CompTIA CySA Most Recent
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? Attempt to identify all the false positives and exceptions, then resolve any remaining items Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first
Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, the assets that are critical to the secure handling or storage of PHI carry the highest risk and should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items, since they won't be prioritized for remediation. You should also not wait to perform additional scanning, because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and you do not scan, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either, because then you have removed them from the production environment, and they can no longer serve their critical business functions.
Which of the following sets of Linux permissions is ordered from least permissive to most permissive? 777, 444, 111 544, 444, 545 111, 734, 747 711, 717, 117
111, 734, 747 From least to most permissive, the best answer is 111, 734, and 747. Linux permissions are read "owner, group, other." They also have numbers that are 4 (read), 2 (write), and 1 (execute). If a number shown is 7, that is 4+2+1 (read/write/execute) permissions. Therefore, the least permissive set is 000, and the most permissive is 777. The permission set of 111 is execute-execute-execute. The permission set of 734 is read/write/execute-write/execute-read. The permission set of 747 is read/write/execute-read-read/write/execute.
Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)
192.168.1.12, 172.16.1.3, 445, UDP, DENY 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW 172.16.1.12, 192.168.1.3/24, 445, TCP, ALLOW 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW
You have just finished running an nmap scan on a server and see the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining.com
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining.com (64.13.134.52)
Not shown: 996 filtered ports
PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? 53 22 23 443
23 Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).
You are reviewing a rule within your organization's IDS. You see the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this rule, which of the following malicious packets would this IDS alert on? Any malicious outbound packets Any malicious inbound packets A malicious outbound TCP packet A malicious inbound TCP packet
A malicious inbound TCP packet The rule header (the first line of this IDS rule) is set to alert only on TCP packets. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule, and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port being analyzed, and the direction of flow.
A mission-critical system is offline at an organization due to a zero-day attack. The associated software vendor plans to release a patch to remediate the vulnerability. Which of the following are important patch management considerations for this scenario? (Select the three best options.) A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins D. A routine schedule for the rollout of noncritical patches
A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins A patch test environment where technicians can install, test, and analyze urgent and important patches before deployment into production would be a vital consideration for this scenario. The organization should immediately push delivery of critical security patches at the earliest availability when mission-critical services are in question. A specific team or person responsible for reviewing vendor-supplied newsletters and security patch bulletins is necessary for this type of event. While creating a routine schedule for the rollout of noncritical patches has merit, it does not illustrate important patch management considerations in this example. A security analyst would address noncritical patches at a later time.
An engineer is considering appropriate risk responses using threat modeling. They are trying to understand which threat actors are in scope for their organization. How does threat modeling identify the principal risks and tactics, techniques, and procedures (TTPs) for which their system may be susceptible? (Select the three best options.) A. By evaluating the system from an attacker's point of view B. By evaluating a system from a neutral perspective C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective
A. By evaluating the system from an attacker's point of view C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective Threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) for which a system may be susceptible through evaluating systems from an attacker's point of view. Diagrams can show how a security analyst can deconstruct a system into its functional parts to analyze each area for potential weaknesses. Analyzing systems from a defender's perspective is another way that threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) to which a system may be susceptible. Evaluating systems from a neutral perspective is not a method used in threat modeling.
A computer emergency response team (CERT) is quickly reacting to an attack on the network infrastructure of a semiconductor manufacturer. What is true about a CERT? (Select the three best options.) A. CERTs mitigate cybercrime. B. CERTs work with local law enforcement. C. CERTs provide knowledge of trending attacks. D. CERTs publish a wide variety of information concerning threats.
A. CERTs mitigate cybercrime. B. CERTs work with local law enforcement. C. CERTs provide knowledge of trending attacks. A CERT aims to mitigate cybercrime and minimize damage by responding to incidents quickly. CERTs work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks. CERTs coordinate responses to major events like natural disasters or terrorist attacks. This allows CERTs to provide knowledge and information regarding trending and observed attacks. The government is responsible for protecting the country's constituents and the national infrastructure and for publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance.
A support manager is giving essential security training to the help desk. Which control class is the support manager implementing? A. Operational B. Technical C. Detective D. Managerial
A. Operational Operational controls are primarily implemented and executed by people (as opposed to systems). For instance, security guards and training programs are examples of operational controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. These are primarily executed by systems (hardware, software, or firmware). Detective controls are measures taken to detect and respond to incidents or vulnerabilities. These controls provide insight into anomalies or abnormal patterns in the environment. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
A geographically diverse group of hackers commit fraud against a small company for commercial gain. What type of threat actor committed this fraud? A. Organized crime B. Hacktivist C. Nation-state D. Insider threat
A. Organized crime An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage. An insider threat arises from an actor whom an organization has identified and granted access to.
