CySA+ Study
Nmap scan results on a set of IP addresses returned one or more lines beginning with cpe:/o: followed by a company name, product name, and version. Which of the following wouldthis string help an administrator to identify? A. Operating system B. Running services C. Installed software D. Installed hardware
A. Operating system
8. Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords? A. Encrypt the database of plain-text passwords. B. Use MD5 and a salt. C. Use SHA-1 and a salt. D. Use bcrypt.
. D. bcrypt is a strong password hashing algorithm that includes salts for the stored values. If Charles uses bcrypt, he will have made the best choice from the list, as both MD5 and SHA-1 are not as strong, even with a salt. Encrypting the database may seem like a good idea, but storing plain-text passwords means that an exploit that can read the database while it is decrypted will get plain-text passwords!
An organization is experiencing degradation of critical services and availability of critical external resources. Which of the following can be used to investigate the issue? A. Netflow analysis B. Behavioral analysis C. Vulnerability analysis D. Risk analysis
A. Netflow analysis
As part of her job, Danielle sets an alarm to notify her team via email Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called? A. A monitoring threshold B. A preset notification level C. Page monitoring D. Perfmon calibration
A. A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.
What type of control review will focus on change management as a major element in its assessment scope? A. Operational control review B. Technical control review C. Detective control review D. Responsive control review
A. A review of operational controls will often look at change management, separation of duties and other personnel controls, and process-based controls. Many administrative controls are part of an operational control review. These are sometimes conducted as Service Organization Control (SOC) audits with SOC 1, 2, and 3 reports generated depending on the level and depth of the assessment.
During a white-box penetration test, Luke finds that he is suddenly unable to connect to the target network. What has likely happened? A. Automated shunning B. Network link failure C. Back-off algorithms D. A BGP route chang
A. Automated shunning, whether via an IPS or other technology, can block attackers but can also prevent penetration testers from being able to conduct scans or attacks.
What approach to vulnerability scanning incorporates information from agents running on the target servers? A. Continuous monitoring B. Ongoing scanning C. On-demand scanning D. Alerting
A. Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.
Lonnie is worried about the master account for a cloud service and the access to it. This service is used to manage payment transactions. He has decided to implement a new multifactor authentication process where one individual, on the IT team, has the password to the account, but another user in the accounting department has a token to the account. What principle is identified here? A. Dual control B. Separation of duties C. Lease privilege D. Security through obscurity
A. Dual control This happens when performing a sensitive action requires participation of two individuals. Separation of duties is the closest other option but it doesn't allow the same person to perform two separate actions that would be harmful to the network/company.
A security analyst is conducting traffic analysis and observes an HTTP POST to the companys main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of? A. Exfiltration B. DoS C. Buffer overflow D. SQL injection
A. Exfiltration
Jeff is investigating a system that is running malware that he believes encrypts its data on the drive. What process should he use to have the best chance of viewing that data in an unencrypted form? A. Live imaging B. Offline imaging C. Brute-force encryption cracking D. Cause a system crash and analyze the memory dump
A. Imaging the system while the program is live has the best probability of allowing Jeff to capture the encryption keys or decrypted data from memory. An offline image after the system is shut down will likely result in having to deal with the encrypted file. Brute-force attacks are typically slow and may not succeed, and causing a system crash may result in corrupted or nonexistent data
Charles wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization's footprint the most? A. Limit information available via the organizational website without authentication. B. Use a secure domain registration. C. Limit technology references in job postings. D. Purge all document metadata before posting.
A. Limiting the information available about an organization by requiring authentication will strongly limit the ability of potential attackers to gather information.
A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors.The company decides that it wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client. Which of the following should the company implement? A. Port security B. WPA2 C. Mandatory Access Control D. Network Intrusion Prevention
A. Port security
While conducting a penetration test, Ben executes the following command: ifconfig eth0 hw ether 08:00:27:06:d4 What network protection is Ben most likely attempting to avoid? A. Port security B. NAC C. A firewall D. An IPS
A. Port security filters on MAC address and the command Ben executed changed the MAC address of his PC. In most cases, simply changing a MAC address will not help him bypass NAC, and both firewalls and IPS won't care about his MAC address.
While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered? A. RADIUS B. VNC C. Kerberos D. Postgres
A. RADIUS typically uses TCP ports 1812 and 1813. Kerberos is primarily a UDP service although it also uses TCP 544 and 2105, Postgres uses 5432, and VNC uses 5500.
