Cybersecurity Analyst (CSA+) - Practice Test
John has viewed and manipulated the ARP cache of his system using the arp command. He further wants to view the cache on all interfaces. Which of the following arp flags would John use?
-a John would use -a flag for viewing the cache on all interfaces
Which grep command option is used to reverse the grep command's default behavior, returning only lines that do not match the given string?
-v In grep command, -v option is used to reverse the grep command's default behavior, returning only lines that do not match the given string
Which grep command option is used to consider search strings as discrete words?
-w In grep command, -w option is used to consider search strings as discrete words. By default, the string "add" will also return "address." With this option, the string "add" will only return instances of the word "add" by itself
Digital evidence at a crime scene is documented with a tag stating who had possession of the evidence at a given time. Which of the following does this illustrate?
Chain of custody Chain of custody deals with how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been. The evidence must always be within your custody, or you're open to dispute about possible evidence tampering. Thus, to preserve evidence during a forensic procedure, the chain of custody is of utmost importance
Which of the following mitigation strategies is established to reduce risk when performing updates to business-critical systems?
Change management Change management is a risk mitigation approach that refers to the structured approach followed to secure a company's assets. In this case performing updates to business-critical systems. It is the process through which changes to the configuration of information systems are monitored and controlled, as part of the organization's overall configuration management efforts
Refer to the structured way of changing the state of computer system, network, or IT procedure
Change management policies
In which of the following process is an attacker able to move from one part of a computing environment to another?
Lateral movement Rather than targeting the deepest parts of an environment immediately, the attacker can gain entry to a more easily accessible endpoint at the perimeter
Which of the following governs the behavior of individuals and groups in the use of computers, the Internet, and other IT domains?
Cyberlaw Cyberlaw governs the behavior of individuals and groups in the use of computers, the Internet, and other IT domains. It can vary significantly depending on the jurisdiction
Which of the following methods of analysis identifies the nature of an entity by subjecting it to a particular environment?
Heuristic The heuristic analysis identifies the nature of an entity by subjecting it to a particular environment. It uses various metrics to conclude weather an entity is or is not a threat to the environment and behaves accordingly
Rena, a network administrator, wants to check what services are exposed to the outside world. What tool would she use to accomplish this?
Port scanner Rena should use a port scanner as it is used on the periphery of a network by either administrators or hackers. It is a tool that scans a server for open ports that can be taken advantage of. By determining what ports are open, she knows what services are exposed to the outside world
An attacker performs reconnaissance on a CEO, using publicity available resources to gain access to the CEO's office. The attacker was in the CEO's office for less than five minutes, and the attack left no traces in any logs, nor was there any readily identifiable cause for the exploit. The attacker is then able to use numerous credentials belonging to the CEO to conduct a variety of further attacks. Which of the following types of exploit is described in this scenario?
Whaling Whaling is described in this scenario. Whaling is a spear phishing technique used against a high-level corporate executive, politician, or celebrity. Mostly, it is an attack meant to target upper managers in private companies. The objective is to swindle the upper manager into divulging the confidential company information
Ann, a security analyst, have initiated an assessment of an organization's security posture. As a part of this review, she would like to find how much information about the organization is exposed externally. Which of the following techniques would best help her to accomplish this goal? Each correct answer represents a complete solution. Choose two
→ Fingerprinting → Sourcing social network sites Fingerprinting is the technique of determining the type of operating system and services a target uses by studying the types of packets and the characteristics of these packets during a communication session. It relies on TCP/IP to provide this information. Sourcing social network sites are also very helpful in this situation as it will help to gain information about the organization which has been exposed externally. With social networking, a company can be exposed to as many threats as the number of users that make use of social networking and are not advised on security policy regarding the use of social networking
Which of the following search operators matches zero or one instances of the preceding character?
? The ? search operator matches zero or one instances of the preceding character. Searches are read from left to right, and can include any normal, unformatted characters
Which of the following statements are true of interception proxies? Each correct answer represents a complete solution. Choose all that apply
A passive testing tool for analyzing the communications of web app Crawl outbound web traffic based on pre-defined factors before blocking it Determine the nature of HTTPS request that the application sends and receive
Company A allows visiting business partners from Company B to utilize Ethernet ports available in Company A's conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B's network. The security architect of Company A wants to ensure that the partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A's internal network from those same ports. Which of the following can be employed to allow this type of setup?
ACL (Access Control List) ACL is a list of permissions attached to an object. It specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file, to write to the file or files, and to execute the file
Which of the following is a threat in which an unauthorized person gains access to a network and stays there undetected for a long period of time?
APT APT (advanced persistent threat) is a threat that continually exploits a target while remaining undetected for a significant period of time. APTs target large organizations to covertly compromise their business efforts. Financial institutions, companies in health care, and other organizations that store massive quantities of PII are the most common victims of an APT
Define how employees can use company resources
Acceptable use policies
Which of the following identifies potentially malicious external domains?
Access control list ACL (access control list) identifies potentially malicious external domains. ACLs have the ability to permit and deny traffics for a virtual machine endpoint
Demetrius works as a security administrator for a company. He has assigned a task to determine the project risk. For this, he wants to calculate the cost of a single breach. What formula should he use?
Asset value (AV) * Exposure factor (EF) Demetrius should use the SLE (single loss expectancy) formula to determine the cost of a single breach. It represents the financial loss expected from a specific adverse event. It is calculated by multiplying the value of the asset that could be lost times the exposure factor. So, if you have data worth 10,000 and the likelihood of a breach resulting in a loss is 5%, then you multiply 10,000 *.05 to get the SLE. SLE (single loss expectancy) = AV (asset value) X EF (exposure factor)
Ann, a cybersecurity analyst, recently discovered a Trojan on a server. She is now concerned about a security breach that still exists on a server and allows unauthorized people to access data. So, for this, she should be looking for the presence of which of the following threats?
Backdoor There has been a security breach on a computer system. Ann should now check for the existence of a backdoor. A backdoor in a computer system is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected
Which of the following is a process by which a bot in a botnet sends its status to a command and control server to indicate that it is active?
Beaconing Beaconing is the process by which a bot in a botnet sends its status to a command and control server to indicate that it is alive. It is used in token ring and FDDI (Fiber Distributed Data Interface) networks to ensure that token passing is functioning properly
Which of the following best practices is used to identify areas in the network that may be vulnerable to penetration testing from known external sources?
Blue team training exercises The blue team consists of security professionals who are tasked with defending the organization against the simulated attacks in a penetration test. The term blue team is also used to refer to general network defense and incident response personnel in a real-world context, rather than just for pen tests. The blue team training exercises include accessing log data, using a SIEM, garnering threat intelligence information, and performing traffic and data flow analysis
Max, a security analyst, is concerned that the application her team is currently developing is vulnerable to unexpected user input that could lead to issues within the memory. Due to which, it is affected in a harmful manner leading to potential exploitation. Which of the following describes this application threat?
Buffer overflow A buffer overflow attack describes this application threat. A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information overflow into adjacent buffers, corrupting or overwriting the valid data held in them. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information
Which of the following ESA frameworks was created by ISACA and provides a framework for IT management and governance?
COBIT COBIT (Control Objectives for Information and Related Technology) was created by ISACA (Information Systems Audit and Control Association). It provides a framework for IT management and governance that was initially released in 1996, but has since been updated periodically, with version 5 of COBIT released in 2012. It includes frameworks, process descriptions, control objectives, management guidelines, and maturity models
Which graphing and monitoring tool allows users to poll services at fixed intervals and graph the resulting data?
Cacti Cacti is an open source, web-based graphing and monitoring tool developed for front-end applications. It allows users to poll services at fixed intervals and graph the resulting data
An evidence investigation for a physical incident is going on in a building of an organization. Which tool should be used by the organization to isolate that building while the investigation is underway?
Crime tape The organization will use a crime tape to isolate the building while the investigation is underway. This will prevent employees and customers from wandering into the area and contaminating evidence
Which of the following attacks allows an attacker to take advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users?
Cross-site scripting The XSS (cross-site scripting) attack is a type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users
Rex, a security administrator, notices that a server with the IP address of 10.10.2.4 has been having recurrent connection issues. The logs show repeated connection attempts from the following IPs: 10.10.3.16 10.10.3.23 212.178.24.26 217.24.94.83 He discovers that this attempt is disturbing the server because of which it cannot respond to traffic. Which of the following attacks is occurring in this scenario?
DDoS A DDoS (distributed denial-of-service) attack is occurring in this scenario. A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted
An organization is trying to restrict the risk associated with the use of pirated USB devices to copy documents. Which of the following would be the best technology control to use in this scenario?
DLP DLP (data loss prevention) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. It is a software solution that detects and prevents sensitive information in a system from being stolen or otherwise falling into the wrong hands
Identify the level of care for maintaining confidentiality of private information
Due care policies
Ensure that IT infrastructure risks are known and managed
Due diligence policies
Which footprinting method helps attackers to reclaim important information by inspecting the contents of trash containers?
Dumpster diving In dumpster diving, attackers search through garbage to find sensitive information in paper form. The names and titles of people within the organization enable the attacker to begin social engineering to gain even more private information
Which of the following is a proprietary tool that supports a wide range of forensic methods, including evidence collection, analysis, and reporting?
