Jason Dions Practice Exams (2 of 5)

You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL? A.DES B.AES C.RSA D.ECC

A.DES OBJ-4: DES is outdated and should not be used for any modern applications. The AES, RSA, and ECC are all current secure alternatives that could be used with OpenSSL.

If you want to conduct an operating system identification during a nmap scan, which syntax should you utilize? A.nmap -os B.nmap -O C.nmap -id D.nmap -osscan

B.nmap -O Explanation OBJ-2: The -O flag indicates to nmap that it should attempt to identify the operating system of the target during the scanning process. It does this by evaluating the responses it received during the scan against its database of signatures for each operating system.

Which of the following is the most difficult to confirm with an external vulnerability scan? A.Cross-site scritpting (XSS) B.Cross-site request forgery (XSRF/CSRF) C.Blind SQL injection D.Unpatched web server

C.Blind SQL injection Explanation OBJ-2: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. Unpatched servers can usually be identified by the banner information.

You are trying to find a rogue device on your wired network. Which of the following options would NOT be helpful in finding the device? A.MAC validation B.Port scanning C.Site surveys D.War walking

D.War walking Explanation OBJ-3: War walking is conducted by walking around a build while trying to locate wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

Which of the following tools is considered a web application scanner? A.Nessus B.Qualys C.OpenVAS D.Zap

D.Zap Explanation OBJ-2: OWASP Zed Attack Proxy (ZAP) is the world's most widely used web application scanner. It is a free, open-source, and provided by the Open Web Application Security Project (OWASP). Nessus, Qualys, and OpenVAS are all classified as infrastructure vulnerability scanners.

If an administrator cannot fully remediate a vulnerability, which of the following should they implement? A.A compensating control B.An engineering tradeoff C.A policy D.Access requirements

A.A Compensating control Explanation OBJ-1.3: Based on the wording of the question, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of a compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements, or vice versa.

A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? A.Conduct a brute-force attack against the FileVault 2 encryption B.Retrieve the key from memory while the volume is mounted C.Acquire the recovery key D.Extraxt the keys from iCloud

A.Conduct a brute-force attack against the FileVault 2 encryption Explanation OBJ-3: FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The Recovery key can also be obtained either from the user's notes or from their storage area of iCloud. You cannot unlock the volume by conducting a brute force attack against the drive since it uses AES 256-bit encryption system, which is currently unbreakable without access to a super computer.

A.IPSec B.SSLv2 C.PPTP D.SSLv3

A.IPSec Explanation OBJ-2: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, the use of PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

William is evaluating the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact? A.Low B.Medium C.Moderate D.High

A.Low Explanation OBJ-2: FIPS 199 classifies any risk where "the unauthorized disclosure of information could be expected to have a limited adverse effect" as a low impact confidentiality risk. If there was a serious adverse effect expected, then it would be a moderate impact. If there was a severe or catastrophic adverse effect expected, then it would be a high impact. Medium is not an impact under FIPS 199. This question may seem beyond the scope of the exam, but the objectives allow for "other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered" in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Which of the following lists represents the four tiers of the NIST cybersecurity framework, when ordered from least mature to most mature? A.PArtial, Risk Informed, Repeatable, Adaptive B.Partial, Repeatable, Risk Informed, Adaptive C.Partial, Managed, Risk Informed, Adaptive D.Partial, Managed, Risk informed, Adaptive

A.PArtial, Risk Informed, Repeatable, Adaptive Explanation OBJ-4: From least mature to most mature, the NIST cybersecurity framework is Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4).

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve some information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? A.Perform a DNS brute-force attack B.Use a nmap ping sweep C.Perform a DNS zone transfer D.Use a nmap stealth scan

A.Perform a DNS brute-force attack OBJ-1: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. B&D.Conducting either a ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. C. A DNS zone transfer is also something that often has a signature search for it and will be alerted upon since it is a common attack technique.

