Jason Dions Practice Exam 4 of 5
Which of the following commands would NOT provide domain name information and details about a host? A.dig -x [ip address] B. host [ip address] C. nslookup [ipaddress] D. sc [ip address]
D. sc [ip address] Explanation OBJ-1: Service control (sc) is a Windows command that allows you to create, start, stop, query, or delete a Windows service. The dig command will give you information on when a query was performed, the details that were sent and what flags were sent as well. In most cases, host and nslookup will also provide similar information.
Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? A.Zone transfers B.Split horizon C.FQDN resolution D.DNS Poisoning
A.Zone transfers Explanation OBJ-1.2: A DNS zone transfer provides a full listing of DNS information. If your organization's internal DNS server is improperly secured, this can allow an attacker to gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A.MySQL B.RDP C.LDAP D.IMAP
B.RDP Explanation OBJ-1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.
A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) A.Encryption B.Network Access Control C.Port security D.Authentication E.Physical accessibility F.MAC filerting
A.Encryption E.Physical accessibility Explanation OBJ-1: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Authentication, MAC filtering, and network access control (NAC) can be implemented equally on both wired and wireless networks. Port security is only applicable to wired networks.
Which security control would prevent unauthorized users from connecting to a company's wireless network? A.NAC B.Firewall C.IPS D.Segmentation
A.NAC Explanation OBJ-1.3: Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.
Which of the following protocols could be used inside of a virtual system to manage and monitor the network? A.SNMP B.SMTP C.BGP D.EIGRP
A.SNMP Explanation OBJ-2: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A.VM Escape B.VM Migration C.VM Sprawl D.VM data remnant
A.VM Escape Explanation OBJ-2: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? A.File size and file creation date B.MD5 or SHA1 hash digest of the file C.Private key of the file D.Public key of the file
B.MD5 or SHA1 hash digest of the file Explanation OBJ-3: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file in order to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparison of hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure the confidentiality of data, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could be used to help validate the integrity of a file, but they of a much lower quality and trust factor than using a hash digest, therefore MD5 or SHA1 is still a better choice.
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step if they want to pivot to a protected system behind the DMZ? A.Vulnerability scanning B.Privilege escalation C.Patching D.Installing additional tools
B.Privilege escalation Explanation OBJ-1.4: Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation prior to pivoting into the DMZ. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools, as this does not help them to achieve their goal of pivoting into the DMZ.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? A.Acceptable use policy B.Service level agreement C.Rules of engagement D.Memorandum of understanding
C.Rules of engagement Explanation OBJ-1.4: While the network scope given in the contract documents will define what will be tested, the rules of engagement defines how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and Internet services.
Which of the following must be combined with a threat to create risk? A.Malicious actor B.Mitigation C.Vulnerability D.Exploit
C.Vulnerability Explanation OBJ-1.4: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A.A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for the purposes of threats and vulnerabilities since their goals lie outside your organization's security goals.
Which of the following is NOT considered part of the Internet of Things? A.SCADA B.ICS C.Smart television D.Laptop
D.Laptop Explanation OBJ-2: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
What document typically contains high-level statements of management intent? A.Procedure B.Guideline C.Standard D.Policy
D.Policy Explanation OBJ-2: Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.
Which of the following types of encryption would ensure the best security of a website? A.SSLv1 B.SSLv2 C.SSLv3 D.TLS
D.TLS Explanation OBJ-2: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, who developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Socket Layer uses three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.
According to the Center for Internet Security's system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SLDC? A.Inventory of authorized/unauthorized devices B.Controlled use of administrative privileges C.Application software security D.Malware defenses
C.Application software security Explanation OBJ-4: Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is the one most likely to contain relevant information relating to best practices to implement in the SDLC.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? A.ipconfig B.netstat C.tracert D.nbtstat
C.tracert Explanation OBJ-4: The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A.10.15.1.100 B.192.186.1.100 C.172.16.1.100 D.192.168.1.100
B.192.186.1.100 Explanation OBJ-2: This question is testing your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-32.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100, since it is not a private IP address.