EnCase EnCase is a proprietary tool that supports a wide range of forensic methods, including evidence collection, analysis, and reporting
In which of the following threat intentions does an attacker try to obtain secret or confidential information without the information holder's permission?
Espionage In espionage, attackers try to obtain secret or confidential information without the permission of the holder of the information. It tends to come in two types: state-sponsored and industrial
In which of the following phases of the penetration testing does the tester start attacking the vulnerabilities defined?
Exploitation In the exploitation phase, the attacker starts attacking the vulnerabilities defined in the scanning phase
Which of the following is the process of extracting data from a computer when that data has no associated file system metadata?
File carving File carving is the process of extracting data from a computer when that data has no associated file system metadata. The file system metadata describes where a file exists in memory. Because files are often fragmented into many pieces, they do not reside in one single address
Juan, a security technician, is reviewing the IDS log files. He determines a large number of alerts for multicast packets from the switches on the network. After investigation, he discovers that this is normal activity for his network. Which of the following best describes these results?
False positive A false positive best describes these results. False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. Unfortunately, false positives will continue to exist but they can be limited by the skill of the person writing the signatures or checking the logic
Which of the following can result in significant administrative overhead from incorrect reporting?
False positive False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. It causes a significant administrative overhead because of the incorrect reporting. Unfortunately, false positives will continue to exist but they can be limited by the skill of the person writing the signatures or check logic
Which vulnerability assessment tool discovers coding errors and security loopholes in software, operating systems, or networks by sending large amounts of random input data to the system in an attempt to make it crash?
Fuzzer Fuzzer is a vulnerability assessment tool that discovers coding errors and security loopholes in software, operating systems, or networks by sending large amounts of random input data to the system in an attempt to make it crash. These tools can be useful in detecting any faults that will expose sensitive information in an application, and especially in web apps
You work as a security administrator for uCertify Inc. One of your primary tasks is to document everything related to security and create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as the one that identifies the methods used to accomplish a given task?
Guidelines Guidelines document should be referenced to identify the methods used to accomplish a given task. Guidelines are recommended, non-mandatory controls that support standards or that provide a reference for decision making when no applicable standard exists
Which of the following threat actors is an attacker motivated by a social issue or political cause?
Hacktivists Hacktivists are attackers motivated by a social issue or political cause. They may be solo or work in groups; the most well-known hacktivist group is Anonymous, a loosely organized network of hackers and those who support its ideals
Andrew works as a security administrator for uCertify Inc. He wants to capture attack details on his network that are occurring while also protecting his production network. Which of the following will he implement to accomplish this task?
Honeypot Andrew should use a honeypot because it is a system whose purpose is to be attacked. It is set up to attract and slow down an attacker. The administrator can use this to learn the attacking techniques and methods that attackers employ
An analyst has received unusual alerts on the SIEM dashboard. The analyst wants to get payloads that the hackers are sending toward the target systems without impacting the business operation. Which of the following should the analyst implement?
Honeypot The analyst should implement honeypot. A honeypot is a practice that traps attackers in an isolated environment where they can be monitored and kept from compromising the systems in production. It tricks the attacker into believing that they are causing actual damage to system, which enables the security team to analyze the attacker's behavior
Ann, a security analyst, while reviewing the monthly Internet usage noticed that there is a large spike in traffic classified as "unknown" and does not appear to be within the bounds of the organizations AUP. Which of the following tool or technology will work best for her to obtain more information on this traffic?
IDS logs Ann should use IDS logs to obtain more information on this traffic. IDS (intrusion detection systems), whether wireless or otherwise, usually have a built-in logging feature that records traffic and alerts according to how the system is configured. Ann should configure the system to at least log any alerts that it generates, without logging every single non-alert event it detects
Which of the following statements are true of IDA (interactive disassembler)? Each correct answer represents a complete solution. Choose all that apply
Identifies API calls, function parameters, and constants Provides automated functionality Provides an interactive debugger An IDA provides automated functionality and an interactive debugger. It identifies API calls, function parameters, and constants. It also includes a built-in programming language for the creation of automated scripts.
Which of the following statements is not true of CheckPoint Next Generation Firewall?
Identifies network traffic based on application, content, user, and device Palo Alto Networks next-generation firewalls identifies network traffic based on applications, content, users, and devices. These are designed to safely enable applications and prevent modern threats and to reduce manual tasks and enhance security through automated means
An organization is requesting the development of a disaster recovery plan as it has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken first to assist in the development of the disaster recovery plan?
Identify assets. A disaster-recovery plan helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses. For this, it is important to identify assets, so that further steps can be performed accordingly. Even when a small, low-value item is missing, it can result in a major impact on your business. Asset identification provides a system that allows tracking of assets, monitoring of asset status the need to replace assets, and the ability to locate needed assets
What is the follow-up process of a penetration test?
Identifying assets marked as vulnerable and determining ways to remediate the system The follow-up process of a penetration test includes identifying assets marked as vulnerable and determining ways to remediate the systems. A risk management approach is used to methodically identify security and compliance risks and involves people working in compliance and business roles
A company has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lesson learned report with recommendations. Which of the following recommendations will best prevent the same attack from occurring in the future?
Implement a separate logical network segment for management interfaces. A company should implement a separate logical network segment for management interfaces. A network infrastructure that isn't divided into subnets may end up being a single point of compromise for an attacker's benefit. If the attacker breaches the network, they may have access to all nodes, rather than just the nodes in their segment. So, it's better to implement this and prevent the same attack from occurring in the future
Ann appointed as a new CTO (Chief Technology Officer) for a company. He is seeking recommendations for network monitoring services for the local Intranet. He would like the capability to monitor all traffic to and from the gateway, as well as the capability to block certain content. Which of the following recommendations would meet the needs of the organization?
Installation of a firewall on the internal interface and an NIDS on the external interface of the gateway router. A firewall should be installed on the internal interface as it acts as a barrier between a trusted network and an untrusted network. It controls access to the resources of a network through a positive control model. This means that the only traffic allowed onto the network is defined in the firewall policy; all other traffic is denied. NIDS should be installed on the external interface as it monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. It involves looking at the packets on the network as they pass by some sensor
A security administrator wants an employee who uses email messaging to provide PII to others on a regular basis to have confidence that their messages are not intercepted or altered during transmission. A security administrator is concerned about which of the following types of security control?
Integrity Integrity means that the messages or data is not altered. PII is personally identifiable information that can be used to uniquely identify an individual. It is used to ensure the integrity of data or messages
Which of the following is a hardened server that provides access to other hosts?
Jumpbox Jumpbox is a hardened server that provides access to other hosts. An example is a Windows system on the public network and a storage management network
Your Web server crashes at exactly the point where it reaches 1 million total visits. You notice that the cause of the server crash is a malicious code. Which of the following threat best fits this description?
Logic bomb A logic bomb is a malware that executes its malicious activity when a certain condition is met, often when a certain date/time is reached. It is a malicious program that executes when a predetermined event occurs. In the given scenario, it waited for the Web server to pass a certain threshold
Rena, a software developer, has designed some code to reactivate her account one week after her account had been disabled. Which of the following is this an example of? Each correct answer represents a complete solution. Choose two
Logic bomb Backdoor This is an example of both a logic bomb and a backdoor. The logic bomb is configured to go off or activate one week after her account had been disabled. The reactivated account will provide a backdoor into the system. A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. A backdoor in a computer system is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.
Which of the following log analysis tools parses system logs and creates a report on various aspects that users specify?
Logwatch Logwatch is a customizable log analysis system available for free download. This utility parses system logs and creates a report on various aspects that you specify. It has a plug-in interface that enables a user to customize it according to your needs
Which of the following are examples of WAF (web application firewall)? Each correct answer represents a complete solution. Choose all that apply
ModSecurity NAXSI Imperva SecureSphere WAF
An incident response report discovers a virus that was introduced through a remote host connected to corporate resources. A cybersecurity analyst has been asked for a recommendation to solve this issue. Which of the following should be applied?
NAC (Network Access Control) A cybersecurity analyst should apply NAC (network access control) to solve this issue. NAC is a general term for the collected protocols, policies, and hardware that govern access on device network interconnections. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control
Max, a network administrator, wants to gather information on users, groups, and services on a network without authenticating to the device. Which of the following vulnerability assessment tool should he use?
Network enumerator Max should use network enumerator. It gathers information on users, groups, and services on a network without authenticating to the device. Network enumerators often use protocols like ICMP and Simple Network Management Protocol (SNMP) to discover network hosts and retrieve the information
An attacker wants to intercept an organization's unencrypted data to reveal vulnerabilities in the organization's network infrastructure. Which technique should the attacker use?
Network sniffing Network sniffing involves sniffing a network for its packet to intercept an organization's unencrypted data to reveal vulnerabilities in the organization's network infrastructure
Due to new regulations, an organization has decided to initiate an organizational vulnerability management program and assign the function to the security team. Which of the following frameworks would best support the program? Each correct answer represents a complete solution. Choose two
OWASP ITIL OWASP (Open Web Application Security Project) and ITIL (Information Technology Infrastructure Library) frameworks will be best to support the program. OWASP is an online community that provides knowledge to the development community for several different security practices, including pen testing. ITIL is a set of IT management practices for aligning IT services with the needs of the business.
Which of the following highlights areas within an organization that requires testing?
