CySA Practice Exam #1
D. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers.
If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used? A. Pass the hash B. Lateral movement C. Pivoting D. Golden ticket
A.
What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems? A. Attrition B. Impersonation C. Improper Usage D. Loss or theft of equipment
D. Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings.
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A. Purge B. Degauss C. Destroy D. Clear
B. A non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets? A. ISA B. NDA C. SLA D. DSUA
C. Beaconing is considered a network-related indicator of compromise.
Which of the following is NOT a host-related indicator of compromise? A. Processor consumption B. Drive capacity consumption C. Beaconing D. Memory consumption
D.
Which of the following is NOT considered part of the Internet of Things? A. SCADA B. ICS C. Smart television D. Laptop
C. The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, but they are usually not provided for a penetration test.
Which of the following is NOT one of the main criteria included in a penetration testing plan? A. Timing B. Scope C. Account credentials D. Authorization
C. Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is most likely to contain relevant information relating to best practices to implement in the SDLC.
According to the Center for Internet Security's system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SDLC? A. Inventory of authorized/unauthorized devices B. Controlled use of administrative privileges C. Application software security D. Malware defenses
B. The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appeared and then disappeared, especially if the exe file was running a command-line tool.
An employee contacts the service desk because they cannot open an attachment they received in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment is double-clicked. Which of the following is most likely causing this issue? A. The user doesn't have a PDF reader installed on their computer B. The attachment is using a double file extension to mask its identity C. The file contains an embedded link to a malicious website D. The email is a form of spam and should be deleted
A. Deperimeterization is a strategy for protecting a company's data on multiple levels using encryption and dynamic data-level authentication. Since the employee lost the device, which contained sensitive corporate data outside of the network, this would be classified as failed deperimeterization management.
An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi? A. Failed deperimeterization management B. Failed data loss prevention C. A data breach D. An advanced persistent threat
C. Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user's home folder. The file is named com.apple.finder.plist.
Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? A. The registry B. .profile files C. plists D. .config files
A. You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance's management and security. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void both your warranty and your service contract.
During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability? A. Contact the vendor to provide an update or to remediate the vulnerability B. Try to gain access to the underlying operating system and install the patch C. Mark the identified vulnerability as a false positive D. Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability
A. Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the unauthorized Remote Desktop Protocol service (port 3389).
Review the following packet captured at your NIDS:
23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack1, win 511, options [nop,nop, TS val 263451334 erc 482862734, length 125
After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? A. DENY TCP ANY HOST 71.168.10.45 EQ 3389 B. DENY IP HOST 71.168.10.45 ANY EQ 25 C. DENY IP HOST 86.18.10.3 EQ 3389 D. DENY TCP ANY HOST 86.18.10.3 EQ 25
A. The best option is to suspend the machine and copy the directory contents, as long as you protect the integrity of the files by hashing them before and after copying. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, you can copy the entire folder. Copying the folder will give all the information needed.
Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A. Suspend the machine and copy the contents of the directory it resides in B. Perform a live acquisition of the virtual machine's memory C. Suspend the machine and make a forensic copy of the drive it resides on D. Shut the virtual machine off and make a forensic copy of its disk image
D. SCADA (supervisory control and data acquisition) networks work off of an ICS (industrial control system) and are used to maintain sensors and control systems over large geographic areas.
Syed is developing a vulnerability scanner program for a large network of sensors used to monitor his company's transcontinental oil pipeline. What type of network is this? A. SoC B. CAN C. BAS D. SCADA
C. Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves.
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A. Clear, validate, and document the sanitization of the drives B. Clear the drives C. Purge, validate, and document the sanitization of the drives D. The drives must be destroyed to ensure no data loss
B. Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Notifying your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data.
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? A. Notification to local law enforcement B. Notification to your credit card processor C. Notification to federal law enforcement D. Notification to Visa and Mastercard
B. By utilizing OS fingerprinting using a tool like nmap, you can identify the servers running each version of an OS. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the infected servers within your network? A. Manually review the syslog server's logs B. Conduct an OS fingerprinting scan across the network C. Conduct a packet capture of data traversing the server network D. Conduct a service discovery scan on the network
A. An APT is a network attack in which an unauthorized person gains access to a network and remains undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network.