During which phase of the incident response process does an organization assemble an incident response toolkit? A.Preparation B.Detection and analysis C.Containment, eradication and recovery D.Post-incident activity

A.Preparation Explanation OBJ-3: During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

In which type of attack does the attacker begin with a normal user account and then seeks to gain additional access rights? A.Privilege escalation B.Spear phishing C.Cross-site scripting D.Remote code exploitation

A.Privilege escalation Explanation OBJ-2: Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Remote code execution is the ability an attacker has to access someone else's computing device and make changes, no matter where the device is geographically located.

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long strings of text and then began using the sudo command to carry out actions. What type of attack has just taken place? A.Privilege escalation B.Phishing C.Social engineering D.Session hijacking

A.Privilege escalation Explanation OBJ-4: The use of long query strings points to a buffer overflow attack and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the details provided in the question, only a privilege escalation is currently verified within the scenario due to the use of sudo.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? A.SQL injection B.Cross-site scripting C.Buffer overflow D.Denial of service

A.SQL injection Explanation OBJ-2: A SQL injection poses the most direct and more impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to the disclosure of sensitive information. A buffer overflow attack attempts to overwrite the memory buffer in order to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to cause a disclosure of information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for the running of other malicious code. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused against the user, not the server or database.

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested prior to deploying them into the production environment. What type of environment should his organization establish? A.Staging B.Honeypot C.Honeynet D.Development

A.Staging Explanation OBJ-2: Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment which minimizes the risk of failure during a push to the production environment. Honeypots/Honeynets are not considered a testing environment. Instead, they are designed to attract attackers. The organization should not use the development environment to test the patches since a development environment does not mimic the real production environment.

Your service desk has been receiving a large number of complaints from external users that a web application is responding slowly to requests and frequently receives a "connection timed out" error message when they attempt to submit information to the application. Which software development best practice should have been implemented in order to prevent this from occurring? A.Stress testing B.Regression Testing C.Input Validation D.Fuzzing

A.Stress Testing Explanation OBJ-4: Stress testing is a software testing activity that determines the robustness of software by testing beyond the limits of normal operation. Stress testing is particularly important for mission-critical software but can be used with all types of software. Stress testing is an important component in the capacity management process of IT service management and ensures adequate resources are available to support the needs of the end-user when an application goes into a production environment. Regression testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input have undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

What SCAP component could be to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? A.XCCDF B.CCE C.CPE D.CVE

A.XCCDF Explanation OBJ-2: XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.

Which of the following technologies could be used to ensure that users who login to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO) A.Port security B.NAC C.GPS location D.Geo-IP

B&D. NAC & GPS location Explanation OBJ-1.3: Network Access Control is used to identify an endpoint's characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building. Port security enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. This would not help to locate the individual based on their location, though. Geo-IP, or geolocation and country lookup of a host-based on its IP address, would identify the country of origin of the user, but not whether or not they are within the confines of the building. Geo-IP is also easily tricked if the user logs in over a VPN connection.

You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service? A. /etc/passswd B. /etc/xinetd.conf C./etc/shadow D. $HOME/.ssh

B. /etc/xinetd.conf Explanation OBJ-3: Linux services are started by xinetd, but some new versions use sytemctl. Therefore, the /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations that are specifically associated with individual user accounts. The /home/.ssh directory contains SSH keys for SSH-based logins.

A cybersecurity analyst has received an alert that well-known call home messages are continuously observed by sensors at their network boundary, but the organization's proxy firewall is properly configured to successfully drop the messages prior to them leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? A.An attacker is performing reconnaissance the organization's workstations B.An infected workstation is attempting to reach a command and control server C.A malicious insider is trying to exfiltrate information to a remote network D.Malware is running on a company workstation or server

B.An infected workstation is attempting to reach a command and control server Explanation OBJ-1.2: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization's workstation or server, but that isn't the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and is trying to communicate with the attacker's command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware, or until the botnet gives the infected host further instructions to perform (such as to attack). The reason that "malware is running on a company workstation or server" is incorrect is because we do not have positive verification of that based on this scenario. A beacon does not have to be malware, for example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the "most" accurate answer to the question. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information, since a call home message is generally very small in size and not large enough to exfiltrate data.