Open Source Security Testing Methodology Manual The OSSTMM (Open Source Security Testing Methodology Manual) highlights areas within an organization that requires testing. Its primary goal is to provide transparency
Which of the following is a community effort that provides free access to a number of secure programming resources?
Open Web Application Security Project OWASP (Open Web Application Security Project) is a community effort that provides free access to a number of secure programming resources. It encourages participation from everyone related to information security and programming field so as to grow its body of knowledge. It provides cheat sheets that cover different areas of application development
Rex, a security administrator, wants to intercept the actual content of particular network packets sent using various network protocols for security purpose. What tool will he use to accomplish this?
Packet analyzer Rex would use a packet analyzer to intercept the actual content of particular network packets sent using various network protocols for security purpose. It is one of the primary tools used for network monitoring and intended primarily for troubleshooting purposes
Which of the following fuzzers provides customizable testing definitions for a wide range of computing protocols and file types?
Peach Peach fuzzers provides customizable testing definitions for a wide range of computing protocols and file types. It discovers unknown vulnerabilities and is scalable, automated, and seamless
An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would only identify the known vulnerability?
Performing a scan for the specific vulnerability on all web servers To only identify the known vulnerability, a scan for the specific vulnerability should be performed on all web servers. Performing a scan for a specific vulnerability will be time effective and will help in identifying the known vulnerability more appropriately. A vulnerability scan uses various tools and security utilities to identify and quantify vulnerabilities within a system, such as lacking security controls and common misconfigurations but does not directly test the security features of that system
James works as a security administrator for a company. He wants to actively test that an application's security controls are in place or not. Which of the following assessments will he perform to test this?
Penetration test Penetration testing, also known as pen testing, is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. The main objective of penetration testing is to determine security weaknesses. It can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents
An attacker uses a compromised host as a platform from which to spread an attack to other points in the network. This is best described as what type of an attack?
Pivoting In pivoting, an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network
Define controls required to maintain the data privacy
Privacy policies
Max, the security administrator, wants to quantify all traffic on his network. Which of the following tools will be best for him to use?
Protocol analyzer A protocol analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. By capturing and analyzing the packets sent between the systems on the network, Max would be able to quantify the amount of traffic on the network
Andrew, a security administrator, wants to monitor and limit users' access to external websites. Which of the following will he implement to address this?
Proxy server Andrew will install a proxy server. A proxy is a device that acts on behalf of other(s). In the interest of security, all internal user interaction with the Internet should be controlled through a proxy server. Proxy servers can be used as a method of content filtering. A user must pass through the proxy to connect outside of the private network, and the proxy can block the user from being exposed to malicious traffic
Rena works as an employee in a company. She is facing an issue that her workstation screen becomes blank other than a window with a message requesting payment or else her hard drive will be formatted. Which of the following types of malware is on Rena's workstation?
Ransomware Ransomware has occurred on Rena's workstation. Ransomware is a computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying
Which of the following vulnerability scanning tools generates contextual risk-based scores and reports for vulnerabilities on a wide variety of enterprise software and hardware platforms?
Rapid7 Nexpose Rapid7 Nexpose is a vulnerability scanner that generates contextual risk-based scores and reports for vulnerabilities on a wide variety of enterprise software and hardware platforms. It also offers continuous monitoring capabilities
What are the features of endpoint protection? Each correct answer represents a complete solution. Choose all that apply
Reduces data loss Provides application whitelisting functionality Provides full disk encryption Contains centralized in-house server for distributing malware signature update
What is meant by isolation?
Removing an affected component which is a part of a larger environment Isolation is the process of removing an affected component from a larger environment it is a part of. For example, removing a server from a network
Reduce the risk of losses in an organization
Separation of duties policies
An employee from neighboring office has directly logged into an account without explicit authorization from a local network administrator. What does this account refer to?
Rogue This account is referred as a rogue account. Rogue accounts present an opportunity for the APT to maintain access while injecting no illegitimate code on the target systems at all. With this rogue account in place, the attacker may be able to remote into the system and access sensitive information. If the rogue account has sufficient privileges, the APT may be able to change or delete files
Adam found that an extra NIC (network interface controller) has been installed on his computer which is creating a side channel for an attack on his computer. What is the term used for such type of unauthorized equipment?
Rogue hardware Rogue hardware is an unauthorized equipment that is attached to a network or assets which create a side channel for an attack. It is designed to exploit organizations logical infrastructure
A network security analyst, while doing a server audit, notices connections to unauthorized ports from outside the corporate network. Using specialized tools, he also discovers hidden processes running on a server. Which of the following has most likely been installed on the server?
Rootkit A rootkit has been installed on a server. A rootkit is a collection of tools that enable administrator-level access to a computer or computer network. Generally, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network
An attacker has maintained access in an organization's system over a long period of time. Which of the following exploits is the attacker using?
Rootkit Rootkits are used by attackers to maintain access in an organization's system over a long period of time. They bypass access control mechanisms on a host by opening up a hidden remote channel. They can also grant an attacker increased access privileges if they run at the kernel level or on device firmware
Which security organization runs the GIAC (Global Information Assurance Certification) program, and provides security resources such as the Reading Room and the Internet Storm Center?
SANS SANS Institute is a cybersecurity training organization headquartered in the U.S. It runs the GIAC (Global Information Assurance Certification) program, and provides security resources such as the Reading Room (whitepapers) and the Internet Storm Center (threat/vulnerability alerts)
Which of the following is a combination of open standards that identify flaws in security configurations?
SCAP SCAP (Security Content Automation Protocol) is a NIST framework that outlines various accepted practices for automating vulnerability scanning. It is a conglomeration of open standards that identify flaws in security configurations
Which tool provides real-time analysis of security alerts generated by applications and devices?
SIEM SIEM (security information and event management) encounters alerts provided by applications and devices in real-time or near real-time. It is available as network appliances, software applications, or managed cloud-based solutions
Which of the following enables a security personnel to take defensive actions more quickly by providing real-time or near-real-time analysis of security alerts generated by network hardware and applications?
SIEM SIEM (security information and event management) is a hardware or software solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. It is often used to enhance incident response capabilities by providing expanded insights into intrusion detection and prevention through aggregation and correlation of event data across multiple incidents
Which of the following devices provides load balancing and data backups during DDoS attacks and data destruction breaches?
Server Servers provide load balancing and data backups during DDoS attacks and data destruction breaches. They are used to offload raw processing power in the event of some mitigation effort
A security administrator is constructing a development environment and places the three virtual servers in a new virtual network to isolate them from the production network. Which of the following describes the environment the administrator is building?
Sandbox Sandbox describes the environment the administrator is building. Sandboxing is the process of isolating a system before installing new applications on it so as to restrict any potential malware that may be embedded in the new application from being able to cause harm to production systems
You suspect a program that contains malwares on a cloud server. You want to test the program by safely executing it in an isolated environment. Which of the following techniques will you use?
Sandboxing You should use sandboxing as it provides you a stand-alone environment that allows you to safely view or execute the program while keeping it contained. It is frequently used to test untrusted programs that may contain a virus, malwares or other malignant code, without allowing the software to harm the host device
Which of the following is an act of permanently removing all the data from a storage device?
Sanitization A sanitized device has no usable residual data and the data cannot be recovered even by using any advanced forensic tools
An organization has a website that is accessed in its partner organization. The users in the partner organization reset their passwords by pressing a button to get an email containing the reset link. Which of the following function allows the users to reset the password?
Self-service reset The self-service reset function allows users to resets their passwords by pressing a button to get an email containing the reset link. This service is generally granted by a non-SOS system
Sam, a security administrator, notices a potential fraud committed by a database administrator performing various different job functions within the company. Which of the following is the best method for him to use to prevent such activities in the future?
Separation of duties Sam should use separation of duties to prevent such activities in the future. Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, are individually assigned to unique administrators. This helps in fraud prevention, error reduction, as well as conflict of interest prevention. For example, those who configure security should not be the same people who test security
Sia works as a security administrator for a company. She is concerned that there is no oversight in the finance department, in other words, a single employee alone cannot give permissions to write, sign, and distribute pay cheques, as well as other expenditures. Which of the following controls is best for her to address this concern?
Separation of duties Sia should implement separation of duties to address this concern. Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, is individually assigned to unique administrators. This helps in fraud prevention, error reduction, as well as conflict of interest prevention. For example, those who configure security should not be the same people who test security.
Which of the following SIEM tools has a limited free version for individuals, a paid enterprise version, and a paid cloud-based version?
Splunk
A company wants to implement security during the SDLC (software development lifecycle). For this, it wants to employ a method which detects weaknesses in application before execution. Which code analysis method provides this feature?
Static The company will use static code analysis to implement security during the SDLC. Static code analysis detects weaknesses in application before execution. It determines issues ranging from faulty logic to insecure libraries
Brena, a security analyst, notices that external users are constantly reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices will she implement to prevent this issue?
Stress testing Brena should implement stress testing to prevent this issue. Stress testing is the process of determining the ability of a computer, network, program, or device to maintain a certain level of effectiveness under unfavorable conditions. It consists of a battery of tests that are designed to evaluate how an app performs under extreme processing load. It will force an app to read and write excess data to memory, read and write excess data to storage, consume a lot of processor cycles, and overwhelm network interfaces with traffic
A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and the production is affected. Which of the following sources would a technician use to evaluate which network service was interrupted?