A CEO of a small corporation has decided to continue using a legacy system despite security concerns. This is an example of which risk management principle? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference
A. Risk acceptance Risk acceptance means the company continues to operate without change after they evaluate an identified risk item, such as using a legacy system despite security concerns. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.
A systems administrator runs a scan on an application server and finds several vulnerabilities. The issues are not severe, and patches are available in each instance. The administrator decided to install the available patches. What risk management principle did they demonstrate? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference
A. Risk mitigation The system administrator is practicing risk mitigation by installing the patches and reducing the vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.
A system administrator is performing patching on their organization's system. The administrator realizes the maintenance window will close before they complete the patching. What action must the administrator take to abide by the change management policy? A. Rollback to the system's previous state B. Rollout earlier patches C. Rollback to a system's initial state D. Rollout system patches
A. Rollback to the system's previous state Change management policy dictates that patching must finish quickly enough to accommodate rollback plans if trouble occurs—without overrunning the maintenance window. Change management rollback is the process of undoing a system's changes to restore the system to an earlier, pre-change state. The appropriate terminology for a rollout of earlier patches is rollback. The organization performs rollouts during a maintenance window when they implement new patches. Rolling back to a system's initial state is possible but unadvisable because of security concerns. Simply rolling back to the previous state is the best course of action. Rolling out system patches is a task performed during open maintenance windows. Patch management teams rely on maintenance windows to complete patch rollouts.
While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; What is the largest security issue with this line of code? The code is using parameterized queries An SQL injection could occur because input validation is not being used on the id parameter This code is vulnerable to a buffer overflow attack The * operator will allow retrieval of every data field about this customer in the CUSTOMER table
An SQL injection could occur because input validation is not being used on the id parameter This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like ' or '1'='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the WHERE clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.
An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? The community string being used is invalid Any listed answers may be true The machines are not running SNMP servers The machines are unreachable
Any listed answers may be true The best option is all of the answers listed. SNMP doesn't report closed UDP ports, and SNMP servers don't respond to invalid information requests. The "no response" can mean that the systems cannot be reached (either internally or externally). If you entered an invalid community string, then SNMP will be unable to provide a response or report its findings.
A system administrator is hardening a newly provisioned server with software patches and security updates. What functional security control is the system administrator performing? A. Detective B. Preventative C. Corrective D. Compensating
B. Preventative Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Implementing software patches and security updates are examples of preventative controls. The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. A good example of a corrective control is a backup system that can restore data damaged during an intrusion. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
A support team is preparing for an upcoming maintenance window. What tasks should the support team accomplish during the proactive maintenance windows? (Select the three best options.) A. Implement untested patches B. Restart devices C. Analyze events D. Restore critical services after a backup test
B. Restart devices C. Analyze events D. Restore critical services after a backup test Devices are often restarted during maintenance windows to apply updates, reset connections, and refresh systems. This is a standard maintenance procedure aimed at ensuring that services run optimally post-maintenance. Analyzing events during maintenance is important for identifying irregularities that could indicate problems with the maintenance activities or potential security issues. This analysis is proactive and helps in ensuring the health and security of the IT environment. Restoring critical services after a backup test can be part of a proactive maintenance strategy. This helps in confirming that backup systems are functioning correctly and that critical services can be restored in case of a failure, ensuring business continuity. While patch implementation is a crucial task, it is not typically done during the maintenance window without prior testing. Patches should be tested thoroughly before the maintenance window to ensure they do not cause issues when applied.
Someone with a casual interest in hacking techniques launches a random attack against a widely known enterprise using tools readily available online. What type of threat actor is likely behind this attack? A. Insider threat B. Script kiddie C. Organized crime D. Hacktivist
B. Script kiddie A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An insider threat arises from an actor whom an organization has identified and granted access to. An organized crime gang can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.
A security consultant is using the dark web as a source of defensive open-source intelligence (OSINT). Which of the following should the consultant be aware of when using the dark web? (Select the three best options.) A. The dark web is protected by a single layer of encryption. B. The dark web serves as an operating platform for cybercrimes. C. Threat actors leverage the dark web for criminal activities. D. The dark web can pro
B. The dark web serves as an operating platform for cybercrimes. C. Threat actors leverage the dark web for criminal activities. D. The dark web can pro
An organization recently had an attack that resulted in system data loss. The system administrator must now restore the system with a data backup. What functional security control was the system administrator able to implement? A. Preventative B. Responsive C. Corrective D. Compensating
C. Corrective The system administrator used a corrective control after the attack. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Responsive controls serve to direct corrective actions enacted after the organization confirms the incident. They often document these actions in a playbook. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
A security analyst reviews a firewall log's source IP addresses to investigate an attack. These logs are a representation of what type of functional security control? A. Corrective B. Preventative C. Detective D. Compensating
C. Detective The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure Security Agency. Which source of defensive open-source intelligence (OSINT) does the agency represent? A. CERT B. Internal sources C. Government bulletins D. CSIRT
C. Government bulletins The government is responsible for protecting the country's constituents and the national infrastructure and for publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement. A computer emergency response team (CERT) aims to mitigate cybercrime and minimize damage by responding to incidents quickly. Internal sources matter as well: evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the protected environment. A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems.
