CompTIA Security+ 2023 (SY0-601) Chapter 4
Select the scenarios where containment measures, such as isolation and segmentation techniques, should be taken. (Select all that apply.)
A worm has infected a device on the network. An unauthorized user accesses a server. The investigation of a recent incident is ongoing.
A secure military intelligence site has a local network, and each machine is Linux-only and secured in every way possible. Despite causing increased support time and higher costs, the network's execution control policy ensures that malicious software, not yet identified as such, cannot run on machines at the site. Determine the type of code execution policy that would have this effect.
Allow list
A malware expert wants to examine a new worm that is infecting Windows devices. Verify the sandbox tool that will enable the expert to contain the worm and study it in its active state.
Cuckoo
An incident has recently occurred at a medium-sized business. The business suspects an employee of leaking information online. As a result of the investigation, authorities have secured the employee's computer as evidence. Identify the term that describes this type of action.
Legal hold
A system has been compromised at a local business. In response, a help desk technician began recovery by powering the system down. As a result, what has been compromised?
Order of volatility
Describe the intended usage and purpose of the tcpreplay tool.
Reruns captured network traffic
Point out the ideal tools for collecting system, network, and security logs. These tools also aggregate and normalize log data, raise alerts based on correlation rule matches, and provide advanced tools for threat analytics, as well as complete history retention. (Select all that apply.)
SIEM; NXlog
An administrator of a Linux network is writing a script to transfer a list of local host names, contained in a file called hostnames, directly into the syslog file. Predict the CLI command the admin is likely to use to accomplish this.
logger -f hostnames
A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of both Windows and Linux machines. Assess the tools that the analyst could employ in this process for capturing system memory on either OS. (Select all that apply.)
memdump; WinHex; dd
A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA key pair?
openssl genrsa -out server.key 1024 (note: as written this produces an unencrypted 1024-bit key; add a cipher option such as -aes256 to encrypt the private key with a passphrase, and use at least 2048 bits in practice)
During an intrusion event, the cybersecurity officer of a corporate network takes action to isolate the intruder. Choose the methods or techniques that will allow the officer to isolate the intruder. (Select all that apply.)
Blackhole; Physical disconnection/air gapping; Sandboxing
A nationwide telecom company provides its employees with Android smartphones. After a major incident, the company discovered that its company-provided devices listened in on private board meetings. One employee's tablet was physically accessed, and admin suspects the threat actor tracked the employee's location utilizing GPS on the company smartphone. Determine the mitigation measure that would have most likely prevented these incidents.
Mobile Device Management (MDM)
A cybersecurity investigator is investigating what is thought to be data theft by a threat actor within the company. The stolen intellectual property was transferred to an unknown party at a known location. The company has provided each employee with several types of devices with service plans, which are under contract. The company has the legal right to investigate all activity on those devices and service plans. Recommend which metadata type to start with, to tie the suspect employee to the location of the transfer.
Mobile phone metadata
Improperly tuned system sensitivity of Security Information and Event Management (SIEM) dashboards can result in both false negatives and false positives. Describe how a security specialist might adjust the sensitivity of the dashboard's automated alerts.
Reduce or increase number of rules
Image acquisition is the process of obtaining a forensically clean copy of data from a device held as evidence. Which types of storage should be carefully imaged in an investigation? (Select all that apply.)
Volatile Non-volatile
A security administrator prepares to eavesdrop on the network and determine if there are any open ports. The admin will analyze the ports to determine if they are legitimate connections and if they should be open. Which tool will the admin most likely use?
Wireshark
A cyber forensic investigator is analyzing a disk image acquired from a suspect in a major network breach and wants to generate a timeline of events from the image. Predict the tool the investigator will use to piece together a timeline of events so that they can tie the hacker's disk to the breach in question.
Autopsy
A penetration tester is experimenting with Nmap on a test network. The tester would like to know the operating system of the target device. Select all Nmap commands that will provide the tester with OS information. (Select all that apply.)
nmap xxx.xxx.x.x -O; nmap xxx.xxx.x.x -A
A white-hat penetration tester is simulating an attack to check for vulnerabilities. The first step is to determine if the pen tester can scan for ports or services that have been left open, without being detected by the Intrusion Prevention System (IPS). Recommend a tool that fits the pen tester's requirements.
scanless
Select the methods of containment based on the concept of isolation. (Select all that apply.)
Blackhole; Physical disconnection/air gapping; Sandboxing
A mortgage company's firewall access control list blocks all traffic from bogon networks and a specific private address range but allows any HTTP, HTTPS, or SMTP traffic from any other source. Implicit denial occurs when traffic does not match any rule. At which point in the processing of an access control list is an implicit denial likely found?
Bottom of the rules list
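The access control list in the mortgage company scenario can be modelled as a short first-match rule walk. This is an added example, not code from the page or from any firewall product; the bogon list is a constructed subset, the blocked private range (10.0.0.0/8) is an assumption, and the rule names are illustrative. It also shows what goes wrong when the allow rule is placed above the denies, which the text only implies.

```python
import ipaddress

# Constructed, illustrative subset of bogon space (not a complete bogon table).
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
BLOCKED_PRIVATE = ipaddress.ip_network("10.0.0.0/8")   # assumed "specific private range"
ALLOWED_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP"}

# Rules in processing order: (name, predicate(src_ip, dst_port), action).
FIREWALL_RULES = [
    ("deny-bogons", lambda src, port: any(src in net for net in BOGON_NETWORKS), "deny"),
    ("deny-private-range", lambda src, port: src in BLOCKED_PRIVATE, "deny"),
    ("allow-web-and-mail", lambda src, port: port in ALLOWED_PORTS, "allow"),
]

def evaluate(src_ip, dst_port, rules=FIREWALL_RULES):
    """Walk the list top to bottom; the first matching rule decides.
    Traffic matching nothing falls off the bottom into the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for name, matches, action in rules:
        if matches(src, dst_port):
            return action, name
    return "deny", "implicit-deny"

def misordered_rules():
    """Same rules with the allow placed first: a bogon source on 443 now gets through."""
    return [FIREWALL_RULES[2], FIREWALL_RULES[0], FIREWALL_RULES[1]]

if __name__ == "__main__":
    for src, port in [("203.0.113.7", 443), ("10.1.2.3", 80),
                      ("127.0.0.1", 443), ("203.0.113.7", 22)]:
        print(src, port, evaluate(src, port))
    print("misordered:", evaluate("127.0.0.1", 443, misordered_rules()))
```

The last case (port 22 from an otherwise permitted source) matches no rule and is dropped by the implicit deny at the bottom, which is why that deny needs no explicit entry but must be assumed when reading the list.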
Select viable methods of investigation in the case of authentication attacks. (Select all that apply.)
Compare authentication logs with security and network logs. Use a SIEM dashboard to identify suspicious trends in user traffic. Search application logs for use of unauthorized applications.
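The two SIEM questions above (tuning alert sensitivity by adjusting rules, and investigating authentication attacks by correlating log sources) come down to a correlation rule with a threshold and a time window. The following is an added example, not code from the page or from any SIEM product. The sshd-style log lines are constructed with ISO timestamps for simplicity, and the thresholds are assumptions; it shows the same data producing a false positive under a loose rule and only the real brute force under a tighter one, then escalates when a failing source later logs in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: alice mistypes her password three times over ten minutes,
# then logs in; an attacker hammers bob's account within seconds and succeeds.
AUTH_LOG = """\
2024-03-01T09:00:01 srv1 sshd[101]: Failed password for alice from 198.51.100.9 port 5001 ssh2
2024-03-01T09:03:10 srv1 sshd[102]: Failed password for alice from 198.51.100.9 port 5002 ssh2
2024-03-01T09:09:45 srv1 sshd[103]: Failed password for alice from 198.51.100.9 port 5003 ssh2
2024-03-01T09:10:02 srv1 sshd[104]: Accepted password for alice from 198.51.100.9 port 5004 ssh2
2024-03-01T09:30:00 srv1 sshd[201]: Failed password for bob from 203.0.113.5 port 6001 ssh2
2024-03-01T09:30:02 srv1 sshd[202]: Failed password for bob from 203.0.113.5 port 6002 ssh2
2024-03-01T09:30:04 srv1 sshd[203]: Failed password for bob from 203.0.113.5 port 6003 ssh2
2024-03-01T09:30:06 srv1 sshd[204]: Failed password for bob from 203.0.113.5 port 6004 ssh2
2024-03-01T09:30:08 srv1 sshd[205]: Failed password for bob from 203.0.113.5 port 6005 ssh2
2024-03-01T09:30:11 srv1 sshd[206]: Accepted password for bob from 203.0.113.5 port 6006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(log_text):
    """Normalise raw lines into events; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events

def failed_login_alerts(events, threshold, window_seconds):
    """Correlation rule: a source with >= threshold failures inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                alerts.add(src)
                break
    return alerts

def brute_force_success(events, threshold, window_seconds):
    """Escalation rule: a source that tripped the failure rule and then logged in."""
    suspects = failed_login_alerts(events, threshold, window_seconds)
    return {e["src"] for e in events if e["result"] == "Accepted" and e["src"] in suspects}

if __name__ == "__main__":
    events = parse(AUTH_LOG)
    print("loose rule (3 in 10 min):", failed_login_alerts(events, 3, 600))
    print("tight rule (5 in 60 s): ", failed_login_alerts(events, 5, 60))
    print("escalated:", brute_force_success(events, 5, 60))
```

Raising the threshold or shrinking the window is what "adjusting the number of rules" looks like in practice: the loose rule reports alice's address alongside the attacker (a false positive), the tighter rule keeps only the real brute force, and the second rule correlates that with the successful login that makes it worth an analyst's time.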
A malware outbreak has impacted several development computers at a data center. These particular systems are not networked. The investigation revealed a common USB flash drive was used between the systems. The USB drive has been located and is no longer being used. What incident response lifecycle step has been enacted?
Containment
The marketing department at a local organization has detected malicious activity on several computers. In response, IT personnel have disconnected the marketing switch from the network. Identify which incident response lifecycle step IT has enacted.
Containment
Law enforcement has acquired a disk as evidence and copied the disk for analysis. Suggest a way to maximize the integrity of the analysis process to ensure non-repudiation is possible. (Select all that apply.)
Create a hash before and after analysis and compare the checksums. Use a write blocker during analysis to prevent data from being changed.
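Hashing before and after analysis, and working through a write blocker, are the two integrity controls in the answer above. The following is an added example, not code from the page or from any forensic tool: the "disk image" is a constructed byte string, the chain-of-custody log is a plain list, and the read-only memoryview stands in for a hardware write blocker to show the property it provides (writes fail rather than silently changing evidence).

```python
import hashlib
import hmac
from datetime import datetime, timezone

def sha256_hex(data) -> str:
    """Hash the complete image; bytes, bytearray and memoryview are all accepted."""
    return hashlib.sha256(data).hexdigest()

def record(custody_log, event, digest):
    custody_log.append({"time": datetime.now(timezone.utc).isoformat(),
                        "event": event, "sha256": digest})

def acquire(image, custody_log):
    """Hash at acquisition and log it; this digest is the reference for the whole case."""
    digest = sha256_hex(image)
    record(custody_log, "acquired", digest)
    return digest

def read_only_view(image: bytearray):
    """Software analogue of a write blocker: the analyst works on a view that
    raises TypeError on any write attempt."""
    return memoryview(image).toreadonly()

def write_is_blocked(view) -> bool:
    try:
        view[0] = 0
    except TypeError:
        return True
    return False

def verify(image, reference_digest, custody_log) -> bool:
    """Re-hash after analysis and compare in constant time; log the outcome either way."""
    digest = sha256_hex(image)
    ok = hmac.compare_digest(digest, reference_digest)
    record(custody_log, "verified" if ok else "MISMATCH", digest)
    return ok

# Constructed stand-in for a disk image (a real image is read from the device or file).
SAMPLE_IMAGE = bytearray(b"MBR\x55\xaa" + bytes(range(256)) * 4)

def run_case():
    """Acquire, analyse through a read-only view, verify, then show a tampered copy failing."""
    log = []
    reference = acquire(SAMPLE_IMAGE, log)
    view = read_only_view(SAMPLE_IMAGE)
    blocked = write_is_blocked(view)
    intact = verify(view, reference, log)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[10] ^= 0xFF              # one flipped byte is enough to fail verification
    tampered_passes = verify(tampered, reference, log)
    return {"write_blocked": blocked, "intact": intact,
            "tampered_passes": tampered_passes,
            "events": [entry["event"] for entry in log]}

if __name__ == "__main__":
    print(run_case())
```

The log records both the matching and the mismatching digests with timestamps, so a later reviewer can see not only that integrity was checked but when, and what value was observed each time.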
A computer system at a local company was breached. As part of the investigation, a foreign USB drive was found inserted in the machine. The technician properly removes the drive and seals it in a chain of custody bag. The next morning, the technician returns to the evidence locker and sees that the chain of custody bag, containing the USB drive, has been opened with no signatures on the chain of custody bag or documentation to justify its opening. What concerns are now presented to the technician?
Evidence has been tampered with
Identify the forensics tool used to save entire disks as a file.
FTK Imager
A network administrator's computer desktop is full of network security tools that are useful for patching and hardening the network. However, after an audit, the admin recently discovered a Wireshark application, which alarmed management. What is it about Wireshark that makes management apprehensive about having it on company computers? (Select all that apply.)
It can eavesdrop on network communication. It can reveal which ports hosts are communicating on from the captured traffic (Wireshark is a passive protocol analyzer, not an active port scanner).
What will the command logger -f hostnames do?
Log the file 'hostnames' to syslog
Exploitation frameworks leverage vulnerabilities discovered by automated vulnerability scanning to exploit a target. Identify the software classified as exploitation frameworks. (Select all that apply.)
Metasploit; Sn1per; fireELF
A hacker has scanned the network for vulnerabilities and plans to inject malicious software into an unprotected server. The hacker wants to use this server as a jump server to gain access to the network and execute more code in the future. However, the hacker does not want to leave any trace behind, if caught. Which of the following tools would the hacker most likely use?
Meterpreter
A hacker visited a company's network a week ago and planted stagers on an unsuspecting Windows server. The hacker can connect to this server and execute more code that is affecting enterprise services at a well-known company. How is the hacker able to execute this?
The planted stagers retrieve and run a Meterpreter payload, which executes the attacker's further code in memory.
A new cybersecurity analyst is working at his first job. The analyst requires a penetration test reporting and evidence gathering framework that can run automated tests through integration with Metasploit. Recommend a framework that will fulfill the analyst's needs.
Sn1per
Analyze and explain the usage and effect of the grep Linux utility.
String-match search using regex syntax
A cybersecurity specialist working for an Internet Service Provider (ISP) noticed some unusual indicators of malicious activity and suspects that there may be a remote-access trojan or botnets present in the network. The specialist will begin looking at some Domain Name System (DNS) servers. Prescribe next steps that will assist in the investigation. (Select all that apply.)
Use OSSEC to collect DNS server logs and search for known malicious domains. Use Wireshark to capture DNS traffic between clients and the DNS resolver and save it to a .pcap file. Use OSSEC to compose rules to report NXDOMAIN responses or other activity.
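The DNS investigation steps above (collecting resolver logs, matching known-malicious domains, and reporting NXDOMAIN activity) can be prototyped before writing OSSEC rules. This is an added example, not code from the page, from OSSEC or from Wireshark; the resolver log lines use a constructed key=value format, the blocklist is constructed, and the thresholds (at least five queries, half or more answered NXDOMAIN) are assumptions. Bursts of NXDOMAIN responses to random-looking names are the classic sign of domain-generation malware looking for its controller.

```python
import re
from collections import Counter, defaultdict

# Constructed resolver log: one ordinary client, one client cycling through
# random-looking names that do not resolve, and one client contacting a listed domain.
DNS_LOG = """\
2024-03-01T10:00:00 client=192.0.2.10 query=www.example.com rcode=NOERROR
2024-03-01T10:00:01 client=192.0.2.10 query=mail.example.com rcode=NOERROR
2024-03-01T10:00:02 client=192.0.2.10 query=cdn.example.com rcode=NOERROR
2024-03-01T10:00:03 client=192.0.2.25 query=qx7v2k9d.example.net rcode=NXDOMAIN
2024-03-01T10:00:04 client=192.0.2.25 query=p0lm3zz1.example.net rcode=NXDOMAIN
2024-03-01T10:00:05 client=192.0.2.25 query=w9tr5ya0.example.net rcode=NXDOMAIN
2024-03-01T10:00:06 client=192.0.2.25 query=update.example.com rcode=NOERROR
2024-03-01T10:00:07 client=192.0.2.25 query=kk2s8hd4.example.net rcode=NXDOMAIN
2024-03-01T10:00:08 client=192.0.2.30 query=bad-c2.example.org rcode=NOERROR
2024-03-01T10:00:09 client=192.0.2.30 query=www.example.com rcode=NOERROR
"""

KNOWN_BAD = {"bad-c2.example.org"}   # constructed blocklist entry

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")

def parse_dns_log(text):
    return [m.groupdict() for m in map(DNS_RE.match, text.splitlines()) if m]

def nxdomain_ratio(events):
    """Share of each client's queries that came back NXDOMAIN."""
    total, nx = Counter(), Counter()
    for e in events:
        total[e["client"]] += 1
        if e["rcode"] == "NXDOMAIN":
            nx[e["client"]] += 1
    return {client: nx[client] / total[client] for client in total}

def flag_clients(events, blocklist, min_queries=5, ratio_threshold=0.5):
    """Two detections: any query for a listed domain, and an NXDOMAIN-heavy client."""
    reasons = defaultdict(list)
    for e in events:
        if e["qname"].lower().rstrip(".") in blocklist:
            reasons[e["client"]].append("blocklist:" + e["qname"])
    counts = Counter(e["client"] for e in events)
    for client, ratio in nxdomain_ratio(events).items():
        if counts[client] >= min_queries and ratio >= ratio_threshold:
            reasons[client].append("nxdomain-burst")
    return {client: sorted(r) for client, r in reasons.items()}

if __name__ == "__main__":
    events = parse_dns_log(DNS_LOG)
    print(nxdomain_ratio(events))
    print(flag_clients(events, KNOWN_BAD))
```

The minimum-query floor matters: a client that made one typo and got one NXDOMAIN has a ratio of 1.0 but is not a bot, which is exactly the kind of false positive the earlier SIEM tuning question is about.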
A government agency is getting rid of older workstations. The agency will donate these workstations, along with other excess computer systems, to nearby schools. Management reminds the systems administrators about the data sanitization and disposal policy. What policy items are applicable for these IT systems, prior to donating to the schools? (Select all that apply.)
Use the DoD 5220.22-M overwrite method; Degauss magnetic media
The majority of regions and locales have laws to notify users affected by a breach of personal data. Describe, in a general sense, the common intent of these breach notification laws and when an organization should notify users of a breach.
Users should be notified immediately.
A company is going through excess equipment and recyclables. Management will repurpose all the computer workstations and discard archived printed documents. Which of the following can help achieve the company's goals? (Select all that apply.)
Active KillDisk software; Paper shredder
Identify all examples of the use of steganography to bypass data loss prevention (DLP) mechanisms. (Select all that apply.)
Encoding covert messages within TCP packets; Coding information into pixels of an image; Embedding information into spectrograms of audio files
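The second answer above, hiding data in the pixels of an image, is usually done by overwriting the least-significant bit of each colour channel. The following is an added example, not code from the page: the image is a constructed 8x8 RGB gradient held as a list of tuples so no image library is needed, and the payload and 4-byte length prefix are assumptions about the format. It also shows why a DLP rule that pattern-matches the raw file bytes cannot see the hidden text.

```python
# Constructed 8x8 RGB "image": each pixel is an (r, g, b) tuple of 0..255 values.
SAMPLE_PIXELS = [((x * 37) % 256, (y * 91) % 256, ((x + y) * 53) % 256)
                 for y in range(8) for x in range(8)]

def _flatten(pixels):
    return [channel for px in pixels for channel in px]

def embed(pixels, payload: bytes):
    """Hide payload in the least-significant bit of each channel, prefixed by a
    4-byte big-endian length so the reader knows how many bytes to recover."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    flat = _flatten(pixels)
    if len(bits) > len(flat):
        raise ValueError(f"payload needs {len(bits)} bits, image holds {len(flat)}")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit      # clear the LSB, then set it to the data bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract(pixels) -> bytes:
    """Read the length prefix, then that many bytes, from the channel LSBs."""
    flat = _flatten(pixels)

    def read(offset_bits, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (flat[offset_bits + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)

def max_channel_change(original, stego) -> int:
    """Visual impact: every channel moves by at most one unit out of 255."""
    return max(abs(a - b) for a, b in zip(_flatten(original), _flatten(stego)))

def naive_dlp_match(pixels, keyword: bytes) -> bool:
    """A DLP rule that substring-matches the raw pixel bytes never sees the payload."""
    return keyword in bytes(_flatten(pixels))

if __name__ == "__main__":
    stego = embed(SAMPLE_PIXELS, b"secret")
    print(extract(stego), max_channel_change(SAMPLE_PIXELS, stego),
          naive_dlp_match(stego, b"secret"))
```

Detecting this kind of channel needs statistical tests on the LSB plane or a policy that blocks image uploads from sensitive hosts, not keyword matching on file contents.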
A serious malware infection recently occurred at an organization. The cause was found and eliminated. Systems are now being tested and brought back online. Considering incident response procedures, how is finding the cause categorized?
Eradication
A penetration tester is experimenting with Nmap on a test network. The tester input the following Nmap command: nmap -O testwebsite.org. Conclude what the effect of this command will be.
Scan with OS detection
A security incident has occurred at a business that has exposed the personal data of numerous customers. In accordance with the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, at which stage in the incident response lifecycle should the company notify their stakeholders?
Identification
What does the command chmod a+rwx newFile do?
It gives all users read, write, and execute permissions for a file called newFile.
What tool can gather email accounts, employee names, subdomains, IPs, URLs and other OSINT data for a particular company name?
theHarvester
A network admin troubleshoots a virtual host that currently restarted. The admin wants to know when the virtual host is reachable through the network. Which ping switch would provide the most useful information?
-t (Windows ping switch; pings continuously until stopped with Ctrl+C. Linux ping runs continuously by default.)
Identify security control options that can be categorized as "Preventative." (Select all that apply.)
Data Loss Prevention (DLP) software configurations; Firewall rules
Software, such as Metasploit and Sn1per, leverage vulnerabilities discovered by automated vulnerability scanning to exploit a target. Identify the software classification for this type of application.
Exploitation frameworks
A network administrator for a large oil company has discovered that a host on the company network has been compromised by an attacker spoofing digital certificates. Recommend an immediate response that does not require generating new certificates.
Revoke the host's certificate
Select the methods of containment based on the concept of segmentation. (Select all that apply.)
Sinkhole; Honeynet
Continuity of Operations (COOP) and Disaster Recovery Planning (DRP) are processes that need to be reflected upon routinely. This allows organizations to review and improve processes. Apply knowledge of how processes are implemented to conclude the best time to execute improvements.
After-action report
Continuity of Operations (COOP) and Disaster Recovery Planning (DRP) are processes that need to be reflected upon routinely. Doing so allows the review and improvement of processes. Consider how processes are put in place and how they are executed, then evaluate the best time to execute improvements.
After-action report
It is time to audit the network's security. Which of the following will help with the process of scanning for vulnerabilities? (Select all that apply.)
Check all computers for installed anti-virus software. Perform passive reconnaissance activities.
When a network security technician is running automated scans, the vulnerability scanner alerts the technician about a process running on a Windows system. The program that generates this process is volatile, causing lock-up and crash of processes and services of connected applications, according to the scanner. The scanner has not generated any other alerts. Recommend an initial route of investigation the technician should take.
Check application logs
A cybersecurity forensics investigation team is investigating an incident involving data theft. The team suspects an internal threat actor and has a list of several employee suspects. The team has access to the suspects' emails, but find that if there was evidence, one of the suspects deleted it. Plan a professional investigative approach to the next course of action.
Check email logs and other metadata sources related to deleted emails.
An attacker has defaced a simple and up-to-date WordPress website running on a fully-patched Ubuntu Server that a web developer administers. The forensics team has taken the computer down after the developer reached out for assistance. The forensics team has isolated the server to preserve the current status of the device and its records. They blocked remote access to the attacker, preventing interaction with all other devices on the network. In continuing the investigation, what is the most appropriate next step to determine how or where the attack was initiated?
Check network logs
A group of security professionals from several non-competing organizations address local security incidents by forming a Unified Cyber Incident Response Team (CIRT). The goal of the program is to share insights and knowledge and assist in mitigating threats. Considering the team's desire for diversity among the team's membership, determine which user type they should include.
Decision maker
What is the main difference between a snapshot and a disk image?
Disk images include bootloader and OS
A security event popped up, alerting security of a suspicious user gaining access to, and copying files from, the %SystemRoot%\NTDS\ file path on a server. What is the user trying to do?
Gather employee login credentials (the ntds.dit database in that folder holds the Active Directory account password hashes).
A security analyst is investigating an incident that they do not understand. To discover the attack vector, the analyst decides to run a vulnerability scan and compare the report to a list of newly developed exploits. Propose an application or software utility the analyst might use to scan for vulnerabilities.
Nessus
After a security breach, a cybersecurity analyst decides to cross-check the services and software installed on the breached network against lists of known vulnerabilities. Prescribe a software tool best suited for the analyst's purpose.
Nessus
A company is in the preparation phase of implementing an incident response plan. All technical security controls are in place. Currently, the company needs to establish guidelines for handling an incident. Evaluate and select the appropriate guideline items. (Select all that apply.)
Policies and procedures; Personnel and resources
An incident involving a data breach is under investigation at a major video game software company. The incident involves the unauthorized transfer of a sensitive file to an outside source (a leak). During the investigation, employees find that they cannot access the original file at all. Verify the terminology that describes what has been done to the file in question.
Quarantine
A resident cybersecurity expert is putting together a playbook. Evaluate the elements that the security expert should include in the playbook. (Select all that apply.)
Query strings to identify incident types; When to report compliance incidents; Incident categories and definitions
A cybersecurity forensics investigation team is investigating a compromised Windows system. The team has determined that being the only Windows machine on the network, the vulnerability may be at the OS level. The team proceeds to acquire OS-level information from Windows. Determine appropriate methods the team can use to accomplish this task. (Select all that apply.)
Reboot and analyze memory dump files. Put the system into hibernation and analyze the hibernation file (hiberfil.sys). Check system and security logs.
When submitting digital evidence, it is important to prove the provenance of the evidence. If the evidence is in doubt, then it may become inadmissible in a court of law, or it may become impossible to reach non-repudiation. Recommend strategies for establishing the provenance of the evidence during the acquisition process. (Select all that apply.)
Record the process on video. Provide time stamps of the acquisition process. Collect evidence according to the order of volatility.
A malware outbreak recently occurred at a local organization. Systems were compromised, and business operations had to shut down during this time. All systems were brought to a secure state over the course of ten business days. Which incident response life cycle stage took ten days to complete?
Recovery
An organization planned a week of security exercises. Each day of the week focused on different scenarios and goals. Consider the elements of disaster recovery exercises and select the option that accomplishes the organization's goal during the exercises.
Roles and responsibilities
Security experts are performing disaster recovery exercises with employees at a software development company. Which key element should the security experts focus on as a goal of these activities?
Roles and responsibilities
A new site includes a Windows domain controller, a DHCP (dynamic host configuration protocol) server, a Linux file server, and a Windows web server. An independent auditing team arrived to assess basic security guidelines and company policies. Today, the auditing team will perform the following tasks: (1) dynamically assign addresses on client Windows computers, and (2) verify the installation of antivirus software. Which of these actions will provide any of the information needed for today's assessment?
Run ipconfig /all on a client computer.
What is another term for an incident playbook? (Select all that apply.)
Runbook; Incident response plan
The admin of a large corporate network is updating the log management systems for the network. The company only installed a basic central collection of system, network, web, and security logs. The administrator needs a solution that provides advanced tools for threat analytics, and also provides complete history retention and aggregates and normalizes the log data it collects. The administrator also wants a tool that raises alerts based on correlation rule matches, which simplifies the threat analysis process. Recommend potential solutions for the admin. (Select all that apply.)
SIEM; NXlog
A cybersecurity forensics investigation team has possession of a hard disk thought to contain evidence, as well as a possible virus. To avoid interfering with evidence and to safely investigate within a sandbox, the team resolves to acquire a disk image. Outline possible tools or methods the team can use to accomplish this task. (Select all that apply.)
Save disk image with FTK Imager; Copy disk with dd command; Create snapshots of all volumes
During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function to search a keyword in a file using PowerShell on Windows. Validate the analyst's choice.
Select-String -Path C:\temp\sample.txt -Pattern "Test"
A security consulting firm will be working with the staff of a local business to perform a disaster recovery exercise. After discussing options for performing the exercise, the firm decides to apply a specific approach to best meet the organization's needs by "ghosting" the same procedures as they would occur in an actual disaster. Apply knowledge of the scenario to conclude which exercise method the firm uses.
Tabletop
A network tech is installing an intrusion detection system (IDS) on a corporate network. The system is intended to be a long-term monitoring solution and would ideally split or copy network signals on the physical layer, to avoid frame loss. Anticipate the type of sensor the tech will install in conjunction with the IDS.
Test access point (TAP)
What are the main features that distinguish a Test Access Point (TAP) from a switched port analyzer (SPAN)? (Select all that apply.)
Test access point (TAP) is a separate hardware device. Test access point (TAP) avoids frame loss.
An IT security expert investigated a computer crime scene using computer forensic investigation best practices. After analyzing the following terms, which best fits the criteria of preservation of evidence?
Timeline
Analyze the following terms and consider computer forensic investigation best practices. Which best fits the criteria of preservation of evidence?
Timeline
Investigators pulled a drive out of a Windows workstation. As the investigation begins on the drive, they discover that the timestamps on its volumes do not match: a FAT volume's timestamps look correct, while the NT File System (NTFS) volume's timestamps differ from them by a few hours. While evaluating the evidence, what do the investigators conclude is the reason for the odd timestamps on the NTFS volume?
Timestamps are in coordinated universal time
After a recent incident, investigators are performing forensics on a Windows server. While using various tools to examine damaged data, they discover the timestamps on an NT file system (NTFS) volume do not seem correct and are a few hours different from local time. What determination should the experts conclude as the reason for the timestamp discrepancy?
Timestamps are in coordinated universal time.
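Both timestamp questions above rest on one fact: NTFS records times as 100-nanosecond FILETIME ticks since 1601-01-01 in UTC, while FAT records a packed local date and time with 2-second resolution and no zone. The following is an added example, not code from the page or from any forensic tool, showing how to decode both and normalise them to a common instant; the scenario values (an event at 14:00 UTC seen from a UTC-5 workstation) are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime: int) -> datetime:
    """NTFS stores timestamps as 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def utc_to_filetime(dt: datetime) -> int:
    """Inverse, kept in integer arithmetic so large tick counts stay exact."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def fat_to_local(fat_date: int, fat_time: int, local_tz: timezone) -> datetime:
    """FAT stores a packed date (years since 1980, month, day) and time
    (hour, minute, seconds/2) in local time; the zone must be supplied by the analyst."""
    year, month, day = 1980 + (fat_date >> 9), (fat_date >> 5) & 0x0F, fat_date & 0x1F
    hour, minute, second = fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second, tzinfo=local_tz)

def local_to_fat(dt: datetime):
    """Inverse of fat_to_local; odd seconds are truncated by the 2-second field."""
    fat_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    fat_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return fat_date, fat_time

def apparent_skew_hours(filetime, fat_date, fat_time) -> float:
    """The 'few hours' an analyst sees when both stamps are read as if they were local."""
    ntfs_naive = filetime_to_utc(filetime).replace(tzinfo=None)
    fat_naive = fat_to_local(fat_date, fat_time, timezone.utc).replace(tzinfo=None)
    return (ntfs_naive - fat_naive).total_seconds() / 3600

def same_instant(filetime, fat_date, fat_time, local_tz) -> bool:
    """Normalised to UTC, the two stamps describe the same moment."""
    return filetime_to_utc(filetime) == fat_to_local(fat_date, fat_time, local_tz)

def worked_case():
    """Constructed scenario: an event at 2024-03-01 14:00 UTC on a workstation set to UTC-5."""
    local_tz = timezone(timedelta(hours=-5))
    ft = utc_to_filetime(datetime(2024, 3, 1, 14, 0, 0, tzinfo=timezone.utc))
    fat_date, fat_time = local_to_fat(datetime(2024, 3, 1, 9, 0, 0))
    return {
        "filetime": ft,
        "fat": (fat_date, fat_time),
        "ntfs_utc": filetime_to_utc(ft).isoformat(),
        "skew_hours": apparent_skew_hours(ft, fat_date, fat_time),
        "same_instant": same_instant(ft, fat_date, fat_time, local_tz),
        "epoch_check": filetime_to_utc(116444736000000000).isoformat(),  # Unix epoch
    }

if __name__ == "__main__":
    print(worked_case())
```

The five-hour "skew" disappears once the FAT stamp is labelled with the workstation's zone, which is why the machine's configured time zone (and any daylight-saving change between the event and the examination) belongs in the acquisition notes.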
A cyber forensic investigator is acquiring evidence for a case. The investigator is recording the entire acquisition process on video, as well as recording timestamps for each action and collecting evidence in order of most to least volatile. Describe the purpose of these extra steps. (Select all that apply.)
To establish provenance of the evidence. To ensure non-repudiation. To ensure no evidence is missed.
The computer system was breached at a large business, and the suspect is a high-level executive. Several employees have been called as witnesses, and investigators are evaluating a questioning approach. Considering how evidence may be collected and documented, which method is more reliable but may make witnesses less willing to provide a statement?
Video
A forensics analyst is attempting a live acquisition of the contents of the memory of a running Linux device. In order to copy the blocked /dev/mem file with memdump or dd, the analyst must install a kernel driver. Recommend a framework that will enable the analyst to install a kernel driver.
Volatility
A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of only Windows machines. Assess the tools that the analyst could employ in this process for capturing system memory of machines in this network. (Select all that apply.)
WinHex; FTK Imager
A cybersecurity investigator is investigating an incident. Considering the possibility of an On-path attack, the investigator decides the first course of action is to check the MAC address of the default gateway IP to ensure it is the true MAC address of the router, to rule out spoofing. Dictate the topological tool or command the investigator can use for this purpose.
arp
A computer science major is interning with a multinational technology corporation. The intern is attempting to access a file generated by the company's quantum computer, saving it to a drive on a separate Linux server. The intern only has access to the server's command line interface (CLI) and needs to read the file immediately. Outline the command that will easily enable the intern to view the file from the command line.
cat -n security.log
A network technician working for a three-letter intelligence organization has to troubleshoot a specialized, air-gapped Linux device without asking any questions. The technician only has access to the CLI and needs to read a log file, without a GUI, and without network access. Outline the command that will easily enable the technician to view the file from the command line.
cat -n security.log
Identify the command-line tool that performs data transfers over a network.
curl
A cybersecurity student has been using dig and whois to query hosting records and check external DNS services when a fellow student recommends a tool that packages similar functions and tests into a single query. Conclude what tool the student recommended.
dnsenum
During an interview, a security analyst is presented with four code blocks and asked to identify which one correctly defines and calls a function that uses grep to search a file in Python. Validate the analyst's choice.
import re
filename = "sample.txt"
pattern = "test"
def search_file(name_of_file, grep_pattern):
    # grep-style search: print each line of the file that matches the regular expression
    with open(name_of_file, "r") as file:
        for line in file:
            if re.search(grep_pattern, line):
                print(line, end="")
search_file(filename, pattern)
A security analyst is investigating an incident involving a known attack vector identified through security logs. Rather than read every log manually, the analyst decides to perform a string search on the relevant log files. Recommend a tool that will accomplish the analyst's goal. (The machines in question run the Linux OS.)
grep
Identify the command that will output the 15 oldest entries in the log file called hostnames.
head /var/log/hostnames -n 15
An administrator wants to quickly assess the open ports of a Windows server. Which command will provide the admin with the right information?
netstat
A cybersecurity investigator is investigating a breach, and the method of entry is not yet known. The investigator decides to begin by checking for suspicious entries in the routing table. Select the command-line tool that will enable the investigator to directly access the table.
route
A company that produces and sells financial software uses a Structured Query Language (SQL) database for its marketing data, employee data as well as financial data. The IT team reports irregularities in relational queries, reporting data being accessed haphazardly and randomly. The team leader reviews the application, network and DNS logs and suggests an intruder has been examining the database, and likely used UNION attacks and modified queries to retrieve extra data and data from other tables. Deduce what kind of attack(s) the investigation is likely to discover.
Server-side injection attacks, specifically SQL injection
Identify the command that will output the 15 most recent entries in the log file called hostnames.
tail /var/log/hostnames -n 15
The resident IT administrator at a small community bank has hired an outside consultant to assist in investigating a suspected network intrusion. The administrator asks the consultant what tools or methods can determine if anything suspicious is happening on the network. Predict which tools would be components of a viable response from the contractor. (Select all that apply.)
tcpdump; Wireshark; tcpreplay
A systems administrator recently hardened two servers (Linux and Windows), disabling unused ports and setting up a software firewall to specific port connections and protocols. These servers support employees at an external branch that operates on wireless network connections and laptops. Which of the following tools will help audit the server's security settings with the least amount of effort? (Select all that apply.)
tcpdump; tshark
A cybersecurity analyst is analyzing a rerun of captured suspicious traffic. Determine what software tool the analyst would use for this purpose.
tcpreplay