Digital Forensics exam review ch 4 and 5
Which of the following indicate the email highlighted below may be suspicious? (Select two.)
The link in the email is to an IP address; it is not to Microsoft's website. &. There are several spelling mistakes in the email.
A recently patched Windows machine on your network no longer responds to ping, but you have confirmed it is otherwise functioning normally and servicing incoming connections to other machines on the network. No other changes were made to the machine or its connection to the network. When you use hping3, you get the following output. Which of the following BEST explains that behavior?
The machine's firewall is blocking ICMP.
Which of the following best describes a script kiddie?
A hacker who uses scripts written by much more talented individuals.
When a host initiates a connection to a server via the TCP Protocol, a three-way handshake is used. What is the host's final reply?
ACK
A security analyst and their team go through the entire list of assets in the company and assign each item a level of priority. Then they group the assets in the same levels together so they can create defense strategies for each group. What is this process called?
Bundling critical assets
Robyn, a new employee, needs to choose a password to log into the system. She doesn't want to forget it, but she needs to meet certain criteria required by security. What should she do?
Choose a password that's easy to remember but doesn't include any personal information.
Which of the following are considered DNS hardening techniques?
Clean up out-of-date zones. Optimize resources to their full potential. Learn about your web server software.
Gathering information about a system, its components, and how they work together is known as which of the following?
Footprinting
A user has reported that they can't remote into the OpenSSH service running on their Windows 10 machine that they use to transfer files from a development Linux box. You are at the Windows machine and have Task Manager running. You notice that the SSHD, the OpenSSH server process, is not in the list on the Processes tab of Task Manager. Which tab on the screenshot below would you click on, and which steps could you take to start the service and ensure it starts every time the machine is booted?
Click on the Services tab and then click Open Services at the bottom. Then find the OpenSSH SSH Server entry, double-click on it, and click the Start button. Change the Startup Type field to Automatic.
What should be the FIRST reconnaissance countermeasure taken?
Create information sharing policies.
The following output was displayed using the Social Engineering Toolkit (SET). Which attack method was used to capture the user's input?
Credential harvesting attack method
During the reconnaissance phase, an attacker is looking for common attack vectors. Which of the following services is MOST likely to be targeted?
DNS
What is vandalism?
Damaging or defacing assets
Ron, a hacker, wants to gain access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in?
Development phase
As a security technician who is in charge of physical security for computer and network resources, you are responsible for ensuring a quick recovery should an event occur. A physical storage device controlling data backups has failed, causing corruption for a weekly full backup. It failed on Saturday. On Monday, you noticed the errors and have since run a restore of needed data and a full backup to ensure continuity. The failed device has been replaced. Since each work day creates unique data to be backed up, which type of backup would be the preferred method to make certain each day's data was properly maintained while ensuring efficiency?
Differential backup
A hacker wants to leverage social media to glean information coming from a certain location. Which tool is BEST suited for the job?
Echosec
Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique?
Elictitation
A speaker was invited to a company-wide training meeting. When he arrived, he identified himself at the front desk, and the receptionist gave him directions on how to find the conference room. What important step did the receptionist miss?
Escorting him to the conference room
What information will be returned from the following google search?
Excel documents with the word "password" in the title, but not from .gov and .gov.uk websites.
The receptionist receives a call from a customer who asks for the customer support manager's name and email address to send them a thank you email. How should the receptionist proceed?
Forward the call to the help desk
A hacker wants to check if a port is open using TCP Protocol. The hacker wants to be stealthy and not generate any security logs. Which type of port scan is BEST suited for this endeavor?
Half-open scan
A company is in the process of hiring Jill, a new technician. HR has checked the background and references of the candidate. What are some next steps in the hiring process that HR should take?
Have her sign an NDA and AUPs.
You are in the process of implementing policies and procedures that require employee identification. You observe employees holding a secure door for others to pass through. Which of the following training sessions should you implement to help prevent this in the future?
How to prevent piggybacking and tailgating.
A hacker doesn't want to use a computer that can be tracked back to them. They decide to use a zombie computer. Which type of scan BEST describes what the hacker is doing?
Idle scan
Hackers use social networking, dumpster diving, social engineering, and web surfing during which portion of their reconnaissance?
Information gathering techniques
John, a security analyst, conducted a review of a company's website. He discovered that sensitive company information was publicly available. Which of the following information sharing policies did he discover was being violated?
Internet
Troy, a security analyst, is tasked with reviewing company websites to see which type of information is being shared. Which sharing policy BEST describes this topic?
Internet
You are auditing your network for online hosts and open ports. You are using nmap to perform this task. There are notes left from a previous administrator listing the command that they used to perform a previous audit, but there is no explanation as to what it does. You try the command and get the following output. What did the nmap -O 192.168.122.84 command do?
It tried to determine which operating system was running on the host.
Which of the following BEST describes a physical barrier used to deter an aggressive intruder?