A large corporation's security operations center (SOC) team is processing a recent incident. The team refers to a playbook for guidance about the incident. What type of functional security control does the playbook represent? A. Corrective B. Preventative C. Responsive D. Compensati
C. Responsive Responsive controls serve to direct corrective actions enacted after the SOC team confirms the incident. The team often documents these actions in a playbook. An example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
An IT director reviews a cyber security audit and learns that an old accounting server is significantly out of compliance. Rather than attempting repairs, the director concludes that decommissioning the server is the safest course of action. What is the risk management principle the IT director is following? A. Risk acceptance B. Risk mitigation C. Risk avoidance D. Risk transference
C. Risk avoidance The IT director is electing to follow risk avoidance because of the risk and cost of bringing the server into compliance. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover that a software application has numerous high-severity security vulnerabilities. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.
Which of the following elements is LEAST likely to be included in an organization's data retention policy? Maximum retention period Classification of information Description of information that needs to be retained Minimum retention period
Classification of information Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.
A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? Extract the keys from iCloud Retrieve the key from memory while the volume is mounted Conduct a brute-force attack against the FileVault 2 encryption Acquire the recovery key
Conduct a brute-force attack against the FileVault 2 encryption FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The recovery key can also be obtained either from the user's notes or from their storage area in iCloud. You cannot unlock the volume by conducting a brute-force attack against the drive. It uses the AES 256-bit encryption system, which is currently unbreakable without access to a supercomputer. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on.
A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this? Use DevSecOps to build the application that processes the PHI Conduct tokenization of the PHI data before ingesting it into the big data application Utilize a SaaS model to process the PHI data instead of an on-premise solution Utilize formal methods of verification against the application processing the PHI
Conduct tokenization of the PHI data before ingesting it into the big data application The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of the data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a de-identification control and should be used since the personally identifiable medical data does not need to be retained after ingesting it for the research project; only the medical data itself is needed. While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue, making it a less ideal answer choice for the exam. Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak it. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system's inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects. The option provided that recommends utilizing a SaaS model is not realistic.
A vulnerability scan has returned the following results: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Detailed Results 10.56.17.21 (APACHE-2.4) Windows Shares Category: Windows CVE ID: - Vendor Ref: - Bugtraq ID: - Service Modified - 8.30.2017 Enumeration Results: print$ c:\windows\system32\spool\drivers files c:\FileShare\Accounting Temp c:\temp -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What best describes the meaning of this output? There is no CVE present, so this is a false positive caused by Apache running on a Windows server Windows Defender has a known exploit that must be resolved or patched There is an unknown bug in an Apache server with no Bugtraq ID Connecting to the host using a null session allows enumeration of the share names on the host
Connecting to the host using a null session allows enumeration of the share names on the host The results of the vulnerability scan show an enumeration of open Windows shares on a server running Apache. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no CVE associated with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null session enumeration result.
You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? Self-service password reset Single sign-on Context-based authentication Password complexity
Context-based authentication Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their own problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember. Still, if their credentials are stolen, then the attacker can now access every system the user had access to, extending the problem. Password complexity is also a good thing to use, but it won't address the challenge presented in how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise. However, if the credentials are compromised any other way, the attacker could still log in to our systems and cause trouble.
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? Continuous monitoring Continuous integration Continuous delivery Continuous deployment
Continuous deployment Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. While continuous deployment and continuous delivery sound very similar, there is one key difference. In continuous delivery, a human is still required to approve the release into the production environment. In continuous deployment, the test and release process into the production environment is automated, making the changes available for immediate release once the code is committed.
During a simulated attack on your organization's network, the red team identified several vulnerabilities and successfully exfiltrated data. The red team then used these vulnerabilities and the steps they took to create an example of a possible real-world attack. Which framework does this attack sequence BEST represent? Cyber Kill Chain OWASP Testing Guide MITRE ATT&CK Diamond Model of Intrusion Analysis
Cyber Kill Chain The Cyber Kill Chain, developed by Lockheed Martin, describes the stages of a cyber attack. The steps taken by the red team align with this model, from the identification of vulnerabilities (reconnaissance), through exploitation and installation, to achieving their objectives (exfiltration). The Diamond Model focuses on the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It doesn't represent a sequential progression of an attack. The MITRE ATT&CK framework provides a matrix of tactics, techniques, and procedures (TTPs) used by cyber adversaries. While it's useful for detailing attacker behavior, it doesn't provide a linear progression of an attack. The OWASP Testing Guide provides a methodology for testing the security of web applications. It doesn't describe the stages of a cyber attack.
