CySA+ Chapter Test
The frequency with which a company performs vulnerability scanning is dependent upon which of the following criteria? (Choose all that apply.) A. Scanning policy B. Vulnerability management planning C. Risk appetite D. Regulatory requirements E. Limitations of time, tools, and personnel
A - E
Which of the following is a standardized format for vulnerabilities, exposures, compliance, and other security-related data? A.) SCAP B.) NBE C.) CVE D.) CVSS
A
Which phase of the SDLC model is normally where development and operations conflict? A.) Implementation B.) Testing C.) Requirements D.) Development
A
You are running an instance of OpenVAS to scan your network, but you are not getting any results back. Which tool could you run on the network to see if your scan is being sent over the network and how hosts are responding to the scan? A.) Capture traffic with Wireshark and look for traffic over TCP port 9392. B.) Use Wireshark to determine if the IP addresses for the target hosts are blocking any traffic from port 9392. C.) Use Nikto to determine if any target web servers are listening on port 9392. D.) Use nmap to scan hosts to determine if they are listening on port 9392.
A
Which NIST publication outlines various controls for government agencies and information systems? a.) SP 800-53 b.) SP 800-37 c.) ISO 27000 d.) ISO 27001
a.) 800-53
Which of the following NIST publications describes a voluntary cybersecurity structure for organizations that are part of the critical infrastructure? a.) Cyber Security Framework (CSF) b.) International Organization for Standardization (ISO) c.) The Open Group Architecture Framework (TOGAF) d.) Control Objectives for Information and related Technology (COBIT)
a.) CSF
Which of the following from the Information Security Management System (ISMS) standards covers security management? A.) ISO/IEC 27002 B.) ISO/IEC 27000 C.) ISO/IEC 27001 D.) ISO/IEC 27003
A
A company is starting the process of remediating issues discovered in a vulnerability scan. One of the more severe vulnerabilities was found on a server that happens to contain highly sensitive data and is business critical. The vulnerability would permit exfiltration of the sensitive data across the network. A possible remediation would be implementing DLP. However, being such an important system, its remediation was halted by the chief information officer. In the context of degrading functionality, what might be a good course of action? A. Do not implement DLP, but do place a sniffer upstream to monitor for exfiltration. Inform the CIO. B. Cease and desist remediation. C. Resume remediation after the CIO goes home for the day. D. Discuss with the CEO. E. Check to confirm that the CIO is not on the ROE and then proceed with the original remediation.
A
A company utilizes a resource for storing employee credentials, otherwise known as an identity repository. In general, all employees have their network access validated by a central server. Although most employees work in the headquarters building, a small set of users work in locations that provide all their needed productivity services locally, except for the authentication. Communications between headquarters and these other locations either rely on a dedicated but unreliable low-bandwidth connection or occur across the Internet. All of the following identity repositories, except one, would be acceptable as a solution. Which repository must use a fully reliable and secure network? A. RADIUS B. TACAS+ C. LDAP D. XTACACS
A
All of the following are general steps you should take during the vulnerability remediation process, EXCEPT: A.) Rebuild systems. B.) Reconcile results. C.) Determine trends. D.) Review related logs and/or other data sources.
A
Apart from policies and regulatory requirements, what creates the largest impact on establishing an effective vulnerability scanning process? A. Regular routine and workflow of personnel B. Management style of the IT director or head of security C. Mandates from the chief of information security D. Personal whims of the CEO
A
Tywin is the CEO of a factory where most employees are paid hourly. Employees must submit on paper all their expected hours for the week by Tuesday to get paid on Friday. Jon, the factory floor manager, shares with Tywin that every week he hears the same complaints from employees: "How do I know by Tuesday that my schedule won't change by Friday?" Understanding the need for a quicker way to submit hours, Tywin remembers that his neighbor's son, Sam, has been taking web development courses at a university for a few semesters. Therefore, Tywin offers Sam an opportunity to help. After a few weeks of development, Sam launches a web application. Employees are told to authenticate and enter their hours using this application. The application then submits the hours to the Finance department and tells employees how much they can expect to get paid on Friday. Hours can be submitted as late as Thursday night. Jon reports to Tywin that employees are happy with the web application and it seems to be the subject of a constant buzz around the break room. Considering the issues discovered to date, what phase of software development was likely missing during the application lifecycle? A. Security requirements definition B. Stress testing C. Security regression testing D. Operations and Maintenance E. User acceptance testing
A
What is primary value of STIGs and NSA guides? A. They are a source of "best practice" principles. B. They are a proven source of vulnerability validation steps. C. They provide checklists detailing regulatory compliance. D. They specify configuration steps for secure networking.