After analyzing and correlating activity from various logs, an analyst has determined that a sophisticated breach of the network may have occurred from a group of specialized attackers in a foreign country over the past few months. Up until now, these attacks have gone unnoticed by the InfoSec team. How would you best classify this threat? A. Advanced persistent threat (APT) B. Spear phishing C. Insider threat D. Privilege escalation
A. The single loss expectancy (SLE) is the amount that would be lost in a single occurrence, i.e., the asset value (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
SLE = AV x RF = $120,000 x 0.3 = $36,000
ALE = SLE x ARO = $36,000 x 0.25 = $9,000
Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that a data breach will cost them $120,000 for each occurrence. Based on her analysis, she believes that a data breach will occur once every four years and has a risk factor of 30%. What is the ALE for a data breach within Jamie's organization? A. $9,000 B. $36,000 C. $90,000 D. $360,000
C. The issue presented in this scenario is that Stephanie unplugged the computer before anyone had a chance to investigate it. During the preparation phase of the incident response process, the company should train its users on what to do in the event of an anomaly or suspected malware intrusion. Many years ago, it was commonly assumed that unplugging the computer is the best thing to do when a system is suspected to be infected with malware. This is no longer true because many malware types are installed when the computer is running, but when you power off and reboot the machine, they can encrypt the hard drive, infect the boot sector, or corrupt the operating system. In modern cybersecurity organizations, users are instead trained to contact the service desk or the security operations center.
Stephanie believes that her computer has been compromised because it suddenly slows down and often freezes up. Worried her computer was infected with malware, she immediately unplugged the network and power cables from her computer. Per the company procedures, she contacts the help desk, fills out the appropriate forms, and is sent to a cybersecurity analyst for further analysis. The analyst was not able to confirm or deny the presence of possible malware on her computer. Which of the following should have been performed during the incident response preparation phase to prevent this issue? A. Documenting the organization's incident response procedures B. Install additional network monitoring to conduct full packet capture of all network traffic C. Train users to not unplug their computers when a suspected incident is occurring D. The computer should have been scanned for vulnerabilities and patched
A. The ESTABLISHED message indicates that an active and established connection exists between two systems.
When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists? A. ESTABLISHED B. LISTENING C. LAST_ACK D. CLOSE_WAIT
A. The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards.
Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? A. FISMA B. SOX C. HIPAA D. COPPA
B. A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it.
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? A. Artificial intelligence B. Machine learning C. Deep learning D. Generative adversarial network
B.
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A. 10.15.1.100 B. 192.186.1.100 C. 172.16.1.100 D. 192.168.1.100
C. Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS).
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? A. 389 B. 3389 C. 443 D. 21
D. The first step to developing an effective disaster recovery plan is to identify the assets. The organization must understand exactly what assets they own and operate. Once identified, you can then determine what assets and services are essential to business operations, what risks are facing them, and how best to recover in the event of a disaster.
You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan? A. Conduct a risk assessment B. Develop a data retention policy C. Conduct a vulnerability scan D. Identify the organization's assets
B. Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer.
Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? A. VPN B. VDI C. VPC D. UEBA
A. A triple-homed firewall connects to three networks: internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts.
An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? A. DMZ B. Subnet C. NIDS D. GPO
B. This scenario represents the effects of a cross-site scripting (XSS) attack. If a website's HTML code does not perform input validation to remove scripts entered by a user, an attacker can create a popup window that collects passwords and use that information to compromise accounts further.
A company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, a large increase in compromised user accounts has been observed. What type of attack is most likely the cause of both of these events? A. SQL injection B. Cross-site scripting C. Cross-site request forgery D. Rootkit
B. A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization's workstation or server, but that isn't the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker's command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack).
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? A. An attacker is performing reconnaissance on the organization's workstations B. An infected workstation is attempting to reach a command and control server C. A malicious insider is trying to exfiltrate information to a remote network D. Malware is running on a company workstation or server
B, C, F. The above example searches for files with the name "password" in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ':') and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p).