Which of the following is a feature of virtualization that can potentially create a single point of failure? A. Server consolidation B. Load balancing hypervisors C. Faster server provisioning D. Running multiple OS instances
A. Server consolidation
Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory? A. Submit cmd.exe to VirusTotal. B. Compare the hash of cmd.exe to a known good version. C. Check the file using the National Software Reference Library. D. Run cmd.exe to make sure its behavior is normal
A. Susan's best option is to submit the file to a tool like VirusTotal, which will scan it for virus-like behaviors and known malware tools.
Which of the following tools does not provide real-time drive capacity monitoring for Windows? A. SCCM B. Resmon C. SCOM D. Perfmon
A. System Center Configuration Manager provides non-real-time reporting for disk space. Resmon, perfmon, and SCOM can all provide real-time reporting,
A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not beenupdated in three years. Which of the following should the analyst check to ensure the policy is still accurate? A. Threat intelligence reports B. Technical constraints C. Corporate minutes D. Governing regulations
A. Threat intelligence reports
Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations? A. Using application whitelisting to prevent all unallowed programs from running B. Using Windows Defender and adding the game to the blacklist file C. By listing it in the Blocked Programs list via secpol.msc D. You cannot blacklist applications in Windows 10 without a third-party application.
A. Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist his allowed programs and then set the default mode to "disallowed", preventing all other applications from running and thus blacklisting the application. This can be a bit of a maintenance hassle but can be useful for high-security environments or those in which limiting what programs can run is critical
Which of the following represent the reasoning behind careful selection of the timelines and time-of-day boundaries for an authorized penetration test? (Select TWO). A. To schedule personnel resources required for test activities B. To determine frequency of team communication and reporting C. To mitigate unintended impacts to operations D. To avoid conflicts with real intrusions that may occur E. To ensure tests have measurable impact to operations
AC
A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as root and browsing the Internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Select TWO). A. Log aggregation and analysis B. Software assurance C. Encryption D. Acceptable use policies E. Password complexity F. Network isolation and separation
AD
An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Beforestarting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator ofa likely false positive? A. Reports show the scanner compliance plug-in is out-of-date. B. Any items labeled low are considered informational only. C. The scan result version is different from the automated asset inventory. D. HTTPS entries indicate the web page is encrypted securely.
B
Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark pcap file from the network, which of the following tools can she use to provide automated analysis of the file? A. ettercap B. NetworkMiner C. Sharkbait D. dradis
B. Angela can use NetworkMiner, a tool that can analyze existing packet capture files to do OS identification and which identifies and marks images, files, credentials, sessions, DNS queries, parameters, and a variety of other details. Ettercap can perform passive TCP stack fingerprinting but is primarily a man-in-the-middle tool, dradis is an open source collaboration platform for security teams, and Sharkbait is not a security tool or term
Aaron is attempting to conduct a passive footprinting exercise against a specific target company. Which of the techniques listed below is not suited for a passive footprinting process? A. WHOIS lookups B. Banner grabbing C. BGP looking glass usage D. Registrar check
B. Banner grabbing
Geoff wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action? A. #iptables-policy INPUT DROP B. #iptables-policy SERVICE DROP C. #iptables-policy OUTPUT DROP D. #iptables-policy FORWARD DROP
B. By default, an iptables firewall will have INPUT, OUTPUT, and FORWARD chains. Geoff should use the DROP command on all three to stop all traffic to or from a machine.
Alex is observing a penetration tester who has gained access to a Windows domain controller. The penetration tester runs a program called fgdump and gathers information from the system. What type of information has the penetration tester targeted? A. File and group information B. Password and usernames C. Active Directory full GPO lists D. Nothing, because FGDump is a Linux tool
B. FGDump is a tool used for Windows password auditing. If successful, it will dump the username and password hash for every user.
Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan? A. Customer systems B. Systems on the isolated network C. Systems on the general enterprise network D. Both B and C
B. If Barry is able to limit the scope of his PCI DSS compliance efforts to the isolated network, then that is the only network that must be scanned for PCI DSS compliance purposes.
While reviewing output from netstat, John sees the following output. What should his next action be? [minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING [minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED A. Capture traffic to 151.101.2.69 using Wireshark. B. Initiate the organization's incident response plan. C. Check to see whether 151.101.2.69 is a valid Microsoft address. D. Ignore it, because this is a false positive.