A
What is the main purpose of the report after a vulnerability scan is complete? A. It is to be analyzed by the cybersecurity team responsible for the scan. B. It is used to evaluate the team responsible for the target environment. C. It is included in the full report given to executive management. D. It is used as a baseline for future vulnerability scans.
A
When configuring a vulnerability scanning tool, you may utilize at least one additional vulnerability feed beyond the product's own source. Selecting a feed that matches your needs is important. Which of the following will most influence your selection of vulnerability feed? A. Scanning frequency B. Company policy C. Regulatory requirements D. Senior management risk appetite
A
When needing a new server, a company administrator starts with installing a pre-built server image. The image has most services running and applications already installed to make the task as easy as possible. As the cybersecurity analyst, what would be your best recommendation for the administrator? A. Rebuild the server image with as few services and applications as possible. B. Rebuild the server image with all services and applications installed but not running. C. Create several server images depending on the subnet. D. Run a vulnerability scanner on the already-deployed servers.
A
Which of the following analysis techniques helps you compare new observations regarding the posture of a network to past ones, allowing you to make adjustments to the network. A.) Historical analysis B.) Regression analysis C.) Trend analysis D.) Statistical analysis
A
Which of the following drives the frequency with which you would perform vulnerability scans? A.) Governance B.) Configuration management procedures C.) Penetration testing schedule D.) Patch cycle
A
A special-purpose workstation connects with several external hosts during the normal workday. On the rare occasion, a connection triggers an alert on a network intrusion detection system or some other security device because malicious traffic is detected. This is because none of the external nodes are under the company's control or security policy. Because this is a necessary function of this particular workstation, the potential for malicious traffic is an acceptable risk. What should be the first line of defense to protect the workstation from a security incident? A. Antivirus B. Firewall C. HIDS D. Network-based IDS
A is correct. Antivirus (AV) on the host should be an obvious first line of defense. AV should be already present, at a minimum.
Vulnerability scanning does not always return reliable and accurate results. The results depend heavily on the systems being scanned. Which of the following systems would be the least likely to be identified and return genuine scan results? (Choose two.) A. CCTV camera, web-enabled with embedded Apache B. An open source firewall, customized by the scan target client C. Windows 2012 server, missing three months of patches and the latest Service Pack D. Novell NetWare 6.5
A, B
With regard to peer-to-peer network communication, which of the following observations should a cybersecurity analyst be concerned with as abnormal? (Choose all that apply.) A. Host-to-host connections using an unprivileged account B. Host-to-host connections using a privileged account C. Local user connecting to a print server on another subnet D. Client/server connections with high numbered client ports
A, B
Select from the following the data types that fall under the term "intellectual property." (Choose all that apply.) A. The patent behind a company's best-selling product B. Your favorite shoe company's trademark C. The secret recipe of a chicken flavoring D. The details about a company's marketing campaign
A, B, C
Your company plans to employ single sign-on for services and web-based applications. It needs to choose a federated identity technology for authorization and, if possible, authentication. Which of the following technologies satisfy the company's needs? (Choose all that apply.) A. SAML B. Active Directory Federated Services C. OAuth2 D. OpenID
A, B, C
Which of the following are possible consequences for unauthorized disclosure of PHI, depending on one's involvement. (Choose all that apply.) A. Documented record in employee file B. Suspension from employment C. Monetary fine D. Jail time E. Public execution
A, B, C, D
Compensating controls are available from both personnel and technology categories. Which of the following are technology-based controls? (Choose all that apply.) A. Automated log review and reporting B. Load balancers C. Dual control D. Cross-training E. Network design
A, B, E
At the company where you lead the cybersecurity team, a junior analyst misunderstands risk evaluation. You begin explaining how risk evaluation is performed by assessing probability and impact. You end with explaining the main purpose of risk evaluation as a balance between which of the following factors? (Choose two.) A. Value of a risk B. Potential cost of a risk C. Cost of the control to mitigate the risk D. Potential annual revenue lost E. Probability of a risk occurring
A, C
It's time to deliver a vulnerability report to the stakeholders. What are your options for distribution? (Choose all that apply.) A. Automated delivery via the report generation component of the vulnerability scanner B. Delivered entirely via e-mail to all administrators C. Delivered manually, through face-to-face meetings D. E-mailing only the portions immediately relevant to the individual
A, C
What are the most common vulnerabilities found in a network infrastructure? (Select two) A. Misconfiguration B. Broadcast storms C. WAP D. Enabled COM port
A, C
What are the most important types of results to identify from a vulnerability scan report? (Choose two.) A. False positives B. False negatives C. Policy validation D. Exceptions to policy
A, D
When it comes to prioritizing report outcomes, which of the following would you consider when deciding on response actions? (Select all that apply.) A. True negatives B. False positives C. Policy exceptions D. Validated vulnerabilities
A, D
Recently a few users have been complaining that their workstations are exhibiting some strange behavior. However you find no obvious events showing up in system logs and the application logs show nothing out of the ordinary. You suspect the issue could be new malware and decide to delve deeper. Select the most valuable data sources in the analysis. (Choose Two) a.) IDS/IPS b.) Router Logs c.) Security logs of affected servers d.) NGFW
A, D: IPS/IDS will have logs of behavior, while the firewall (NGFW) will have logs of the traffic.
