model of Intrusion Analysis provides a framework for understanding the four key elements of a cyber attack: the adversary (threat actor), the victim (compromised system), the infrastructure (phishing setup), and the capability (lateral movement). The Cyber Kill Chain describes the stages of a cyber attack, but it does not specifically analyze the relationships between the adversary, victim, infrastructure, and capability. The OWASP Testing Guide provides a methodology for testing web application security, not for analyzing a cyber attack's relationships. The MITRE ATT&CK framework details tactics, techniques, and procedures used by attackers, but it does not specifically address the relationship between adversary, victim, infrastructure, and capability.

Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor's tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it? Collection Dissemination Analysis Feedback

Dissemination The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

An organization has hired a cybersecurity analyst to conduct an assessment of their current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first? Intranet portal reviews Enumeration Technical control audits DNS query log reviews

Enumeration Scanning and enumeration are used to determine open ports and identify the software and firmware/device types running on the host. This is also referred to as footprinting or fingerprinting. This technique is used to create a security profile of an organization by using a methodological manner to conduct the scanning. If this scan is conducted from outside of the organization's network, it can be used to determine the network devices and information available to an unauthorized and external attacker. A DNS query log review, intranet portal review, or technical control audit would require internal access to the network, which is typically not accessible directly to an external attacker.

A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ cat dns.log | bro-cut query gu2m9qhychvxrvh0eift.com oxboxkgtyx9veimcuyri.com 4f3mvgt0ah6mz92frsmo.com asvi6d6ogplqyfhrn0p7.com 5qlark642x5jbissjm86.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? The DNS server is running out of memory due to a memory resource exhaustion attack Fast flux DNS is being used for an attacker's C2 Data exfiltration is being attempted by an APT The DNS server's hard drive is being used as a staging location for a data exfiltration

Fast flux DNS is being used for an attacker's C2 The fast flux DNS technique rapidly changes the IP address associated with a domain. It allows the adversary to defeat IP-based blacklists, but the communication patterns established by the changes might be detectable. Based on the evidence provided above, you only know that a fast flux DNS is being used. It is impossible to tell if data exfiltration, drive capacity consumption, or memory consumption is occurring.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? GLBA HIPAA SOX COSO

HIPAA The Health Insurance Portability and Accountability Act (HIPPA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be following in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on various governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.

Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, "Killers of the Arctic." She believes this was done in response to her company's latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement? Script kiddie Hacktivist Organized crime APT

Hacktivist It appears this hack was motivated by a pro-environmentalist agenda based on the message of the website defacement. This is an example of hacktivism. In 2012, five top multi-national oil companies were targeted by members of Anonymous as a form of digital protests against drilling in the Arctic, a practice that these hacktivists believe has contributed to the melting of the ice caps in that region.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? Hardware write blocker Forensic drive duplicator Degausser Software write blocker

Hardware write blocker Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? Replace the Windows POS terminals with standard Windows systems Build a custom OS image that includes the patch Identify, implement, and document compensating controls Remove the POS terminals from the network until the vendor releases a patch

Identify, implement, and document compensating controls Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

After a recent cybersecurity incident in your organization, an executive summary has been prepared for senior management. However, the executives have also asked for recommendations on improving security posture and preventing such incidents in the future. Where can they find this information? In the scope section of the incident response report In the public relations communication In the lessons learned section of the incident response report In the executive summary

In the lessons learned section of the incident response report The lessons learned section often contains recommendations based on the analysis of the incident, providing valuable insights on how to improve the organization's security posture. The scope section typically outlines what systems and data were impacted by the incident, not future improvement recommendations. The executive summary usually provides a high-level overview of the incident and does not typically contain detailed recommendations for future action. Public relations communications are generally outward-facing and are not typically used to present internal improvement recommendations.

You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything and then call the company's public relations officer to ask if a press release had been published, which it has not. Which of the following has likely occurred? Inadvertent release of information Disclosing based on regulatory requirements Communication was limited to trusted parties Release of PII and SPI

Inadvertent release of information It is most likely that an inadvertent release of information has occurred. This could have occurred due to communication not being limited to trusted parties or information being shared amongst the analyst using insecure communication methods. Based on the scenario, we cannot tell if the data breach (if one has actually occurred) involved the release of PII or SPI. Part of any good communications plan understands that you are required to disclose information based on regulatory requirements. When that disclosure occurs, it will usually be accompanied by a press release.

Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise? Software Defined Networking (SDN) Software as a Service (SaaS) Infrastructure as Code (IaC) Infrastructure as a Service (IaaS)

Infrastructure as Code (IaC) IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.whamiedyne.com/app/accountInfo?acct=12345 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- You change the URL to end with 12346 and notice that a different user's account information is now displayed. Which of the following type of vulnerabilities or threats have you discovered? Race condition XML injection Insecure direct object reference SQL injection

Insecure direct object reference This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. An attacker can modify one or more of these four basic functions in a SQL injection attack by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the developer's order and timing, which is not the case in this scenario.

You've been hired as a security consultant for a small business that operates a single, isolated network with no internet connection. Given the isolated nature of the network, which of the following attack vectors should you primarily be concerned about? Data exfiltration via the internet DDoS attacks Phishing attacks Insider threats

Insider threats With no internet connection, the risk of insider threats becomes a primary concern. Insiders with malicious intent or those who unwittingly cause a security incident can be a significant threat in an isolated network environment. Phishing attacks are typically carried out via email or other forms of electronic communication. In an isolated network with no internet connection, the risk of phishing attacks is considerably less. Without an internet connection, the risk of data exfiltration via the internet is significantly less. Data could still potentially be exfiltrated through physical means, but not via the internet. DDoS attacks typically require an internet connection, as they involve overwhelming a network with traffic from multiple sources. An isolated network with no internet connection is not susceptible to this kind of attack.

Which of the following classifications would apply to patents, copyrights, and trademarks? Intellectual property PII Trade secrets PHI

Intellectual property Patents, copyrights, and trademarks are all considered to be intellectual property. Trade secrets are considered proprietary and are not protected by governments. Personally identifiable information (PII) is any data that could be used to identify a particular person. Protected health information (PHI) is any information about health status, provision of health care, or payment for health care linked to a specific individual.

Your company's cybersecurity team has been tracking vulnerability data over time. What might be the significance of observing a consistent upward trend in the discovery of new vulnerabilities? It could indicate a need for improved security measures or updated software The company's servers are becoming more efficient The company's network bandwidth is being utilized efficiently There is a decreased need for vulnerability scanning

It could indicate a need for improved security measures or updated software An upward trend in vulnerabilities may signal a need to enhance cybersecurity defenses. On the contrary, an upward trend would indicate an increased need for thorough vulnerability scanning. Network bandwidth usage isn't directly related to the trend in vulnerability discoveries. While efficiency is important, an upward trend in vulnerability discoveries is not an indicator of server efficiency.

What is the primary role of customer communication during an incident response? It is primarily used to inform customers about their legal obligations It maintains transparency and trust with customers by keeping them informed about the situation It helps customers to remediate the incident It collects evidence for further investigation

It maintains transparency and trust with customers by keeping them informed about the situation Timely and accurate communication with customers during an incident can help maintain their trust and reassurance, showing that the situation is being handled appropriately. While informing customers about possible actions they should take might be part of communication, the primary aim isn't to have customers remediate the incident. While customer communication might include relevant legal information depending on the situation, its main purpose isn't to inform customers about their legal obligations. The main purpose of customer communication isn't to gather evidence. That's typically the responsibility of incident response or forensics teams. Continue Retake test Course content Overview Q&AQuestions and answers Notes Announcements Reviews Learning tools

In managing the cybersecurity of a multinational banking corporation, how would the use of a specific Key Performance Indicator such as 'Time To Patch' enhance the overall effectiveness and responsiveness of the vulnerability management process, especially considering the high-risk nature of the banking sector? It would give the organization an accurate measurement of current patching efficiency To identify new market opportunities To assess employee performance across departments To evaluate the company's growth potential

It would give the organization an accurate measurement of current patching efficiency Time to patch is a key performance indicator (KPI) that measures the average amount of time it takes to patch a vulnerability. A low time to patch indicates that an organization is quickly fixing known vulnerabilities, which can help to reduce the risk of exploitation. Identifying market opportunities is typically not associated with vulnerability management KPIs; these KPIs aim to quantify the success of security practices. While business growth is an important consideration, metrics and KPIs in vulnerability management specifically measure the effectiveness of security processes. While important, this is not the primary purpose of vulnerability management KPIs; these KPIs measure the effectiveness of security management.