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A.WHOIS lookups B.Banner Grabbing C.BGP looking glass usage D. Registrar checks

B.Banner grabbing Explanation OBJ-1: Banner grabbing requires a connection to the host in order to successfully grab the banner. This is an active reconnaissance activity. All other options are considered to be passive processes and typically use information retrieved from third-parties that do not require a direct connection to an organization's remote host.

What technology is NOT PKI x.509 compliant and cannot be used in a variety of secure functions? A.AES B.Blowfish C.PKCS D.SSL/TLS

B.Blowfish Explanation OBJ-4: AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for the secure key exchange.

A recent threat has been announced in the cybersecurity world stating that there is a critical vulnerability in the kernel of a particular operating system. Your company, unfortunately, has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network? A.Manually review the syslog server's logs B.Conduct an OS fingerprinting scan across the network C.Conduct a packet capture of data traversing the server network D.COnduct a service discovery scan on the network

B.Conduct an OS fingerprinting scan across the network Explanation OBJ-1.1: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers that are running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, then you can focus your attention on just those servers that need further inspection and scanning. A.Manually review the syslog server's log would take too long, and would not find any servers that are not configured to send their logs to the syslog server. C.Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. D.Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, that doesn't indicate if you are running Linux or Windows as the underlying server.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the contents of the hard drive during your analysis? A.Forensic drive duplicator B.Hardware write blocker C.Software write blocker C.Degausser

B.Hardware write blocker Explanation OBJ-3: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the contents of the drive from being changed during analysis, you should pick the hardware write blocker. The primary purpose of a hardware write blocker is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator simply copies a drive and validates that it matches the original drive, but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the contents of the hard drive.

Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support a large number of users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users? A.USer acceptance testing B.Load testing C.Regression testing D.Fuzz testing

B.Load testing Explanation OBJ-4: Load testing or stress testing puts an application, network, or system under full load conditions to document any lapses in performance. User Acceptance Testing is the process of verifying that a created solution/software works for a user. Regression testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features. Fuzz testing, or fuzzing, is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. It involves inputting massive amounts of random data to the test subject in an attempt to make it crash. User acceptance testing, regression testing, and fuzz testing are not designed to test a system under heavy load conditions. Therefore, they will not be suitable for Annah's needs in this scenario.

You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? A.Use a UDP scan B.Perform a scan from on-site C.Scan using the -p 1-65535 flag D.Use an IPS evasion technique

B.Perform a scan from on-site Explanation OBJ-1: You should request permission to conduct an on-site scan of the network. If the organization's network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services that are running on the internal network. While nmap does provide some capabilities to scan through a firewall, it is not as detailed as being on-site.

Which of the following is NOT a part of the security incident validation effort? A.Scanning B.Sanitization C.Patching D.Permissions

B.Sanitization Explanation OBJ-3: Patching, permissions, scanning, and verifying logging are the components of the security incident validation effort. Sanitization is a component of the security incident eradication effort.

While conducting a security test to ensure that information about your company's web server is protected from inadvertent disclosure, you request an HTML file from the webserver and received the following output:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/6.0 Date: Tuesday, 5 Sep 2017 1034:12 GMT Content-Type: text/html Content-Length: 132 There is no web site configured at this address. This page is a placeholder until construction begins. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following actions should you take to remediate this vulnerability? A.Set "VerifyNormalization" to 1 in the URLScan.ini configuration file B.Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file C.Set "EnableLogging" to 1 in the URLScan.ini configuration file D. Set "PerProcessLogging" to 1 in the URLScan.ini configuration file

B.Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file Explanation OBJ-2: This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the "RemoveServerHeader" in the Microsoft IIS configuration file (URLScan.ini). If you set "RemoveServerHeader" to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set "EnableLogging" to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set "PerProcessLogging" to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set "VerifyNormalization" to 1, UrlScan verifies normalization of the URL and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL.