A threat actor obtains and releases confidential information about a political candidate to the public domain. The information damages the person's candidacy and helps the opposing party. These actions were likely performed by which type of threat actor? A. Insider threat B. Script kiddie C. Organized crime D. Hacktivist
D. Hacktivist Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. An insider threat arises from an actor whom the organization has identified and granted access. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.
Agents from a sovereign region in North Africa perform a cyber attack against the energy infrastructure of a neighboring republic. What type of threat actor does this scenario illustrate? A. Insider threat B. Organized crime C. Hacktivist D. Nation-state
D. Nation-state Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage. An insider threat arises from an actor whom an organization has identified and granted access. An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.
The legal affairs team of an international conglomerate elects to assign certain risks to a third party. Which risk management principle are they implementing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference
D. Risk transference Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe.
A security engineer installs a next-generation firewall on the perimeter of a network. This installation is an example of what type of security control class? A. Managerial B. Operational C. Detective D. Technical
D. Technical Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The engineer would implement a technical control as a system (hardware, software, or firmware). Managerial controls give oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Operational controls are primarily implemented by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls. A detective control is a functional control type, not a security control class.
What type of information will a Cisco switch be configured to capture when logging at level 7? Debugging Errors Warnings Emergencies
Debugging Cisco's log levels range from level 0 for emergencies to level 7 for debugging, which can be quite noisy but provides large amounts of information for analysis during an incident response.
Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test? Reverse engineering Denial-of-service attacks Physical penetration attempts Social engineering
Denial-of-service attacks A denial-of-service or DoS attack isn't usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test's scope.
You are a security investigator at a high-security installation which houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following steps in the preparation phase of the incident response was likely missed? Creating a call list or escalation list Conduct background screenings on all applicants Development of a communication plan Developing a proper incident response form
Development of a communication plan An established and agreed-upon communication plan, which may also include a non-disclosure agreement, should be put in place to prevent the targets of an ongoing insider threat investigation from becoming aware of it. Even if it was later determined that George was innocent, the knowledge that he was being investigated could be damaging to both him and the company. If he was an insider threat who now suspects he is under investigation, he could take steps to cover his tracks or conduct destructive action. While background screenings may prevent some people from becoming insiders, they would not prevent the unauthorized disclosure of information concerning the investigation. A call list/escalation list will help manage this kind of problem and keep the right people informed, but it will not explicitly deal with the issue of inadvertent disclosure. Similarly, a proper incident response form may include guidance for communication but would have been orchestrated as part of a larger communications plan that detailed the proper channels to use.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? Exact data match Classification Statistical matching Document matching
Exact data match
After issuing the command "telnet diontraining.com 80" and connecting to the server, what command conducts the banner grab? PUT / HTTP/2.0 PUT / HTTP/1.1 HEAD / HTTP/1.1 HEAD / HTTP/2.0
HEAD / HTTP/1.1 To conduct a banner grab using telnet, you first must connect to the server using "telnet webserver 80". Once the connection is established, you will receive a blank prompt, and you then issue the command "HEAD / HTTP/1.1". It requests the document header from the server and provides information such as the server software version and the server's operating system.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? Increase the encryption level of VPN used by the laptops Require 2FA (two-factor authentication) on the laptops Implement a jumpbox system Scan the laptops for vulnerabilities and patch them
Implement a jumpbox system A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jumpbox system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.
Which element of the preparation phase of the incident management life cycle primarily involves the creation of detailed strategies and procedures to effectively detect, respond to, and recover from network security incidents? Incident response plan Tools Business continuity disaster recovery Playbooks
Incident response plan The incident response plan is the core strategy document outlining procedures for detecting, responding to, and recovering from network security incidents. While playbooks are closely related and provide a detailed step-by-step guide on how to respond to specific types of incidents, they don't represent the broad strategic overview provided by an incident response plan. Tools are technical resources used in incident response but they don't represent the overall strategic plan for responding to incidents. While business continuity and disaster recovery planning is a crucial part of the preparation, it typically focuses on maintaining operations and recovering from serious incidents that disrupt normal business operations rather than handling a wide range of potential network security incidents.