An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose? RADIUS Kerberos TACACS TACACS+

Kerberos The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS, and TACACS+ are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.

You are a security analyst for a large company. You are monitoring your network traffic when you notice a suspicious connection between one of your servers and an unfamiliar IP address. The connection is using a high number of ports and is transferring a large amount of data. You have never seen this IP address before and you are not sure what it is. What indicator of compromise (IOC) does this activity likely represent? Malware infection File system changes Irregular system processes Unauthorized software

Malware infection The server may have been infected with malware that is communicating with a command-and-control (C&C) server. The C&C server could be used to control the malware, steal data, or launch other attacks. These changes could potentially signify a compromise, but they do not directly correspond to the suspicious network traffic observed. While unauthorized software is a potential indicator of compromise, it does not correlate with the suspicious network traffic seen here. Although these could be an indicator of a system compromise, they do not directly relate to the suspicious network traffic observed in this scenario.

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? External zone Management network DMZ Internal zone

Management network The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.

Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network? NAC VPN DMZ UTM

NAC Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, the user or system authentication, and network security enforcement. NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware detection programs. NAC also regulates and restricts the things individual subscribers or users can do once they are connected. If a user is unknown, the NAC can quarantine the device from the network upon connection.

Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO) Port security NAC GPS location Geo-IP

NAC GPS location Network Access Control is used to identify an endpoint's characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building. Port security enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. This would not help to locate the individual based on their location, though. Geo-IP, or geolocation and country lookup of a host-based on its IP address, would identify the country of origin of the user, but not whether they are within the building's confines. Geo-IP is also easily tricked if the user logs in over a VPN connection.

A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the Operating System version of the system installed at 192.168.1.45. The analyst asks you to look over the results of their nmap scan results: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Starting NMAP 7.60 at 2020-06-12 21:23:15 NMAP scan report for 192.168.1.45 Host is up (0.78s latency). Not shown: 992 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:0C:29:18:6B:DB -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following operating systems is most likely used by the host? Networked printer Windows server Windows workstation Linux server

Networked printer Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP for most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, 445 are found, this is usually a good indication of a Windows file server. Port such as FTP, telnet, SMTP, and http is used by both Windows and Linux servers; therefore, they are not as helpful to indicate which operating system is in use by the host.

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information has you been asked to provide? PHI PII CUI IP

PII Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information.

You are conducting a static code analysis of a Java program. Consider the following code snippet: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- String custname = request.getParameter("customerName"); String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on the code above, what type of secure coding practice is being used? Authentication Input validation Parameterized queries Session management

Parameterized queries A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks. This code snippet is an example of a Java implementation of a parameterized query. Input validation would involve the proper testing of any input supplied by a user to an application. Since the first line takes the custname input without any validation, this is not an example of the input validation secure coding practice. Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Authentication is the act of proving an assertion, such as the identity of a computer system user. This code snippet is neither a form of session management nor authentication. For the exam, you should not fully understand what this code is doing, but you should understand what it is not doing. There is nothing in the code that indicates session management or receiving usernames and passwords. Therefore, we can rule out session management and authentication. This leaves us with input validation and parameterized queries as our best options. Based on the code, we see the word query multiple times, which should be a hint that the answer is a parameterized query even if you can't read this Java code fully.

A threat actor infiltrates your organization's network and plants malicious software that remains dormant, only to activate and spread at a specific time. This software allows the attacker to maintain a presence within your network even after initial detection and cleaning efforts. Which stage of the MITRE ATT&CK framework does this action best represent? Defense Evasion Initial Access Command and Control Persistence

Persistence The MITRE ATT&CK framework includes Persistence as a stage that describes the techniques an adversary may use to maintain their foothold in a network despite interruptions such as system restarts or periodic credential updates. Command and Control represents the communication channel between the compromised systems and the adversary, not the tactics used to remain in the network. Defense Evasion involves techniques to avoid detection, while the scenario described pertains to maintaining presence within the network. Initial Access refers to the stage when the adversary first breaches the network, not the methods used to maintain a presence within the network.