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase? A.Development B.Training and transition C.Operations and maintenance D.DIsposition

B.Training and transition Explanation OBJ-4: The training and transition phase ensures that end users are trained on the software and that the software has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase. Disposition is focused on the retirement of an application or system. Operations and maintenance is focused on the portion of the lifecycle where the application or system goes into use to provide value to the end-users. Development is the portion of the lifecycle focused on designing and coding the application or system.

Mark works as a Department of Defense contracting officer and needs to ensure that any network devices he purchases for his organization's network are secure. He utilizes a process to verify the chain of custody for every chip and component that is used in the device's manufacturer. What program should Mark utilize? A.Gray market procurement B.Trusted Foundry C.White market procurement D.Chain of procurement

B.Trusted Foundry Explanation OBJ-1.4: The US Department of Defense (DoD) has set up a Trusted Foundry Program, operated by the Defense Microelectronics Activity (DMEA). Accredited suppliers have proved themselves capable of operating a secure supply chain, from design through to manufacture and testing. The Trusted Foundry program to help assure the integrity and confidentiality of circuits and manufacturing. The purpose is to help verify that agents of foreign governments are not able to insert malicious code or chips into the hardware being used by the military systems. This is part of ensuring hardware source authenticity and ensure purchasing is made from reputable suppliers to prevent the use of counterfeited or compromised devices.

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? A.Zero-wipe drives before moving systems B.Use full-disk encryption C.Use data masking D.Span multiple virtual disks to fragment data

B.Use full-disk encryption Explanation OBJ-1.3: To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with "x" for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? A.VPN B.VDI C.VPC D.UEBA

B.VDI Explanation OBJ-4: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? A.IPS B.WAF C.Vulnerability scanning D.Encryption

B.WAF Explanation OBJ-4: WAF (web application firewall) is the best option since it has the ability to serve as a compensating control and can protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An IPS is designed to protected network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? A. The server assumes you are conducting a DDoS attack B.You are scanning a CDN-hosted copy of the site C.The scan will not procure any useful information

B.You are scanning a CDN-hosted copy of the site Explanation OBJ-1: This result is occurring due to the company using a distributed server model that hosts content on Edge servers around the world as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. Based on the requested content, it may be served from the Edge server's cache, or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT Jan 11 05:33:59,lx1 kernel: iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,23 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23? A. grep "10.1.0.10," firewall.log | grep "23$" B. grep "10\.1\0.\10\," firewall.log | grep "23" C. grep "10\.1\0.\10\," firewall.log | grep "23$" D.grep "10.1.0.10," firewall.log | grep "23"

C. grep "10\.1\0.\10\," firewall.log | grep "23$" Explanation OBJ-3: The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command's output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character or else grep treats it as a special character in a regular expression that is treated as any character (except a line break). By adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).

Which of the following types of attackers are considered to be a sophisticated and highly organized person or team who are typically sponsored by a nation-state? A.Script kiddies B.Hacktivists C.Advanced Persistent Threat D.Ethical hacker

C.Advanced persistent threat Explanation OBJ-3: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication, and simply uses publicly available tools and techniques. An ethical hacker is someone who specializes in penetration testing and in other testing methodologies that ensures the security of an organization's information systems. An ethical hacker is also known as a white hat hacker.