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE) A. All search filters are deactivated B. Returns only files hosted at diontraining.com C. Returns only Microsoft Excel spreadsheets D. Find sites related to diontraining.com E. Excludes Microsoft Excel spreadsheets F. Personalization is turned off
B. It is common for vulnerability reports to include some findings classified as Low or Informational. These are most likely false positives and can be ignored.
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? A. A finding that shows the scanner compliance plug-ins are not up-to-date B. Items classified by the system as Low or Informational Purposes only C. A scan result showing a version that is different from the automated asset inventory D. An HTTPS entry that indicates the web page is securely encrypted
A. It would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed.
A vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. An analyst was directed to update the scanner with the latest signatures at least 24 hours before conducting any scans; however, the results appear to be the same. Which of the following logical controls should be used to address this situation? A. Create a script to automatically update the signatures every 24 hours B. Ensure the analyst manually validates that the updates are being performed as directed C. Test the vulnerability remediations in a sandbox before deploying them into production D. Configure the vulnerability scanners to run in credentialed mode
A, B, D, E. Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and the risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how they will respond to the alerts provided by this appliance. Additionally, you must consider if you have the right people and procedures to use the new appliance effectively. The appliance will also need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. At later stages of analysis, your security team may need to determine why a false positive or false negative occurred, which requires detailed alerts or reports from the machine. In corporate environments, privacy is limited for employees as most companies have a "right to monitor" included as part of their AUP and access policies. Therefore, privacy is a minimal area of concern in this case.
The CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager responsible for operating this new appliance for the company? (SELECT FOUR) A. Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? B. Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? C. Will the security appliance violate your employees' right to privacy? D. How will the appliance receive updated signatures and scanning engines? E. How will the appliance receive security patches and updates? F. Will the device inadvertently alter anyone's data when it is analyzed in the sandbox?
B. A sophisticated adversary may discover the embedded key in the software by reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than intended.
Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the platform's key management, he discovers that API keys are embedded in the source code for the application. Which of the following statements best describes the security flaw with this coding practice? A. Key management is no longer required since the key is embedded in the source code B. The embedded key may be discovered by an attacker who reverse engineers the source code C. It is difficult to control the permission levels for embedded keys D. Changing the API key will require a corresponding software upgrade
B. Isolation involves removing an affected component from whatever larger environment it is a part of. This can be anything from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environment it usually runs on.
What containment technique is the strongest possible response to an incident? A. Segmentation B. Isolating affected systems C. Isolating the attacker D. Enumeration
C. The -e option includes the ethernet header during packet capture. The -n flag will show the IP addresses in numeric form. The -nn option shows IP addresses and ports in numeric format. The -X option will capture the packet's payload in hex and ASCII formats.
When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? A. -n B. -nn C. -e D. -X
D. Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3.
Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? A. http.request.method=="POST" B. ip.proto==tcp C. ip.dst==10.1.2.3 D. http.request.method=="POST" && ip.dst==10.1.2.3
D. US Military strategist Colonel John Boyd first created the OODA (Observe, Orient, Decide, Act) loop.
Which of the following are the four phases of an OODA loop? A. Organize, Orchestrate, Design, Apply B. Orchestrate, Observe, Deliver, Act C. Orient, Organize, Detect, Apply D. Observe, Orient, Decide, Act
B. Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware.
Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A. Administrative controls B. Technical controls C. Physical controls D. Compensating controls
D. The three phases of the vulnerability management lifecycle are detection, remediation, and testing.
Which of the following is NOT a part of the vulnerability management lifecycle? A. Remediation B. Testing C. Detection D. Investigating
B. An APT refers to an adversary's ongoing ability to compromise network security by using a variety of tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lie in wait for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain.
Which of the following is a common attack model of an APT attack? A. Involves sophisticated DDoS attacks B. Quietly gathers information from compromised systems C. Relies on worms to spread laterally D. Holds an organization's data hostage using encryption
C. A data owner is responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations.
Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? A. Data custodian B. Data steward C. Data owner D. Privacy officer
D. Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.