B. John has discovered a program that is accepting connections and has an open connection, neither of which is typical for the Minesweeper game. Attackers often disguise Trojans as innocuous applications, so John should follow his organization's incident response plan.
Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior? A. A firewall B. A netflow collector C. A honeypot D. A BGP monitor
B. Network flows can be used to identify traffic patterns between systems that are atypical or that connect to systems that are known malware or malicious sites
A recent threat has been announced in the cyber security world stating that there is a critical vulnerability in the kernel of a particular operating system. Your company, unfortunately, has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What technique should you perform to find all affected servers within your company? A. Manual log review from data sent to syslog B. OS fingerprinting scan across all hosts C. Packet capture of data traversing the server network. D. Service discovery scan on the network
B. OS fingerprinting scan across all hosts
Eric believes that his organization has a number of vulnerable systems that have been scanned by third parties. If he wants to check publicly available vulnerability information, which of the following methods are best suited to performing this type of passive reconnaissance? A. Use the worldwide nmap database. B. Search for his domain in Shodan. C. Use the OpenVAS central vulnerability data repository. D. Check against the CVE database for his domain.
B. Of these answers, only Shodan provides a searchable listing of vulnerable hosts including details of the system that was scanned. OpenVAS, CVE, and nmap do not provide central databases of vulnerable systems.
The Dirty COW attack is an example of what type of vulnerability? A. Malicious code B. Privilege escalation C. Buffer overflow D. LDAP injection
B. Privilege escalation
Ric is reviewing his organization's network design and is concerned that a known flaw in the border router could let an attacker disable their Internet connectivity. Which of the following is an appropriate compensatory control?A. An identical second redundant router set up in an active/passive design B. An alternate Internet connectivity method using a different routertype C. An identical second redundant router set up in an active/activedesign D. Place a firewall in front of the router to stop any potential exploitsthat could cause a failure of connectivity
B. Ric's best option is to implement backup Internet connectivity using a different make and model of router. This reduces the chance of the same exploit being able to take down both types of device while removing the single point of failure for connectivity. Adding a second identical router in either active/active or active/passive mode does not work around the flaw since an attacker could immediately repeat the attack to take down the matching router. A firewall might help, but in many cases attacks against routers take place on a channel that is required for the router to perform its function
Natalie's organization is adopting the ITIL service management strategy. Which of the following is an ITIL core activity that includes security management as a process? A. Service strategy B. Service design C. Service transition D. Service operation
B. Service design
A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report? A. Kali B. Splunk C. Syslog D. OSSIM
B. Splunk
In SAML authentication, which role of the authentication flow validates the user's identity? A. The SP B. The IDP C. The principal D. The RP
B. The IDP
Alice is conducting a penetration test of a client's systems. As part of her test, she gathers information from the social media feeds of staff members who work for her client. What phase of the NIST penetration testing process is she currently in? A. Social engineering B. Discovery C. Analysis D. Social media profiling
B. The NIST SP 800-115 guide describes four penetration testing phases: planning, discovery, attack, and reporting. Alice is conducting a discovery activity. During this phase, she might also scan systems and networks, perform passive intelligence gathering, or use tools to gather additional information about her target
Rick is auditing a Cisco router configuration and notes the following line: login block-for 120 attempt 5 with 60 What type of setting has been enabled? A. A DDoS prevention setting B. A back-off setting C. A telnet security setting D. An autologin prevention setting
B. This setting blocks all logins for 120 seconds when five failed attempts occur within 60 seconds. This can slow down brute-force hacking attempts, but Rick should recommend that the organization he is working with may want to consider properly isolating the administrative interfaces via a protected network segment instead of just using a back-off algorithm if they haven't already
While reviewing email logs for his domain's email server, Rick notices that a single remote host is sending email to usernames that appear to be in alphabetical order: [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] ... This behavior continues for thousands of entries, resulting in many bounced email messages, but some make it through. What type of reconnaissance has Rick encountered? A. Brute force B. Domain harvesting C. Domain probe D. Email list builder
B. This type of probe is known as domain harvesting and relies on message rejection error messages to help the individual running the probe to determine which email accounts actually exist.