Syslog A technician should use Syslog to evaluate which network service was interrupted. Syslog logging is provided through a simple centralized logging infrastructure that provides a common interface for log entry generation, storage, and transfer. It is a TCP/IP protocol and can run on nearly any operating system. It includes information to help identify basic information about where, when, and why the log was sent
A virtual machine has been installed in an organization for the accounting department. A cybersecurity analyst wants to enhance security in his organization by disabling certain services and remove the local accounting groups installed by default on the virtual machine. The cybersecurity analyst is adhering to which of the following security best practices?
System hardening System hardening is the process of securing the operating system by reducing its surface of vulnerability. Reducing the surface of vulnerability generally includes removing unnecessary functions and features, removing unnecessary usernames or logins, and disabling unnecessary services
Risa, a security administrator, has discovered a vulnerability in a high impact production server. A recent update was made by the vendor that addresses the vulnerability but requires a reboot of the system afterward. Which of the following steps should she implement to address the vulnerability?
Test the update in a lab environment, backup the server, schedule downtime to install the patch, install the update, reboot the server, and monitor for any changes Risa has an update to apply to fix the vulnerability. So, she should first test the update in a lab environment, not on the production server to ensure it doesn't cause any other problems with the server. After testing the update, she should backup the server to enable her to roll back any changes in the event of any unforeseen problems with the update. The question states that the server will require a reboot. This will result in downtime so she should schedule the downtime before installing the patch. After installing the update, she should monitor the server to ensure it is functioning correctly
What is the purpose of creating Trusted Foundry?
To secure integrated circuits used in critical systems throughout the entire supply chain
Rex, a security administrator, wants to examine data packet communications to reveal insights without digging into the packet content. Which of the following security techniques should he perform?
Traffic analysis Rex should perform traffic analysis, also known as packet trace analysis, to examine data packet communications. It is the act of examining data packet communications to reveal insights without digging into the packet content, such as when the packet contents are encrypted. Clues derived from packet trace analysis might help an intruder, but they are also quite useful for defensive monitoring and security intelligence analysis
Which of the following software tools calculates the SHA (Secure Hash Algorithm) hashes of a file or group of files?
shasum This tool is supported by Linux operating system
A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the first thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?
Use write blockers The first thing the analyst must do is to use write blockers to ensure the integrity of the hard drive while performing the analysis. It is one of the most crucial tools in preserving the integrity of an evidence. It is a disk controller that accesses a drive in read-only mode and prevents the OS from writing data to the disk
An organization has recently recovered from a large amount of malware and virus incidents at one of its satellite offices. The incident response team has a stake in whether or not the corrective actions it suggested actually get put into place and save the organization from the same type of incident in future. Which process should the incident response team follow to ensure that its suggested control has the intended effect?
Validation The incident response team should follow the validation process to ensure that its suggested control has the intended effect on the organization. The validation process verifies that the organization implements a vulnerability scanning regimen, reconfigures user permissions to ensure that attackers cannot easily exploit privileges, and implements security patches in vulnerable systems
The method of breaking larger network address space into smaller networks is known as:
subnetting. Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections
Sam, a security analyst, during a recent audit discovered that many services and desktops were missing security patches. Which of the following best describes the assessment that he should perform to discover this issue?
Vulnerability scan Sam should perform a vulnerability scan to discover such type of an issue. A vulnerability scan is the process of scanning the network or I.T. infrastructure for threats and vulnerabilities. Vulnerabilities include computer systems that do not have the latest security patches installed. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve them.
Samuel, a cybersecurity professional, is assigned a work of actively verifying the strength of the security controls on an organization's live modem pool. Which of the following activities will be the best for him to verify this?
War dialing Samuel should perform war dialing to verify this. War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, bulletin board systems, and fax machines. It can also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network
Which of the following is an act of searching for instances of wireless networks using wireless tracking devices with the purpose to obtain unauthorized Internet access and potentially steal data?
War dialing War dialing is an act of searching for instances of wireless networks using wireless tracking devices such as smartphones, tablets, mobile phones, or laptops with the intent to obtain unauthorized Internet access and potentially steal data. An attacker uses a modem to dial numerous phone numbers in search for any machine that will respond. This can provide an endpoint for an attacker to breach a network
Which pen testing color-coded team decides over the simulations and defines the ROE (rules of engagement)?
White The white team has decision-making powers over the simulations and defines the ROE. Security and IT managers are the members of the white team
An organization has recently launched a new billing invoice website for a few key vendors. Maxi, a security analyst, is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst discovers the website is receiving millions of requests, causing the service to become unavailable. Which of the following should she implement to maintain the availability of the website?
Whitelisting She should implement whitelisting to maintain the availability of the website. Whitelisting is the process of allowing specific systems, software, services, and so on, to use a resource. It is useful in keeping a list of applications that a host can install, or a network can communicate with. If a user's workstation only needs a word processor, a spreadsheet program, and not much else, then all other software can default to being blocked while the CSIRT contains and mitigates the incident
A penetration tester wants to analyze the to and fro traffic from a company's network. Which of the following tools would the tester use?
Wireshark The penetration tester would use the Wireshark tool which is a tool for network traffic analysis. It is also used for network troubleshooting, software and communications protocol development, and education
Which of the following gears toward modifying and extracting data from files or data streams, which can be useful in preparing data for analysis?
awk awk is a tool commonly used on Unix-like systems. It is a scripting engine geared toward modifying and extracting data from files or data streams, which can be useful in preparing data for analysis
A user wants to compare two text files, iplog1.txt and iplog2.txt, to find the lines that are not same in both the files. What is the correct format that the user should follow to get the difference between these files by using diff command?
diff iplog1.txt iplog2.txt The correct format that the user should follow to get the difference between the two files is: diff iplog1.txt iplog2.txt This will display each line that is not the same. It also displays a summary of where those lines are and how they need to be changed in order to be identical
An administrator of an organization has found specific string values missing from a text file. Which of the following commands will help the administrator to search for the same?
grep The grep command will help the administrator to search for the specific string values in the entire text file. It is an extremely powerful tool which searches the entire contents of a text file for a specific pattern, and displays that pattern on the screen or dump it to another file
If you don't know the MAC address of a Linux-based machine, what command-line utility can you use to ascertain it?
ifconfig ifconfig is used to ascertain the MAC address of a Linux-based machine. This command performs a similar function to Windows' ipconfig such as displaying information about a device's network interfaces, including the IP address, netmask, and MAC address.
Which command helps in determining IP address and Domain Name System (DNS) information of a host?
ipconfig ipconfig command helps users in determining IP address and Domain Name System (DNS) information of a host. It is an easy and a quick way for determining host information
A malicious system-level kernel module which modifies the file system operation is called:
rootkit Rootkits are programs that infiltrate the operating system to gain administrator-level access. The power of rootkits is that they can alter an operating system's kernel or a device's firmware to mask just about any type of activity desired
A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing and during which phase of the SDLC should this occur? Each correct answer represents a complete solution. Choose two
→ Fuzzing → Verification phase The lab is performing fuzzing software assessment capabilities and it should be performed during the verification phase of the SDLC. In the verification phase of the SDLC, following activities are performed: dynamic analysis, fuzz testing, and attack surface review. Fuzzing is a testing method used to identify vulnerabilities and weaknesses in an application by sending the application a range of random or unusual input data and noting any failures and crashes that result
Which of the following statements are true of input validation?
→ Includes sending any unexpected or maliciously crafted input to a system → Helps to overcome buffer overflow and DoS attack → Ensures that different types of input are handled gracefully by an application Input validation ensures that different types of input are handled gracefully by an application. It Includes sending any unexpected or maliciously crafted input to a system. It helps to overcome buffer overflow, memory leakage, information disclosure, DoS, and injection attacks. It requires special characters, code injection, and other irregular forms of input to expose any security flaws during the testing process
Rex is a security administrator for a company. He wants to limit the security team's ability to remediate vulnerabilities. Which of the following business documents should he use for reference? Each correct answer represents a complete solution. Choose two
→ MOU → SLA Rex should use SLA (service-level agreement) and MOU (memorandum of understanding) business documents. They are used to limit the security team's ability to remediate vulnerabilities. MOU is usually not legally binding and generally does not involve the exchange of money. They are less formal than traditional contracts, but still have a certain degree of significance to all parties involved. SLA defines what services are to be provided to the client, and what support, if any, will be provided. Services may include everything from hardware and software to human resources. A strong SLA will outline basic service expectations for liability purposes.
What features should be provided by sandboxes for analyzing malware? Each correct answer represents a complete solution. Choose all that apply
→ Monitoring system changes without direct user interaction → Monitoring network sockets for attempted connections → Taking periodic snapshots of the environment → Monitoring all system calls and API calls made by programs → Recording file creation/deletion during the malware's execution → Dumping the virtual machine's memory at key points during execution
Which of the following criminal offenses are introduced by the UK Computer Misuse Act?
→ Unauthorized access to computer material → Unauthorized access with intent to commit or facilitate commission of further offense → Unauthorized modification of computer material
Which of the following statements describes a EMET (Microsoft's Enhanced Mitigation Experience Toolkit)? Each correct answer represents a complete solution. Choose all that apply
→ Used as an extra layer of defense against malware attack → Adds supplemental security services to safeguard third-party application → A freeware Windows-based security toolkit EMET is a freeware Windows-based security toolkit. It adds supplemental security services to safeguard third-party application. It is used as an extra layer of defense against malware attack and uses 12 specific mitigation techniques
Which of the following statements are true of manual approach to provisioning and de-provisioning?