Which of the following is not normally part of an endpoint security suite? A. IPS B. Software firewall C. Anti-virus D. VPN
C. The tcpdump tool is used to conduct packet capturing of network traffic. The host option specifies a filter to capture all traffic going to (destination) and from (source) the designated IP address. If the dst filter is used, this only captures data going to the designated IP address. If the src filter is used, this only captures data going from the designated IP. If the proto filter is used, this will capture all traffic going to or from a designated port, such as FTP if proto 21 was used.
Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1? A. tcpdump -i eth0 proto 10.10.1.1 B. tcpdump -i eth0 host 10.10.1.1 C. tcpdump -i eth0 dst 10.10.1.1 D. tcpdump -i eth0 src 10.10.1.1
D. The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future.
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? A. Forensic analysis report B. Chain of custody report C. Trends analysis report D. Lessons learned report
B. While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in the software, hardware, or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. There are zero days between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it.
Which of the following would NOT be useful in defending against a zero-day threat? A. Segmentation B. Patching C. Threat intelligence D. Whitelisting
A. The Security phase must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The Security phase consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI Initialization initializes the CPU, temporary memory, and the boot firmware volume (BFV). The Driver Execution Environment initializes the entire system's physical memory, I/O, and MMIO (Memory Mapped Input Output) resources. Finally, it begins dispatching DXE drivers present in the system Firmware Volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the Boot Policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.
Which of the following lists the UEFI boot phases in the proper order? A. Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime B. Pre-EFI initialization, Security, Boot Device Select, Transient System Load, Driver Execution Environment, Runtime C. Boot Device Select, Security, Pre-EFI initialization, Driver Execution Environment, Transient System Load, Runtime D. Driver Execution Environment, Boot Device Select, Security, Transient System Load, Pre-EFI initialization, Runtime
C. A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a system that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability.
Which of the following must be combined with a threat to create risk? A. Malicious actor B. Mitigation C. Vulnerability D. Exploit
C. The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance.
Which of the following options places the correct phases of the Software Development Lifecycle's waterfall method in the correct order? A. Planning, requirements analysis, design, implementation, deployment, testing, maintenance B. Requirements analysis, planning, design, implementation, testing, deployment, and maintenance C. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance D. Requirements analysis, planning, design, implementation, deployment, testing, maintenance
B. DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server.
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A. SPF B. DKIM C. SMTP D. DMARC
D. Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Even if other controls such as separation of duties, least privilege, and dual control are used, an employee could collude with others to conduct fraud. By utilizing mandatory vacation policies, this fraud can often be discovered since a new person will be conducting the duties assigned to the person on vacation.
Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place? A. Separation of duties B. Least privilege C. Dual control D. Mandatory vacations
B. A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running.
Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A. A log analysis tool B. A behavior-based analysis tool C. A signature-based detection tool D. Manual analysis
D. Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.
Which of the following types of encryption would ensure the best security of a website? A. SSLv1 B. SSLv2 C. SSLv3 D. TLS
A. Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker accesses a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A. VM escape B. VM migration C. VM sprawl D. VM data remnant
A, C. During the command and control (C2) phase, an adversary is testing that they have control over any implants that have been installed. This can be conducted using the web, DNS, or email protocols to control the target and relies on an established two-way communication infrastructure to control the target system using remote access.
Which of the following will an adversary do during the command and control phase of the Lockheed Martin Kill Chain? (SELECT TWO) A. Open up a two-way communication channel to an established infrastructure B. Create a point of presence by adding services, scheduled tasks, or AutoRun keys C. Utilize web, DNS, and email protocols to conduct control of the target D. Conduct internal reconnaissance of the target network E. Destroy systems F. Release of malicious email
A, D, E. During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase.
Which of the following will an adversary do during the delivery phase of the Lockheed Martin Kill Chain? (SELECT THREE) A. Direct action against public-facing servers B. Select a decoy document to present to the victim C. Collect press releases, contract awards, and conference attendee lists D. Deliberate social media interactions with the target's personnel E. Release of malicious email F. Adversary triggering exploits for non-public facing servers
A. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud.