Which of the following is a control that allows a mobile application to access and manipulate information which should only be available by another application on the same mobile device (e.g. a music application posting the name of the current song playing on the device on a social media site)? A. Co-hosted application B. Transitive trust C. Mutually exclusive access D. Dual authentication
B. Transitive trust
Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this? A. Use sha1sum to generate a hash for the file and write a script to check it periodically. B. Install and use Tripwire. C. Periodically check the MAC information for the file using a script. D. Encrypt the file and keep the key secret so the file cannot be modified.
B. Tripwire and similar programs are designed to monitor a file for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable. Kathleen's best bet is to use a tool designed for the job, rather than to try to write her own.
Which of the following is not a potential issue with live imaging of a system? A. Remnant data from the imaging tool B. Unallocated space will be captured C. Memory or drive contents may change during the imaging process D. Malware may detect the imaging tool and work to avoid it
B. Unallocated space is typically not captured during a live image,potentially resulting in data being missed.
Which of the following systems would be at the GREATEST risk of compromise if found to have an open vulnerability associated with perfect forward secrecy? A. Endpoints B. VPN concentrators C. Virtual hosts D. SIEM E. Layer 2 switches
B. VPN concentrators
Shane wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use? A. Fragmenting packets B. Changing packet header flags C. Spoofing the source IP D. Appending random data
B. nmap supports quite a few firewall evasion techniques including spoofing the MAC (hardware) address, appending random data, setting scan delays, using decoy IP addresses, spoofing the source IP or port, modifying the MTU size, or intentionally fragmenting packets
An ATM in a building lobby has been compromised. A security technician has been advised that the ATM must be forensically analyzed by multiple technicians. Which of the following items in a forensic tool kit would likely be used FIRST? (Select TWO). A. Drive adapters B. Chain of custody form C. Write blockers D. Crime tape E. Hashing utilities F. Drive imager
BC
Considering confidentiality and integrity, which of the following make servers more secure than desktops? (Select THREE). A. VLANs B. OS C. Trained operators D. Physical access restriction E. Processing power F. Hard drive capacity
BCD
A threat intelligence analyst who works for a financial services firm received this report:There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called LockMaster by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector.The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO). A. Advise the firewall engineer to implement a block on the domain B. Visit the domain and begin a threat assessment C. Produce a threat intelligence message to be disseminated to the company D. Advise the security architects to enable full-disk encryption to protect the MBR E. Advise the security analysts to add an alert in the SIEM on the string LockMaster F. Format the MBR as a precaution
BD
An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities.Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with lessrisk to system functionality. Management also wants to quantify the priority. Which of the following would achieve managements objective? A. (CVSS Score) * Difficulty = PriorityWhere Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement B. (CVSS Score) * Difficulty = PriorityWhere Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement C. (CVSS Score) / Difficulty = PriorityWhere Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement D. ((CVSS Score) * 2) / Difficulty = PriorityWhere CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement
C.
An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system? A. A discretionary access control system B. A role-based access control system C. A mandatory access control system D. A level-based access control system
C. A mandatory access control system relies on the operating system to constrain what actions or access a subject can perform on an object. Role-based access control uses roles to determine access to resources, and discretionary access control allows subjects to control access to objects that they own or are responsible for. Level-based access control is a type of role-based access control.
As Jason is studying the computer forensics playbook for his company, he notices that forensic investigators are required to use a chain of custody form. What information would be recorded on this form if he were conducting an investigation? A. The list of individuals who made contact with files leading to the investigation. B. The list of former owners/operators of the PC involved in the investigation C. All individuals who work with evidence during the investigation D. The police officers who take possession of the evidence
C. All individuals who work with evidence during the investigation
Attackers have been attempting to log into Alaina's Cisco routers, causing thousands of log entries, and she is worried they may eventually succeed. Which of the following options should she recommend to resolve this issue? A. Prevent console login via ssh. B. Implement a login-block feature with back-off settings. C. Move the administrative interface to a protected network. D. Disable console access entirely.
C. Best practice for most network devices is to put their administrative interfaces on a protected network. Many organizations then require administrators to connect via a jump box, adding another layer of protection.
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance? A. CVSS B. CVE C. CPE D. OVAL
C. Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions
What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries? A. Low B. Moderate C. High D. Severe
C. Control enhancement number 4 requires that an organization determine what information about the system is discoverable by adversaries. This enhancement only applies to FISMA high systems
The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The security analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan.Which of the following actions should the analyst take? A. Reschedule the automated patching to occur during business hours. B. Monitor the web application service for abnormal bandwidth consumption. C. Create an incident ticket for anomalous activity. D. Monitor the web application for service interruptions caused from the patching.