√ Causes interruption and service delay √ Requires human intervention for creation or deletion of user account
Which of the following software tools are cross-platform tools? Each correct answer represents a complete solution. Choose all that apply
√ Digital Forensics Framework √ log2timeline √ TestDisk √ Wireshark
Who is responsible for communicating an incident to the employees? Each correct answer represents a complete solution. Choose all that apply
√ HR √ Marketing
Which of the following steps will you perform after identifying the requirements for the vulnerability management process?
√ Identify vulnerabilities Here are the steps of the vulnerability management process: Inventory Identify requirements Identify vulnerabilities Report on results Remediate Implement continuous monitoring
Smith, a security technician, has been given a task to identify, locate, and resolve security issues of the server. Which of the following tools will he use? Each correct answer represents a complete solution. Choose two
√ Port scanner √ Protocol analyzer Protocol analyzer is a software or hardware management tool that integrates diagnostic and reporting capabilities to provide a comprehensive view of an organization's network. Port scanner is a type of software that looks for open ports on the target system and gathers information including whether the port is open or closed, what services are running on that port, and any available information about the operating system
A cybersecurity administrator wants to implement strong security on the company's assets such as smart phones and terminal servers located in the data center. Drag the applicable control to its asset type.
√ Terminal server controls: → Cable locks: It is used as a hardware lock mechanism, thus best used on a terminal server. → Network monitors: It is also known as sniffers, thus best used on a terminal server. → Antivirus software: It should be installed and definitions kept current on all hosts. In addition to active monitoring of incoming files, scans should be conducted regularly to catch any infections that have slipped through, thus best used on a terminal server. → Proximity readers: It is used as part of physical barriers which makes it more appropriate to use on a center's entrance to protect the terminal server. → Mentor app: It is an Apple application used for personal development and is best used on a terminal server. → Host-based firewall: A firewall is the first line of defense against attackers and malware. Almost every current operating system includes a firewall, and most are turned on by default, thus best used on a terminal server. √ Smart phone controls: → Remote wipe: An application that can be used on devices that are stolen to keep data safe. It is basically a command to a phone that will remotely clear the data on that phone. This process is known as a remote wipe, and it is intended to be used if the phone is stolen or going to another user. → GPS (Global Positioning System): It can be used to identify a mobile device location and allow authorities to find it, thus best used on a smart phone. → Screen Lock: The display should be configured to time out after a short period of inactivity and the screen locked with a password. To be able to access the system again, the user must provide the password. After a certain number of attempts, the user should not be allowed to attempt any additional logons; this is called lockout, thus best used on a smart phone. → Strong Password: Since passwords are always important, but even more so when you consider that the device could be stolen and in the possession of someone who has unlimited access and time to try various values, thus best use strong passwords on a smartphone as it can be stolen more easily than a terminal server in a data center. → Device Encryption: Data should be encrypted on the device so that if it does fall into the wrong hands, it cannot be accessed in a usable form without the correct passwords. It is recommended to you use Trusted Platform Module (TPM) for all mobile devices where possible. → Pop-up blocker: Not only are pop-ups irritating, but they are also a security threat. Pop-ups (including pop-unders) represent unwanted programs running on the system, and they can jeopardize the system's well-being. This will be more effective on a mobile device rather than a terminal server.
Which of the following statements describes a cyberlaw? Each correct answer represents a complete solution. Choose all that apply
√ Varies significantly depending on the jurisdiction √ Governs the behavior of individuals and groups in the use of computers and the Internet Cyberlaw governs the behavior of individuals and groups in the use of computers, the Internet, and other IT domains. It varies significantly depending on the jurisdiction. The definition and makeup differ from state-to-state and nation-to-nation
If SLE of a risk is $25,000 and ARO occurs once every four years, then what will be the ALE?
$6,250 The ALE (annual loss expectancy) value is calculated by multiplying an SLE by its ARO to determine the financial magnitude of a risk on an annual basis. ALE (annual loss expectancy) = SLE (single loss expectancy) X ARO (annual rate of occurrence) If SLE of a risk is $25,000 and ARO occurs once every four years, then ALE is $6,250 ($25,000*0.25).
Which grep command option is used to return the names of the files with matching lines rather than the lines themselves?
-l In grep command, -l option returns the names of the files with matching lines rather than the lines themselves. It is primarily used in multi-file grep searches
Which of the following statements are true of Aircrack-ng? Each correct answer represents a complete solution. Choose all that apply
→ A wireless packet sniffer → Includes a WEP and WPA/WPA2-PSK cracker → Sniffs 802.11a, 802.11b, and 802.11g traffic
Which of the following web app vulnerabilities modifies the contents of a small piece of data after it has been generated and sent by the web service to the client's browser?
Cookie poisoning Cookie poisoning modifies the contents of a small piece of data (cookie) after it has been generated and sent by the web service to the client's browser
Which of the following policies defines a set of rules and restrictions for how various internal and external stakeholders should behave with the organization's assets?
Acceptable use policy AUP (acceptable use policy) is also known as acceptable usage policy or fair use policy. It defines a set of rules and restrictions for how various internal and external stakeholders may behave with respect to the organization's assets. It generally outlines general or specific behaviors that the organization believes will either reduce, increase, or have no effect on risk
You work as a cybersecurity analyst for a company. After analyzing the company employees' activities from multiple sensors, you've determined that a group from a high-risk country is responsible for the breach of the company network and continuous administration of targeted attacks for the past three months. However, the attack went unnoticed till now. This is an example of which type of an attack?
Advanced persistent threat This is an example of APT (advanced persistent threat). APT is an attack that continually exploits a target while remaining undetected for a significant period of time. It targets large organizations to covertly compromise their business efforts. Financial institutions, companies in health care, and other organizations that store massive quantities of PII are the most common victims of an APT. Most APTs are usually not individual attackers, but a group of highly technical people that work toward a clearly defined goal
A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the best approach for the analyst to perform?
Analyze the trends of the events while manually reviewing to see if any of the indicators match. The analyst should analyze the trends of the events while manually reviewing to see if any of the indicators match. Trend analysis is the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events. It helps you to judge those specific events over time are likely related, and possibly indicate that an attack is imminent. It can also help you avoid unforeseen negative effects that result from an attack if you can't stop the attack altogether. Aside from predicting future events, trend analysis also enables you to review past events through a new lens
In the case of a major business interruption, the security analysis team has documented the expected loss of earnings, potential fines, and potential consequence to customer service. Which of the following documents would include the most detail on these objectives?
BIA BIA (business impact analysis) is a document which identifies present organizational risks and determines the impact to ongoing, business-critical operations and processes if such risks actually occur. BIAs contain vulnerability assessments and evaluations to determine risks and their impact on the customers. It includes all phases of the business to ensure a strong business continuation strategy
Which of the following is an automated password cracking technique that uses a random combination of upper and lower-case letters, 0-9 numbers, and special characters?
Brute force attack It is extremely resource-intensive and can take a long time to be successful, as password crackers generate every possible permutation for a given set of characters, letters, and numbers defined by a minimum and maximum length
Loy, a security administrator wants to successfully recover a user's forgotten password on a password protected file. Which of the following techniques can he use to accomplish this task?
Brute-force Loy can use the brute-force password cracking technique to recover a user's forgotten password on a password protected file. A brute-force attack is an automated attempt to open a file by using many different passwords. It is a trial-and-error method used to obtain information such as a user password or personal identification number. In this, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. It may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security
Which of the following tools is used as an interception proxy for analyzing traffic and modifying traffic to exploit web apps?
Burp Suite The Burp Suite tool is used as an interception proxy for analyzing traffic and modifying traffic to exploit web apps. It is used by information security professionals for identifying vulnerabilities and verifying attack vectors for web-based applications
Which of the following refers to an infrastructure of computers with which attackers direct, distribute, and control malware?
C&C In cybersecurity, C&C (command and control) refers to an infrastructure of computers with which attackers direct, distribute, and control malware. This is made possible primarily through coordinated botnets, after compromising systems and turning them into zombies, the attacker adds these systems to an ever-growing pool of resources
A cybersecurity analyst traced the source of an attack to compromise user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement?
Context-based authentication The analyst should implement context-based authentication. Context-based authentication mechanisms verify an object's identity based on various attributes of an environment. These attributes may not be an inherent part of the object's identity, but instead, describe other factors that could influence whether or not the system accepts the access request
Rena works as a security analyst for a company. She determines that an overseas branch office within the company has more technical and non-technical security incidents than other parts of the company. Which of the following management controls she can use to improve the security of the branch office?
Continuous monitoring processes Rena should perform continuous monitoring processes to improve the security of the branch office. Continuous monitoring involves regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations. It defines exactly what events and environments should be monitored based on a prior risk analysis. It also points toward the never-ending review of what resources a user actually accesses, which is critical for preventing insider threats.
James, as a security technician wants to ensure security controls are functioning as intended by taking the regular measurements of network traffic levels to maintain an appropriate security posture. Which of the following security techniques is most appropriate for him to do this?