In 2014, Sony Pictures Entertainment suffered a major cyberattack that led to the theft and leak of confidential data. In response to the incident, a pre-established set of procedures were invoked. These procedures contained detailed guidelines for handling such scenarios, from initial detection to post-incident recovery. What term is typically used to refer to these detailed procedural guidelines? Tabletop exercise Playbooks Business continuity disaster recovery planning Training

Playbooks Playbooks provide detailed instructions on how to handle specific types of incidents. They are part of the preparation phase of the incident management life cycle. Training involves educating the workforce about potential incidents and how to respond, but it does not specifically focus on creating detailed instructions for handling specific types of incidents. Tabletop exercises are used to test the effectiveness of an organization's incident response plan and team by role-playing a hypothetical incident. They do not involve creating detailed instructions for specific incident types. Business continuity disaster recovery planning involves planning for maintaining business operations during and after a disruptive incident. It does not involve creating detailed instructions for specific incident types.

Which term refers to the process of determining which vulnerabilities to address first based on their risk scores, impact, and other factors? Patch Distribution Firewall Configuration Prioritization Intrusion Detection

Prioritization When prioritizing vulnerabilities, several factors come into play. The severity of a vulnerability determines its potential impact, with high-impact vulnerabilities, like those granting system control, given higher priority. The likelihood of exploitation also plays a role, favoring vulnerabilities with higher probabilities, such as publicly disclosed ones. Additionally, the cost of remediation influences prioritization, as expensive fixes may require allocation within the organization's budget. By considering these factors, informed decisions can be made on vulnerability prioritization, leading to benefits such as saved resources, improved security, and compliance with regulations. Ultimately, prioritizing vulnerabilities enhances security posture and reduces the risk of attack. This refers to the process of delivering patches or updates to systems, not determining the order in which vulnerabilities are addressed. This is a process of setting up a firewall's settings to control network traffic, not the process of deciding which vulnerabilities to address first. Intrusion detection refers to the methods used to detect unauthorized access to a system or network.

Among the following strategies for dealing with multiple known vulnerabilities, which one is deemed MOST crucial for their successful management and mitigation? The type of vulnerabilities Prioritizing the risk level associated with each vulnerability The number of vulnerabilities The location of vulnerabilities

Prioritizing the risk level associated with each vulnerability Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge. The type of vulnerabilities may provide some context, but it is the risk associated with each that should primarily drive prioritization. While knowing where vulnerabilities reside is important, it's not the main factor in prioritization. The risk each vulnerability carries is more critical. The number alone does not give an accurate picture of prioritization. Not all vulnerabilities pose the same level of risk.

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred? Privacy breach Financial breach Integrity breach Proprietary breach

Privacy breach A data breach is an incident where information is stolen or taken from a system without the system's owner's knowledge or authorization. If sensitive personally identifiable information (PII) was accessed or exfiltrated, then a privacy breach has occurred. If information like trade secrets were access or exfiltrated, then a proprietary breach has occurred. If any data is modified or altered, then an integrity breach has occurred. If any information related to payroll, tax returns, banking, or investments is accessed or exfiltrated, then a financial breach has occurred.

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? Purge, validate, and document the sanitization of the drives Clear the drives The drives must be destroyed to ensure no data loss Clear, validate, and document the sanitization of the drives

Purge, validate, and document the sanitization of the drives Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

You've been asked to create a script to automate your organization's vulnerability scanning process and report any detected vulnerabilities. The tool you're integrating with has an API that can be utilized for this purpose. What language, often used in cybersecurity for scripting, could you use to write this script? Python AbuseIPDB SQL SOAR

Python Python is a popular language for scripting in cybersecurity due to its readability and extensive library support, making it ideal for automating tasks like vulnerability scanning. SQL stands for Structured Query Language. It is a programming language designed for managing data held in a relational database management system (RDBMS), or for stream processing in a relational data stream management system (RDSMS). This language is not usually used for scripting tools. SOAR stands for Security Orchestration, Automation, and Response, which is a concept in cybersecurity that helps unify and automate security operations, but it is not a scripting language. AbuseIPDB is a tool for reporting and checking potentially malicious IP addresses and is not a language used for scripting.