Which of the following are valid concerns when considering the timing of penetration testing? (Choose all that apply.) A. Availability of the defenders to react to attacks B. Impact on business operations during normal hours C. Availability of executive management for reporting D. Size and scope of the penetration test
A,B,D
NAC solutions grant access based on which of the following? (Choose all that apply.) A. Roles B. Rules C. Rates D. Location E. System patch level F. Time of day
A,B,D,E,F
Your CEO recently read an article titled "Security Information and Event Management—How You Can Know Everything." The CEO has always been interested in alerts you receive from the company's vast array of systems, but he now is willing to invest in real-time analysis of those alerts. Which tool would you suggest the CEO invest in? A. ArcSight B. Bro C. Cacti D. tcpdump
A.) is correct. ArcSight is a powerful trio of platforms, intended for medium to large companies. Its correlation and analytics engines are mature and well-respected in the field of SIEM solutions. The CEO would be quite proud and pleased with ArcSight integrated into the current fold of alert management systems.
Recently a few users have been complaining that their workstations are exhibiting some strange behavior. However you find no obvious events showing up in system logs and the application logs show nothing out of the ordinary. You suspect the issue could be new malware and decide to delve deeper. Which of the following SIEM would be most valuable in this scenario? a.) Bro b.) Snort c.) Splunk d.) Elk
A: Bro is both signature and anomaly based.
A large number of ARP queries might indicate which of the following type of attack? A.) Cross-site scripting (XSS) attack B.) Ping sweep C.) TCP SYN flood D.) Man-in-the-middle (MITM) attack
B
A network engineer is responding to users complaining the network is slow. Looking at the blinking lights, the engineer notices considerable activity from the HR file server. What would be the network engineer's next step? A. Unplug the network cable at the switch going to the file server. B. Monitor usage and compare it against the baseline. C. Alert the CIO to the traffic spike. D. Sample the traffic using a packet analyzer.