C. Create an incident ticket for anomalous activity.
Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation? A. The MFT B. INDX files C. Event logs D. Volume shadow copies
C. Event logs do not typically contain significant amounts of information about file changes.
Adam is reviewing his organization's security footprint by conducting reconnaissance activities. After reviewing a list of Google dorks, he runs the following search: "mysqli_connect" ext:inc If it returns data, what should he recommend in his report to management? A. Block MySQL connections from remote hosts. B. Initiate the organization's incident response process. C. Immediately change MySQL passwords and review configurations. D. Change all MySQL connection strings.
C. If this Google search returns information, it will show MySQL connection information, including passwords. Adam should immediately report this finding to management and should recommend that all exposed passwords be changed immediately and that the misconfiguration that resulted in the files being exposed should be fixed, and the reason it occurred should be identified.
A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a software vulnerability found within the email servers.Which of the following countermeasures needs to be implemented as soon as possible to mitigate the worm from continuing to spread? A. Implement a traffic sinkhole. B. Block all known port/services. C. Isolate impacted servers. D. Patch affected systems.
C. Isolate impacted servers.
Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command-and-control systems? A. Force a BGP update. B. Set up a DNS sinkhole. C. Modify the hosts file. D. Install an anti-malware application.
C. Jennifer can push an updated hosts file to her domain-connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations.
Which of the following stakeholders would need to be aware of an e-discovery notice received by the security office about an ongoing case within the manufacturing department? A. Board of trustees B. Human resources C. Legal D. Marketing
C. Legal
While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered? A. A route change B. Fast flux DNS C. A load balancer D. An IP mismatch
C. Load balancers can alias multiple servers to the same hostname. This can be confusing when conducting scans, as it may appear that multiple IP addresses or hosts are responding for the same system.
Lauren wants to be able to detect a denial-of-service attack against her web server. Which of the following tools should she avoid? A. Log analysis B. Flow monitoring C. iPerf D. IPS
C. Log analysis, flow monitoring, and deploying an IPS are all appropriate solutions to help detect denial-of-service attacks. iPerf is a performance testing tool used to establish the maximum bandwidth available on a network connection
A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running? A. Oracle B. Postgres C. MySQL D. Microsoft SQL
C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434
Which one of the following criteria is not normally used when evaluating the appropriateness of a cyber security incident containment strategy? A. Effectiveness of the strategy B. Evidence preservation requirements C. Log records generated by the strategy D. Cost of the strategy
C. NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
Adam knows that netcat is a useful penetration testing tool. Which of the following is not a way that he can use netcat, if he is using it as his only tool? A. File transfer B. Port scanner C. Encrypted shell D. Reverse shell
C. Netcat can act as a relay, file transfer tool, reverse shell, TCP banner grabber, TCP port scanner, and in a multitude of other roles, but it does not include encryption capabilities
Laura's organization has been receiving a large amount of spam email sent specifically to the email addresses listed in her organization's domain registrations. Which of the following techniques will help her organization limit this type of spam? A. DNS query rate limiting B. CAPTCHAs C. Using a proxy service D. Blacklisting
C. While spam to a registrant's email address may seem trivial, it may mean that important messages related to the domain are missed. The best way to limit this is to use a privacy or proxy service to register the domain. Many, if not most, popular registration services offer a privacy service, sometimes at an extra charge.
After a popular website is hacked, Chris begins to hear reports that email addresses from his company's domain are listed in the hacker's data dump. Chris knows that the list includes passwords and is concerned that his users may have used the same password for the site and their own company account. If the hackers recovered MD5 hashed passwords, how can he check them against the strong password hashes his company uses? A. Reverse the MD5 hashes and then rehash using the company's method and compare. B. Reverse the MD5 and strong company hashes and then compare the password. C. Use rainbow tables to recover the passwords from the dump and then rehash using the company's strong method and compare. D. Chris cannot accomplish this task; hashes cannot be reversed
C. Rainbow tables exist for most reasonable MD5 passwords, which means that Chris can likely recover the majority of the passwords belonging to his users relatively quickly. Once he is done, he can apply his company's strong hashing method and compare them to the existing hashed passwords his organization stores
The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for the local intranet. The CTO would like the capability to monitor all traffic to and from the gateway, as well as the capability to block certain content. Which of the following recommendations would meet the needs of the organization? A. Recommend setup of IP filtering on both the internal and external interfaces of the gateway router. B. Recommend installation of an IDS on the internal interface and a firewall on the external interface of the gateway router. C. Recommend installation of a firewall on the internal interface and a NIDS on the external interface of the gateway router. D. Recommend installation of an IPS on both the internal and external interfaces of the gateway router.