During which phase of an attack would a penetration tester seek to gain complete control of a system? A.Planning B.Attack C.Reporting D.Discovery
B.Attack Explanation OBJ-1.4: During the attack phase, the attacker seeks to gain access to a system, escalate that access to obtain complete control, and then conduct browsing to identify mechanisms to gain access to additional systems. The planning phase is where the scope for the assignment is defined and management approvals, documents, and agreements are signed. The discovery phase is where the actual testing starts; it can be regarded as an information-gathering phase. The attack phase is at the heart of any penetration test, it is the part of the process where a penetration test attempts to exploit a system, conduct privilege escalation, and then pivot or laterally move around the network. The reporting phase is focused on the development of the final report that will be presented to management at the conclusion of the penetration test.
You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed 'history' into the prompt and see the following: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-> for I in seq 255; ping -c 1 10.1.0.$i; done-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Which of the following best describes what actions were performed by this line of code? A.Attempted to conduct a SYN scan on the network B.Conducted a ping sweep of the subnet C.Conducted a sequential ICMP echo reply to the subnet D.Sequentially sent 255 ping packets to every host on the subnet
B.Conducted a ping sweep of the subnet Explanation OBJ-3: This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply back from the target of the ping. A ping sweep does not use a SYN scan, that would require the use of a tool like nmap or hping.
A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? A.Ping of death B.Zero-day malware C.PII exfiltration D.RAT
B.Zero-day malware Explanation OBJ-1.2: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the information provided in the scenario, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.
Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them? A.ping B.nmap C.netstat D.Wireshark
B.nmap Explanation OBJ-4: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. In addition, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for both incoming and outgoing TCP packets, routing tables, and a number of network interface and network protocol statistics, but it cannot be used to identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection to it. Wireshark is an open-source packet analyzer that is used for network troubleshooting, analysis, software and communications protocol development, and education.
An analyst suspects that a Linux system has been victimized by a trojan. Which command should be run to determine where the current bash shell is being executed from on the system? A. dir bash B. ls -l bash C. which bash D.printenv
C. which bash Explanation OBJ-1.1: By executing the "which bash" command, the system will report the file structure path to where the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate that the machine has been compromised. The ls command will simply list the current directory and show any files or folders named bash. The printenv command would simply print the value of the specified environment variable specified, bash in this example. The dir command is used to list the contents of a directory, much like ls does.
Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network? A.Directory traversal B.Cross-site scripting C.Removable media D.Session hijacking
C.Removable media Explanation OBJ-3: Airgaps are designed to remove connections between two networks in order to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.
Which of the following elements is LEAST likely to be included in an organization's data retention policy? A.Minimum retention period B.Maximum retention period C.Description of information needing to be retained D.Classification of information
C.Classification of information Explanation OBJ-4: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy, but instead would be a key part of your organization's data classification policy.
Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment? A.NIST B.OWASP C.SDLC D.SANS
A.NIST Explanation OBJ-4: NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the establishment of the program and provide a series of guidelines and best practices. SANS is a company specializing in cybersecurity and secure web application development training and sponsors the Global Information Assurance Certification (GIAC). The SDLC is the software development lifecycle. It is a method for dividing programming projects into separate phases. The Open Web Application Security Project (OWASP) is a community effort that provides free access to a number of secure programming resources. The resources provided include documentation on web app vulnerabilities and mitigation tactics, software tools used to identify and handle threats that target web applications, frameworks for secure development life cycle implementation, frameworks for penetration testing web apps, general secure coding best practices, guidelines for specific web-based languages, and more.
Which of the following provides the detailed, tactical information that CSIRT members need when responding to an incident? A.Procedures B.Guidelines C.Policies D.Framework
A.Procedures Explanation OBJ-3: The incident response policy contains procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents, divided into preparation, detection/analysis, containment, eradication/recovery, and post-incident stages. Procedures provide detailed, tactical information to the CSIRT and represent the collective wisdom of team members and subject-matter experts. A policy is a statement of intent and is implemented as a procedure or protocol. A guideline is a statement by which to determine a course of action. A guideline aims to streamline particular processes according to a set routine or sound practice. A framework is a basic structure underlying a system, concept, or text.
Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? A.Trusted Foundry (RF) B.Supplies Assured (SA) C.Supply Secure (SS) D.Trusted Access Program (TAP
A.Trusted Foundry (RF) Explanation OBJ-1.4: The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A.SPF B.DKIM C.SMTP D.DMARC
B.DKIM Explanation OBJ-2: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send email from that domain and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively. DMARC relies on DKMI for the cryptographic authentication mechanism, making it the incorrect option for this question. The simple mail transfer protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? A.Notification to local law enforcement B.Notification to your credit card processor Notification to federal law enforcement Notification to Visa and Mastercard
B.Notification to your credit card processor Explanation OBJ-3: Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network? A.The beacon's persistence B.The beacon's protocol C.The beaconing interval D.The removal of known traffic
B.The beacon's protocol Explanation OBJ-3: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, therefore making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.
Which of the following is exploited by an SQL injection to give the attacker access to a database? A.Operating system B.Web application C.Database server D.Firewall
B.Web application Explanation OBJ-2: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.
Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it? A.Driver's license numbers B.Insurance records C.Credit card data D.Medical records
C.Credit card data Explanation OBJ-2: The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct both internal and external scans at prescribed intervals on any devices or systems that process credit card data. Medical and insurance records are protected by HIPPA, but this law doesn't define a frequency for vulnerability scanning requirements. Driver's license numbers are considered PII, but again, there is no defined frequency scanning requirement in regards to protecting PII under law, regulation, or rule.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? A.SQL injection B.Buffer overflow C.Directory traversal D.XML injection
C.Directory traversal Explanation OBJ-3: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements, via web page input.
Jorge and Marta are working on a programming project together. During a code review, Marta explains to Jorge the code she wrote while he looks at the code on her computer. Which of the following code review techniques is being used in this scenario? A.Pair programming B.Dual control C.Over-the-shoulder D.Tool-assisted review
C.Over-the-shoulder Explanation OBJ-4: Over-the-shoulder code reviews rely on a programmer explaining their code to a peer. This provides a chance for a review of the code and a better understanding of the code for both programmers. In this example, Marta is explaining her code to Jorge, while he looks over her shoulder. Pair programming alternates between programmers, with one strategizing and reviewing it while the other enters the code into the computer. Dual control is a personnel security process that requires more than one employee available to perform a specific task. This is used with split knowledge and is not a form of code review. A tool-assisted review is conducted using a software tool or other form of automation.
A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server-generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead they were simply listed in the results page of their search engine query. Which of the following is the BEST explanation for what has occurred? A.The standard approved browser was not being used by the analyst B.A link related to the indicator was accidentally clicked by the analyst C.Prefetch is enabled on the analyst's web browser D.Alert is unrelated to the search that was conducted
C.Prefetch is enabled on the analyst's web browser Explanation OBJ-1.3: Prefetch is a capability in modern web browsers that is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? A.Least privilege B.Security through obscurity C.Separation of duties D.Dual control authentication
C.Separation of duties Explanation OBJ-4: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another is required to transfer money out. Dual control authentication is used when performing a sensitive action and requires participation from two different users in order to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component.
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? A.Fingerprint and retinal scan B.Password and security question C.Smartcard and PIN D.Username and password
C.Smartcard and PIN Explanation OBJ-4: Multi-factor authentication (MFA) creates multiple layers of security to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? A.RADIUS B.CHAP C.TACACS+ D.Kerberos
C.TACACS+ Explanation OBJ-4: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco. Kerberos is an open-source network authentication protocol designed by Matte Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? A.On-demand vulnerability scanning B.Continuous vulnerability scanning C.Scheduled vulnerability scanning D.Agent-based monitoring
D.Agent-based monitoring Explanation OBJ-2: An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system's status at a certain time, it will not remain current and accurate without continual rescanning.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? A.Create an ACL to allow access B.Configure a SIEM C.MAC filtering D.Implement NAC
D.Implement NAC Explanation OBJ-4: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets, and provide them with access to the secure internal network. NAC could also determine which are unknown machines (assumed to be those of CompTIA employees), and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized, but it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.
Which of the following vulnerabilities is the greatest threat to data confidentiality? A.HTTP TRACE/TRACK methods enabled B.SSL Server with SSLv3 enabled vulnerability C. phpinfo information disclosure vulnerability D.Web application SQL injection vulnerability
D.Web application SQL injection vulnerability Explanation OBJ-2: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes and allow the attacker to gain access to sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some level of confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.