B
A new virus called MSB3417, dubbed "Wildfire," is sweeping through organizations, infecting systems by exploiting a previously unknown vulnerability. Wildfire identifies and exfiltrates any spreadsheet documents with large dollar amounts. The documents are then covertly sent to a known and powerful adversarial country. What is this type of malware called? A. APT exploit B. Zero-day exploit C. Financial exfiltration malware D. Economic threat
B
A very honest user tells Jon that if a user enters a single quote, followed by "OR 1=1" in the password field, they can make the application reply with the hours of any employee. What part of software development did Sam likely overlook? A. Parameter validation B. Input validation C. Stress testing D. Session tokens not randomized
B
All the following are considerations in the decision to preserve or rebuild a compromised host, EXCEPT: A.) Threat intelligence value B.) Replacement value of the system C.) Crime scene evidence D.) Ability to restore
B
An important file that lists numbered bank accounts is tightly controlled, including a process for making any changes to that file. Although the file has no documented changes made in months, an analyst has determined its hashed value was changed sometime between today and last week. What would cause a different hash? A. New account added B. Unauthorized changes made C. Different hash generator used D. Drive capacity increased
B
An organization owns systems that are to be probed during a penetration test. Some of the systems intended for testing are production systems containing protected health information (PHI). What aspect of penetration testing is most in jeopardy of breaking the law due to regulatory compliance? A. Timing B. Scope C. Exploitation D. Reconnaissance
B
The cybersecurity team just finished recovering from an incident, but within a few days, similar indicators of compromise appear. The cybersecurity team determined that an attacker hijacked an account with elevated privileges. After the team investigated further, it seemed both incidents took advantage of the same attack vector. What was the root cause of the incident that the team failed to address in the earlier incident? A. Eradication B. Permissions C. Patching D. Containment
B
What detailed guides published by the CIS are equivalent to the Security Technical Implementation Guides published by the Defense Information System Agency and other government entities? A. Regression reports B. Benchmarks C. Security requirements definitions D. Secure coding best practice guides
B
What type of identity is unique in that its authorizations can vary in multiple ways? A. Services B. Roles C. Endpoints D. Applications
B
Which of the following bandwidth-consumption behaviors strongly indicates something suspicious? A. Higher-than-normal bandwidth, every day, at the same time B. Higher-than-normal bandwidth once, during off-peak hours C. Lower-than-normal bandwidth used during peak hours D. Higher-than-normal bandwidth used during peak hours
B
Which of the following host-based security technologies is especially suited for protecting Windows systems against threats, including zero-day vulnerabilities? A.) Snort B.) EMET C.) SecureSphere D.) PAM
B
Which of the following is an effective way that attackers can use an organization's bandwidth to hide data exfiltration? A.) By downloading information quickly before getting caught B.) By hiding data exfiltration during periods of peak use. C.) By exfiltrating data during periods of low use. D.) By attaching sensitive data to otherwise innocuous data while exfiltrating it.
B
Which of the following is not an essential element of exception management procedures? A. Involving the correct people B. Listing all stakeholders C. Ensuring access to the necessary information D. Documenting steps on how to handle decision disagreements
B
You are involved in an incident response and have discovered that data has been stolen that requires protection under federal law. Which the following levels of technical expertise or management determines both when and where to bring law enforcement into the response? A.) Technical experts and legal department B.) Legal department and management C.) Technical experts and management D.) Incident response team lead and legal department
B
Both qualitative analysis and quantitative analysis are approaches to evaluate what aspects of a risk? (Choose two.) A. Potential monetary loss to the company B. Likelihood of the risk occurring C. Severity of impact of the realized risk D. Material exposure
B, C
What levels of company management can provide authorization to conduct penetration testing? (Choose all that apply.) A. Director of IT security. B. Chief executive officer or a similar senior executive. C. Owner(s) of the data. D. Most senior cybersecurity analyst. E. Approval is optional until testing results show a need for further analysis.
B, C
Reference the exhibit.Which of the following ports indicate that the host 192.168.163.1 is a Windows-based host? (Choose all that apply.) A.) 902 B.) 139 C.) 135 D.) 445
B, C, D
A company has recently installed an IDS that's capable of detecting a broad set of malicious traffic and operates on signature-based identification. Which of the following types of threats will this IDS identify? (Choose all that apply.) A. Zero-day B. Threats labeled by CVE C. Unknown threats D. EICAR file E. Known threats
B, D, E
A user notices the workstation seems louder than normal—not necessarily fan noise, but the hard drive is constantly "working" without the user installing or moving any files. When the analyst asks if any other system behavior is occurring, the user replies the system seems a bit slower as well. What might be an issue the system is experiencing? A. Processor consumption B. Drive capacity consumption C. Memory consumption D. Network bandwidth consumption
C
Cybersecurity analyst Hank is conducting a risk assessment of the personnel data on an HR server. Obviously, any breach in confidentiality of that data would carry a critical impact. However, the server is hardened and maintained by junior analysts Walt and Jessie. Given the rating of "unlikely" for the likelihood of a confidentiality breach, what is the overall risk rating? (Refer to Figure 4-1.) A. The risk rating cannot be calculated. B. Low. C. Medium. D. High.