C. Recommend installation of a firewall on the internal interface and a NIDS on the external interface of the gateway router.
A software patch has been released to remove vulnerabilities from companys software. A security analyst has been tasked with testing the software to ensure the vulnerabilities havebeen remediated and the application is still functioning properly. Which of the following tests should be performed NEXT? A. Fuzzing B. User acceptance testing C. Regression testing D. Penetration testing
C. Regression Testing
What SABSA architecture layer corresponds to the designer's view of security architecture? A. Contextual security architecture B. Conceptual security architecture C. Logical security architecture D. Component security architecture
C. The logical security architecture corresponds to the designer's view in the SABSA model. The contextual architecture is the business view, the conceptual architecture is the architect's view, and the component architecture is the tradesman's view.
Selah suspects that the Linux system she has just logged into may be Trojaned and wants to check where the bash shell she is running is being executed from. What command should she run to determine this? A. where bash B. ls -l bash C. which bash D. printenv bash
C. The which command will show Selah where the bash executable is being run from, typically /bin/bash. If she finds that bash is running from a user directory or somewhere else suspicious, she should immediately report it!
While reviewing the command history for an administrative user, Chris discovers a suspicious command that was captured, shown here: ln /dev/null ~/.bash_history What action was this user attempting to perform? A. Enabling the bash history B. Appending the contents of /dev/null to the bash history C. Logging all shell commands to /dev/null D. Allowing remote access from the null shell
C. This command will prevent commands entered at the bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks.
Alex wants to list all of the NetBIOS sessions open on a workstation. What command should he issue to do this? A. nbtstat -o B. nbtstat -r C. nbtstat -s D. nbtstat -c
C. To show current NetBIOS sessions and their status, Alex can issue the nbtstat -s command. The -c flag shows the NetBIOS name cache, while the -r command displays the count of NetBIOS names resolved through a WINS server query and by broadcast. There is no -o flag
While conducting reconnaissance of his own organization, Chris discovers that multiple certificates are self-signed. What issue should he report to his management? A. Self-signed certificates do not provide secure encryption for site visitors. B. Self-signed certificates can be revoked only by the original creator. C. Self-signed certificates will cause warnings or error messages. D. None of the above
C. Using self-signed certificates for services that will be used by the general public or organizational users outside of a small testing group can be an issue because they will result in an error or warning in most browsers
While conducting reconnaissance, Greg discovers what he believes is an SMTP service running on an alternate port. What technique should he use to manually validate his guess? A. Send an email via the open port. B. Send an SMTP probe. C. telnet to the port. D. ssh to the port.
C. Using telnet to connect to remote services to validate their response is a useful technique for service validation. It doesn't always work but can allow you to interact with the service to gather information manually
A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of the month. It has port 3333 open; however, there have not been any alerts or notices regarding the server or its activities. Which of the following did the analyst discover? A. APT B. DDoS C. Zero day D. False positive
C. Zero day
While reviewing Apache logs, Cynthia notices the following log entries. What has occurred? 10.0.1.1 - POST /wordpress/wp-content/r57.php?1 200 10.0.1.1 - GET /wordpress/wp-content/r57.php 200 A. A file was downloaded and verified. B. A file was emailed. C. A file was moved to the wp-content directory. D. A file was uploaded and verified
D. The POST shows a file being uploaded, and the GET shows an attempt to retrieve it
A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops. The solution should beable to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console. Which of the following scanning topologies is BEST suited for this environment? A. A passive scanning engine located at the core of the network infrastructure B. A combination of cloud-based and server-based scanning engines C. A combination of server-based and agent-based scanning engines D. An active scanning engine installed on the enterprise console
D. An active scanning engine installed on the enterprise console
An SNMP sweep is being conducted. The sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this mean? A. The machines are unreachable B. The machines are not running SNMP server C. The community string begin used is invalid D. Any listed answers may be true
D. Any listed answers may be true
Jason sets up an alert that detects when users login from other companies, who typically do not travel there. What type of analysis is this? A. Trend B. Availability C. Heuristic D. Behavior
D. Behavior
As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as? A. Static analysis B. Composition C. Dynamic analysis D. Decomposition
D. Caitlyn is preparing a decomposition diagram that maps the high-level functions to lower-level components. This will allow her to better understand how the malware package works and may help her identify areas she should focus on
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain administrator B. Local administrator C. Root D. Read-only
D. Credentialed scans only require read-only access to target servers.Renee should follow the principle of least privilege and limit the accessavailable to the scanner.