Why is 'Alert Volume' a significant metric in the context of incident response? It measures the impact of an incident on the organization It can indicate the scale of an incident and help assess the performance and capacity of detection systems It provides a timeline of the incident for legal purposes It determines the time taken to detect an incident
It can indicate the scale of an incident and help assess the performance and capacity of detection systems Alert Volume refers to the number of alerts generated during an incident. It can provide insights into the scale of an incident and the performance of detection systems. While an unusually high alert volume could indicate a problem that needs addressing, this metric itself does not determine the time taken to detect an incident. Alert volume can give an idea of the scale of an incident, but it does not directly measure its impact on an organization. The alert volume metric does not provide a detailed timeline of the incident, which is typically required for legal or investigative purposes.
Stephane was asked to assess the technical impact of a reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization's WHOIS data. Which category of technical impact should he classify this as? High Low Critical Medium
Low This would be best classified as a low technical impact. Since WHOIS data about the organization's domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is actually published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? Malicious processes Off-hours usage Unauthorized sessions Failed logins
Malicious processes A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization, for example, if a limited-privilege user is signed into a domain controller. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attempt to crack a user's password.
An employee complains that her computer is running abnormally slow, so you conduct an analysis of the NetFlow data from her workstation. Based on the NetFlow data, you identify a significant amount of traffic from her computer to an IP address in a foreign country over port 6667 (IRC). Which of the following is the most likely explanation for this? The employee is using Internet Relay Chat to communicate with her friends and family overseas This is routine machine-to-machine communications in a corporate network Malware has been installed on her computer and is using the IRC protocol to communicate The computer has likely been compromised by an APT
Malware has been installed on her computer and is using the IRC protocol to communicate Internet Relay Chat (IRC) used to be extremely popular but was replaced by modern chat applications like Facebook Messenger, Google Hangouts, Slack, and numerous others. These days, IRC traffic is infrequent on most corporate networks. Therefore, this would be classified as suspicious and require additional investigation. The unencrypted nature of the protocol makes it easy to intercept and read communications on this port. Still, even so, there are many types of malware that use IRC as a communication channel. Due to this cleartext transmission, an APT would avoid using IRC for its C2 channel, preferring to blend in with regular network traffic and avoid detection. IRC is not normally used for machine-to-machine communications in corporate networks. Because the scenario mentioned a connection to a foreign country, as part of your investigation, you should ask the employee if they have friends or family overseas in that country to rule out the possibility that this is acceptable traffic.
Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? DMZ Internal zone External zone Management network
Management network The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.
A cyber security consultant is examining security control classes for an Infrastructure as a Service (IaaS) provider. The classes measure how effectively assets are protected. Which security control class would the consultant examine to gain oversight of the information system? A. Technical B. Managerial C. Operational D. Detective
Managerial The managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The consultant would implement technical controls as a system (hardware, software, or firmware). Operational controls are primarily implemented by people rather than by systems. For example, security guards and training programs are operational controls rather than technical controls. The detective control is a functional control type, not a security control class.
According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could disrupt an adversary's effort during the C2 phase of the kill chain? Port security Firewall ACL DNS redirect NIPS
NIPS A network intrusion prevention system could disrupt an adversary's C2 channel by shutting it down or blocking it. While a firewall ACL might be lucky enough to deny an adversary the ability to establish the C2 channel, a NIPS is better suited to detect and block an adversary than a static ACL entry. A conventional anti-virus would potentially disrupt the installation phase of an adversary's attack, but it is unlikely to affect the C2 phase once installed. Port security is useful only against layer 2 addressing, which is not used for adversary C2 over the internet.
Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment? Nikto Nessus Qualys OpenVAS
Nikto Nikto is a web application scanner that can perform comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. While OpenVAS, Nessus, and Qualys have the ability to scan the web servers themselves for vulnerabilities, they are not the best option to conduct a web application vulnerability assessment. OpenVAS, Nessus, and Qualys are infrastructure vulnerability scanners that focus on vulnerabilities with hosts and network devices.
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? SAML ADFS Kerberos OpenID Connect
OpenID Connect OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Which of the following vulnerabilities was a zero-day exploit, meaning it was exploited before a patch became available? Petya Operation Aurora Krack Attack SMBGhost
Operation Aurora Operation Aurora was a series of cyberattacks that targeted government agencies, defense contractors, and technology companies in the United States and Canada. The attacks, which took place in 2009, used spear-phishing emails to deliver malicious software to victims' computers. Operation Aurora involved sophisticated cyber attacks that exploited a zero-day vulnerability in Internet Explorer, making this the correct answer. Petya is a ransomware computer worm that encrypts a victim's files and demands a ransom payment in Bitcoin in order to decrypt them. It was first discovered in March 2016, and has since been used in a number of high-profile attacks, including the 2017 Ukraine cyberattacks. Petya was a significant ransomware attack, but it was not a zero-day exploit. KRACK, also known as Key Reinstallation Attacks, is a serious security vulnerability in the Wi-Fi Protected Access (WPA2) protocol. WPA2 is the most commonly used security protocol for Wi-Fi networks. KRACK allows attackers to decrypt data that is being transmitted over a Wi-Fi network, including passwords, emails, and credit card numbers. The Krack Attack was a serious vulnerability but it was not a zero-day exploit. SMBGhost, also known as CVE-2020-0796, is a remote code execution vulnerability in the Server Message Block (SMB) protocol. SMB is a network protocol used for file sharing, printing, and other network services. SMBGhost is a critical vulnerability that can be exploited by attackers to execute arbitrary code on a vulnerable system. While SMBGhost was a significant vulnerability, it was not exploited before a patch was available.