Continuous security monitoring James should perform continuous security monitoring that involves regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations. Once the baseline has been applied, it must be maintained or improved. Maintaining the security baseline requires continuous monitoring
Click the Exhibit button. Collect Evidence → Analyze and Store → Present in Court Which of the following process is shown in the above figure?
Chain of custody The figure shows the process of chain of custody. It is a record of evidence handling from collection through presentation in court. The evidence can be a telephone system, electronic data, or hardware components
Rex, a forensic analyst, after receiving the hard drive from detectives used a log to capture corresponding events prior to sending the evidence to lawyers for a court case. Which of the following do these actions indicate?
Chain of custody These actions indicate the chain of custody. It is the record of evidence handling from collection through presentation in court. The evidence can be hardware components, electronic data, or telephone systems. The chain of evidence reinforces the integrity and proper custody of evidence from collection, to analysis, to storage, and finally to presentation. Every person in the chain who handles evidence must log the methods and tools they used
An attacker tricks a client into accessing a web page link different from where they had intended to go. This is best described as what type of an attack?
Clickjacking Clickjacking occurs when an attacker tricks a client into clicking a web page link that is different from where they had intended to go. After the victim clicks the link, they may be redirected to what appears to be a legitimate page where they input sensitive information
After visiting a website, Reya receives an email thanking her for a purchase which she did not request. Upon investigation, the security administrator sees the following source code in a pop-up window: <HTML> <body onload="document.getElementByID('badForm').submit()"> <form id="badForm" action="shoppingsite.company.com/purchase.php" method="post" > <input name="Perform Purchase" value="Perform Purchase"/> </form> </body> </HTML> Which of the following has most likely occurred?
Cross-site request forgery XSRF (cross-site request forgery) attack has most likely occurred. XSRF applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge
Joe, an investigator, wants to scan a hard drive to view the deleted communication. Which of the following tools should Joe use?
FTK Joe should use an FTK (Forensic Toolkit) tool for scanning a hard drive to view the deleted communication. It is a multi-purpose proprietary utility supported by Windows operating system which also has password cracking utility
James, a network security administrator, is concerned about the security of his organization as the database residing on the network has all information about the employees, which can help an unauthorized person to recognize an individual. Which PII (Personally Identifiable Information) should be removed from the database so that the unauthorized person cannot identify an individual?
Email address According to the scenario, email address is uniquely identified information that can help an unauthorized person to recognize an individual. Therefore, James should remove email addresses of all the employees from the database
Which of the following statements are not true of benchmarks?
Enables an organization to defend against active threat CIS (Center for Internet Security) enables an organization to defend against active threat. They are free for non-commercial use and are presented as short checklists of high-priority actions for the organization to take to secure itself against major sources of risk
Jason, a network administrator, used to access the Internet frequently. This makes the company's files susceptible to attacks from unauthorized access. He wants to protect his company's network from external attacks. Which of the following options will help him to achieve his aim?
Firewall Jason should use a firewall because it is a software program used to protect an organization's network from external attacks by intruders who access it via the Internet. The role of a firewall is to prevent direct communication between a company's internal computers and the external network computers, which are used through the Internet. Instead, all communication is done through a proxy server, outside the organization's network, which decides whether it is safe to let a file pass through or not
An organization has limited the traffic flow on its network's border. For this, the organization is using a type of log which can manage user activity, control bandwidth usage, monitor IDS activity, and permit or deny connections. Which of the following types of the log is used by the organization?
Firewall The organization is using a firewall log. A firewall log can manage user activity, control bandwidth usage, monitor IDS activity, permit or deny connections, and much more
A security manager is preparing the training portion of an incident plan. Which of the following job roles should receive training on forensics, chain of custody, and the order of volatility?
First responders First responders should receive training on forensics, chain of custody, and the order of volatility. The primary focus as a first responder is to analyze threats and handle incidents, you may be called on to resolve problems that are inherent in the organization's defenses
Which of the following reports represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated?
Forensic analysis Forensic analysis report represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement
An organization wants to update its acceptable use policy to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is most likely to be incorporated in the AUP?
Guests using the wireless network should provide valid identification when registering their wireless devices. Guests using the wireless network should provide valid identification when registering their wireless devices should be incorporated in the AUP. Acceptable use policies define a set of rules and restrictions for how various internal and external stakeholders may behave with respect to the organization's assets. These policies typically outline general or specific behaviors that the organization believes will either reduce, increase, or have no effect on risk. This will majorly help in an authentication of guest wireless devices
The security team of an organization has trapped an attacker in an isolated environment where they are being monitored. The team has also tricked the attacker into believing that they are causing damage to the organization's systems. Which of the following practices is used by the security team?
Honeypot The security team is using honeypot which is a practice of trapping an attacker in an isolated environment where they are being monitored and kept from compromising systems in production. It tricks the attacker into believing that they are causing damage to the organization's systems, which enables the security team to analyze the attacker's behavior
Which of the following facilitates a series of standards that governments and industries can follow to have common guidelines for processes and operations at the international level?
ISO ISO (International Organization for Standardization) is an organization with global reach that promotes standards for many different industries. It facilitates a series of standards that governments and industries can adhere to have common guidelines for processes and operations at the international level. Each new standard goes through several phases before it is finalized
Sam, a cybersecurity analyst, has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the best action for him to perform?
Inform management of the incident. The analyst should immediately inform the management about the incident as they might have other concerns too. Management can further consult with your ISP if it offers some sort of DDoS protection services. Ultimately, it's important to have a plan in place you need to escalate your mitigation efforts to a specialist or other third party
Rena, as a security network administrator of a corporate network wants to monitor all network traffic on her local network for suspicious activities and receive a notification when a possible attack is in process. What will she do?
Install a network-based IDS. Rena should install a network-based IDS as it monitors all traffic on entire network. This would give her coverage for all network traffic. It can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules
To gain more insights into the processes of a company, the company changes the positions of employees. Which of the following is an example of this practice?
Job rotation This practice is an example of job rotation. Job rotation is practiced to allow qualified employees to gain more insights into the processes of a company. It was designed to promote flexibility within an employee and to keep employees interested into staying with the company they are employed with. It is an approach to management development where an individual is moved through a schedule of assignments designed to give him or her the breadth of exposure throughout the entire operation
Which of the following log analysis tools collects Linux syslog and Windows event log data from different networking and host-based appliances?
Kiwi Syslog Server Kiwi Syslog Server collects Linux syslog and Windows event log data from different networking and host-based appliances. It also generates alerts based on the received log data, and can be configured to take action on these alerts
Which of the following is a component of the COBIT framework that allows a company to have its methods and processes assessed according to management best practice, against a clear set of external benchmarks?
Maturity model Maturity model is a component of the COBIT framework that allows a company to have its methods and processes assessed according to management best practice, against a clear set of external benchmarks. It is used to assess the formality and optimization of a process and address any gaps. It enables the reviewer to gain a more accurate perspective of how an organization's products or services may be putting the organization at risk, and guides risk management strategies as a response
Sia, a cybersecurity analyst, wants to use a command utility to identify open ports and running services on a host along with the application associated with those services and port. Which of the following should she use to achieve this?
Netstat Sia should use the netstat command to identify open ports and running services on a host along with the application associated with those services and port. Netstat is a common command utility available in most versions of Windows, Linux, UNIX and other operating systems. It provides information and statistics about protocols in use and active TCP/IP network connections
A security analyst is examining a database server to verify that the correct security measures are in place to protect the data. In which, some of the fields consist of data like people's first name, last name, home address, date of birth, and mother's last name. Which of the following illustrates this type of data?
PII PII (personal identifiable information) is used to illustrate this type of data. It is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record. It generally includes data such as first names, last names, home address, date of birth, etc
A reverse engineer was analyzing malware found on a retailer's network and found code extracting customer payment data. Which of the following threats did the engineer most likely uncover?
POS malware The reverse engineer most likely uncovered POS (point-of-sale) malware. It is a malicious software written to steal customer payment data, especially credit card data from retail checkout systems. Criminals purchase POS malware to steal customer data from a retail organization with the intention of selling the data rather than using it directly
Sam, a security administrator, wants to keep vulnerabilities safe from being exploited by a malicious user. Which of the following should he implement to accomplish this task?
Patching Sam should implement patching to accomplish this task. Patching is a vital procedure that keeps these vulnerabilities from being exploited by a malicious user. In an organization, patching procedures are often not just a simple press of an update button or even an automated process
Martha receives an e-mail message containing a notice that appears to be from her bank, asking her to call and update her password. Which type of attack is this?
Phishing In this scenario, Martha is a victim of a phishing attack. The perpetrator sends an e-mail message containing a bank notice, asking Martha to call and update her password. The phone number provided in the message rings in the perpetrator's phone system, rather than in the bank's system. Phishing attacks are used to try to trick users into giving up personal information, including user account names and passwords
A user is able to obtain access to additional resources or functionality that they are normally not allowed to access. This is best described as what type of an attack?
Privilege escalation This is best described as the privilege escalation attack. With privilege escalation, the user is able to obtain access to additional resources or functionality which they are normally not allowed access to. One of the most common scenarios is when a normal user is able to exploit some vulnerability in a system to gain administrator or root level privileges
A company is hiring a penetration tester and wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details?