Which phase of the Cyber Kill Chain involves the gathering of information about the target system, its technologies, potential vulnerabilities, and users? Weaponization Exploitation Delivery Reconnaissance

Reconnaissance Reconnaissance is the initial phase of the Cyber Kill Chain that involves gathering information about the target system, its technologies, potential vulnerabilities, and users. The weaponization phase involves packaging an exploit into a deliverable payload, not gathering information about a target system. Exploitation involves the execution of the delivered exploit, not gathering information about a target system. The delivery phase involves transmitting the weaponized bundle to the victim, not gathering information about a target system.

A buffer overflow vulnerability in Dion Cybertronix Corporation's system was resolved and verified. However, after some weeks, the same vulnerability was identified again. What does this situation demonstrate? Secure Coding Access Control Mitigation Recurrence

Recurrence This situation demonstrates recurrence, as a previously resolved vulnerability has appeared again. The growing complexity of modern systems adds to the challenge, making it harder to identify and address all vulnerabilities. Mitigation reduces the likelihood of the vulnerability being exploited. While secure coding aims to prevent vulnerabilities, the reappearance of a vulnerability does not directly relate to it. Access control manages who can access resources in a system. It does not directly relate to the reappearance of a vulnerability.

Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed? Regression testing Fuzzing Penetration testing User acceptance testing

Regression testing Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the specifications or contract requirements have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the system's security.

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk? SHA-256 3DES AES RSA

SHA-256 SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? SMS should be encrypted to be secure SMS is a costly method of providing a second factor of authentication SMS messages may be accessible to attackers via VoIP or other systems SMS should be paired with a third factor

SMS messages may be accessible to attackers via VoIP or other systems NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.

Your organization has been experiencing several cybersecurity incidents, including data breaches and compliance violations, that seems to stem from the software your team develops. What approach can you implement to systematically reduce these incidents? Patch Management Waterfall Model Secure Software Development Life Cycle (SDLC) Agile Development

Secure Software Development Life Cycle (SDLC) Implementing a Secure SDLC involves integrating security considerations into every phase of software development. This not only helps prevent security vulnerabilities but also ensures data protection, compliance with regulations, and reduces the chances of operational disruptions, making it the ideal approach to decrease the cybersecurity incidents your organization is experiencing. The waterfall model is a linear approach to software development where one phase must be completed before the next begins. While it provides structure to the development process, it does not inherently emphasize security considerations, and therefore may not help to reduce security incidents. While patch management is crucial for maintaining up-to-date security, it is a reactive approach. It may help to fix known vulnerabilities but does not prevent the introduction of new vulnerabilities during software development. Hence, it does not offer a comprehensive solution to the problem at hand. Agile development focuses on rapid and iterative development, which allows for flexibility and quick changes. However, without integrating a focus on security into each sprint, this method alone might not be effective in reducing cybersecurity incidents.

During the 2017 WannaCry ransomware attack, cybersecurity professionals across organizations globally rushed to contain the spread and impact of the ransomware. In this effort, they used a variety of software solutions designed to detect, analyze, and respond to security incidents. A popular open-source platform that provides comprehensive capabilities for network traffic analysis and log management was used extensively. What is the name of this platform? Kali Linux Metasploit Wireshark Security Onion

Security Onion Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes a collection of tools to monitor and analyze networks and helps in effective incident response. Metasploit is a penetration testing platform that is used for developing and executing exploit code against a remote target machine. It is not primarily a tool for network traffic analysis and log management. While Wireshark is a useful tool for analyzing network traffic, it doesn't provide the comprehensive log management features offered by Security Onion. While Kali Linux is a popular Linux distribution for cybersecurity professionals, it is primarily used for penetration testing and security auditing, rather than network traffic analysis and log management.