Your organization is transitioning to a cloud environment and wants to ensure its new infrastructure is secure. What tool could you utilize to assess the security of your cloud infrastructure? Burp Suite Pacu Nessus Nmap
Pacu Pacu is a comprehensive security tool specifically designed for AWS environments. It is a widely-used tool for cloud infrastructure assessments, offering features like security scanning, credential checking, and the ability to execute sophisticated attack scenarios. Nessus is a very useful tool for vulnerability scanning, but it's not specifically designed for cloud infrastructure assessments. It can identify vulnerabilities within network devices, operating systems, databases, and web applications, but does not offer the specialized capabilities of a tool like Pacu for cloud environments. Nmap is a free and open-source network scanner designed to discover hosts and services on a computer network, but it is not a specialized tool for cloud infrastructure assessments. Burp Suite is a tool primarily used for testing web application security and is not designed to assess the security of cloud infrastructure.
You are conducting a static code analysis of a Java program. Consider the following code snippet: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- String custname = request.getParameter("customerName"); String query = "SELECT account_balance FROM user_data WHERE user_name = ?"; PreparedStatement pstmt = connection.prepareStatement(query); pstmt.setString(1, custname); ResultSet results = pstmt.executeQuery(); -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on the code above, what type of secure coding practice is being used? Session management Input validation Parameterized queries Authentication
Parameterized queries A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks. This code snippet is an example of a Java implementation of a parameterized query. Input validation would involve the proper testing of any input supplied by a user to an application. Since the first line takes the custname input without any validation, this is not an example of the input validation secure coding practice. Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Authentication is the act of proving an assertion, such as the identity of a computer system user. This code snippet is neither a form of session management nor authentication. For the exam, you do not need to fully understand what this code is doing, but you should understand what it is not doing. There is nothing in the code that indicates session management or receiving usernames and passwords. Therefore, we can rule out session management and authentication. This leaves us with input validation and parameterized queries as our best options. Based on the code, we see the word query multiple times, which should be a hint that the answer is a parameterized query even if you can't read this Java code fully.
You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? Perform a scan from on-site Use a UDP scan Use an IPS evasion technique Scan using the -p 1-65535 flag
Perform a scan from on-site You should request permission to conduct an on-site scan of the network. If the organization's network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services running on the internal network. While nmap does provide some capabilities to scan through a firewall, it is not as detailed as being on-site.
Which of the following actions should you perform during the post-incident activities of an incident response? Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation Create an incident summary reporting with in-depth technical recommendations for future resourcing and budgeting Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection
Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident Most of these options are partially true, but only the evidence retention option is entirely accurate. If there is a legal or regulatory impact, evidence of the incident must be preserved for at least the timescale defined by the regulations. This can be a period of many years. If a civil or criminal prosecution of the incident perpetrators is expected, the evidence must be collected and stored using forensics procedures. The sanitizing of storage devices should not be performed to prevent liability but instead to prepare your evidence collection jump bag or kit for the next incident response. This should only be done once the evidence (dd images) has been transferred to a secure storage device following the evidence retention requirements. The incident summary report is generally used to provide recommendations to a wider, non-technical audience. Therefore, it should not be written in an in-depth technical manner. The lessons learned report should be widely shared across all incident response teams and the company's technical organization. If the lessons learned report is kept confidential and not shared, then the lessons are only recorded on paper and are never actually learned by others who could prevent future incidents.
In 2014, Sony Pictures Entertainment suffered a major cyberattack that led to the theft and leak of confidential data. In response to the incident, a pre-established set of procedures were invoked. These procedures contained detailed guidelines for handling such scenarios, from initial detection to post-incident recovery. What term is typically used to refer to these detailed procedural guidelines? Tabletop exercise Business continuity disaster recovery planning Training Playbooks
Playbooks Playbooks provide detailed instructions on how to handle specific types of incidents. They are part of the preparation phase of the incident management life cycle. Training involves educating the workforce about potential incidents and how to respond, but it does not specifically focus on creating detailed instructions for handling specific types of incidents. Business continuity disaster recovery planning involves planning for maintaining business operations during and after a disruptive incident. It does not involve creating detailed instructions for specific incident types. Tabletop exercises are used to test the effectiveness of an organization's incident response plan and team by role-playing a hypothetical incident. They do not involve creating detailed instructions for specific incident types.