What role does the red team perform during a tabletop exercise (TTX)? A.Cyber security analyst B.System administrator C.Adversary D.Network defender

C.Adversary Explanation OBJ-1.4: The red team acts as the adversary, attempting to penetrate the network or exploit the network as a rogue internal attacker. The red team might be selected members of in-house security staff or might be a third-party company or consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A.Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters B.Open authentication standards should be implemented on all wireless infrastructure C.All guests must provide valid identification when registering their wireless devices for use on the network D.Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

C.All guests must provide valid identification when registering their wireless devices for use on the network Explanation OBJ-4: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, which is known as sponsoring the guest. While setting a strong password or using 802.1x are both good security practices, these alone do not meet the sponsorship requirement posed by the question. An open authentication standard only requires that the guest be aware of the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

What information should be recorded on a chain of custody form during a forensic investigation? A.The list of individuals who made contact with files leading to the investigation B.The list of former owners/operators of the workstation involved in the investigation C.Any individual who worked with evidence during the investigation D.The law enforcement agent who was first on the scence

C.Any individual who worked with evidence during the investigation Explanation OBJ-3: Chain of custody forms are forms that list every person who has worked with or who has made contact with the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn't collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A.Enable QoS B.Enable NetFlow compression C.Enabling sampling of the data D.Enable full packet capture

C.Enable sampling of the data Explanation OBJ-1.2: The organization should enable sampling of the data collected. Sampling can help them to capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provide useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store, as well as not minimizing the bottleneck of 2 Gbps during collection.

Which of the following roles should coordinate communications with the media during an incident response? A.System administrators B.Senior leadership C.Public relations D.Human resources

C.Public relations Explanation OBJ-3: Public relations staff should be included in incident response teams to coordinate communications with the general public and the media so that any negative publicity from a serious incident can be managed. Information about the incident should be released in a controlled way when appropriate through known press and external public relations agencies. Senior leadership should be focused on how the incident affects their departments or functional areas in order to make the best decisions. The senior leadership should not talk to the media without guidance from the public relations team. System administrators are part of the incident response team since they know the normal baseline behavior of the network and its system better than anyone else. System administrators should not talk to the media during an incident response. Human resources is part of the incident response team in order to contact any suspected insider threats appropriately and ensure no breaches of employment law or employment contracts are made.

Which of the following does a User Agent request a resource from when conducting a SAML transaction? A.Relying party (RP) B.Identity provider (IdP) C.Service provider (SP) D.SIngle sign-on (SSO)

C.Service Provider Explanation OBJ-4: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select? A.Operational view B.Acquisition view C.Technical view D.Logical view

C.Technical view Explanation OBJ-4: A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition views focus on the procurement process.

You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A.Firewall logs showing the SMTP connections B.The SMTP audit log from his companys email server C.The full email header from one of the spam messages D.Network flows for the DMZ containing the email servers

C.The full email header from one of the spam messages Explanation OBJ-1: You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, then you will need to conduct more research to determine the best method to solve the underlying problem.

You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the imaging failure? A.The data on the source drive was modified during the imaging B.The source drive is encrypted with BitLokcer C.There are bad sectors on the destination drive D.The data cannot be copied using the RAW format

C.There are bad sectors on the destionation drive Explanation OBJ-3: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. The data can always be copied into a RAW format since it is a bit by bit copy and will copy even the bad sectors of the source drive. Even if the source disk was encrypted, the dd program would create a bit by bit copy to the destination drive for later attempts at cryptoanalysis. Even if the data was modified, this would not cause the copy to fail. Instead, the copy would simply continue and record the modified data instead of the original data.

You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? A.Cost of acquisition of the system B.Cost of hardware replacement of the system C.Type of data processed by the system D.Depreciated hardware cost of the system

C.Type of data processed by the system Explanation OBJ-2: The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information can help to determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different than the value of the information and data that the system stores and processes, though.

You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the logs for this Apache server if your organization is using the default naming convention? A.httpd_log B.apache_log C.access_log D.http_log

C.access_log Explanation OBJ-2: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The httpd_log file is used by the WebSphere Application Server for z/OS, which is a very outdated server from the early 2000s. The http_log file is actually a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is actually an executable program that parses Apache log files within in Postgres database.