Which of the following vulnerabilities was the MOST critical due to its high potential impact and exploitability? Logjam Shellshock Drupalgeddon Stagefright

Shellshock Shellshock, also known as the Bash bug, is a critical vulnerability that was discovered in 2014. It affected the Bash shell, a widely used command-line interface in Unix-based systems, and allowed attackers to execute arbitrary commands remotely, posing a severe risk to the security and integrity of affected systems. Drupalgeddon refers to a highly critical vulnerability discovered in the Drupal content management system in 2014. The vulnerability allowed remote code execution, enabling attackers to gain unauthorized access to Drupal-based websites and potentially compromise sensitive data. Although Drupalgeddon was a serious vulnerability in the Drupal content management system, it didn't reach the same level of impact or exploitability as Shellshock. Stagefright was a critical security vulnerability discovered in 2015 that affected the Android operating system. It allowed attackers to exploit vulnerabilities in the multimedia messaging system, enabling remote execution of malicious code through a multimedia message (MMS). While Stagefright was a serious vulnerability affecting Android devices, it didn't have the same level of impact or exploitability as Shellshock. Logjam is a security vulnerability that was discovered in 2015, affecting the Diffie-Hellman key exchange protocol used in TLS encryption. It allowed attackers to downgrade encrypted connections to weaker key sizes, making it easier to decrypt and intercept secure communications. While Logjam was a significant vulnerability affecting Diffie-Hellman key exchange, it did not have the same level of exploitability and impact as Shellshock.

You are trying to find some files that were deleted by a user on a Windows workstation. What two locations are most likely to contain those deleted files? Slack space Unallocated space Recycle bin Registry

Slack space Recycle bin Files that users have deleted are most likely found in the Recycle Bin or slack space. Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user. Unallocated space has not been partitioned and, therefore, would typically not have been written to. The registry will not store files that have been deleted but may contain a reference to the file, such as the file's name.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? CHAP RADIUS TACACS+ Kerberos

TACACS+ TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? Applications architecture Business architecture Technical architecture Data architecture

Technical architecture TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization's approach to storing and managing information assets. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

In the Diamond Model of Intrusion Analysis, what does the Victim component represent? The tools and techniques used in the attack I The entity that is targeted by the attack The entity conducting the attack The physical and virtual resources utilized in the attack

The entity that is targeted by the attack The Victim in the Diamond Model of Intrusion Analysis represents the entity that is targeted by the cyber attack. The entity conducting the attack is represented by the Adversary, not the Victim. The physical and virtual resources utilized in the attack are represented by Infrastructure, not the Victim. The tools and techniques used in the attack are represented by Capability, not the Victim.

You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? The host might be used as a command and control node for a botnet -- you should immediately disconnect the host from the network The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device The host might be offline and conducted backups locally -- you should c

The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don't usually need to store data locally, and you noticed that a host's disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.

You have just returned from a business trip to a country with a high intellectual property theft rate. Which of the following precautions should you take before reconnecting your laptop to your corporate network? (SELECT TWO) The laptop should be physically inspected and compared with images made before you left The laptop's hard drive should have full-disk encryption enabled The laptop should be permanently destroyed The laptop's hard drive should be degaussed prior to use The laptop should be scanned for malware The laptop should be sanitized and reimaged

The laptop should be physically inspected and compared with images made before you left The laptop should be scanned for malware While scanning for viruses is a good idea and should be done, that alone is insufficient to detect all the ways an advanced adversary could have manipulated your laptop if it were outside of your custody for any significant length of time, such as leaving it in your hotel room. A 'before' image would be needed to compare the laptop to upon returning to detect possible hardware modifications. Destruction might be wasteful without evidence of a possible crime. Therefore, this is not the best option. Reimaging may be advantageous but will not remove any hardware modifications an attacker may have installed. Degaussing is considered a purging activity, but it will also destroy the laptop's hard drive. While enabled full disk encryption is a good security practice, it should have been enabled before the trip. Once you return, encrypting the drive will not help if the attacker already modified the laptop.