Which tool should a malware analyst utilize to track changes to the registry and the file system while running a suspicious executable on a Windows system? Autoruns ProcDump DiskMon Process Monitor
Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
Which party in a federation provides services to members of the federation? IdP SSO SAML RP
RP Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties.
What are the 7 phases of the Cyber Kill Chain?
Reconnaissance. Weaponization. Delivery. Exploitation. Installation. Command and control. Action.
Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed? Fuzzing User acceptance testing Penetration testing Regression testing
Regression testing Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the specifications or contract requirements have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the system's security.
A cybersecurity analyst reviews the logs of a proxy server and sees the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? Returns all web pages containing an email address affiliated with diontraining.com Returns no useful results for an attacker Returns all web pages hosted at diontraining.com Returns all web pages containing the text diontraining.com
Returns all web pages containing an email address affiliated with diontraining.com Google interprets this query as *@diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded (hex) form of the @ symbol. The * is a wildcard character, meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? NetFlow SMTP SNMP MIB
SNMP Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.
A security analyst is conducting a log review of the company's web server and found two suspicious entries: [12Nov2020 10:07:23] "GET /logon.php?user=test'+oR+7>1%20--HTTP/1.1" 200 5825 [12Nov2020 10:10:03] "GET /logon.php?user=admin';%20--HTTP/1.1" 200 5845 The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <?php include('../../config/db_connect.php'); $user = $_GET['user']; $pass = $_GET['pass']; $sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'"; $result = mysql_query($sql) or die("couldn't execute query"); if (mysql_num_rows($result) != 0) echo 'Authentication granted!'; else echo 'Authentication failed!'; ?> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Based on source code analysis, which type of vulnerability is this web server vulnerable to? LDAP injection Directory traversal SQL injection Command injection
SQL injection Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the single-quote escape character (') used in the log entries. The script builds its query by concatenating the user-supplied values directly into the SQL string sent to the MySQL database, and no input validation is performed, so the query can be manipulated. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? Forcing the use of SSL for the web application Setting the secure attribute on the cookie Hashing the cookie value Forcing the use of TLS for the web application
Setting the secure attribute on the cookie When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.
Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish? Development Honeynet Honeypot Staging
Staging
Which of the following vulnerabilities was a zero-day exploit, meaning it was exploited before a patch was available? Stuxnet BlueKeep Heartbleed Meltdown
Stuxnet Stuxnet was a sophisticated worm that exploited several zero-day vulnerabilities in Windows systems, making this the correct answer. Meltdown was a critical vulnerability affecting processors, but it was not a zero-day exploit. BlueKeep was a critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), but it was not exploited before a patch was available. Heartbleed was a serious vulnerability in the OpenSSL library, but it was not a zero-day exploit.
An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts? The attack widely fragmented the image across the host file system You will need to roll back to an early snapshot and then merge any checkpoints to the main image File formats used by some hypervisors cannot be analyzed with traditional forensic tools All log files are stored within the VM disk image, therefore, they are lost
The attack widely fragmented the image across the host file system Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they spin up when needed and are then destroyed without preserving any local data once their task is complete), but this can lead to lost system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, any checkpoints must be merged into the main image using a hypervisor tool and then rolled forward, rather than recovering from an old snapshot. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or the analysis tool may not support them.
You were interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? The attacker must have access to the local network that the system is connected to Exploiting the vulnerability does not require any specialized conditions The attacker must have physical or logical access to the affected system Exploiting the vulnerability requires the existence of specialized conditions
The attacker must have access to the local network that the system is connected to The attack vector explains what type of access the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to locally exploit the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.
A cybersecurity analyst is reviewing the logs for his company's server and sees the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Process spawned by services.exe (c:\windows\system32\inetsrv\svchost.exe) Process spawned by services.exe (c:\windows\system32\cmd.exe) Command line (cmd /c start C:\WINDOWS\system32\wmiprvse.exe c:\WINDOWS\system32\ 2006) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? Unauthorized privileges are being utilized Data exfiltration is occurring over the network A common protocol is being used over a non-standard port Beaconing is establishing a connection to a C2 server
Unauthorized privileges are being utilized This appears to be an indication that unauthorized privileges are being used. The first binary, svchost.exe, executes from an odd location, which indicates it might be malicious. The process svchost.exe doesn't usually reside in the inetsrv folder on a Windows system, since this folder contains the Windows IIS web server files. Additionally, this file then spawned a binary that appears to be masquerading as a Windows process, the WMI Provider Host called wmiprvse.exe. This appears to be the beginning of a privilege escalation attack. Based on the output above, there is no evidence that data is being exfiltrated or stolen from the network. Based on the output above, there is no evidence that any network protocol is currently used over a non-standard port. Finally, there is no evidence of beaconing or network activity in this output.