SLA SLA (Service-level Agreement) document includes all of these details. SLA defines what services are to be provided to the client, and what support, if any, will be provided. Services may include everything from hardware and software to human resources. A strong SLA will outline basic service expectations for liability purposes. The document may include timeframes within which failures will be repaired or serviced; guarantees of uptime; or, in the case of a network provider, guarantees of data upload and download rates.
Mark is attempting to evaluate the potential impact of a firewall breach at his company. He is only looking at the relationship between the threats, vulnerabilities, and controls to evaluate the impact of a hypothetical breach. What type of approach to risk analysis is this?
Qualitative Mark is using the qualitative approach which uses descriptions and words to measure the likelihood and impact of a risk. Examining the relationships between threats, vulnerabilities, and controls without quantitative measurements is a qualitative approach. Because some aspects of security can be difficult to measure, the qualitative approach is commonly used.
Which of the following is a collection of documents that detail standards and protocols for Internet-related technologies?
RFC RFC (Request for Comments) is a collection of documents that detail standards and protocols for Internet-related technologies. It was designed during the early creation of the Internet to help organize new information and ideas. Based around the idea of peer review, the RFC process itself has evolved over time, and now serves as a testing ground for new ideas and technologies relating to the Internet
Eric is a security administrator of uCertify Inc. John, a sales manager, reports Eric about an e-mail through which an attacker is asking for money to decrypt the source code that he has encrypted. Which of the following type of threat is it?
Ransomware In this scenario, it states that the attacker is asking for money to decrypt a source code. These types of e-mails come under ransomware. Ransomware is a computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration
An enterprise has a vulnerability scanning tool installed that generates contextual risk-based scores and reports for vulnerabilities on enterprise software and hardware platform. Which of the following vulnerability scanning tool is being used in the enterprise?
Rapid7 Nexpose The enterprise has a Rapid7 Nexpose tool installed which generates contextual risk-based scores and reports for vulnerabilities on enterprise software and hardware platform. It provides continuous monitoring capabilities
Which of the following best describes the offensive participants in a tabletop exercise?
Red team The red team best describes the offensive participants in a tabletop exercise. The red team consists of security professionals who are tasked with conducting simulated attacks on the organization. The term red team is also used to refer to penetration testers in general, if no other teams are defined
A company has developed an application which is undergoing the testing process. According to the results of the testing process, some changes have been made to the application. The company now wishes to check whether or not the changes made in the application have caused the previously existing functionality to fail. Which test should the company perform?
Regression The company should perform regression testing which will evaluate the application to check whether or not the changes made in the application have caused the previously existing functionality to fail. This can also identify the security mechanism that was working before but is now broken due to the latest changes
Which of the following information is limited to a very small subset of the organization and to which access is granted on the basis of some criteria?
Restricted Restricted information, which might be limited to a very small subset of the organization primarily at the executive level (e.g., corporate accounting data), where unauthorized access to it might cause a serious disruption to the business. It is not available to all and its access is granted on the basis of some criteria. It includes proprietary processes, trade secrets, strategic information, and marketing plans. This information should never be disclosed to an outside party unless senior management gives specific authorization
An organization wishes to update its network resources for which it provides access only to its network managers and other network experts. It also wants the entries in the database table to be monitored for which it provides access to a database administrator. Which of the following factors is the organization using for providing access to a particular entity based on the entity's responsibilities?
Role-based The organization is following a role-based approach which involves providing network resource access to a particular entity in an organization based on the entity's roles and responsibilities
An organization wishes to conduct a pen test to assess organization's security posture. To conduct the test, the organization needs to specify various guidelines and constraints. Which of the following documents the same? Each correct answer represents a complete solution. Choose all that apply
Rules of engagement The ROE (rules of engagement) documents the guidelines and constraints necessary to conduct the testing process. It eliminates the process of taking continuous permission from the management for conducting any task
Which of the following is a type of ICS that generally monitors water, gas, and electrical assets, and can issue remote commands to those assets?
SCADA ICS (Industrial control systems) provide mechanisms for controlling machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services. SCADA (Supervisory control and data acquisition) is a type of ICS that enables network-based control over these critical utilities by sending remote control signals from a controller to a system, and vice versa
A company has purchased a new system, but security personnel are spending a lot of time on system maintenance. A new third party vendor has been appointed for maintaining the company's system. Which of the following documents should be created before assigning the job to the vendor?
SLA The SLA (Service Level Agreement) should be created before assigning the job to the vendor. This document is a one way to obtain guarantee as to what level of service the third-party vendor is agreeing to provide. It also specifies the uptime, response time, and maximum outage time that both parties are agreeing to.
An attack is performed on a web application where a string of characters is entered and input validation is bypassed to display some additional information. Which of the following types of attack is this?
SQL injection In the scenario, the SQL injection attack is performed. SQL injection involves adding SQL programming statements to input supplied by a user or an application. To identify SQL injection vulnerabilities in a web app, an attacker must test every single input to include elements such as URL parameters, form fields, cookies, POST data, and HTTP headers
Roy, a cybersecurity analyst, is reviewing IDS logs and notices the following entry: where [email protected] and password= 'or 1==1' Which of the following attacks had Roy discovered?
SQL injection Roy had discovered an SQL injection attack. The code in the question is an example of an SQL Injection attack. The code '1==1' will always provide a value of true. This can be included in a statement designed to return all rows in an SQL table. SQL injection is an attack that injects an SQL query into the input data directed at a server by accessing the client side of the application. In an SQL injection attack, an attacker can modify one or more of these four basic functions by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL
Which of the following threat actors is an unskilled individual who uses tools or programs developed by others to attack computer systems and networks?
Script kiddies Script kiddies are inexperienced, unskilled attackers that use tools and scripts created by others. The term is primarily derogatory and used to criticize an attacker as having childish motives with a limited appreciation of the technical aspect of their attacks
In an organization, several employees clicked on a link in a malicious message that bypassed the spam filter and their PCs were infected with malware as a result. Which of the following would best prevent this situation from occurring in the future?
Security awareness training Security awareness and training include explaining policies, procedures, and current threats to both users and management. A security awareness and training program can do much to assist in your efforts to improve and maintain security. A good security awareness training program for the entire organization should cover the following areas: importance of security; responsibilities of people in the organization; policies and procedures; usage policies; account and password selection criteria as well as social engineering prevention
Which of the following remediation strategies are most effective in reducing the risk of a network-based compromise of embedded ICS? Each correct answer represents a complete solution. Choose two.
Segmentation Disabling unused services Segmentation and disabling unused services are two most effective remediation strategies in reducing the risk of a network-based compromise of embedded ICS. Segmentation should be effective as a network infrastructure that isn't divided into subnets may end up being a single point of compromise for an attacker's benefit. Disabling unused services is also necessary, as enabled services that are not needed on a system provide a door through which attackers can gain access. You should disable all services that are not needed immediately
As a security administrator, you've implemented privacy screens and password protected screen savers on all servers and client computers. Which of the following attacks are you trying to mitigate?
Shoulder surfing As a security administrator, you're trying to mitigate the shoulder surfing social engineering attack. It is an act by a person who watches "over your shoulder" as you enter sensitive information, such as a password. The spying can actually be done from a large distance. People have been caught watching potential victims with telescopes, trying to learn long-distance calling codes and ATM PINs. Privacy screens, password masking, and password protected screen savers can be used to mitigate such attacks
Which of the following is the practice of deceiving people into giving away access or confidential information to unauthorized parties?
Social engineering Social engineering is the practice of deceiving people into giving away access or confidential information to unauthorized parties. The social engineer typically performs some sort of confidence trick on a privileged target
Ron, a cybersecurity analyst, is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. He found some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats did he discover?
Software vulnerability Ron has discovered a software vulnerability threat. A software vulnerability is a security flaw or weakness found in software or in an operating system that can lead to security concerns. However, this commonly encountered error becomes a security concern when attackers uncover the vulnerability, conduct research about it, and create a malicious code or exploit that targets this flaw to launch their schemes
Which of the following attack techniques goes undetected for a long time as they do not necessarily show overt signs of compromise?
Stealth Stealth attack techniques go undetected for a long time as they do not necessarily show overt signs of compromise. It could be an active person querying data packets from and to the network so as to find a method to compromise the security. Once the security is compromised, the person utilizes it for a short period of time for his gains and then, removes all traces of the network being compromised
Rex, a security analyst, has been asked to remediate a server vulnerability. Once he has located a patch for the vulnerability, which of the following should he perform next?
Start the change control process. Rex should start the change control process next after locating the patch for the vulnerability. The change control process is used to initiate, record, assess, approve, and resolve project changes. The purpose of the change control process is to manage change requests so that approved changes will be controlled, ensuring the project remains on schedule, within budget, and provides the agreed deliverables
In Linux, which of the following commands is used when users need to search for specific strings in a log file, like a particular source or event ID?
grep In Linux, the grep command is used when users need to search for specific strings in a log file, like a particular source or event ID
A security administrator finds an image file that has several plain text documents hidden in it. Which of the following security goals is met by hiding data inside of other files?
Steganography Steganography is the practice of hiding the presence of information within other information. Using steganography, an attacker might be able to evade intrusion detection and data loss countermeasures if they hide information within images or videos. Modern tools hide digital information so well that the human eye cannot tell the difference; likewise, computer programs not equipped for steganographic analysis may also fail to spot the hidden information
Joe and Rick are two security guards of your organization. They are on duty at the main center gate. As the number of staff is quite high, this location has lots of traffic. The guards must be concerned about which of the following social engineering attacks?
