CySA Practice Exam #5


B. As part of the preparation phase, the organization should develop a communications plan that details which communication methods will be used during a compromise of various systems. If the analyst suspects the email server is compromised, then communication about the incident response effort (including detection and analysis) should shift to a different path, such as encrypted chat, voice, or another secure means, because anything sent through the suspect server can be read or altered by the adversary and tells them they have been spotted. Every analyst involved in working an incident should already have prepared alternate, out-of-band communications for exactly this case.

A SOC analyst has detected the repeated usage of a compromised user credential on the company's email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase? ​ A. Prepare a jump bag or kit for use in the investigation​ B. Develop a communications plan that includes provisions for how to operate in a compromised environment​ C. Conduct training on how to search for indicators of compromise​ D. Perform a data criticality and prioritization analysis

B. This is a difficult question, but the keyword in the query, "mimikatz," gives it away. Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other attacks it enables are pass-the-hash, pass-the-ticket, and building Kerberos golden tickets, which makes lateral movement after the initial foothold easy for attackers. It is definitely considered unauthorized software and should be alerted on immediately if discovered in your network. Note the event IDs in the query: Sysmon EventCode 10 (ProcessAccess) records one process opening a handle to another, which is how mimikatz reaches into lsass.exe to read credentials, while Windows Security events 4658 (handle closed) and 4689 (process exited) are excluded as noise. A keyword hunt only catches the tool while it keeps its name; a renamed binary still shows up as an unusual process requesting access to lsass.exe, so the GrantedAccess column matters as much as the SourceImage.

A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt:

Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess

Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? A. Data exfiltration B. Unauthorized software C. Processor consumption D. Irregular peer-to-peer communication
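The following is an added example, not part of the exam page: it re-implements the hunt query above in plain Python over constructed Sysmon-style records, then adds a second pass that keys on behaviour (a process opening lsass.exe with a suspicious access mask) rather than on the string "mimikatz". The sample events, paths, and the list of suspicious access masks are assumptions made for the example.

```python
"""Hunt over Sysmon ProcessAccess (Event ID 10) records for mimikatz-style
handle requests against lsass.exe, mirroring the page's search query."""
from collections import Counter

# Constructed sample records (not taken from any real host) in the shape a
# SIEM presents parsed Sysmon/Windows events. EventCode 10 is Sysmon
# ProcessAccess; 4658 (handle closed) and 4689 (process exited) are Windows
# Security events that the page's query excludes as noise.
SAMPLE_EVENTS = [
    {"EventCode": 10, "SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventCode": 4689, "ProcessName": r"C:\Tools\mimikatz.exe"},
    {"EventCode": 4658, "ObjectName": r"C:\Tools\mimikatz.exe"},
    # Same tool renamed: the keyword hunt cannot see it, the behaviour hunt can.
    {"EventCode": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

# Access masks credential dumpers commonly request on lsass.exe. Assumption:
# a heuristic starting list, not an exhaustive one; tune it to your telemetry.
SUSPICIOUS_LSASS_MASKS = {"0x1010", "0x1410", "0x1FFFFF", "0x1F1FFF"}


def matches_hunt_query(event):
    """Same logic as the page's query: keyword "mimikatz" anywhere in the
    event, EventCode 10 only, EventCode 4658 and 4689 dropped."""
    code = event.get("EventCode")
    if code in (4658, 4689) or code != 10:
        return False
    blob = " ".join(str(v) for v in event.values()).lower()
    return "mimikatz" in blob


def stats_by_access(events):
    """Equivalent of '| stats count by SourceImage, TargetImage, GrantedAccess'
    (the samples carry no _time field, so that key is omitted)."""
    counts = Counter()
    for ev in events:
        if matches_hunt_query(ev):
            counts[(ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"])] += 1
    return dict(counts)


def lsass_access_hits(events):
    """Behavioural pass that does not depend on the binary's name: any process
    opening lsass.exe with a suspicious access mask."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 10:
            continue
        target = ev["TargetImage"].lower()
        if target.endswith("\\lsass.exe") and ev["GrantedAccess"] in SUSPICIOUS_LSASS_MASKS:
            hits.append(ev["SourceImage"])
    return hits


if __name__ == "__main__":
    for key, n in stats_by_access(SAMPLE_EVENTS).items():
        print(n, *key)
    print("lsass access hits:", lsass_access_hits(SAMPLE_EVENTS))
```

The keyword pass reproduces the query's result (two hits for mimikatz.exe against lsass.exe with mask 0x1010); the behavioural pass additionally catches the renamed copy, which is why a mature hunt pivots from the tool name to the access pattern.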

A. Exact data match (EDM) is a pattern-matching technique that uses a structured database of string values to detect matches. For example, a company might hold a list of its customers' actual social security numbers. Since it is not appropriate to load those numbers into a DLP filter in the clear, EDM instead stores fingerprints (hashes) of the values and compares candidate content against those fingerprints. Of the listed options this is the closest fit. Be aware of the distinction in practice: a rule that keys only on the xxx-xx-xxxx format is generic regular-expression matching and will fire on any nine digits laid out that way, whereas a true EDM match fires only on values that exist in the indexed data set, which is why EDM produces far fewer false positives.

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? ​ A. Exact data match​ B. Classification​ C. Document matching​ D. Statistical matching

B. This is a Boolean-based SQL injection. It occurs when data supplied by a user is interpreted as a SQL command rather than as ordinary data by the backend database. URL-decoded, the value after the equal sign is 1 OR 17-7=10, so a query built by string concatenation becomes something like SELECT ... WHERE id=1 OR 17-7=10. The arithmetic 17-7=10 evaluates to true, and because it is joined with OR the whole condition is true for every row, so the database returns records (or grants access) that the id should have restricted. It is simply an obfuscated form of the classic OR 1=1 injection, written with arithmetic to slip past filters that look for the literal string 1=1. Parameterized queries, which bind the value as data rather than splicing it into the SQL text, prevent this entirely.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred? ​ A. Session hijacking​ B. SQL injection​ C. Buffer overflow​ D. XML injection
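As an added example (not part of the exam page), the following Python runs the URL-decoded payload from the log line above against an in-memory SQLite table twice: once through a query built by string concatenation, and once through a parameterized query. The table schema and its rows are constructed for the example; the page names no schema.

```python
"""The proxy-log value '1 OR 17-7=10', run against a string-built query and
against a parameterised one, using an in-memory SQLite database."""
import sqlite3
from urllib.parse import unquote

# URL-decoded form of the id parameter seen in the page's log line.
PAYLOAD = unquote("1%20OR%2017-7%3d10")  # -> "1 OR 17-7=10"


def make_db():
    """Constructed sample table (assumption: the page names no schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "home", 0), (2, "about", 0), (3, "admin-notes", 1)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """index.php?id=... built by concatenation: the parameter becomes SQL, so
    'WHERE id=1 OR 17-7=10' is true for every row and returns the whole table."""
    sql = "SELECT title FROM pages WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Validate the type, then bind the value: it can only be compared as data."""
    try:
        page_id = int(raw_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM pages WHERE id=?", (page_id,))
    return [row[0] for row in rows]


def looks_like_tautology(raw_id):
    """Cheap proxy-log triage: an id that contains SQL operators or keywords.
    Assumption: a first-pass heuristic only; the real fix is parameterisation."""
    decoded = unquote(raw_id).upper()
    return any(tok in decoded for tok in (" OR ", " AND ", "=", "--", "'", ";"))


if __name__ == "__main__":
    db = make_db()
    print("normal   :", lookup_vulnerable(db, "1"))
    print("injected :", lookup_vulnerable(db, PAYLOAD))
    print("bound    :", lookup_safe(db, PAYLOAD))
    print("flagged  :", looks_like_tautology("1%20OR%2017-7%3d10"))
```

The vulnerable lookup returns all three titles, including the restricted one, for the injected id; the bound lookup returns nothing, because the payload is not an integer and, even if it were passed through as text, it would only ever be compared against the id column as a value.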

D. This is a brute force attack. Unlike password spraying, which tries only one or two passwords against many users, a brute force attack tries many passwords against a single user. The goal is to crack that user's password and gain access to the account. Password spraying, by contrast, takes a large list of usernames and loops through them with a single password, which keeps each account below its lockout threshold.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:

[443] [https-get-form] host: diontraining.com login: jason password: password
[443] [https-get-form] host: diontraining.com login: jason password: CompTIACySA+
[443] [https-get-form] host: diontraining.com login: jason password: 123456
[443] [https-get-form] host: diontraining.com login: jason password: qwerty
[443] [https-get-form] host: diontraining.com login: jason password: abc123
[443] [https-get-form] host: diontraining.com login: jason password: password1

What type of attack was most likely being attempted by the attacker? A. Password spraying B. Impersonation C. Credential stuffing D. Brute force
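The distinction between brute force, spraying, and stuffing comes down to how many distinct users and distinct passwords appear per target. As an added example (not from the exam page), this Python parses the six log lines above, plus a constructed contrast log showing a spray, and classifies each host. The second log, the host name example.test, and the threshold of five attempts are assumptions made for the example.

```python
"""Classify a burst of failed logins as brute force, password spraying or
credential stuffing by counting distinct users and passwords per host."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"host:\s*(?P<host>\S+)\s+login:\s*(?P<login>\S+)\s+password:\s*(?P<password>\S+)")

# The six lines from the page's question.
PAGE_LOG = """\
[443] [https-get-form] host: diontraining.com login: jason password: password
[443] [https-get-form] host: diontraining.com login: jason password: CompTIACySA+
[443] [https-get-form] host: diontraining.com login: jason password: 123456
[443] [https-get-form] host: diontraining.com login: jason password: qwerty
[443] [https-get-form] host: diontraining.com login: jason password: abc123
[443] [https-get-form] host: diontraining.com login: jason password: password1
"""

# Constructed contrast case (not from the page): one password, many users.
SPRAY_LOG = """\
[443] [https-get-form] host: example.test login: alice password: Winter2024!
[443] [https-get-form] host: example.test login: bob password: Winter2024!
[443] [https-get-form] host: example.test login: carol password: Winter2024!
[443] [https-get-form] host: example.test login: dave password: Winter2024!
[443] [https-get-form] host: example.test login: erin password: Winter2024!
[443] [https-get-form] host: example.test login: frank password: Winter2024!
"""


def parse_attempts(log_text):
    """Return one dict per recognised line; unparseable lines are skipped."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append(m.groupdict())
    return attempts


def classify(attempts, threshold=5):
    """Per host: brute force = one user, many passwords; spraying = one or two
    passwords, many users; stuffing = many unique user:password pairs.
    Assumption: threshold is a tuning knob, 5 is arbitrary."""
    by_host = defaultdict(list)
    for a in attempts:
        by_host[a["host"]].append((a["login"], a["password"]))
    verdicts = {}
    for host, pairs in by_host.items():
        logins = {login for login, _ in pairs}
        passwords = {pw for _, pw in pairs}
        if len(logins) == 1 and len(passwords) >= threshold:
            verdicts[host] = "brute force"
        elif len(passwords) <= 2 and len(logins) >= threshold:
            verdicts[host] = "password spraying"
        elif (len(pairs) >= threshold
              and len(logins) == len(passwords) == len(set(pairs)) == len(pairs)):
            verdicts[host] = "credential stuffing (candidate)"
        else:
            verdicts[host] = "undetermined"
    return verdicts


if __name__ == "__main__":
    print(classify(parse_attempts(PAGE_LOG)))
    print(classify(parse_attempts(SPRAY_LOG)))
```

The page's log produces one user with six distinct passwords (brute force); the contrast log produces six users with one password (spraying). Stuffing shows up as many unique pairs, each tried once, because the attacker is replaying leaked credentials rather than guessing.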

C. While the contract documents' network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc.

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? ​ A. Acceptable use policy​ B. Service level agreement​ C. Rules of engagement​ D. Memorandum of understanding

B. Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the DMZ.

A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ? ​ A. Vulnerability scanning​ B. Privilege escalation​ C. Patching​ D. Installing additional tools

C. The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? ​ A. A cryptographically weak encryption cipher​ B. A website utilizing a self-signed SSL certificate​ C. A buffer overflow that is known to allow remote code execution​ D. An HTTP response that reveals an internal IP address

A. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing? ​ A. Fuzzing​ B. Stress testing​ C. User acceptance testing​ D. Security regression testing

A. Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks.

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? ​ A. Fuzzing​ B. Sequential data sets​ C. Static code analysis​ D. Known bad data injection
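The two fuzzing questions above describe the technique in one sentence; the following added example (not from the exam page) shows it working. A small mutation fuzzer feeds bit-flipped, truncated, and padded inputs to a deliberately fragile length-prefixed record parser and separates the parser's own rejections (ValueError) from genuine crashes. The parser, its record format, and the flaw it contains are all constructed for the example.

```python
"""A minimal mutation fuzzer run against a deliberately fragile parser, to
show the difference between an expected rejection and a real crash."""
import random


def parse_record(data: bytes) -> bytes:
    """Constructed target (not from the page): a length-prefixed record
    '<len><payload><checksum>'. Deliberate flaw: the declared length is
    trusted and never checked against the bytes actually present."""
    if len(data) < 2:
        raise ValueError("too short")
    declared = data[0]
    payload = data[1:1 + declared]
    checksum = data[1 + declared]          # IndexError once declared > available
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return bytes(payload)


def encode_record(payload: bytes) -> bytes:
    """Build a well-formed record to seed the fuzzer."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random structural edit: bit flip, byte insert, byte delete, truncate."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and len(data) > 1:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Feed mutated inputs to target. ValueError is the parser's own
    rejection path and is not a finding; any other exception is recorded
    with the first input that triggered it. The seed makes the run repeatable."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            target(sample)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, sample)
    return findings


if __name__ == "__main__":
    crashes = fuzz(parse_record, [encode_record(b"hello")])
    for name, sample in crashes.items():
        print(f"{name}: triggered by {sample!r}")
```

Within a few hundred iterations the fuzzer finds an input whose declared length exceeds the buffer and records the resulting IndexError together with the input that caused it; in a C parser the same flaw would be an out-of-bounds read rather than a clean exception, which is why fuzzing native code is paired with sanitizers.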

D. A network intrusion prevention system could disrupt an adversary's C2 channel by shutting it down or blocking it. While a firewall ACL might be lucky enough to deny an adversary the ability to establish the C2 channel, a NIPS is better suited to detect and block an adversary than a static ACL entry.

According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the C2 phase of the kill chain? ​ A. Anti-virus​ B. Port security​ C. Firewall ACL​ D. NIPS

A. The US Department of Health and Human Services (HHS) says that "Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information." HHS does not specify a minimum number of affected personnel. Therefore, the breach of a single record of PHI is sufficient to require a notification to the affected individual directly. If over 500 people are affected, then a notification to the media must also be made.

According to the US Department of Health and Human Services, notification of the individuals affected by a data breach containing PHI is required when how many individuals are affected? ​ A. 1​ B. 10​ C. 100​ D. 500

B. DevSecOps integrates security into the DevOps combination of software development and IT operations, making security a shared responsibility throughout the pipeline rather than a separate phase at the end. DevSecOps teams are better positioned to prevent problems like this because security requirements, code review, and testing are built in during development instead of being retrofitted afterward.

After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor at the cost of $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects? ​ A. Agile Model​ B. DevSecOps​ C. DevOps​ D. Waterfall Model

C. Port 22, the well-known port for SSH, is not in the list of open ports. The others map to running services: 80 and 443 are web (HTTP and HTTPS), 110 is POP3 email, 1433 is Microsoft SQL Server and 3306 is MySQL (database), and 3389 is RDP. Remember that a port scan only shows what is listening, not whether the listener is the expected service; banner grabbing or a version scan is needed to confirm that.

An analyst just completed a port scan and received the following results of open ports:

TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389

Based on these scan results, which of the following services are NOT currently operating? A. Web B. Database C. SSH D. RDP

A. Pass the hash (PtH) is the technique of harvesting an account's cached credentials, specifically the stored NTLM password hash, when the user logs in to a single sign-on (SSO) system, then presenting that hash directly to other systems to authenticate as the user. The attacker never needs the plaintext password; the hash itself is accepted. Lateral movement and pivoting describe where the attacker goes next rather than how the credential was obtained, and a golden ticket is a forged Kerberos ticket-granting ticket, a different credential-abuse technique.

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? ​ A. Pass the hash​ B. Lateral movement​ C. Pivoting​ D. Golden ticket

B. While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network.

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions? ​ A. There are no new risks due to the install and the company has a stronger physical security posture​ B. These devices should be isolated from the rest of the enterprise network​ C. These devices should be scanned for viruses before installation​ D. These devices are insecure and should be isolated from the internet

C. The post-incident activities phase is when report writing occurs, incident summary reports are published, evidence retention is determined, and lessons learned reports are created. An incident response has five stages: preparation, detection and analysis, containment, eradication and recovery, and post-incident activities.

An incident response team is publishing an incident summary report and is determining the evidence retention requirements for the data collected during a response. Which of the following incident response phases is currently being performed by the team? A. Preparation B. Detection and analysis C. Post-incident activities D. Eradication and recovery

B, C, E. Since online sales are critical to business operations, the impact would be categorized as organizational and not localized. While the immediate impact is a loss of sales due to the slow servers causing customer frustration and abandoned carts, the longer-term impact could include losing customers who never return. It is unlikely to include damage to the company's reputation, since a performance outage is not a trust and security issue in the way a data breach is, and for the same reason there is no regulatory trigger that makes notification of external authorities mandatory.

As a SOC analyst, you receive an alert concerning a dramatic slowdown affecting the company's e-commerce server due to the load balancer's critical failure. Your company depends on online sales for all of its business, and you know the immediate impact of this event will be a loss of sales. Which of the following is an appropriate classification of the impact in terms of the total impact and notification requirements? (SELECT THREE) ​ A. Total impact includes damages to the company's reputation​ B. Total impact includes a loss of customers C. Notification of external authorities is optional​ D. Notification of external authorities is required​ E. Organization impact is anticipated​ F. Localized impact is anticipated

C. The \b anchors mark word boundaries, so the pattern must sit on whole words rather than inside a longer run of characters. The REGEX is made up of four identical repeating groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?), separated by \., one for each octet of an IPv4 address. Each group accepts one of three alternatives separated by | (OR): 25 followed by a digit 0-5 (250-255), 2 followed by a digit 0-4 and then any digit (200-249), or an optional 0 or 1 followed by one digit and an optional second digit (0-199, including leading-zero forms such as 001). Since the period is a special character in a REGEX (it matches any character), the escape character \ is required for it to act as a literal dot. The sequence repeats four times, allowing every value from 0 to 255 in every octet. Since 259 is outside that range, it is rejected: a string starting with 25 must end with a digit between 0 and 5 (25[0-5]), and 2[0-4][0-9] excludes 25x, so 259 cannot match any alternative. The other three strings, including the leading-zero forms in B and D, are accepted. One practical caveat: because the pattern is not anchored with ^ and $, searching a string such as 999.1.2.3.4 still finds 1.2.3.4 inside it; use a full-string match when the goal is validation rather than extraction.

Consider the following REGEX search string:

\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

Which of the following strings would NOT be included in the output of this search? A. 1.2.3.4 B. 001.02.3.40 C. 37.259.129.207 D. 205.255.255.001
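As an added example (not part of the exam page), the following Python runs the IPv4 expression above over the four candidate strings, shows why an unanchored search is not a validator, and, for the earlier DLP question, contrasts a format-only SSN signature with an exact data match that checks candidates against hashed fingerprints of known values. The sample text, the indexed SSN, and the hashing scheme are assumptions made for the example.

```python
"""Run the page's IPv4 regular expression over the four candidate strings,
show why it should be anchored for validation, and contrast a format-based
SSN pattern with an exact-data-match lookup."""
import hashlib
import re

IPV4_RE = re.compile(
    r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")

CANDIDATES = ["1.2.3.4", "001.02.3.40", "37.259.129.207", "205.255.255.001"]

# Format rule equivalent to the DLP signature for xxx-xx-xxxx.
SSN_SHAPE_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample text; neither number is a real person's SSN.
SAMPLE_TEXT = ("Customer ref 123-45-6789 called from 555-1234; "
               "test fixture uses 987-65-4321 and order 123456789.")


def ipv4_matches(text):
    """Every substring the page's regex accepts."""
    return [m.group(0) for m in IPV4_RE.finditer(text)]


def rejected(candidates):
    """The candidates the regex does not accept anywhere in the string."""
    return [c for c in candidates if not IPV4_RE.search(c)]


def is_valid_ipv4(text):
    """Validation needs the whole string to match; word boundaries alone are not enough."""
    return IPV4_RE.fullmatch(text) is not None


def ssn_shape_matches(text):
    """Everything laid out as xxx-xx-xxxx, real or not."""
    return SSN_SHAPE_RE.findall(text)


def fingerprint(value):
    """EDM stores hashes of the real values, never the values themselves;
    normalising to digits first keeps '123-45-6789' and '123456789' equal."""
    digits = re.sub(r"\D", "", value)
    return hashlib.sha256(digits.encode()).hexdigest()


# Assumption: the organisation's indexed customer SSNs, here one constructed value.
FINGERPRINTS = {fingerprint("123-45-6789")}


def edm_hits(text, fingerprints):
    """Shape-match first to find candidates, then keep only those whose
    fingerprint is in the indexed set."""
    return [c for c in SSN_SHAPE_RE.findall(text) if fingerprint(c) in fingerprints]


if __name__ == "__main__":
    print("rejected:", rejected(CANDIDATES))
    print("loose search:", ipv4_matches("999.1.2.3.4"), "valid:", is_valid_ipv4("999.1.2.3.4"))
    print("shape hits:", ssn_shape_matches(SAMPLE_TEXT))
    print("EDM hits:", edm_hits(SAMPLE_TEXT, FINGERPRINTS))
```

Only 37.259.129.207 is rejected; 999.1.2.3.4 is found by search but fails fullmatch. The shape rule flags both nine-digit strings in the sample text, while the EDM lookup keeps only the one whose fingerprint is in the indexed set, which is the practical difference between the two DLP approaches.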

C. Reducing the sensitivity of a scan changes which findings are reported (for example, suppressing low-severity or informational results) but does not shorten the time the scanner spends probing hosts, so it would not stop one day's scan from overrunning into the next, and it could degrade the usefulness of the results. Adding a scanner, narrowing the scope, or scanning less often all directly shorten or parallelize the work.

Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue? ​ A. Add another vulnerability scanner​ B. Reduce the scope of scans​ C. Reduce the sensitivity of scans​ D. Reduce the frequency of scans

A. Multi-cloud is a cloud deployment model where the cloud consumer uses multiple public cloud services. In this example, Dave is using the Google Cloud, Amazon's AWS, and Slack's cloud-based SaaS product simultaneously.

Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following types of cloud deployment models is being used? A. Multi-cloud B. Community C. Private D. Public

B. C and C++ contain built-in functions such as strcpy that copy a string without any check of whether the data will overwrite the boundaries of the destination buffer, which is the classic setup for a buffer overflow. Of the options given, ensuring that the operating system supports ASLR is the recommended mitigation: by randomizing where the stack, heap, and libraries are loaded, ASLR makes it much harder for an attacker to turn an overflow into reliable code execution. It does not make the overflow itself impossible, so the strcpy calls in the code should still be replaced with a bounded copy (strncpy with an explicit size, or strlcpy/strcpy_s where available) and the program built with stack protection enabled.

Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following is cause for concern, and what mitigation would you recommend to overcome it? A. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java B. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C. strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java D. strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow

B. NIST SP 800-63B (part of the 800-63-3 suite) restricts the use of SMS for delivering a second factor because out-of-band messages sent over the public telephone network may be accessible to attackers. The codes can be intercepted or redirected through SIM-swap fraud, weaknesses in SS7 signaling, or VoIP numbers that forward texts to an attacker-controlled device, none of which require compromising Sally's own phone. Authenticator apps or hardware tokens are the preferred replacement.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? ​ A. SMS should be encrypted to be secure​ B. SMS messages may be accessible to attackers via VoIP or other systems​ C. SMS should be paired with a third factor​ D. SMS is a costly method of providing a second factor of authentication

C. The CIA Triad is a security model that helps people think about various parts of IT security. Integrity ensures that no unauthorized modifications are made to the information. The attack described here violates the integrity of the customer's bank account balance.

Edward's bank recently suffered an attack where an employee made an unauthorized modification to a customer's bank balance. Which tenet of cybersecurity was violated by this employee's actions? A. Confidentiality B. Authentication C. Integrity D. Availability

B. The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen.

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? ​ A. Require all new employees to sign an NDA​ B. Require data at rest encryption on all endpoints​ C. Require a VPN to be utilized for all telework employees​ D. Require data masking for any information stored in the database

A. Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls.

If an administrator cannot fully remediate a vulnerability, which of the following should they implement? ​ A. A compensating control​ B. An engineering tradeoff​ C. A policy​ D. Access requirements

B. Authentication was a base metric only in CVSS version 2 (Au). In CVSS 3.x the base score is made up of eight metrics: attack vector (AV, called access vector in v2), attack complexity (AC, access complexity in v2), privileges required (PR), user interaction (UI), scope (S), confidentiality (C), integrity (I), and availability (A). Privileges required and user interaction replaced the v2 authentication metric, so authentication is the one listed option that is not part of the current base score.

In a CVSS metric, which of the following is NOT one of the factors that comprise the base score for a given vulnerability? ​ A. Access vector​ B. Authentication​ C. Access complexity​ D. Availability

A. Rootkits are usually classed as either kernel mode or user mode. CPU architectures define several protection rings. Ring 0 has complete access to any memory location and, therefore, any hardware devices connected to the system. Processes that operate with ring 0 privileges are referred to as working in kernel mode. As this suggests, only the bootloader and the core of the operating system, plus some essential device drivers, are supposed to have this access level.

In which operating system ring is a kernel rootkit typically installed? ​ A. Ring 0​ B. Ring 1​ C. Ring 2​ D. Ring 3

A. Privilege escalation attacks seek to increase the access level that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

In which type of attack does the attacker begin with a normal user account and then seek additional access rights? ​ A. Privilege escalation​ B. Spear phishing​ C. Cross-site Scripting​ D. Remote code exploitation

C. Over-the-shoulder code reviews rely on a programmer explaining their code to a peer. This provides a chance for a review of the code and a better understanding of both programmers' code. In this example, Marta is explaining her code to Jorge while he looks over her shoulder.

Jorge and Marta are working on a programming project together. During a code review, Marta explains her code to Jorge while looking at the code on her computer. Which of the following code review techniques is being used in this scenario? ​ A. Pair programming​ B. Dual control​ C. Over-the-shoulder​ D. Tool-assisted review

B. The getfacl command reads a file's access control list and standard permissions, and with the -R option it walks a directory tree recursively; redirecting its output to a text file (for example, getfacl -R / > permissions.txt) produces a backup of the permissions for the complete directory structure. The companion command setfacl --restore can apply that file later to put the permissions back. chbkup and aclman are not real Linux tools, and iptables manages the firewall.

Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure? ​ A. chbkup​ B. getfacl​ C. aclman​ D. iptables

A. Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network.

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? ​ A. Agent-based scanning​ B. Server-based scanning​ C. Passive network monitoring​ D. Non-credentialed scanning

C. Linux systems use sshd (the SSH daemon) to provide SSH connectivity, and it is configured through sshd_config. The PermitRootLogin directive controls whether root may authenticate over SSH: setting it to no denies all root logins while still allowing any authenticated non-root user to connect, and prohibit-password is an intermediate setting that allows root only with key-based authentication. After editing the file, reload or restart sshd for the change to take effect. An iptables or network IPS rule cannot single out root logins because the username travels inside the encrypted channel, and adding root to sudoers does nothing to restrict access.

Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? ​ A. Add an iptables rule blocking root logins​ B. Add root to the sudoers group​ C. Change sshd_config to deny root login​ D. Add a network IPS rule to block root logins

D. Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives.

What document typically contains high-level statements of management intent? ​ A. Procedure​ B. Guideline​ C. Standard​ D. Policy

D. The bottom layer is the physical hardware. In a bare-metal (Type 1) environment the hypervisor is installed directly on that hardware, with no host operating system beneath it, and the hypervisor mediates the guest operating systems' access to the CPU, memory, and devices. From the bottom up, the stack is physical hardware, hypervisor, guest operating systems.

What is the lowest layer (bottom layer) of a bare-metal virtualization environment? ​ A. Hypervisor​ B. Host operating system​ C. Guest operating system​ D. Physical hardware

C. The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might be selected members of in-house security staff, or a third-party company or consultant contracted to perform the role.

What role does the red team perform during a tabletop exercise (TTX)? ​ A. Cybersecurity analyst​ B. System administrator​ C. Adversary​ D. Network defender

D. Scanners identify services by banner grabbing, that is, connecting to an open port and reading whatever the service announces about itself (such as an SSH version string or an HTTP Server header), and by comparing the responses they receive to a database of known service fingerprints, which works even when a banner is missing or has been altered. Registry scanning requires credentialed access to the host rather than a network probe, UDP response timing is not a service-identification technique, and nmap's -O option performs operating-system detection rather than service identification.

What techniques are commonly used by port and vulnerability scanners to identify the services running on a target system? ​ A. Comparing response fingerprints and registry scanning​ B. Banner grabbing and UDP response timing​ C. Using the -O option in nmap and UDP response timing​ D. Banner grabbing and comparing response fingerprints

D. Cisco devices use the standard syslog severity levels, which run from 0 (emergencies) through 7 (debugging). Configuring logging at level 7 captures debugging messages and everything more severe, so it is the most verbose setting and is normally used only while troubleshooting because of the volume it produces.

What type of information will a Cisco switch log be configured to capture logs at level 7? ​ A. Emergencies​ B. Errors​ C. Warnings​ D. Debugging

C. The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow and therefore fails to consider that an adversary may retreat during an attack. The MITRE ATT&CK framework and the Diamond Model are more dynamic and allow for a broader range of adversary behaviors. The AlienVault cyber kill chain was specifically designed to avoid the rigidity of the Lockheed Martin version.

Which analysis framework makes no allowance for an adversary retreat in its analysis? ​ A. MITRE ATT&CK framework​ B. Diamond Model of Intrusion Analysis​ C. Lockheed Martin cyber kill chain​ D. AlienVault (AT&T Cybersecurity) Cyber Kill Chain

A. The MITRE ATT&CK framework documents each adversary technique with the data sources and detection guidance needed to spot it and the mitigations that counter it, and it ties specific techniques back to the named threat groups and software known to use them. The Diamond Model and the kill chain describe the shape of an intrusion at a higher level, and OpenIOC is a format for sharing indicators rather than detection or mitigation guidance.

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? ​ A. MITRE ATT&CK framework​ B. Diamond Model of Intrusion Analysis​ C. Lockheed Martin cyber kill chain​ D. OpenIOC

A. NIST defines self-checking behavior as a control used to prohibit illicit modification of hardware components. This can be implemented using anti-tamper technology such as a field-programmable gate array (FPGA), a physically unclonable function (PUF), or other techniques; when the device detects a modification it does not recognize, it refuses to activate.

Which of the following has occurred if a device fails to activate because it has detected an unknown modification? ​ A. Self-checking​ B. Obfuscation​ C. Failed trusted foundry​ D. Improper authentication

B. Patching, permissions, scanning, and verifying logging are the components of the security incident validation effort. Sanitization is a component of the security incident eradication effort.

Which of the following is NOT a part of the security incident validation effort? ​ A. Scanning​ B. Sanitization​ C. Patching​ D. Permissions

B. For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations.

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center? ​ A. Schedule scans to be conducted evenly throughout the day​ B. Schedule scans to run during periods of low activity​ C. Schedule scans to begin at the same time every day​ D. Schedule scans to run during peak times to simulate performance under load

A. Full packet capture records the complete payload of every packet crossing the network, so a cleartext password is visible in the captured data. The other methods will not provide sufficient information. A NetFlow analysis will show where communications occurred, by what protocol, to which devices, and how much content was sent, but it will not reveal anything about the content itself since it only records metadata for each flow crossing the network.

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? ​ A. Full packet capture​ B. Net flow capture​ C. SIEM event log monitoring​ D. Software design documentation review

A. The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.

Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? ​ A. Trusted Foundry (RF)​ B. Supplies Assured (SA)​ C. Supply Secure (SS)​ D. Trusted Access Program (TAP)

C. Public relations staff should be included in incident response teams to coordinate communications with the general public and the media to manage any negative publicity from a serious incident. Information about the incident should be released in a controlled way when appropriate through known press and external public relations agencies.

Which of the following roles should coordinate communications with the media during an incident response? ​ A. System administrators​ B. Senior leadership​ C. Public relations​ D. Human resources

D. From least to most permissive, the best answer is 111, 734, and 747. Linux permissions are read "owner, group, other." They also have numbers that are 4 (read), 2 (write), and 1 (execute). If a number shown is 7, that is 4+2+1 (read/write/execute) permissions. Therefore, the least permission is 000, and the most permissive is 777. The permission set of 111 is execute-execute-execute. The permission set of 734 is read/write/execute-write/execute-read. The permission set of 747 is read/write/execute-read-read/write/execute.

Which of the following sets of Linux permissions would have the least permissive to most permissive? ​ A. 777, 444, 111​ B. 544, 444, 545​ C. 711, 717, 117​ D. 111, 734, 747

B. The Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use.

Which of the following tools is useful for capturing Windows memory data for forensic analysis? ​ A. dd​ B. Volatility Framework​ C. Wireshark​ D. Nessus

B. A field-programmable gate array (FPGA) is an anti-tamper mechanism that makes use of a type of programmable controller and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique features of the device. This means that tampering with a device, such as removing the chip or adding an unknown input/output mechanism, can be detected.

Which of the following types of solutions would you classify an FPGA as? ​ A. Hardware security module​ B. Anti-tamper​ C. Trusted platform module​ D. Root of trust

B. The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM.

Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets? ​ A. Employee workstations​ B. Cloud services​ C. Mobile devices​ D. On-premise servers

C. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct internal and external scans at prescribed intervals on any devices or systems that process credit card data.

Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it? ​ A. Driver's license numbers​ B. Insurance records​ C. Credit card data​ D. Medical records

D. The string aGVsbG8gd29ybGQNCg== is using Base64 encoding. Base64 encoding is commonly used to convert binary data, such as ASCII text characters, into an encoded string to bypass detection mechanisms in a network. While a Base64 string won't always end with an equal or double equal sign, it is common to see them used. This is because the equal signs are used to pad the string to the proper length and complement the final processing of the message's encoding.

Which of the following types of output encoding is being used in the following output?

aGVsbG8gd29ybGQNCg==

​ A. ASCII​ B. Hex​ C. XML​ D. Base64

C. IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can.

Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise? ​ A. Software as a Service (SaaS)​ B. Infrastructure as a Service (IaaS)​ C. Infrastructure as Code (IaC)​ D. Software Defined Networking (SDN)

A. Nikto is a web application scanner that can perform comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

Which of the following vulnerability scanning tools would be used to conduct a web application vulnerability assessment? ​ A. Nikto​ B. OpenVAS C. Nessus​ D. Qualys

A, B, D, F. During the installation phase, the adversary takes actions to establish a footprint on the target system and attempts to make it difficult for a defender to detect their presence. The attacker may also attempt to frustrate any efforts to remove them from the system if their presence is detected. For this reason, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target.

Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR) ​ A. Install a webshell on a server​ B. Install a backdoor/implant on a client victim​ C. Collect user credentials​ D. "Time stomp" on a malware file to appear as if it is part of the operating system​ E. Open two-way communications channel to an established C2 infrastructure​ F. Create a point of presence by adding services, scheduled tasks, or AutoRun keys

C. Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server.

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? ​ A. Advanced anti-malware​ B. Startup Control​ C. Measured boot​ D. Master Boot Record analytics

C.

Which party in a federation provides services to members of the federation? ​ A. IdP​ B. SSO​ C. RP​ D. SAML

A.

Which security control would prevent unauthorized users from connecting to a company's wireless network? ​ A. NAC​ B. Firewall​ C. IPS​ D. Segmentation

A. An insider threat is a type of threat actor who has been assigned privileges on the system and causes an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or can make crucial mistakes that open up exploitable security vulnerabilities.

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? ​ A. Insider threat​ B. Hacktivist​ C. Organized Crime​ D. APT

C. Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation produces a number too large to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example.

You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? ​ A. SQL injection​ B. Impersonation​ C. Integer overflow attack​ D. Password spraying

D. Before any change to a baseline occurs, a Request for Change should be submitted. This submission starts the change management process within your organization.

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor's website. What should you do next? ​ A. Start the incident response process​ B. Establish continuous monitoring​ C. Rescan the server to ensure the vulnerability still exists​ D. Submit a Request for Change using the change management process

D. A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks. This code snippet is an example of a Java implementation of a parameterized query.

You are conducting a static code analysis of a Java program. Consider the following code snippet:

String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );

Based on the code above, what type of secure coding practice is being used? ​ A. Input validation​ B. Session management​ C. Authentication​ D. Parameterized queries

C. Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker.

You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? ​ A. Self-service password reset​ B. Single sign-on​ C. Context-based authentication​ D. Password complexity

B. If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB.

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? ​ A. Beaconing​ B. Data exfiltration​ C. Introduction of new accounts​ D. Unauthorized privilege

C. The default macOS file system for the drive is HFS+ (Hierarchical File System Plus).

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? ​ A. FAT32​ B. exFAT​ C. HFS+​ D. NTFS

C. Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company.

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions? ​ A. Disable unused user accounts​ B. Review and enhance patch management policies​ C. Proactively sanitize and reimage all of your routers and switches​ D. Restrict host access to peripheral protocols like USB or Bluetooth

C. All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion.

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? ​ A. Disable unused user account and reset the administrator credentials​ B. Restrict shell commands per user or per host for least privilege purposes​ C. Scan the network for additional instances of this vulnerability and patch the affected assets​ D. Restrict host access to peripheral protocols like USB and Bluetooth

C. LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636 since LDAP services over port 636 are encrypted by default.

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever possible. What should you do? ​ A. Conduct remediation actions to update encryption keys on each server to match port 636​ B. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical​ C. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636​ D. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks

A. journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we can send that list of entries into the grep command as input and filter the results before they are returned to the screen.

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) ​ A. journalctl _UID=1003 | grep sudo​ B. journalctl _UID=1003 | grep -e 1003 | grep sudo​ C. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo​ D. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo

D. The find command will by default look at every single file starting in a designated subdirectory (in this case /var/log) and will execute whatever command is specified between "-exec" and "\;" with the 'found' file being substituted for the "{}". Executing grep on every file with the -H parameter ensures the filename with the full path is displayed. The -e option in grep specifies a regular expression. "[Tt]erri" is the correct regular expression to match "Terri" or "terri".

You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in "/var/log" for any references to "Terri" or "terri" on a Linux server? ​ A. find /var/log/ -name *.log -exec grep -H -e "'Terri' OR 'terri'" {} \; 2>/dev/null​ B. find /var/log/ -exec grep -H -e "'terri' OR 'Terri'" {} \; 2> /dev/null​ C. find /var/log/ -name "*.log" -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null​ D. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2> /dev/null

A, B. While scanning for viruses is a good idea and should be done, that alone is insufficient to detect all the ways an advanced adversary could have manipulated your laptop if it were outside of your custody for any significant length of time, such as leaving it in your hotel room. A 'before' image would be needed to compare the laptop to upon returning to detect possible hardware modifications.

You have just returned from a business trip to a country with a high intellectual property theft rate. Which of the following precautions should you take before reconnecting your laptop to your corporate network? (SELECT TWO) ​ A. The laptop should be scanned for malware​ B. The laptop should be physically inspected and compared with images made before you left​ C. The laptop should be permanently destroyed​ D. The laptop should be sanitized and reimaged​ E. The laptop's hard drive should be degaussed prior to use​ F. The laptop's hard drive should have full-disk encryption enabled

D. Tombstone remediation quarantines the original file and replaces it with one describing the policy violation and how the user can have it re-released.

You have tried to email yourself a file named "passwords.xlsx" from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred? ​ A. Alert only​ B. Blocking​ C. Quarantine​ D. Tombstone

B. Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified.

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement? ​ A. The first responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody​ B. Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance​ C. An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a non-compromised resource​ D. The Human Resources department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that is viewed during an investigation

D. Since the data breach is now the subject of an active law enforcement investigation, your organization should request that a law enforcement agent speak with your employees to give them clear guidance on what they should and should not say to people outside of the investigation. Additionally, the company's system administrators and analysts should not perform any actions on the network until they receive law enforcement guidance. This will ensure that the employees do not accidentally destroy or tamper with potential evidence of the crime.

Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach. They will assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? ​ A. Require all employees to commit to an NDA about the data breach verbally​ B. Require all employees to commit to an NDA about the data breach in writing​ C. Block all employee access to social media from the company's network and begin monitoring your employee's email​ D. Ask a member of law enforcement to meet with your employees

B. Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec.

Your organization requires the use of TLS or IPSec for all communications with an organization's network. Which of the following is this an example of? ​ A. Data at rest​ B. Data in transit​ C. Data in use​ D. DLP