Which of the following would a virtual private cloud infrastructure be classified as? A. Infrastructure as a Service B. Platform as a Service C. Software as a Service D. Function as a Service
C. The SIFT (SANS investigative forensics toolkit) Workstation is a group of free, open-source incident response and forensic tools designed to perform detailed digital forensic examinations in various settings.
Which one of the following is an open-source forensic tool suite? A. FTK B. EnCase C. SIFT D. Helix
D. OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. Kerberos B. ADFS C. SAML D. OpenID Connect
C. Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity.
Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system? A. ProcDump B. DiskMon C. Process Monitor D. Autoruns
B. This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the "RemoveServerHeader" in the Microsoft IIS configuration file (URLScan.ini). If you set "RemoveServerHeader" to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored.
While conducting a security test to ensure that information about your company's web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/6.0
Date: Tuesday, 5 Sep 2017 1034:12 GMT
Content-Type: text/html
Content-Length: 132

There is no web site configured at this address. This page is a placeholder until construction begins.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should you take to remediate this vulnerability? A. Set "VerifyNormalization" to 1 in the URLScan.ini configuration file B. Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file C. Set "EnableLogging" to 1 in the URLScan.ini configuration file D. Set "PerProcessLogging" to 1 in the URLScan.ini configuration file
B. It is common for attackers to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords.
You are a cybersecurity analyst and your company has just enabled key-based authentication on its SSH server. Review the following log file:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
------------- BEGIN LOG -------------
Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2
Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2
Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2
Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2
------------- END LOG -------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following actions should be performed to secure the SSH server? A. Disable anonymous SSH logon B. Disable password authentication for SSH C. Disable SSHv1 D. Disable remote root SSH logons
B. Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain or to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com is being written to the /etc/hosts file.
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>echo 127.0.0.1 diontraining.com >> /etc/hosts
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes what actions were performed by this line of code? A. Added the website to system's whitelist in the hosts file B. Routed traffic destined for the diontraining.com domain to the localhost C. Routed traffic destined for the localhost to the diontraining.com domain D. Attempted to overwrite the host file and deleted all data except this entry
A. DES is outdated and should not be used for any modern applications. AES, RSA, and ECC are all current secure alternatives that could be used with OpenSSL.
You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL? A. DES B. AES C. RSA D. ECC
B. While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular.
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen:
-=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=-
ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7
-=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=-
Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A. QR coding B. Base64 C. XML D. SQL
C. The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on security through obscurity and is not considered a good security practice.
You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? A. Implement identity and authentication controls B. Implement appropriate access controls C. Obscure web interface locations D. Leverage security frameworks and libraries
A. A honeypot is a host set up to lure attackers away from the actual network components and/or discover attack strategies and weaknesses in the security configuration.
You have just received some unusual alerts on your SIEM dashboard and want to collect the payloads associated with them. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? A. Honeypot B. Jumpbox C. Sandbox D. Containerization
C. You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.
You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A. Firewall logs showing the SMTP connections B. The SMTP audit log from his company's email server C. The full email header from one of the spam messages D. Network flows for the DMZ containing the email servers
B. According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose for which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optionally follow the GDPR guidelines.
Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works in the marketing department at the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any? A. There was no privacy violation because only corporate employees had access to their email addresses B. There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails C. There was no privacy violation since the customers were emailed securely through the customer relationship management tool D. There was a privacy violation since data minimization policies were not followed properly
B. By implementing whitelisting of the authorized IP addresses for the five largest vendors, only those vendors will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears that the system is under some form of denial of service attack. Still, by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly when responding to legitimate requests.
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A. Intrusion Detection System B. Whitelisting C. VPN D. MAC filtering
C. Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validate the guest's need for access, known as sponsoring the guest.
Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters B. Open authentication standards should be implemented on all wireless infrastructure C. All guests must provide valid identification when registering their wireless devices for use on the network D. Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server