Exam One


Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? Privacy officer Data steward Data owner Data custodian

Data owner

Which of the following tools is useful for capturing Windows memory data for forensic analysis? Wireshark dd Memdump Nessus

Memdump Explanation OBJ-4.4: Memdump, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use; the Volatility framework is used to analyze a captured memory image rather than to acquire it. The dd tool is used to create forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE) Take advantage of a software, hardware, or human vulnerability A webshell is installed on a web server Wait for a malicious email attachment to be opened A backdoor/implant is placed on a victim's client Wait for a user to click on a malicious link Select backdoor implant and appropriate command and control infrastructure for operation

Take advantage of a software, hardware, or human vulnerability Wait for a malicious email attachment to be opened Wait for a user to click on a malicious link

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? Organizational governance Log disposition Processor utilization Virtual hosts

Virtual hosts Explanation OBJ-1.3: Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only the physical hosts, thereby missing many network assets.

Which type of threat will patches NOT effectively combat as a security control? Known vulnerabilities Discovered software bugs Zero-day attacks Malware with defined indicators of compromise

Zero-day attacks

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? Use full-disk encryption Span multiple virtual disks to fragment data Use data masking Zero-wipe drives before moving systems

Use full-disk encryption Explanation OBJ-1.6: To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with "x," for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? Automatic updates Vulnerability scanning Configuration management Scan and patch the device

Vulnerability scanning Explanation OBJ-1.3: The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance that could minimize the vulnerabilities it presents.

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? White team Blue team Purple team Red team

White team Explanation OBJ-5.2: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. A red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. A blue team is a group of people responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

What tool is used to collect wireless packet data? Aircrack-ng Nessus John the Ripper Netcat

Aircrack-ng

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred? Integrity breach Financial breach Privacy breach Proprietary breach

Privacy breach

Which of the following sets of Linux permissions would have the least permissive to most permissive? 111, 734, 747 711, 717, 117 544, 444, 545 777, 444, 111

111, 734, 747 Explanation OBJ-4.2: From least to most permissive, the correct answer is 111, 734, 747. Linux permissions are read as three digits for owner, group, and other, and each digit is the sum of 4 (read), 2 (write), and 1 (execute); a digit of 7 is 4+2+1, or read/write/execute. The least permissive set is therefore 000 and the most permissive is 777. The set 111 is execute-execute-execute. The set 734 is read/write/execute for the owner, write/execute for the group, and read for others. The set 747 is read/write/execute for the owner, read for the group, and read/write/execute for others.
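The decoding described above, as an added Python example that is not part of the original question: it expands an octal mode into its owner/group/other rwx string and orders modes by how many permission bits they grant, which is the simplification the question relies on (it says nothing about which class of user holds a bit). Tie-breaking by the "other" digit is an added assumption, on the grounds that bits granted to everyone are the most exposed.

```python
"""Decode octal Linux permission modes and order them from least to most permissive."""

# Bit values used by chmod: read = 4, write = 2, execute = 1.
_BITS = ((4, "r"), (2, "w"), (1, "x"))


def digit_to_rwx(digit: int) -> str:
    """Expand one octal digit (0-7) into its rwx string, e.g. 5 -> 'r-x'."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit out of range: {digit}")
    return "".join(letter if digit & bit else "-" for bit, letter in _BITS)


def mode_to_symbolic(mode: str) -> str:
    """Expand a three-digit mode such as '734' into 'rwx-wxr--' (owner, group, other)."""
    if len(mode) != 3 or not mode.isdigit():
        raise ValueError(f"expected three octal digits, got {mode!r}")
    return "".join(digit_to_rwx(int(d)) for d in mode)


def granted_bits(mode: str) -> int:
    """Count how many of the nine permission bits a mode grants (0 for 000, 9 for 777)."""
    return sum(bin(int(d)).count("1") for d in mode)


def sort_by_permissiveness(modes):
    """Return the modes ordered from least to most permissive.

    Primary key is the number of granted bits; ties are broken by the 'other'
    digit, then 'group', then 'owner' (assumed ordering: world-facing bits first).
    """
    def key(m):
        return (granted_bits(m), int(m[2]), int(m[1]), int(m[0]))
    return sorted(modes, key=key)


def is_least_to_most(modes) -> bool:
    """True when the sequence is already in strictly increasing order of granted bits."""
    counts = [granted_bits(m) for m in modes]
    return all(a < b for a, b in zip(counts, counts[1:]))


if __name__ == "__main__":
    for option in (["111", "734", "747"], ["711", "717", "117"],
                   ["544", "444", "545"], ["777", "444", "111"]):
        print(option, [mode_to_symbolic(m) for m in option], is_least_to_most(option))
```

Run stand-alone, it shows that only the first option set is strictly increasing in granted bits, matching the quiz answer.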

(This is a simulated performance-based question.) Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW 172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW 192.168.1.12, 172.16.1.3, 445, UDP, DENY

172.16.1.3, 192.168.1.12, 445, TCP, ALLOW Explanation OBJ-3.2: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR and Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).
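As an added example, not part of the original question, the following Python evaluates each of the four candidate ACLs against the flows that matter (first match wins, implicit deny when nothing matches). The HR and Files addresses are the ones from the question; the second HR-subnet host 172.16.1.50 and the RDP flow are assumptions introduced to show why the broader options fail.

```python
"""Evaluate firewall ACL entries (first match wins, implicit deny) against sample flows.

Entries use the format from the question: source, destination, port, protocol, action.
Source/destination may be a single IP or a CIDR block.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: str          # IP or CIDR, e.g. "172.16.1.3" or "172.16.1.0/24"
    dst: str
    port: str         # "445" or "ANY"
    proto: str        # "TCP" or "UDP"
    action: str       # "ALLOW" or "DENY"

    def matches(self, src_ip: str, dst_ip: str, port: int, proto: str) -> bool:
        # strict=False lets a host address written with a mask ("172.16.1.12/24") parse
        # as the whole /24, which is exactly what the third quiz option would do.
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (
            ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net
            and (self.port == "ANY" or int(self.port) == port)
            and self.proto == proto
        )


def evaluate(acl, src_ip: str, dst_ip: str, port: int, proto: str) -> str:
    """Return the action of the first matching entry, or DENY (implicit deny) if none match."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip, port, proto):
            return entry.action
    return "DENY"


# Addresses from the question: HR workstation 172.16.1.3, file server 192.168.1.12.
HR, FILES = "172.16.1.3", "192.168.1.12"
# Assumed for illustration: another host on the HR subnet that must NOT get SMB access.
OTHER_HOST = "172.16.1.50"

ACL_CORRECT = [AclEntry(HR, FILES, "445", "TCP", "ALLOW")]
ACL_TOO_BROAD = [AclEntry(HR, FILES, "ANY", "TCP", "ALLOW")]
ACL_SUBNET = [AclEntry("172.16.1.12/24", "192.168.1.3/24", "445", "TCP", "ALLOW")]
ACL_REVERSED_DENY = [AclEntry(FILES, HR, "445", "UDP", "DENY")]


def check_policy(acl) -> dict:
    """Summarise what an ACL permits for the three flows that decide the question."""
    return {
        "hr_smb": evaluate(acl, HR, FILES, 445, "TCP"),       # must be ALLOW
        "hr_rdp": evaluate(acl, HR, FILES, 3389, "TCP"),      # should stay DENY
        "other_smb": evaluate(acl, OTHER_HOST, FILES, 445, "TCP"),  # should stay DENY
    }


if __name__ == "__main__":
    for name, acl in (("correct", ACL_CORRECT), ("any-port", ACL_TOO_BROAD),
                      ("subnet", ACL_SUBNET), ("reversed-deny", ACL_REVERSED_DENY)):
        print(f"{name:14s} {check_policy(acl)}")
```

Only the first ACL yields ALLOW for HR's SMB flow while leaving every other flow at the implicit deny; the ANY-port entry opens RDP as well, the /24 entry lets the whole HR subnet in, and the reversed UDP deny changes nothing because everything was already denied.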

Which of the following is typically used to secure the CAN bus in a vehicular network? Airgap Anti-virus UEBA Endpoint protection

Airgap Explanation OBJ-1.5: The majority of vehicles do not currently have a mechanism by which an attacker can access a vehicle remotely. However, there have been numerous demonstrations where the CAN bus can be accessed and corrupted through an available diagnostic port within the automobile or unmanned aerial vehicle. The most typical security measure used is an airgap between a vehicle's entertainment system (which may have internet access) and its CAN bus. Endpoint protection, anti-virus, and user and entity behavior analytics (UEBA) are not usually installed in vehicular networks as a security measure.

Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate? SQL injections Unpatched operating systems on the server An endpoint security failure Cross-site scripting

An endpoint security failure Explanation OBJ-3.1: In a SaaS model, the consumer has to ensure that the endpoints being used to access the cloud are secure. Since the consumer owns the endpoint (laptop, desktop, tablet, smartphone, etc.), they are responsible for securing it. The entire concept behind using a SaaS product is that the service provider will patch the servers' underlying operating systems, create secure software that isn't vulnerable to SQL injection or cross-site scripting attacks, and ensure proper operations and maintenance of the backend systems.

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed? Attack surface Attack vector Adversary capability set Threat model

Attack surface Explanation OBJ-1.2: The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct its attack.

What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system? Banner grabbing and UDP response timing Banner grabbing and comparing response fingerprints Using the -O option in nmap and UDP response timing Comparing response fingerprints and registry scanning

Banner grabbing and comparing response fingerprints Explanation OBJ-1.4: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

Which of the following types of output encoding is being used in the following output? Dion Training aGVsbG8gd29ybGQNCg== ASCII Hex XML Base64

Base64 Explanation OBJ-4.3: The string aGVsbG8gd29ybGQNCg== is Base64 encoded. Base64 converts arbitrary binary data into a string of printable ASCII characters; attackers commonly use it to obfuscate commands or exfiltrated data so that simple string-matching detection mechanisms miss them. A Base64 string will not always end with one or two equals signs, but it is common to see them: the equals signs pad the output whenever the input length is not a multiple of three bytes, so that the encoded string comes out as a multiple of four characters.
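The padding rule and the recognition of Base64 described above, as an added Python example that is not part of the original question: it validates candidate tokens by strict decoding rather than by appearance alone, tells apart the Hex, Base64 and ASCII options offered in the question, and pulls Base64 tokens out of a constructed command line (the sample log line is invented for the example).

```python
"""Recognise Base64-encoded strings and account for their '=' padding, as a triage helper."""
import base64
import binascii
import re

# Standard Base64 alphabet, with up to two '=' pad characters allowed only at the end.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def expected_padding(n_bytes: int) -> int:
    """Number of '=' characters Base64 appends for an input of n_bytes bytes (0, 1 or 2)."""
    return (3 - n_bytes % 3) % 3


def try_decode_base64(token: str):
    """Return the decoded bytes if token is well-formed Base64, else None.

    validate=True rejects characters outside the alphabet; the length check rejects
    strings whose length is not a multiple of 4 (which a lenient decoder might pad).
    """
    if len(token) % 4 != 0 or not _B64_RE.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_encoding(token: str) -> str:
    """Crude classifier for the encodings offered in the question: Hex, Base64 or ASCII text.

    Hex is tested first because an all-hex token (e.g. 'deadbeef') is also valid Base64.
    """
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", token):
        return "Hex"
    if try_decode_base64(token) is not None:
        return "Base64"
    return "ASCII"


def find_base64_tokens(text: str, min_len: int = 16):
    """Yield (token, decoded) pairs for Base64 tokens of at least min_len chars found in text."""
    for token in re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        decoded = try_decode_base64(token)
        if decoded is not None:
            yield token, decoded


# Constructed sample command line for the example, not from the original page.
SAMPLE_LOG = "powershell -enc aGVsbG8gd29ybGQNCg== ; echo done"

if __name__ == "__main__":
    for token, decoded in find_base64_tokens(SAMPLE_LOG):
        print(token, "->", decoded, "padding:", expected_padding(len(decoded)))
```

The string from the question decodes to thirteen bytes ("hello world" followed by a carriage return and line feed); 13 is one more than a multiple of three, which is why the encoded form carries two pad characters.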

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? Heuristic Trend Anomaly Behavior

Behavior Explanation OBJ-3.1: This is an example of behavior-based detection. Behavior-based detection (also called statistical- or profile-based detection) means the engine is trained to recognize baseline traffic or the events normally associated with a user account or network device; anything that deviates from that baseline beyond a defined tolerance generates an alert. Heuristic analysis determines whether several observed data points together constitute an indicator, and whether related indicators make up an incident, based on an understanding of the relationships between the observed indicators. Human analysts are good at interpreting context but work painfully slowly in computer terms and cannot cope with the sheer volume of data and traffic a typical network generates. Anomaly analysis defines an expected outcome or pattern for events and then identifies any events that do not follow it; it is useful in tools and environments that let you set rules. Trend analysis is not used for detection but to understand capacity and the system's normal baseline. The difference between the two closely related options is where the baseline comes from: behavior-based detection learns the expected pattern from observing the entity being monitored (here, where each user normally logs in), whereas anomaly-based detection starts from a prescribed definition of what is expected and flags deviations from it.
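The alert Alexa wants, as an added Python example that is not part of the original question: a user directory and workstation inventory supply each party's office, and successful logins whose workstation office differs from the user's home office are raised. All names, offices and log lines are constructed for the example; failed attempts are skipped and entities missing from either directory are reported separately so the coverage gap is visible rather than silently ignored.

```python
"""Alert when a user logs into a workstation in an office other than the user's home office."""
import re

# Home office (state) of each employee (constructed sample data).
USER_HOME_OFFICE = {"alice": "TX", "bob": "NY", "carol": "TX"}
# Office where each workstation physically sits (constructed sample data).
WORKSTATION_OFFICE = {"WS-TX-01": "TX", "WS-TX-02": "TX", "WS-NY-07": "NY", "WS-FL-03": "FL"}

# Constructed authentication log lines in a simple key=value format.
SAMPLE_LOGS = """\
2024-05-01T08:01:12Z user=alice host=WS-TX-01 result=success
2024-05-01T08:03:45Z user=bob host=WS-NY-07 result=success
2024-05-01T08:10:02Z user=alice host=WS-NY-07 result=success
2024-05-01T08:12:30Z user=carol host=WS-FL-03 result=failure
2024-05-01T08:15:00Z user=carol host=WS-FL-03 result=success
2024-05-01T08:20:00Z user=dave host=WS-TX-02 result=success
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_logs(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def cross_office_logins(text: str):
    """Return (alerts, unknown) for successful logins from an office other than the user's own.

    alerts  : logins where the workstation's office differs from the user's home office.
    unknown : successful logins whose user or host is missing from the directories, so the
              rule could not be applied (a coverage gap the analyst should see, not hide).
    """
    alerts, unknown = [], []
    for ev in parse_logs(text):
        if ev["result"] != "success":
            continue  # the question is about logins, not failed attempts
        home = USER_HOME_OFFICE.get(ev["user"])
        site = WORKSTATION_OFFICE.get(ev["host"])
        if home is None or site is None:
            unknown.append(ev)
            continue
        if home != site:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"],
                           "home_office": home, "login_office": site})
    return alerts, unknown


if __name__ == "__main__":
    found, gaps = cross_office_logins(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a['ts']} {a['user']} ({a['home_office']}) logged into {a['host']} ({a['login_office']})")
    for g in gaps:
        print(f"UNKNOWN {g['ts']} {g['user']} on {g['host']}: not in directory")
```

On the sample data this raises alice (a Texas employee) logging into a New York workstation and carol logging into a Florida one, and flags dave as unmapped. In a real deployment the two dictionaries would be fed from the HR system and asset inventory; the quality of the alert is bounded by how current they are.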

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: What type of attack was most likely being attempted by the attacker? Brute force Impersonation Credential stuffing Password spraying

Password spraying Explanation OBJ-1.7: This is an example of a password spraying attack. Unlike password spraying, which attempts only one or two passwords per user, a brute force attack tries many passwords against a single user, with the goal of cracking that user's password and gaining access to the account. Password spraying instead takes a large number of usernames and loops through them with a single password. Several passwords may be tried over multiple iterations, but the number of passwords attempted is low compared to the number of users attempted. This method avoids account lockouts and is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made against each username listed, which is indicative of password spraying rather than a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts; it is a subset of the brute force category, in which large numbers of spilled credentials are automatically entered into websites until they potentially match an existing account, which the attacker can then hijack.
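The distinction the explanation draws, as an added Python example that is not part of the original question: it groups failed authentications by source address and labels each source as brute force (many failures concentrated on one account), password spraying (one or two failures against each of many accounts) or normal. The three log sets and the thresholds (six failures to call anything an attack, at most two per account for spraying) are constructed assumptions for the example; tune them to the lockout policy in force.

```python
"""Classify a burst of failed authentications as brute force, password spraying, or neither."""
import re
from collections import Counter

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed: one source trying many passwords against a single account.
BRUTE_FORCE_LOGS = "\n".join(
    f"2024-05-01T02:00:{i:02d}Z src=203.0.113.9 user=jsmith result=failure" for i in range(12)
)
# Constructed: one source trying one password against each of many accounts.
SPRAY_LOGS = "\n".join(
    f"2024-05-01T02:10:{i:02d}Z src=203.0.113.9 user={u} result=failure"
    for i, u in enumerate(["jsmith", "mjones", "alee", "bkhan", "cdiaz", "rpatel", "twu", "kobrien"])
)
# Constructed: ordinary typos from a couple of internal users.
BENIGN_LOGS = """\
2024-05-01T09:00:01Z src=10.0.0.5 user=jsmith result=failure
2024-05-01T09:00:09Z src=10.0.0.5 user=jsmith result=success
2024-05-01T09:05:00Z src=10.0.0.7 user=mjones result=failure
"""


def failures_by_source(text: str) -> dict:
    """Map each source IP to a Counter of failed-login counts per username."""
    per_src = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m or m["result"] != "failure":
            continue
        per_src.setdefault(m["src"], Counter())[m["user"]] += 1
    return per_src


def classify_source(user_failures: Counter, min_total: int = 6, spray_max_per_user: int = 2) -> str:
    """Label one source's failures.

    brute_force       : failures concentrate on a single account (many passwords, one user).
    password_spraying : failures spread across many accounts with at most a couple each.
    normal            : too few failures to call an attack.
    mixed             : enough failures, but neither pattern cleanly (worth a look anyway).
    """
    total = sum(user_failures.values())
    if total < min_total:
        return "normal"
    users = len(user_failures)
    if users == 1 or user_failures.most_common(1)[0][1] >= min_total:
        return "brute_force"
    if max(user_failures.values()) <= spray_max_per_user and users >= min_total // spray_max_per_user:
        return "password_spraying"
    return "mixed"


def classify_logs(text: str) -> dict:
    """Return {source_ip: label} for every source with failed logins in the text."""
    return {src: classify_source(c) for src, c in failures_by_source(text).items()}


if __name__ == "__main__":
    for name, logs in (("brute", BRUTE_FORCE_LOGS), ("spray", SPRAY_LOGS), ("benign", BENIGN_LOGS)):
        print(name, classify_logs(logs))
```

Counting per source is what separates the two attacks: the same total of twelve failures reads as brute force when one account absorbs them all and as spraying when they are spread one per account, which is also why spraying slips under per-account lockout thresholds.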

The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation? RAM, CPU cache, Swap, Hard drive Hard drive, Swap, CPU cache, RAM CPU cache, RAM, Swap, Hard drive Swap, RAM, CPU cache, Hard drive

CPU cache, RAM, Swap, Hard drive Explanation OBJ-4.4: The order of volatility states that you should collect the most volatile (least persistent) data first and the least volatile (most persistent) data last. The most volatile data resides in the CPU Cache since this small memory cache is overwritten quickly during computer operations. Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shut down or the power is lost. Third, you should collect the Swap file, a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations. Finally, you should collect the data from the hard disk, as it is the least volatile and remains on the hard disk until a command is given to delete it. Data on a hard disk remains even when power is removed from the workstation.

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file's data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data? Overwrite Hashing Recovery Carving

Carving Explanation OBJ-4.4: File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type. Hashing is a function that converts an arbitrary length string input to a fixed-length string output. Overwrite is a method of writing random bits or all zeros over a hard disk to sanitize it. Recovery is a generic term in forensics, cybersecurity incident response, and other portions of the IT industry, therefore it is not specific enough to be the correct option.
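The signature-driven carving described above, as an added Python example that is not part of the original question: it scans a raw byte buffer for known magic numbers and cuts each hit at the format's trailer signature, with no reference to file system metadata. The "disk image" is constructed in the code (filler bytes with a minimal PNG-like blob and a minimal PDF embedded at arbitrary offsets) and the three signatures are the well-known PNG, PDF and JPEG markers.

```python
"""Carve files out of a raw byte buffer by magic number, ignoring file system metadata."""

# Header (magic number) and trailer signature for each file type handled.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return a list of (type, offset, data, end) for every header found in the buffer.

    For each header hit the file is assumed to run to the next matching trailer. If no
    trailer appears within max_size bytes, the fragment up to max_size is returned with
    end=None so the analyst knows the file may be truncated or overwritten. Results are
    ordered by offset.
    """
    results = []
    for ftype, (header, trailer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(trailer, pos + len(header), window_end)
            if end == -1:
                results.append((ftype, pos, image[pos:window_end], None))
            else:
                stop = end + len(trailer)
                results.append((ftype, pos, image[pos:stop], stop))
            pos = image.find(header, pos + len(header))
    return sorted(results, key=lambda r: r[1])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a tiny PNG-like blob, filler, a minimal PDF, filler."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IHDR" + b"\x01" * 8 + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    return b"\xab" * 100 + png + b"\x00" * 37 + pdf + b"\xff" * 50


def carve_sample():
    """Carve the constructed image; convenient for demonstration and testing."""
    return carve(build_sample_image())


if __name__ == "__main__":
    for ftype, offset, data, end in carve_sample():
        status = "complete" if end is not None else "truncated"
        print(f"{ftype:5s} at offset {offset:6d}, {len(data):5d} bytes, {status}")
```

Two caveats a practitioner would apply before trusting the output: a trailer can occur more than once inside a legitimate file (a PDF with incremental updates contains several %%EOF markers, so cutting at the first one truncates it), and a fragmented file whose pieces are not contiguous will not be reassembled by a header-to-trailer scan; both cases call for format-aware parsing after this first pass.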

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group with strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? Conduct a data criticality and prioritization analysis Hardening the DEV_SERVER7 server Conduct a Nessus scan of the FIREFLY server Logically isolate the PAYROLL_DB server from the production network

Conduct a data criticality and prioritization analysis Explanation OBJ-1.3: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident occurs, it is a good idea to conduct a data criticality and prioritization analysis to determine which assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information can be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn't hold the credit card processing systems, which would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions to harden, logically isolate, or vulnerability scan a particular server are random guesses by the analyst, since they don't know which data they should focus on protecting or where the attacker currently is.

You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? Context-based authentication Single sign-on Self-service password reset Password complexity

Context-based authentication Explanation OBJ-3.2: Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key attributes, to minimize the risk of compromised credentials being used by an attacker. A self-service password reset is any process or technology that allows users who have forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and fix the problem without calling the help desk. While helpful, this alone would not prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. This is helpful since it minimizes the number of usernames and passwords a user must remember, but if those credentials are stolen, the attacker can now access every system the user had access to, widening the problem. Password complexity is also a good control, but it does not address the challenge presented: how to prevent the use of already compromised credentials. Increased complexity makes a brute force credential compromise harder, but if the credentials are compromised any other way, the attacker can still log in to our systems and cause trouble.

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace? Capitalism Counterfeiting Recycling Entrepreneurship

Counterfeiting Explanation OBJ-2.3: While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization's supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect your network's security.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? Conduct full backups daily to tape Create a daily incremental backup to tape Configure replication of the data to a set of servers located at a hot site Create disk-to-disk snapshots of the server every hour

Create a daily incremental backup to tape Explanation OBJ-5.2: Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? Non-credentialed scan Credentialed scan Internal scan External scan

Credentialed scan Explanation OBJ-1.3: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? SMTP DMARC DKIM SPF

DKIM Explanation OBJ-3.1: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. It can replace or supplement SPF. To configure DKIM, the organization publishes a public key as a TXT record in its DNS zone; the sending mail server signs outbound messages with the matching private key, and receivers verify the signature against the published key. Sender Policy Framework (SPF) uses a DNS record published by the organization hosting an email service. The SPF record identifies the hosts authorized to send email for that domain, and there must be only one SPF record per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively; DMARC relies on DKIM for its cryptographic authentication mechanism, making it the incorrect option for this question. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission and does not utilize cryptographic authentication mechanisms by default.

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? SSL MDM UTM DLP

DLP Explanation OBJ-3.2: Data loss prevention (DLP) software detects potential data breaches and data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. It can be configured to detect and alert on future occurrences of this issue. Secure Sockets Layer (SSL) is a distractor in this question, since the question asks about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL, but the information would still be sent to an employee's personal email account, which equates to a loss of control over the company's confidential data. Mobile Device Management (MDM) software is used to configure and secure mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTMs may provide DLP functionality, but DLP is the better answer to this question.

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement? Utilize the key escrow process Deploy a new group policy Create a new security group Revoke the digital certificate

Deploy a new group policy Explanation OBJ-4.2: Group Policy is used to manage Windows systems in a domain environment through Group Policy Objects (GPOs). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings, and a GPO lets you push a change to the local administrator account to every domain-joined workstation at once rather than visiting 1250 machines. One caveat a practitioner should apply: do not set the new password through Group Policy Preferences, because the cpassword value it stores in SYSVOL is readable by any domain user and decryptable with a published key (the issue fixed by Microsoft in MS14-025); rotating a unique local administrator password on every workstation is what a tool such as Microsoft LAPS, itself deployed through Group Policy, is designed for.

After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor and will cost $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects? Agile Model DevSecOps Waterfall Model DevOps

DevSecOps Explanation OBJ-3.4: DevSecOps is a combination of software development, security operations, and systems operations and refers to the practice of integrating each discipline with the others. DevSecOps approaches are generally better postured to prevent problems like this because security is built-in during the development instead of retrofitting the program afterward. The DevOps development model incorporates IT staff but does not include security personnel. The agile software development model focuses on iterative and incremental development to account for evolving requirements and expectations. The waterfall software development model cascades the phases of the SDLC so that each phase will start only when all of the tasks identified in the previous phase are complete. A team of developers can make secure software using either the waterfall or agile model. Therefore, they are not the right answers to solve this issue.

A SOC analyst has detected the repeated usage of a compromised user credential on the company's email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase? Prepare a jump bag or kit for use in the investigation Develop a communications plan that includes provisions for how to operate in a compromised environment Conduct training on how to search for indicators of compromise Perform a data criticality and prioritization analysis

Develop a communications plan that includes provisions for how to operate in a compromised environment Explanation OBJ-4.1: As part of your preparation phase, your organization should develop a communications plan that details which communication methods will be used during a compromise of various systems. If the analyst suspected the email server was compromised, then communications about the incident response efforts (including detection and analysis) should be shifted to a different communications path, such as encrypted chat, voice, or other secure means. Any analyst involved in working on this incident should already have prepared alternate, out-of-band communications to prevent an adversary from intercepting or altering communications. Based on the scenario provided, it is clear that a data criticality and prioritization analysis was already performed, since the email server is known to be critical to operations. Nothing in the scenario indicates that the analysts do not know how to search for IoCs properly. Likewise, nothing indicates that either analyst lacks the appropriate tools, so it can be safely assumed they have their jump bag or kit available for use.

What is a reverse proxy commonly used for? Directing traffic to internal services if the contents of the traffic comply with the policy To obfuscate the origin of a user within a network To prevent the unauthorized use of cloud services from the local network Allowing access to a virtual private cloud

Directing traffic to internal services if the contents of the traffic comply with the policy Explanation OBJ-1.6: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) Take the opportunity to install a new feature pack that has been requested Document the change in the change management system Ensure all stakeholders are informed of the planned outage Take the server offline at 10 pm in preparation for the change Validate the installation of the patch in a staging environment Identify any potential risks associated with installing the patch

Document the change in the change management system Ensure all stakeholders are informed of the planned outage Validate the installation of the patch in a staging environment Identify any potential risks associated with installing the patch Explanation OBJ-2.1: You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment before installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, which could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).

When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists? LAST_ACK ESTABLISHED CLOSE_WAIT LISTENING

ESTABLISHED Explanation OBJ-3.1: The ESTABLISHED message indicates that an active and established connection exists between two systems. The LISTENING message indicates that the socket is waiting for an incoming connection from the second system. The LAST_ACK message indicates that the remote end has shut down the connection, and the socket is closed and waiting for an acknowledgment. The CLOSE_WAIT message indicates that the remote end has shut down the connection and is waiting for the socket to close. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? Enable sampling of the data Enable full packet capture Enable QoS Enable NetFlow compression

Enable sampling of the data Explanation OBJ-3.1: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first? Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console Ensure that each individual console has a unique key for decrypting individual licenses and tracking which console has purchased which game Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute Ensure that all screen capture content is visibly watermarked

Ensure that each individual console has a unique key for decrypting individual licenses and tracking which console has purchased which game Explanation OBJ-2.2: Ensuring that each console has a unique key will allow the console manufacturer to track who has purchased which games when using digital rights management licensing. This can be achieved using a hardware root of trust, such as a TPM module in the processor. While encrypting the games during distribution will provide some security, the games could be decrypted and distributed by unauthorized parties if the encryption key were ever compromised. The recommendation of making the game arbitrarily large will frustrate both authorized and unauthorized users, which could negatively impact sales, so it is a poor recommendation to implement. Visibly watermarking everything will only aggravate the user, provide a negative customer experience, and not help fight software piracy.

An organization has hired a cybersecurity analyst to conduct an assessment of its current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first? DNS query log reviews Technical control audits Enumeration Intranet portal reviews

Enumeration Explanation OBJ-1.3: Scanning and enumeration are used to determine open ports and identify the software and firmware/device types running on the host. This is also referred to as footprinting or fingerprinting. This technique is used to create a security profile of an organization by conducting the scanning in a methodical manner. If this scan is conducted from outside of the organization's network, it can be used to determine the network devices and information available to an unauthorized and external attacker. A DNS query log review, intranet portal review, or technical control audit would require internal access to the network, which is typically not accessible directly to an external attacker.

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? Statistical matching Document matching Exact data match Classification

Exact data match Explanation OBJ-3.2: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning or other artificial intelligence techniques to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation? False positive False negative True positive True negative

False positive Explanation OBJ-1.3: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability exists on the scanned system.

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? HFS+ FAT32 NTFS exFAT

HFS+ Explanation OBJ-4.4: The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by the macOS system. NTFS is not supported by macOS without additional drivers and software tools. This question may seem beyond the scope. Still, the exam objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: Based on the output, what type of password cracking method does Jason's new tool utilize? Hybrid attack Brute force attack Rainbow attack Dictionary attack

Hybrid attack Explanation OBJ-1.7: Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application: You change the URL to end with 12346 and notice that a different user's account information is displayed. Which of the following types of vulnerabilities or threats have you discovered? Insecure direct object reference SQL injection XML injection Race condition

Insecure direct object reference Explanation OBJ-2.2: This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. An attacker can modify one or more of these four basic functions in a SQL injection attack by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability in which the outcome of execution depends directly on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended; that is not the case in this scenario.

William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact? Moderate Medium Low High

Low Explanation OBJ-5.3: FIPS 199 classifies any risk where "the unauthorized disclosure of information could be expected to have a limited adverse effect" as a low impact confidentiality risk. If there were a serious adverse effect expected, then it would be a moderate impact. If there were a severe or catastrophic adverse effect expected, then it would be a high impact. Medium is not an impact under FIPS 199. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? MAC filtering ACL SPF NAC

NAC Explanation OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.

You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? Obscure web interface locations Implement identity and authentication controls Leverage security frameworks and libraries Implement appropriate access controls

Obscure web interface locations Explanation OBJ-2.2: The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on security through obscurity and is not considered a good security practice. The other options are all considered best practices in designing web application security controls and creating software assurance in our programs.

Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page? Input validation Session management Output encoding Error handling

Output encoding Explanation OBJ-2.2: Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.

What document typically contains high-level statements of management intent? Guideline Standard Policy Procedure

Policy Explanation OBJ-5.3: Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.

Fail to Pass Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to the personally owned smartphone of an employee in the accounting department, which was connected to the company's wireless network. The smartphone has now been isolated from the network, but the employee refuses to allow you to image her smartphone to complete your forensic investigation. According to the employee, the company's BYOD policy does not require her to give you her device, and doing so would be an invasion of her privacy. Which of the following phases of the incident response process is at fault for creating this situation? Preparation phase Detection and analysis phase Eradication and recovery phase Containment phase

Preparation phase Explanation OBJ-5.1: As part of the preparation phase, obtaining authorization to seize devices (including personally owned electronics) should have been made clear and consented to by all employees. If the proper requirements were placed into the BYOD policy before the incident occurred, this would have prevented this situation. Either the employee would be willing to hand over their device for imaging following the BYOD policy, or they would never have connected their device to the company wireless network in the first place if they were concerned with their privacy and understood the BYOD policy. Based on the scenario provided, the detection and analysis phase was conducted properly since the analyst was able to identify the breach and detect the source. The containment phase would be responsible for the segmentation and isolation of the device which has occurred. Eradication and recovery would involve patching, restoring, mitigating, and remediating the vulnerability, which was the employee's smartphone. Evidence retention is conducted in post-incident activities, but this cannot be done due to the lack of proper preparation concerning the BYOD policy.

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place? Session hijacking Privilege escalation Phishing Social engineering

Privilege escalation Explanation OBJ-4.3: The use of long text strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question's details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? Protected health information Personally identifiable information Credit card information Trade secret information

Protected health information Explanation OBJ-5.1: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit? Dereferencing Broken authentication Race condition Sensitive data exposure

Race condition Explanation OBJ-1.7: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack Recommend immediate disconnection of the elevator's control system from the enterprise network Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists Recommend isolation of the elevator control system from the rest of the production network through the change control process

Recommend isolation of the elevator control system from the rest of the production network through the change control process Explanation OBJ-2.2: The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured trapped in an elevator) if there were resources that the PLCs were dependent on in the rest of the network. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.

Which of the following options places the correct phases of the Software Development Lifecycle's waterfall method in the correct order? Planning, requirements analysis, design, implementation, testing, deployment, and maintenance Planning, requirements analysis, design, implementation, deployment, testing, maintenance Requirements analysis, design, implementation, verification, testing, maintenance, retirement Requirements analysis, planning, design, implementation, deployment, testing, maintenance

Requirements analysis, planning, design, implementation, deployment, testing, maintenance Explanation OBJ-2.2: The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: Requirements, design, implementation, verification, testing, maintenance, retirement. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment's security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs known environment source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs known or unknown environment testing to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.

A cybersecurity analyst reviewed the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? Returns all web pages containing an email address affiliated with diontraining.com Returns all web pages containing the text diontraining.com Returns all web pages hosted at diontraining.com Returns no useful results for an attacker

Returns all web pages containing an email address affiliated with diontraining.com Explanation OBJ-1.3: Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal, typed 'history' into the prompt, and saw the output: Which of the following best describes what actions were performed by this line of code? Routed traffic destined for the diontraining.com domain to the localhost Routed traffic destined for the localhost to the diontraining.com domain Added the website to the system's allow list in the hosts file Attempted to overwrite the host file and deleted all data except this entry

Routed traffic destined for the diontraining.com domain to the localhost Explanation OBJ-3.1: Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com are being written to the hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > were used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system allow list file.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? Username and password Smartcard and PIN Fingerprint and retinal scan Password and security questions

Smartcard and PIN Explanation OBJ-2.1: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inherence). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.

Which of the following is usually not considered when evaluating the attack surface of an organization? Websites and cloud entities Software development lifecycle model External and internal users Software applications

Software development lifecycle model Explanation OBJ-3.3: The software development lifecycle model used by a company is purely an internal function relevant only to the development of custom software within the organization. Regardless of whether a waterfall or agile methodology is chosen, it does not directly affect the organization's attack surface. The attack surface represents the set of things that could be attacked by an adversary. External and internal users, websites, cloud entities, and software applications used by an organization are all possible entry points that an adversary could attempt an attack upon.

Your service desk has received many complaints from external users that a web application is responding slowly to requests and frequently receives a "connection timed out" error message when they attempt to submit information to the application. Which software development best practice should have been implemented to prevent this from occurring? Input validation Regression testing Stress testing Fuzzing

Stress testing Explanation OBJ-2.2: Stress testing is a software testing activity that determines the robustness of software by testing beyond normal operating limits. Stress testing is essential for mission-critical software but can be used with all types of software. Stress testing is an important component of the capacity management process of IT service management. It ensures adequate resources are available to support the end user's needs when an application goes into a production environment. Regression testing confirms that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input has undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? Run the Strings tool against each file to identify common malware identifiers Submit the files to an open-source intelligence provider like VirusTotal Disassemble the files and conduct static analysis on them using IDA Pro Scan the files using a local anti-virus/anti-malware engine

Submit the files to an open-source intelligence provider like VirusTotal Explanation OBJ-4.2: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

Which of the following types of encryption would ensure the best security of a website? SSLv1 SSLv2 TLS SSLv3

TLS Explanation OBJ-2.1: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, which developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Sockets Layer (SSL) has three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? Firewall logs showing the SMTP connections The full email header from one of the spam messages Network flows for the DMZ containing the email servers The SMTP audit log from your company's email server

The full email header from one of the spam messages Explanation OBJ-3.1: You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? The depreciated hardware cost of the system The type of data processed by the system The cost of acquisition of the system The cost of hardware replacement of the system

The type of data processed by the system Explanation OBJ-4.2: The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

You have tried to email yourself a file named "passwords.xlsx" from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred? Blocking Tombstone Alert only Quarantine

Tombstone Explanation OBJ-3.2: Tombstone remediation quarantines and replaces the original file with one describing the policy violation and how the user can re-release it. Quarantine denies access to the original file to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system. Block prevents the user from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine. Alert only allows the copying to occur, but the management system records an incident and may alert an administrator.

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company from an incident. Which of the following best describes the company's risk response? Mitigation Transference Acceptance Avoidance

Transference Explanation OBJ-5.2: Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing an activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

A cybersecurity analyst is reviewing the logs for his company's server and sees the following output: Based on this potential indicator of compromise (IoC), which of the following hypotheses should the analyst make to begin threat hunting? A common protocol is being used over a non-standard port Data exfiltration is occurring over the network Unauthorized privileges are being utilized Beaconing is establishing a connection to a C2 server

Unauthorized privileges are being utilized Explanation OBJ-4.3: This appears to be an indication that unauthorized privileges are being used. The first binary, svchost.exe, executes from an odd location, which indicates it might be malicious. The process svchost.exe doesn't usually reside in the inetsrv folder on a Windows system, since this folder contains the Windows IIS web server files. Additionally, this file then spawned a binary that appears to be masquerading as a Windows process, the WMI Provider Host called wmiprvse.exe. This appears to be the beginning of a privilege escalation attack. Based on the output above, there is no evidence that data is being exfiltrated or stolen from the network. Based on the output above, there is no evidence that any network protocol is currently used over a non-standard port. Finally, there is no evidence of beaconing or network activity in this output.

Which of the following functions is not provided by a TPM? Remote attestation Random number generation Secure generation of cryptographic keys Sealing User authentication Binding

User authentication Explanation OBJ-2.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

Which of the following must be combined with a threat to create risk? Exploit Malicious actor Vulnerability Mitigation

Vulnerability Explanation OBJ-1.2: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization's security goals.

You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

\b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b Explanation OBJ-3.1: The correct answer is \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b. The \b delimiter indicates that we are looking for whole words for the complete string. To answer this question, you have to rely on your networking knowledge and what you learned back in Network+. First, you need to calculate what the IP range for this subnet is. Since this is a /26, it would have 64 IP addresses in the range. Since the IP provided was 172.16.1.224, the range would be 172.16.1.192 to 172.16.1.255. The correct answer allows all values of 200-249 through the use of the phrase 2[0-4][0-9]. The values of 250-255 are specified by 25[0-5]. The values of 192-199 are specified through the use of 19[2-9]. All other REGEX expressions either allow too much or too little of the available IP space to be effective and precise filters for the subnet given. If you had this on the exam, I would calculate the IP address range first (as we did in this explanation). Then, I would see which parts are static in the IP address (172.16.1. in this case). Three of our answer choices provide this, so we now know the large REGEX is the wrong answer. Next, we need to figure out how to show only the values of 192-255. As you look at the three options, you need to look only for the differences between the options and see which would allow for the addresses needed. All three options have the same first two terms in the last octet, which covers 200-255, so you need to determine how best to represent the values of 192-199.

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? Manual analysis A behavior-based analysis tool A signature-based detection tool A log analysis tool

A behavior-based analysis tool Explanation OBJ-4.3: A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

You are analyzing the following network utilization report because you suspect one of the servers has been compromised. Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? web01 webdev02 marketing01 dbsvr01

dbsvr01 Explanation OBJ-3.1: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

Which of the following would be used to prevent a firmware downgrade? HSM SED eFUSE TPM

eFUSE Explanation OBJ-4.2: eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device's contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) journalctl _UID=1003 | grep sudo journalctl _UID=1003 | grep -e 1003 | grep sudo journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

journalctl _UID=1003 | grep sudo Explanation OBJ-3.1: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep's -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't be afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.

As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? shodan.io Review network diagrams Google hacking nmap

shodan.io Explanation OBJ-3.3: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company's public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company's network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren't, they cannot show the current "as is" configuration. If you can only select one tool to find your attack surface's current and historical view, shodan is your best choice.

Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1? tcpdump -i eth0 src 10.10.1.1 tcpdump -i eth0 proto 10.10.1.1 tcpdump -i eth0 dst 10.10.1.1 tcpdump -i eth0 host 10.10.1.1

tcpdump -i eth0 host 10.10.1.1 Explanation OBJ-4.4: Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer, or security professional. The tcpdump tool is used to conduct packet capturing of network traffic. The host option specifies a filter to capture all traffic going to (destination) and from (source) the designated IP address. If the DST filter is used, this only captures data going to the designated IP address. If the SRC filter is used, this only captures data going from the designated IP. If the proto filter is used, this will capture all traffic going to or from a designated port, such as FTP if proto 21 was used.

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system? which bash dir bash printenv bash ls -l bash

which bash Explanation OBJ-4.3: By executing the "which bash" command, the system will report the file system path from which the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate a compromised machine. The ls command will list the current directory and show any files or folders named bash. The printenv command would print the value of the specified environment variable, bash in this example. The dir command is used to list the contents of a directory, much like ls does.