C
For years, vulnerability scanning tools output their findings with no standardization, resulting in an array of reporting styles, inconsistent levels of detail, and no guarantee a particular element was included. This was tolerated until the demand for policy compliance pushed vendors and NIST to form a solution to this problem. What was the result? A. FISMA B. NIST 800-53 C. SCAP D. ARF E. CVE
C
In the context of long-term effects from a security incident, particularly to a company's reputation and ability to gain potential business, which factor is the most impactful on an incident's severity? A. Recovery time B. Data integrity C. Economic D. System process criticality
C
Knowing the root cause and mechanics behind session hijacking, what is the most effective way to mitigate this specific attack? A. Employing extremely long session keys B. Using special character sets within sessions C. Encrypting the session key D. Ensuring sessions have a very short timeout
C
The Figures upper portion shows a portion of active connections on the author's desktop. The output is presented in the following order: protocol, local address, foreign address, connection state, and process ID. At the same time, the author opens Task Manager and takes note of a few running applications and their processes' IDs, as detailed in the lower section of the Figure. Which of these processes might the author want to investigate further? A. Dropbox.exe B. chrome.exe C. notepad.exe D. WINWORD.EXE
C
When you're securing endpoints, what is their main vulnerability in comparison to other identities with regard to authentication? A. Relative to servers, securing the endpoints is difficult to scale. B. Compared to applications, endpoints can only rely on token-based authentication. C. Relative to services, endpoints are vulnerable to replay attacks. D. Compared to personnel, endpoints are more difficult to lock down.
C
Which of the following is not a key concern for organizations relying on an outsourcing firm? A. Sufficient vetting B. Access to sensitive data by non-employees C. Redundancy of efforts D. Agreement on incident-handling responsibilities and decision-making
C
Which of the following techniques is used by attackers to hide data exfiltration using network bandwidth? A.) Exfiltrating data as fast as possible during high bandwidth usage B.) Masking data exfiltration in the network's normal traffic patterns C.) Using a low-and-slow approach to avoid detection during high bandwidth usage D.) Exfiltrating as much data as possible during high bandwidth usage
C
You are responsible for managing security on a corporate wireless network. In the past six months, you have discovered two rogue wireless access points, set up by internal users. Of the following, which would be the most effective security measure you can take to prevent this from occurring again? A.) Use IPSec. B.) Use MAC address filtering. C.) Use WPA Enterprise and IEEE 802.1x. D.) Use SSID cloaking.
C
Which of the following reasons are valid arguments for using server-based vulnerability scanning instead of agent-based scanning? (Choose all that apply.) A. Erratic connectivity to remote and mobile devices B. Limited bandwidth C. Limited personnel availability for maintenance D. Occasional rogue device connecting to the network
C, D
What Next-Generation Firewall (NGFW) company released "Wildfire," a cloud-based malware-detection service? A. Cisco B. Check Point C. Palo Alto D. Sourcefire
C.) is correct. Wildfire is a subscription service from Palo Alto. With Wildfire, Palo Alto moves malware detection to the cloud.
A security team member alerts you that a new domain account has been created, but there is no documented account request. Further, there is no legitimate way the account could be created without you or the team member's assistance. In fact, a quick look shows you the new user account has a session active now on a local host. What is your first step? A. Fire the team member. B. Log off the user session. C. Isolate the host. D. Reset the account password.
D
A vice president's workstation is acting erratically, so you investigate the laptop personally. You carefully review the system's application and security logs. You confirm the antivirus is running and nothing is quarantined. You evaluate the running processes and find nothing out of the ordinary. After using command-line utilities to confirm no strange network connections, you feel somewhat frustrated to find nothing to report. What action should you take next? A. Return the laptop to the vice president and report that all is fine. B. Reinstall and update the antivirus to rescan the system. C. Assume the laptop has a rootkit and wipe the system immediately. D. Use tools external to the laptop to explore the suspicion of a rootkit.
