CBROPS 1

MSSP (Managed Security Service Provider)

Cisco Active Threat Analysis is an example of which of the following? Response: MSSP PSIRT Coordination centers National CSIRT

False (Digital Forensics and incident Response)

DFIR is an acronym that stands for Direct Forward Incident Respondent. Response: False True

Contamination

Digital evidence is important in bringing the culprit to justice. When a forensic examiner accidentally alters or damages digital evidence, it is referred to as what? Response: File carving Manipulation Contamination File probing

ISO 31000

Which standard provides risk management guidelines? Response: ISO 27001 ISO 31000 ISO 27005 ISO 27002

host-based firewall

Which system monitors local system operation and local network access for violations of a security policy? Response: antivirus host-based firewall systems-based sandboxing host-based intrusion detection

sandboxing

Which technique could be used by security personnel to analyze a suspicious file in a safe environment? Response: whitelisting baselining sandboxing blacklisting

detection and analysis post-incident activity

Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2?(Choose two.) Response: detection and analysis post-incident activity vulnerability management risk assessment vulnerability scoring

POP POP3 (Post Office Protocol)

Which two protocols may devices use in the application process that sends email? (Choose two.) Response: HTTP POP POP3 DNS

Rainbow table attack (Performs a hash lookup)

While conducting a penetration test on a critical workload server, the penetration tester (also known as pen tester) retrieves a file containing hashed passwords. What type of attack is a hashed file susceptible to? Response: Brute-force attack MD5Sum attack Rainbow table attack Salt retrieval attack

False

With probabilistic analysis, the analysis components suggest a "probabilistic answer" to the results of the investigation, which is a definitive result. Response: True False

Provide a mirror image of the hard drive related to the incident

A court will only accept digital evidence based on its originality, and the ruling will be based on the same. Which of the following evidence collection methods is most likely to be acceptable in a court case? Response: Provide a mirror image of the hard drive related to the incident Provide list of all applications and files accessed at the time of the incident Provide a full system backup and network inventory at time of incident Provide a disk image that contains bits and fragments specific to the incident

To monitor network traffic

A security engineer placed a packet sniffer in the network as a routine corporate exercise. What is the purpose of using a packet sniffer in a network? Response: To monitor network traffic To track network connections To detect illegal packets on the network To scan network segments for faults

Application whitelisting

A security engineer wants to restrict employees to only opening certain applications on their computer. Which of the following techniques is recommended? Response: All the computer's antivirus programs handle this restriction Using sandboxing techniques Using a host-based firewall Application whitelisting

Low (Common Vulnerability Scoring System)

A security researcher recently discovered a new security vulnerability. Upon computing its CVSS base score, the researcher learned the score was 3. What risk category would this vulnerability fall into? Response: Low Medium Critical High

Detect zero-day attacks

A signature-driven IDS system cannot do which of the following? Response: Detect zero-day attacks Be implemented in promiscuous as well as in-line modes Detect network anomalies Detect passive scans

The TCP/IP implementation is functional.

A user calls to report that a PC cannot access the internet. The network technician asks the user to issue the command ping 127.0.0.1 in a command prompt window. The user reports that the result is four positive replies. What conclusion can be drawn based on this connectivity test? Response: The IP address obtained from the DHCP server is correct. The PC can access the network. The problem exists beyond the local network. The PC can access the Internet. However, the web browser may not work. The TCP/IP implementation is functional.

Digital certificate

A user wants to verify the identity of a web server. Which of the following can be used? Response: Domain name Digital certificate IP address All of the above

Revise the AUP immediately and get all users to sign the updated AUP (Acceptable Use Policy).

An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy? Response: Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal. Create a firewall rule blocking the respective website. Revise the AUP immediately and get all users to sign the updated AUP. Immediately suspend the network privileges of the user.

false negative

An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic? Response: true negative false negative false positive true positive

5-tuple

An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs? Response: sequence numbers IP identifier 5-tuple timestamps

SIEM (Security Information and Event Management)

An organization is gearing up to improve its detection and analysis capabilities. The security administrators would like to implement a system that can receive and correlate logs from multiple sources to detect (otherwise incoherent and distributed) potential security incidents. Which of the following will address this requirement? Response: IDS Firewall SIEM NAC

Capital expenditure (CapEx)

An organization is planning on migrating some of its on-premises resources to the cloud and maintaining a hybrid cloud architecture. The IT team has to classify expenses as part of the business justification. Under which of the following categories would the expenses for hardware resources be considered? Response: Annual expenditure Overall expenditure Operational expenditure (OpEx) Capital expenditure (CapEx)

Infrastructure as a Service (IaaS)