When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists? A.ESTABLISHED B.LISTENING C.LAST_ACK D.CLOSE_WAIT
A.ESTABLISHED Explanation OBJ-4: The ESTABLISH message indicates that an active and established connection is created between two systems. The LISTENING message indicates that the socket is waiting for an incoming connection from the second system. The LAST_ACK message indicates that the remote end has shut down the connection and the socket is closed and waiting for an acknowledgement. The CLOSE_WAIT message indicates that the remote end has shut down the connection and is waiting for the socket to close.
You are trying to find some files that were deleted by a user on a Windows workstation. What two locations are most likely to contain those deleted files? (CHOOSE TWO ) A.Slack space B.Unallocated space C.Recycle bin D.Registry
A.Slack space C.Recycle bin Explanation OBJ-3: Files that users have deleted are most likely to be found in the recycle bin or in slack space. Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user. Unallocated space is space that has not been partitioned and therefore, would typically not have been written to. The registry will not store files that have been deleted but may contain a reference to the file, such as the name of the file.
You are conducting an investigation on a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A.Submit the files to an open-source intelligence provider like VirusTotal B.Disassembly the files and conduct static analysis on them using IDA Pro C.Run the Strings tool against each file to identify common malware identifiers D.Scan the files using a local anti-virus/anti-malware engine
A.Submit the files to an open-source intelligence provider like VirusTotal Explanation OBJ-3: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised, because the scanner may also be compromised.
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? A.Syslog B.Network mapping C.Firewall logs D.NIDS
A.Syslog Explanation OBJ-3: The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could assist in determining which server was offline, but not what caused the interruption. Firewall logs would only assist in determining why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.
Which of the following protocols is considered insecure and should never be used in your networks? A.Telnet B.SSH C.SFTP D.HTTPS
A.Telnet Explanation OBJ-2: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet, but uses an encrypted tunnel to maintain the confidentiality of the data be sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP that is used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.
You have been tasked to create some baseline system images in order to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? A.Utilizing an operating system SCAP plugin B.Utilizing an authorized credential scan C.Utilizing a non-credential scan D.Utilizing a known malware plugin
A.Utilizing an operating system SCAP plugin Explanation OBJ-2: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry-standard and support testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time, instead of comparing against a known good baseline.
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? A.Zone transfers B.DNS registration C.CNAME D.DNSSEC
A.Zone transfers Explanation OBJ-2: Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but an attacker could also use it for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers. DNSSEC strengthens authentication in DNS using digital signatures based on public-key cryptography. CNAME is a Canonical Name Record or Alias Record. A type of resource record in the Domain Name System (DNS) that specifies that one domain name is an alias of another canonical domain name. DNS registration is a service, which allows the owner of a domain name to use their name servers, which can match the domain name in question.
You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take in order to analyze the suspected APT activity? A.Use the IP addresses to search through the event logs B.Analyze the trends of the events while manually reviewing them to see if any indicators match C.Create an advanced query that includes all of the indicators and review any matches D.Scan for vulnerabilities with exploits known to previously have been used by an APT
B.Analyze the trends of the events while manually reviewing them to see if any indicators match Explanation OBJ-1: You should begin by analyzing the trends of the events while manually reviewing each of them to determine if any of the indicators match. If you only searched through the event logs using the IP addresses, this would not be sufficient as many APTs hide their activity by compromising and using legitimate networks and their IP addresses. If you only use the IP addresses to search the event logs, you would miss any events that correlated only to the domain names. If you create an advanced query will all of the indicators, your search of the event logs will find nothing because no single event will include all of these IPs and domain names. Finally, while scanning for vulnerabilities known to have been used by the APTs is a good practice, it would only be effective in determining how to stop future attacks from occurring, not for determining whether or not an attack has already occurred.
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT " 10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT" 10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"-=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=-What type of attack was most likely being attempted by the attacker? A.SQL injection B.Directory traversal C.XML injection D.Password spraying
B.Directory traversal Explanation OBJ-2: A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user's passwords by attempting a compromised password against multiple user accounts.