What does the Infrastructure component of the Diamond Model of Intrusion Analysis refer to? The entity that is targeted by the attack The physical and virtual resources utilized in the attack The tools and techniques used in the attack The entity conducting the attack

The physical and virtual resources utilized in the attack The Infrastructure component of the Diamond Model of Intrusion Analysis refers to the physical and virtual resources utilized in the attack. The tools and techniques used in the attack are represented by Capability, not Infrastructure. The entity conducting the attack is represented by the Adversary, not Infrastructure. The entity that is targeted by the attack is represented by the Victim, not Infrastructure.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still showing the servers as vulnerable? (SELECT ALL THAT APPLY) The wrong IP address range was scanned during your vulnerability assessment This critical patch did not remediate the vulnerability The vulnerability assessment scan is returning a false positive You conducted the vulnerability scan without waiting

This critical patch did not remediate the vulnerability The vulnerability assessment scan is returning a false positive There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which is based on the description in the question. If the patch was installed successfully, as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors test their patches before release to prevent this, they are sometimes rushed into production with extremely critical patches. The patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch to fix it and supersede the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning. It is assumed that you are scanning the same IP range both times as you have verified your scan configuration.

You're an incident response team member at a prominent financial institution. A recent intrusion, such as the infamous Equifax breach, has potentially exposed customer financial data. As part of your incident response duties, you need to liaise with the legal department to address potential liabilities and discuss the way forward. What primarily makes this interaction imperative? To request additional funding for cybersecurity tools To ensure compliance with data breach laws To educate them about cybersecurity To inform them of the technical details of the breach

To ensure compliance with data breach laws Data breach laws and regulations require institutions to take certain actions in the event of a data breach, which could include notifying affected customers and regulatory bodies within a specific time frame. While it's important to share some details with the legal team, they typically do not need to know the intricate technical aspects of the breach. The focus should be more on legal implications and steps to manage potential liabilities. Although securing funding for improved cybersecurity could be a long-term goal, it's not the primary reason to communicate with the legal department after a breach. Legal should be involved to ensure regulatory compliance and address potential liabilities. Though educating everyone about cybersecurity is beneficial, it's not the primary reason for communicating with the legal department in this situation. The main aim is to ensure the company's response aligns with legal requirements.

What is the primary purpose of compensating controls in information security? To replace existing security controls To provide alternative security measures when a primary control is not feasible To decrypt encrypted data To test the effectiveness of security controls

To provide alternative security measures when a primary control is not feasible Compensating controls indeed offer alternative ways of achieving the same level of defense when a primary security control cannot be applied for some reason. Compensating controls do not generally replace primary controls, but supplement them when they can't be implemented. Compensating controls are security measures in their own right, not tools for testing other controls. Compensating controls are not related to data decryption, which is a cryptographic operation.

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflash the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? Utilize file integrity monitoring Install a host-based IDS Utilize secure boot Install an anti-malware application

Utilize secure boot Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? Utilizing a non-credential scan Utilizing an operating system SCAP plugin Utilizing an authorized credential scan Utilizing a known malware plugin

Utilizing an operating system SCAP plugin Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry-standard and support testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? Vulnerability scanning Scan and patch the device Automatic updates Configuration management

Vulnerability scanning The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could be a possible solution. These are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation. Other configurations outside the appliance to minimize the vulnerabilities it presents.

You have run a vulnerability scan and received the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following categories should this be classified as? PKI transfer vulnerability Web application cryptography vulnerability VPN tunnel vulnerability Active Directory encryption vulnerability

Web application cryptography vulnerability This vulnerability should be categories as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? FQDN resolution Split horizon Zone transfers DNS poisoning

Zone transfers A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? http.request.method=="POST" && ip.dst==10.1.2.3 ip.dst==10.1.2.3 ip.proto==tcp http.request.method=="POST"

http.request.method=="POST" && ip.dst==10.1.2.3 Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? Google hacking nmap Review network diagrams shodan.io

shodan.io Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company's public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company's network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren't, they cannot show the current "as is" configuration. If you can only select one tool to find your attack surface's current and historical view, shodan is your best choice.

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system? printenv bash which bash ls -l bash dir bash

which bash By executing the "which bash" command, the system will report the file structure path to where the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate a compromised machine. The ls command will list the current directory and show any files or folders named bash. The printenv command would print the value of the specified environment variable specified, bash in this example. The dir command is used to list the contents of a directory, much like ls does.