D
An incoming CIO starts their first day on the job by reading and becoming familiar with the company's security policies. The CIO dusts off policies about the management of pagers, fax machines, and CRT monitors, among other policies that seem to apply to technology no longer applicable to the business's goals and operations today. What might the incoming CIO add to their to-do list to address this issue? A. Retirement of processes B. Automated reporting C. Deputy CIO D. Scheduled reviews
D
Another honest user, Arya, reports that if she changes the user ID in the URL to someone else's ID number, she can get the paycheck total for that other person's week. The same user claims by changing other parameters in the URL, she can make the server reveal much information about itself and the application. If you could hire this Arya to perform security analysis work, what type of work does her experience seem to match? A. Regression testing B. Interception proxy C. User acceptance testing D. Vulnerability scanning
D
For which of the following types of data is it suggested that a company take additional steps, beyond policy and legal guidance, to protect the data's confidentiality from unauthorized eyes? Not protecting the selected data type might jeopardize the company's sustainability. A. HR personnel information B. PII C. Payment card information D. Accounting data
D
On this particular day, Walter has invited a vendor to come demonstrate a log review tool. At the last minute, the vendor mentions he will need a specially named account. Walter assures the vendor that the account will be ready in time for their 3:00 P.M. appointment. Walter informs the Director of UDE (DUDE) that the account is needed urgently and thus requests that he handle both steps of filling in the account info and the account approval. The DUDE abides. What particular security control is Walter breaking by circumventing the change request? A. Dual control B. Outsourcing C. Succession planning D. Separation of duties
D
Prioritizing vulnerabilities is made standard and fair given the Common Vulnerability Scoring System (CVSS). The CVSS ranks vulnerabilities on a 10-point scale using an equation based on several metrics. Which of the following is not a group of metrics used in scoring vulnerabilities? A. Attack Complexity/Attack Vector/Privileges Required/User Interaction B. Confidentiality Impact/Integrity Impact/Availability Impact C. Exploit Code Maturity/Remediation Level/Report Confidence D. Exploit Age/Attack Speed/Ease of Exploitation
D
Referring again to the Figure; consider the roles that should be involved when the company's server for handling payment transactions is compromised by an external hacker. Which of the following list of names includes all the stakeholders? A. Brown, Vaughn, Jobu, Cerrano, Hays B. Phelps, Brown, Jobu, Hays C. Phelps, Brown, Vaughn, Hays D. Phelps, Brown, Vaughn, Cerrano, Hays
D
The bureau has procured the new log review application. However, the task of integrating this application in with current systems is apparently quite challenging and specialized. Integration requires a high level of experience in database optimization, which only Walter possesses, at an intermediate level. The integration process is described by the vendor as "quick and painless" because all their sales engineers are both skilled and experienced in the requisite knowledge. What might be the best action to take, and who will be involved? A. Training (vendor trains Donnie) B. Dual control (vendor and Walter) C. Separation of duties (Donnie and Walter) D. Consultant (vendor)
D
What type of control is a hardware-based firewall? A. Administrative control B. Physical control C. Test control D. Logical control
D
Which are the key functions of the Framework Core of the CSF? a.) Identify, Protect, Detect, Respond, Recover b.) Identify, Process, Detect, Respond, Recover c.) Identify, Process, Detect, Delay, Recover d.) Identify, Protect, Detect, Delay, Recover
a.) ID, Protect, Detect, Respond, Recover!
Which of the following processes is focused on ensuring that you have identified the corresponding attack vectors and implemented effective countermeasures against them? a.) Validation b.) Verification c.) Eradication d.) Containment
a.) Validation - is the proper name of the processes within IR that is focused on identifying the AV and implement appropriate countermeasures.
Which of the following would NOT be considered in context-based authentication? a.) One-Time Password used for authentication was incorrect b.) Login attempt occurred outside of regular working hours c.) Session was initiated from a foreign country d.) commands that should have been manually entered were entered much faster than a human could
a.) one-time passwords are not considered in context based systems
When conducting a full packet capture of network traffic, which of the following is NOT a concern? a.) Easily identifying the source and destination of the traffic b.) Legal Consequences c.) Privacy Implications d.) data storage capacity
a.) with full capture identifying source and destination information is very simple
Which of the following two are features of Kerberos Authentication Protocol?(choose two) a.) Uses asymmetric encryption for authentication b.) Uses symmetric encryption for authentication c.) Requires the use of AS, KDC, and TGS d.) Requires the use of AD, KDC, GTS
b and c
All of the following are valid methods used to sanitize a drive, EXCEPT? a.) Encrypting b.) Formatting c.) Overwriting d.) Degaussing
b.) Formatting - does not remove data from the drive, it only deletes the file table entry for the data. The data per se still exists until overwritten.