You are working as a cybersecurity analyst, and you just received a report that many of your servers are experiencing slow response times due to what appears to be a DDoS attack. Which of the following actions should you undertake? A.Inform users regarding the affected systems B.Inform management of the issue being experienced C.Shutdown all of the interfaces on the affected servers D.Take no action but continue to monitor the critical systems
B.Inform management of the issue being experienced Explanation OBJ-3: Your first action as an analyst would be to inform management of the issues being experienced so a decision on the proper course of action can be determined. If you shut down the interfaces on the affected servers, you would make the situation worse by effectively ensuring a denial of service condition. Taking no action is not suitable either, as this would allow the DDoS to continue indefinitely. Informing the users of the affected systems may be acceptable, but this should be a managerial decision since it would be publicly disclosing the fact that your systems were under attack.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://test.diontraining.com/profile.php?userid=1546https://test.diontraining.com/profile.php?userid=5482https://test.diontraining.com/profile.php?userid=3618-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-What type of vulnerability does this website have? A.Race condition B.Insecure direct object reference C.Improper error handling D.Weak or default configurations
B.Insecure direct object reference Explanation OBJ-4: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. In this scenario, an attacker could simply change the userid number and directly access any user's profile page. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on potential flaws in the system.
Which model of software development emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? A.Waterfall B.Spiral C.Agile D.RAD
C.Agile Explanation OBJ-4: Agile software development is characterized by the principles of the Agile Manifesto. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process. The waterfall model is a breakdown of project activities into linear sequential phases, where each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks. Rapid Application Development (RAD) is a form of agile software development methodology that prioritizes rapid prototype releases and iterations. Unlike the Waterfall method, RAD emphasizes the use of software and user feedback over strict planning and requirements recording. Spiral development is a risk-driven software development model that guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A.Use of insecure functions B.Insufficient logging and monitoring C.Improper error handling D.Insecure object reference
C.Improper error handling Explanation OBJ-3: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail in a way that allows the attacker to execute code or perform some sort of injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allows attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.
You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A.SQL injection B.Impersonation C.Integer Overflow attack D.Password Spraying
C.Integer Overflow attack Explanation OBJ-1.2: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number that is too large to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the client-side of the application. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for the purpose of fraud.
You are reviewing the logs in your IDS and see that there were entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? A.Remote host cannot find the right service port B.SYN Flood C.Port scan D.UDP Probe
C.Port scan Explanation OBJ-1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create a SYN scan across every port in a range against a desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service, a SYN flood normally sends many SYNs to a single system but doesn't send them to unused ports, and a UDP probe will not send SYN packets.
You are analyzing the logs of a web server and see the following entry: -=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- 192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!-%22%3CDION%3E=&{() } HTTP/1.1″ 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12″ -=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- Based on this entry, which of the following attacks was attempted? A.XML injection B.Buffer overflow C.XSS D.SQL injection
C.XSS Explanation OBJ-4: This is an example of an XSS attack as recorded by the log of a web server. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (' '). While you don't need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam it is usually going to be a XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause information that a user enters into their web browser to be sent to the attacker. An attacker finds a web server that is vulnerable to XSS and sends a legitimate looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow is any attempt to write data to a buffer that overruns the buffer's boundary and write data into the adjacent memory locations, which is not occurring in this example.
Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach and they are going to assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? A.Require all employees to commit to an NDA about the data breach verbally B.Require all employees to commit to an NDA about the data breach in writing C.Block all employee access to social media from the company's network and begin monitoring your employee's email D.Ask a member of law enforcement to meet with your employees
D.Ask a member of law enforcement to meet with your employees Explanation OBJ-3: Since the data breach is now the subject of an active law enforcement investigation, your organization should request that a law enforcement agent speaks with your employees to give them clear guidance on what they should and should not say to people outside of the investigation. Additionally, the company's system administrators and analysts should not perform any actions on the network until they receive guidance from law enforcement. This will ensure that the employees do not accidently destroy and tamper with potential evidence of the crime.
What control provides the best protection against both SQL injection and cross-site scripting attacks? A.Hypervisors B.Network layer firewalls C.CSRF D.Input validation
D.Input validation Explanation OBJ-2: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.
Which of the following would be used to prevent a firmware downgrade? SED eFUSE TPM HSM
eFUSE Explanation OBJ-3: eFUSE is an Intel-designed mechanism to allow a software instruction to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some games consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt the contents of a storage device. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. A HSM solution may be less susceptible to tampering and insider threats than software-based storage.