A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? Processor consumption Unauthorized software Irregular peer-to-peer communication Data exfiltration
Unauthorized software This is a difficult question, but you should see a keyword in the query, "mimikatz." Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is definitely considered unauthorized software and should be immediately alerted upon if discovered in your network. Data exfiltration is the process by which an attacker takes data that is stored inside of a private network and moves it to an external network. Processor consumption is an IoC that monitors the per-process percentage of CPU time to show what causes the problem. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or data transfers.
Which of the following functions is not provided by a TPM? Secure generation of cryptographic keys Sealing Random number generation User authentication Binding Remote attestation
User authentication User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.
Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure? Blacklisting known malicious domain names Conduct detailed statistical analysis of the structure of domain names to detect anomalies Utilize a secure recursive DNS resolver to a third-party secure DNS resolver Blacklisting known malicious IP addresses
Utilize a secure recursive DNS resolver to a third-party secure DNS resolver Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS utilizes a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, these fast flux networks have communication patterns that might be detectable, though. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large-scale ISP or dedicated secure DNS providers will be better tailored to combating this issue.
Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? VPC UEBA VDI VPN
VDI Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? VM data remnant VM escape VM sprawl VM migration
VM escape Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.
Which of the following is not normally part of an endpoint security suite? VPN Anti-virus IPS Software firewall
VPN Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? Configuration management Automatic updates Vulnerability scanning Scan and patch the device
Vulnerability scanning The best option here is vulnerability scanning, as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could be possible solutions, but they are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls, such as firewall configurations, adding a WAF, providing segmentation, or other configurations outside the appliance that minimize the vulnerabilities it presents.
You have run a vulnerability scan and received the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following categories should this be classified as? Web application cryptography vulnerability PKI transfer vulnerability VPN tunnel vulnerability Active Directory encryption vulnerability
Web application cryptography vulnerability This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.
What SCAP component could be used to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? CVE XCCDF CPE CCE
XCCDF XCCDF (Extensible Configuration Checklist Description Format) is a language that is used in creating checklists for reporting results. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN OUTPUT ———————--------- # nmap win2k16.local Nmap scan report for win2k16 (192.168.2.15) Host is up (0.132452s latency) Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http # nc win2k16.local 80 220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1) # nc win2k16.local 22 SSH-2.0-OpenSSH_7.2 Debian-2 # ———————--------- END OUTPUT -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Your web server has been compromised Your email server is running on a non-standard port Your organization has a vulnerable version of the SSH server software installed Your email server has been compromised
Your email server is running on a non-standard port As shown in the nmap scan's output, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner returned shows that an SMTP server is listening on port 80. SMTP normally runs on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
Which of the following tools is considered a web application scanner? Qualys Nessus ZAP OpenVAS
ZAP OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner. It is free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.
Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure? aclman getfacl chbkup iptables
getfacl The getfacl command allows backups of directories to include permissions, saved to a text file. The setfacl command is used to restore the permissions from the backup created. The aclman and chbkup are not legitimate Linux commands. The iptables command is used to configure the Linux firewall, not the directory structure's file permissions. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day.
You are conducting static analysis of an application's source code and see the following: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- String query = "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='"+ request.getParameter("certification")+"'"; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for "id" and "certification", which of the following strings allow this to occur? id = "1' OR '1'==1" and certification = "cysa' OR '1=='1" id = "1' OR '1'=='1" id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" certification = "cysa' OR '1'=='1"
id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" The id and certification values must be crafted so that when substituted for the ".getParameter" fields, the SQL statement formed is still complete and will evaluate to true for the ENTIRE WHERE clause every time it is evaluated. The AND in the middle of the WHERE clause means that both the courseID and certification portions must be true for the whole clause to be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) journalctl _UID=1003 | grep -e [Tt]erri | grep sudo journalctl _UID=1003 | grep sudo journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo journalctl _UID=1003 | grep -e 1003 | grep sudo
journalctl _UID=1003 | grep sudo journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we can send that list of entries into the grep command as input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep's -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't be afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.
You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network? net group net config net use net user
net use The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command allows server and workstation services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.
Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following is cause for concern, and what mitigation would you recommend to overcome it? strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent an integer overflow
strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded. Rewriting the source code would be highly desirable but could be costly, time-consuming, and is not an immediate mitigation to the problem. The strcpy function (which is short for String copy) does not work on integers, and it only works on strings. As strcpy does not check for boundary conditions, buffer overflows are certainly possible using this deprecated method.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? tracert nbtstat ipconfig netstat
tracert The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.