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? A.nmap -sS B.nmap -O C.nmap -sT D.nmap -sX

C.nmap -sT Explanation OBJ-1: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you d not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of using a SYN scan directly. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan. The -O flag would conduct an operating system detection scan of the target system.

Barrett needs to verify settings on a macOS computer to be sure that the configuration he expects is what is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? A.The registry B..profile files C.plists D. .config files

C.plists Explanation OBJ-3: Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user's home folder. The file is named com.apple.finder.plist. The registry is used to store registration configuration settings on Windows systems. A profile (.profile) file is a start-up file of an UNIX user, like the autoexec.bat file of DOS. A configuration (.config) file is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program. This is commonly used in Windows systems.

You are developing your vulnerability scanning plan and attempting to properly scope your scans. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? A.Ask the CEO for a list of the critical systems B.Conduct a nmap scan of the network to determine the OS of each system C.Scope the scan based on IP subnets D. Review the asset inventory and BCP

D. Review the asset inventory and BCP Explanation OBJ-2: To best understand the criticality of a system, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have on hand, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP), since this will provide the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems, in a large organization it is difficult to get them to take the time to do it if they did know the answer. Worse, in most large organizations, the CEO isn't going to know what systems he relies on, but instead just the business functions they serve, again making this a bad choice. While conducting a nmap scan may help you determine what OS is being run on each system, this information doesn't help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn't provide criticality or prioritization of the assets.

A cybersecurity analyst is working at a college that wants to increase the security of its network by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must be able to scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the numbrt of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A.Passive scanning engine located at the core of the network infrastructure B.COmbination of cloud-based and server-based scanning enginers C.Combination of server-based and agnet based scanning engines D.Active scanning engine installed on the enterprise console

D.Active scanning engine installed on the enterprise console Explanation OBJ-2: Since the college wants to ensure there is a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college's cybersecurity analysts could perform scans on any devices that are connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the installation of the agents onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? A.The machines are unreachable B. The machines are not running the SNMP servers C.The community string being used is invalid D.Any listed answers may be true

D.Any listed answered may be true Explanation OBJ-1.2: The best option is all of the answers listed. SNMP doesn't report closed UDP ports and SNMP servers don't respond to requests with invalid information. The "no response" can mean that the systems cannot be reached (either internally or externally). Also, if you entered an invalid community string, then SNMP will be unable to provide a response or report its findings.

What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software? A.XCCDF B.CPE C.CCE D.CVE

D.CVE Explanation OBJ-2: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A.Purge B.Degauss C.Destro D.Clear

D.Clear Explanation OBJ-3: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? A.Session management B.Output encoding C.Error Handling D.Input validation

D.Input validation Explanation OBJ-4: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce a variety of security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the < character into the &lt; string when writing to an HTML page.

Which of the following classifications would apply to patents, copyrights, and trademarks? A.PII B.PHI C.Trade secrets D.Intellectual property

D.Intellectual property Explanation OBJ-3: Patents, copyrights, and trademarks are all considered to be intellectual property. Trade secrets are considered proprietary and are not protected by governments. Personally identifiable information (PII) is any data that could potentially be used to identify a particular person. Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.

Which of the following is NOT a part of the vulnerability management lifecycle? A.Remediation B.Testing C.Detection D.Investigating

D.Investigating Explanation OBJ-2: The three phases of the vulnerability management lifecycle are detection, remediation, and testing.

An organization wants to choose an authentication protocol that can be used over an insecure network without having to implement additional encryption services. Which of the following protocols should they choose? A.RADIUS B.TACAS C.TACAS+ D.Kerberos

D.Kerberos Explanation OBJ-4: The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS, and TACACS+ are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.

You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? A.Rookit B.Keylogger C.Ransomware D.POS malware

D.POS malware Explanation OBJ-1.4: Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send to back to an attacker. A rootkit is a class of malware that modifies system files, often at the kernel level, to conceal its presence.