ISO 27000 describes which of the following? a.) Control Objectives for Information and related Technology (COBIT) b.) Information Security Management System (ISMS) c.) Architecture Development Method (ADM) d.) International Electrotechnical Commission (IEC)
b.) ISMS
Which component of the CSF describes the degree of sophistication of cybersecurity practices? a.) Framework Core b.) Implementation Tiers c.) NIST SP 800-53 controls d.) ITIL processes
b.) Implementation Tiers
What device is part of a formal process to improve a cybersecurity posture by developing comprehensive and repeatable security processes unique to the organization? a.) Verification b.) Maturity Model c.) Quality Control d.) Regulatory Compliance
b.) Maturity Model
Popular framework that aims to standardize automated vulnerability assessment, management and compliance level is known as what? a.) CVSS b.) SCAP c.) CVE d.) PCAP
b.) Security Content Automation Protocol - a method of using open standards, called components, to identify software flaws and configuration issues.
According to the Center for Internet Security (CIS) Critical Security Controls (CSC), what is the number one aspect of managing security in your organization? a.) Cost to protect assets b.) Risk to the organization c.) Assets d.) Regulatory Governance
c.) Assets - in particular a proper inventory
During which type of reverse engineering analysis is a sandbox used to execute malware? a.) Code Analysis b.) Execution Analysis c.) Dynamic Analysis d.) Static Analysis
c.) Dynamic Analysis - requires a sandbox to which to run the malware.
A Security Analyst could test a team against social engineering attacks by all except which of the following? a.) Pretexting b.) Spear-Fishing c.) Footprinting d.) tailgating
c.) Footing printing is a technical operation gathering data on a logical device.
Which of the following statements is true about vulnerability assessments under the Health Insurance Portability and Accountability Act (HIPAA)? a.) HIPAA requires vulnerabilities to be remediated within 90 days. b.) HIPAA specifically excludes medical devices from vulnerability assessments. c.) HIPAA does not explicitly require vulnerability assessments, but does require mitigations for any discovered vulnerabilities d.) HIPAA requires vulnerability assessments on a quarterly basis
c.) HIPAA does not explicitly require vulnerability assessments, but does require mitigations for any discovered vulnerabilities.
What two factors are considered in making a quantitative assessment on risk? a.) Expected value and probability of occurrence b.) Expected value and probability of vulnerability c.) Potential loss and probability of occurrence d.) Potential loss and expected value
c.) Potential Loss and Probability of Occurrence
Which of the following statements is true about false positives? a.) False positives are not generally a problem but true negatives might be b.)False positives are indicative of human error in an automated scanning process. c.) False positives are more problematic for smaller organizations then larger ones. d.) False positives waste Organizational resources
d.) False Positives waste resources and thus should be identified early
Which network device might an attacker use to intercept all traffic on a network segment? a.) Switch b.) Wireless Router c.) Router d.) Hub
d.) Hub - connects all devices to the same physical network link, the attacker can see ALL traffic
Which of the following standards, composed of 5 core volumes, is widely accepted for service and information systems? a.) Information Security Management System (ISMS) b.) Cyber Security Framework (CSF) c.) The Open Group Architecture Framework (TOGAF) d.) Information Technology Infrastructure Library (ITIL)
d.) ITIL
You consult for a small business with no real IT staff. They want to install a network intrusion and network protection system on their perimeter. Cost is an issue, and they are NOT opposed to open source products, as long as you can support the solution. You've had limited experience with intrusion detection systems. of the following; which product would be most appropriate for this business? a.) Sourcefire b.) Palo Alto NFG c.) Bro d.) Snort
d.) Snort - free, open source IDS/IPS. t requires very little experience but can perform very well with someone who knows a little bit about its scripting language.
Which of the following are parameters that organizations should NOT use to determine the classification of data? a.) The level of damage probable if data is disclosed b.) Legal, regulatory, or contractual responsibilities to protect the data c.) The age of data d.) The types of controls that have been assigned to safeguard the data
d.) The types of controls already in place are NOT a consideration when determining the classification of data
Which of the following data sources would offer the least diverse, most precise kind of information? a.) Syslog b.) Firewall Logs c.) Packet Captures d.) Nmap Results
d.) nmap results are specifically focused around the command line argument given.
When performing a capture for wireless analysis, what mode must the wireless card support? a.) Managed b.) Ad Hoc c.) Mesh d.) Monitor
d.) the wireless card must be capable of entering monitor mode in order to capture AP beacons and traffic.
Netstat can provide all the following information except? a.) Listening Ports b.) Remotely Connected hosts IP address c.) Name of Program that opened the Socket d.) Name of the User who opened the Socket
d.) while it is possible to correlate the running process with netstat and process manager, netstat alone cannot give you the user that opened a socket.