John has reason to believe that systems on his network have been compromised by an APT actor. He has noticed a large number of file transfers outbound to a remote site via TLS-protected HTTP sessions from unknown systems. Which of the following techniques is most likely to detect the APT infections? A. Network traffic analysis B. Network Forensics C. Endpoint behavior analysis D. Endpoint forensics
D. Endpoint forensics
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal? A. Isolation B. Segmentation C. Removal D. None of the above
D. Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
John wanted to grab the banner from a web server using common tools. Which of the following tools would not be used to grab the banner from the remote host? A. Netcat B. Telnet C. Wget D. Ftp
D. Ftp
The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all required best practices. Which of the following would be the BEST choice? A. OSSIM B. SDLC C. SANS D. ISO
D. ISO
What NIST publication contains guidance on cyber security incident handling? A. SP 800-53 B. SP 800-88 C. SP 800-18 D. SP 800-61
D. NIST SP 800-61 is the Computer Security Incident Handling Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems
A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST? A. Contact the Office of Civil Rights (OCR) to report the breach B. Notify the Chief Privacy Officer (CPO) C. Activate the incident response plan D. Put an ACL on the gateway router
D. Put an ACL on the gateway router
Which of the following is MOST effective for correlation analysis by log for threat management? A. PCAP B. SCAP C. IPS D. SIEM
D. SIEM
During her forensic copy validation process Danielle received the following MD5 sums from her original drive and the cloned image after using dd. What is likely wrong?b49794e007e909c00a51ae208cacb169 original.imgd9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img A. The original was modified. B. The clone was modified. C. dd failed. D. An unknown change or problem occurred
D. Since Danielle did not hash her source drive prior to cloning, you cannot determine where the problem occurred.
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? A. Business architecture B. Applications architecture C. Data architecture D. Technical architecture
D. Technical architecture
Which one of the following is not a common use of the NIST Cybersecurity Framework? A. Describe the current cybersecurity posture of an organization. B. Describe the target future cybersecurity posture of an organization. C. Communicate with stakeholders about cybersecurity risk. D. Create specific technology requirements for an organization.
D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.
Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file? A. grep B. more C. less D. strings
D. The strings command extracts strings of printable characters from files, allowing Ben to quickly determine the contents of files. Grep would require knowing what he is looking for, either the more or less command will simply display the file, which is often not a useful strategy for binaries.
Alex is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim? A. C:\Windows\System 32\Installers B. C:\Windows\Install.log C. C:\Windows\Jim\Install.log D. C:\Windows\Jim\AppData\Local\Temp
D. Windows installer logs are typically kept in the user's temporary app data folder. Windows does not keep install log files, and System32 does not contain an Installers directory
Geoff wants to gather a list of all Windows services and their current state using a command-line tool. What tool can he use to gather this information for later processing? A. svcctl -l B. service list C. service -l D. sc query
D. sc query
A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractors laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario? A. Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources. B. Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server. C. Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic. D. Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location. E. Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network
E. Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.
Given the following output from a Linux machine : file2cable i eth0 -f file.pcap Which of the following BEST describes what a security analyst is trying to accomplish? A. The analyst is attempting to measure bandwidth utilization on interface eth0. B. The analyst is attempting to capture traffic on interface eth0. C. The analyst is attempting to replay captured data from a PCAP file. D. The analyst is attempting to capture traffic for a PCAP file. E. The analyst is attempting to use a protocol analyzer to monitor network traffic
E. The analyst is attempting to use a protocol analyzer to monitor network traffic.
DV Certificates
Requires domain ownership validation
OV Certificates
Requires proof of the right to manage domain names.
MIB
Management Information Base - provides monitoring groups to get information about networks and focuses on flow-based information.
Extended Validation (EV) Certificates
certificates require additional action to validate that the requester's legal identity is known, as well as the operational and physical presence of the website owner