Large flowerpots
A company has a list of high-value assets (HVAs). As a security analyst, what must you do to help protect those assets? (Select two.)
Make sure the response team can easily identify the HVAs. &. Make sure an incident involving one of the HVAs is always high priority.
While reviewing video files from your organization's security cameras, you notice a suspicious person using piggybacking to gain access to your building. The individual in question did not have a security badge. Which of the following would you most likely implement to keep this from happening in the future?
Mantraps
Which of the following are tactics social engineers might use?
Moral obligation, ignorance, and threatening
Troy, a security analyst, is looking for a vulnerability scanning tool for internal use. His boss has told him to find the industry standard tool. Which tool BEST fits his mandate?
Nessus
John, a security analyst, needs a network mapping tool that will diagram network configurations. Which of the following BEST fits this category?
NetAuditor
Which type of information contains intellectual property?
Operations
Which information type is a hacker working with when they gather geographical information, entry control points, and employee routines?
Physical security
Which scanning tool uses ICMP protocol?
Ping
Important aspects of physical security include which of the following?
Preventing interruptions of computer services caused by problems such as fire
What are the three factors to keep in mind with physical security?
Prevention, detection, and recovery
An employee not authorized to release news to the press speaks to a reporter about upcoming management changes. Which sharing policy BEST explains why this shouldn't happen?
Printed materials
Which of the following BEST describes what asset criticality does?
Prioritizes systems for scanning and remediation.
A person in a dark grey hoodie has jumped the fence at your research center. A security guard has detained this person, denying them physical access. Which of the following areas of physical security is the security guard currently in?
Security sequence
Brandon is helping Fred with his computer. He needs Fred to enter his username and password into the system. Fred enters the username and password while Brandon is watching him. Brandon explains to Fred that it is not a good idea to allow anyone to watch you type in usernames or passwords. Which type of social engineering attack is Fred referring to?
Shoulder surfing
You have a set of DVD-RW discs that were used to archive files from your latest project. You need to prevent the sensitive information on the discs from being compromised. Which of the following methods should you use to destroy the data?
Shred the discs.
Any attack involving human interaction of some kind is referred to as which of the following?
Social engineering
You are instant messaging a coworker, and you get a malicious link. Which type of social engineering attack is this?
Spim
William understands the need to keep internal and external DNS separate as a security countermeasure. Which term BEST describes this countermeasure?
Split DNS
The following header is seen when inspecting traffic from a web server to a browser client. What might a security consultant recommend be changed to reduce risk for the web server?
The administrator can disable the banner in IIS.
You are a security consultant and have been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a biometric fingerprint lock. A receptionist is located next to the locked door in the reception area. They use an iPad application to log any security events that may occur. They also use their iPad to complete work tasks as assigned by the organization's CEO. What could you do to add an additional layer of security to this organization?
Train the receptionist to keep his or her iPad in a locked drawer.
You want to properly dispose of papers with sensitive content. You want to ensure that it's nearly impossible for a dumpster diver to put the information back together. What should you do?
Use a crosscut shredder
You have implemented a regular backup schedule for a Windows system, backing up data files every night and creating a system image backup once per week. For security reasons, your company has decided not to store a redundant copy of the backup media at an off-site location. Which of the following would be the best backup and storage option?
Use incremental backups and store them in a locked, fireproof safe.
A resentful employee hacks into a company's website and replaces all the text and images with obscene material. They also replace all links with malicious ones. This is an example of which of the following?
Vandalism
Kjell is a security analyst and needs to see if any sensitive information is available through old website snapshots. Which tool is BEST suited for this purpose?
Wayback Machine
An attacker needs the following information about his target: domain ownership, domain names, IP addresses, and server types. Which tool is BEST matched for this operation?
Whois
When performing active reconnaissance, a malicious actor may try to do which of the following?
Work at peak hours to blend in
Which type of scan turns on an abundance of flags, causing the packet to be lit up?
Xmas tree scan
When scanning a Linux machine for running applications, you see the following output. Which kill signal should you use to clean up the offending process?
kill -9
You have been tasked with securing a Linux box that the development team needs occasional FTP access to. The developers should start the vsftpd daemon as needed and then stop it when finished with their task. To help prevent the vsftpd service from running unintentionally, you run the following command and receive the output listed. What command should you run to prevent the service from starting when the Linux machine boots?
systemctl disable vsftpd
As a security consultant, you have been tasked with checking what company data is currently visible to the public. Using theHarvester tool, you query for information and receive too much information coming from too many sources. The following image represents your query. Which of the commands below limits the number of results to 750 and only queries Google?
theHarvester -d rmksupplies.com -l 750 -b google
When performing an authorized security audit of a website, you are given only the website address and asked to find other hosts on that network that might be vulnerable to attack. Which of the following tools might be used to lead you to the following Nmap output? (Select two.)
whois.org & nslookup