Tailgating The guards must be concerned about the tailgating attack. It is a human-based attack where the attacker slips in through a secure area following a legitimate employee. The employee does not know the attacker is even behind them. To prevent this type of attack, organizations often install access control mechanisms at each entrance
Rosy wants to implement a security control to monitor and prevent threats and attacks to computer systems and services. Which of the following security controls should she implement to accomplish the task?
Technical Rosy should implement technical controls to accomplish the task. Technical controls, also called logical controls, are hardware or software installations implemented to monitor and prevent threats and attacks to computer systems and services.
Rose, a security administrator, implements screen savers that lock the PC after five minutes of inactivity to help prevent unauthorized access to PC. Which of the following controls is being described in this situation?
Technical The controls described in this scenario such as preventing unauthorized access to PCs and applying screensavers that lock the PC after five minutes of inactivity is a type of a technical control. Technical controls, also called logical controls, are hardware or software installations implemented to monitor and prevent threats and attacks to computer systems and services. It also includes controls such as identification and authentication, access control, audit and accountability as well as system and communication protection
Which of the following factors restricts an organization's access control policy to mitigate risk?
Time Time-based factor restricts an organization's access control policy to mitigate risk. This system only verifies object during certain hours of a day or days of the year
Which of the following is the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events?
Trend analysis Trend analysis is the process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events. When applied to security intelligence, trend analysis can help you to judge that specific events over time are likely related, and possibly indicate that an attack is imminent
You are responsible for network security at a school. You find that someone has logged on as a student, but is able to access high privileged resources. What is this an example of?
Vertical privilege escalation This is an example of vertical privilege escalation. Vertical privilege escalation, also called privilege elevation, occurs when a user can perform functions that are not normally assigned to their role or explicitly permitted. In this case, a lower privilege application or user gains access to content or functions that are reserved for a higher-privileged-level user, such as root or an administrator
Rosy works as a security administrator for a company. She wants to evaluate system's security and ability to meet compliance requirements based on its configuration. Which of the following should she perform to accomplish this task?
Vulnerability assessment Rosy should perform vulnerability assessment to accomplish this task. A vulnerability assessment is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration
Your company is about to add wireless connectivity to the existing LAN. You are concerned about the security of wireless access and want to implement encryption. Which of the following would be the best option for you to use?
WPA2 WPA2 (Wi-Fi Protected Access) would be the best option as it is based on the Advanced Encryption Standard (AES) cipher along with strong message authenticity and integrity checking that is significantly stronger in protection for both privacy and integrity. In wireless environment, this can prevent the attacker from reading a packet's contents, unless the attacker is able to capture the authentication handshakes between a node and the access point
You've tasked Rex, one of your network specialists, for configuring new wireless routers in the building to extend the range of your network. Which of the following wireless encryption protocols should you recommend him to use to keep your network secure?
WPA2 with WPS disabled You should recommend the WPA2 protocol with WPS disabled. WEP was superseded by the much more secure WPA (Wi-Fi Protected Access) protocol and its successor, WPA2. Unlike WEP, WPA actually generates a 128-bit key for each individual packet sent, which prevents easy cracking of encrypted information. Although WPA used the same RC4 stream cipher, WPA2 uses the more secure AES block cipher for encryption. Currently, WPA2 is considered the most secure wireless encryption protocol and should be used instead of WPA. But a serious flaw in both WPA and WPA2 is the WPS (Wi-Fi Protected Setup) feature. Even routers that implement WPA2 can be vulnerable to cracking if they use WPS. A PIN validated by WPS one half at a time reduces the possible combinations from 100 million to 10 thousand. So, it will be more secure to use WPA2 with WPS disabled
Which of the following strengthens wireless security encryption by adding more methods to authenticate key generation, in case a user chose a weak password?
WPS WPS (Wi-Fi Protected Setup) was intended to strengthen wireless security encryption by adding more methods to authenticate key generation, in case a user chose a weak password
An attacker targets company's director and CEO by sending e-mails to fetch out private information. This is best described as what type of social engineering attack?
Whaling Whaling is a spear phishing technique used against a high-level corporate executive, politician, or celebrity. Mostly, it is an attack meant to target upper managers in private companies. The objective is to swindle the upper manager into divulging the confidential company information
The CEO of a company receives an apprehensive voice mail warning of credit card fraud. No one else in the company received the voice mail. Which of the following best describes this attack?
Whaling Whaling is a spear phishing technique used against a high-level corporate executive, politician, or celebrity. Mostly, it is an attack meant to target upper managers in private companies. The objective is to swindle the upper manager into divulging the confidential company information
A forensic analyst is asked to respond to an ongoing network attack on a server. Click to select the items, and then drag them into the correct order in which the forensic analyst should preserve them.
When dealing with multiple issues, address them in OOV (order of volatility); always deal with the most volatile first. Volatility can be thought of as the amount of time that you must collect certain data before a window of opportunity is gone. Naturally, in an investigation, you want to collect everything, but some data will exist longer than others, and you cannot possibly collect all of it once. OOV allows you to capture system images as a snapshot of what exists, look at network traffic and logs, capture any relevant video/screenshots/hashes, record time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation. In the given scenario, according to OOV, the forensic analyst should preserve the items in the following order: CPU cache RAM Swap Hard drive
Which of the following approaches simulates an inside attacker with an extensive knowledge about the target?
White box
A web application is configured to target browsers and allow access to bank accounts to drain money to a foreign account. This is an example of which of the following attacks?
XSS This is an example of an XSS (cross-site scripting) attack. It is a type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users. The malicious code injected into a user's browser through an XSS attack can steal a user's web cookies, enabling an attacker to hijack a session, and assume the user's identity. With the assumed identity, the attacker is fully authenticated into whatever system the cookie applies to
Ann, a security analyst, discovers unusual network traffic from a workstation. She notices that the workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of this infection. Which of the following attacks has occurred on the workstation?
Zero-day attack A zero-day vulnerability refers to a hole in software unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it. This exploit is called a zero-day attack. It includes infiltrating malware, spyware or allowing unwanted access to user information
Which of the following commands would a cybersecurity analyst use to make a copy of an image for forensics use?
dd A cybersecurity analyst should use the dd command to make a copy of an image for forensics use. The dd command enables you to make full copies of individual files or entire disks. If you copy individual files, you can retain their file format like any standard copy operation; if you copy entire disks or partitions, you can clone them by creating a disk image, like an ISO
Sam works as a cybersecurity analyst for a company. He wants to make a full copy of an image for forensics use. Which of following command utilities would he use to achieve this?
dd Sam should use the dd command to achieve this. The dd command enables you to make full copies of individual files or entire disks. If you copy individual files, you can retain their file format like any standard copy operation; if you copy entire disks or partitions, you can clone them by creating a disk image, like an ISO
In piping, which of the following command utilities are combined together to form a single command? Each correct answer represents a complete solution. Choose three
diff - cut - grep Linux commands like grep, cut, and diff are beneficial to security analysts because they can be combined into a single command—a process called piping. Piping uses the pipe character (|) to separate commands
Which of the following statements are true of SDEE (Security Device Event Exchange) server? Each correct answer represents a complete solution. Choose all that apply
→ Based on Simple Object Access Protocol → Uses HTTP/HTTPS and XML protocols to communicate between different types of systems → An IDS alert format and transport protocol specification SDEE (Security Device Event Exchange) is an IDS alert format and transport protocol specification based on SOAP (Simple Object Access Protocol). It uses various web protocols such as HTTP/HTTPS and XML to communicate with different types of systems
An attacker wants to gain sensitive information of a company and for that he needs the company password. Which of the following tools he can use to achieve the password? Each correct answer represents a complete solution. Choose two
→ Cain & Abel → John the Ripper John the Ripper is a fast password cracker , currently available for Unix, Windows, DOS, and OpenVMS. Its main purpose is to detect weak Unix passwords. Cain & Abel is a password cracker Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, and so on
Which of the following statements are true of online password attacks? Each correct answer represents a complete solution. Choose all that apply.
→ Logs in to a live system by guessing user's password → Unreliable and slow
Which of the following statements are true of RADIUS (Remote Authentication Dial-In User Service)? Each correct answer represents a complete solution. Choose all that apply
→ Uses a two-step process for managing network access → Uses User Datagram Protocol for communication → Implements AAA for users requesting remote access to a network service RADIUS uses a two-step process for managing network access and implements AAA for users requesting remote access to a network service. Its communication is done over UDP (User Datagram Protocol), which means that there is no inherent reliability or error correction involved, which could impact the availability of the AAA mechanism
Reconnaissance cyberattack comprises of which of the following processes to help attackers to collect intelligence on their target? Each correct answer represents a complete solution. Choose three
√ Footprinting √ Scanning √ Enumeration Footprinting, scanning, and enumeration are the three processes that make up reconnaissance. The information revealed in these processes can aid the attacker by exposing vulnerabilities or easily exploitable vectors that can be used to attack an organization. Here are the phases: Footprinting is a phase in which the attacker gathers general information about a target and the people or systems that use it. Scanning is a more active way of gathering information about a target. Attackers will use scanning tools to discover information about various hosts and services running on a network. Enumeration helps an attacker to map the network as a whole. This can include enumerating particular networking protocols to discover how a network is structured and how it is vulnerable.