An organization is planning to deploy a number of virtual machines on its chosen cloud provider platform. Which cloud deployment solution is used for deploying the virtual machines? Response: Software as a Service (SaaS) Infrastructure as a Service (IaaS) Community Cloud (C Cloud) Platform as a Service (PaaS)

Immediately

An organization performs PCI-DSS vulnerability scans on a contractual basis for a large retail store chain. The organization conducted a vulnerability scan about a week ago. The stores upgraded their point-of-sale (PoS) systems because of a critical security update. When should the retail store chain have the vulnerability scans conducted, if at all? Response: When the next compliance cycle is due No scans are required because the audit was just conducted Immediately After six months

AnyConnect SSL VPN Clientless SSL VPN Site-to-site VPN tunneling

Cisco ASA supports which of the following VPN modes? (Choose all that apply) Response: AnyConnect SSL VPN Clientless SSL VPN Site-to-site VPN tunneling DMVPN

A DNS server spoofing attack has been discovered

During a security audit, the auditor executes the nslookup command on a Windows machine to check the IP address of a web server. The IP in the response is not the IP that should be resolved by nslookup as per the organization's inventory of IP records. What might be the cause behind the discrepancy? Response: The nslookup service is corrupted on the Windows machine An ARP spoofing attack was in progress The auditor executed the wrong command; the command should be ping A DNS server spoofing attack has been discovered

Install

In context to the Cyber Kill Chain, sometimes the ______ step is also referred to as "establishing a foothold." Response: Activate Exploit Install Deliver

Secret

In military and governmental organizations, what is the classification for an asset that, if compromised, would cause severe damage to the organization? Response: Top Secret Secret Confidential Unclassified

Authentication Header (AH)

In relation to IPsec VPN tunnels, which of the following is used to provide datagram authentication? Response: Encapsulating Security Payload (ESP) MD5 or SHA IPsec Internet Key Exchange (IKE) Authentication Header (AH)

Command and control (C2)

In which of the following stages of the Cyber Kill Chain does the attacker take control of the target system? Response: Command and control Installation Actions of objectives Weaponization

Authentication

In which phase of access control does a user need to prove his or her identity? Response: Identification Authentication Authorization Accounting

Hunt

Many organizations task their security analysts to ____ for threats that could not have been detected or blocked by the security controls they have in place. Response: Reproducibility Lookout Analyze Hunt

Defense-in-depth strategy

One of the primary benefits of a ____________ is that even if a single control (such as a firewall or IPS) fails, other controls can still protect your environment and assets. Response: DLP AMP CoPP Defense-in-depth strategy

Notify the server administrator.

Refer to the exhibit. A security analyst is reviewing the logs of an Apache web server. Which action should the analyst take based on the output shown? Response: Notify the appropriate security administration for the country. Restart the server. Notify the server administrator. Ignore the message.

TCP

Refer to the exhibit. Which application protocol is in this PCAP file? Response: SSH TCP TLS HTTP

best

Refer to the exhibit. *Aug 24 2020 09:02:31: %ASA-4-1060232: Deny tcp src outside:209.165.200.228/51585 dst inside: 192.168.150.77/22 by access-group "OUTSIDE" [0x5063b82f, 0x0] An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized? Response: indirect circumstantial corroborative best

The source host is omar.cisco.com, and the destination is www1.cisco.com. These are TCP transactions.

Refer to the following output of tcpdump. Which of the following statements are true of this packet capture?(Select all that apply.) 23:52:36.664771 IP omar.cisco.com.33498 > www1.cisco.com.http: Flags [S], seq 2841244609, win 29200,options [mss 1460,sackOK,TS val 1193036826 ecr 0,nop,wscale 7], length 0 23:52:36.694193 IP www1.cisco.com.http > omar.cisco.com.33498: Flags [S.], seq 1686130907,ack 2841244610, win 32768, options [mss 1380], length 0 *23:52:36.694255 IP omar.cisco.com.33498 > www1.cisco.com.http: Flags [.], ack 1, win 29200, length 0 *23:52:36.694350 IP omar.cisco.com.33498 > www1.cisco.com.http: Flags [P.], seq 1:74, ack 1, win 29200,length 73: HTTP: GET / HTTP/1.123:52:36.723736 IP www1.cisco.com.http > omar.cisco.com.33498: Flags [.], ack 74, win 32695, length 0 *23:52:36.724590 IP www1.cisco.com.http > omar.cisco.com.33498: Flags [P.], seq 1:505, ack 74,win 32768, length 504: HTTP: HTTP/1.1 301 Moved Permanently23:52:36.724631 IP omar.cisco.com.33498 > www1.cisco.com.http: Flags [.], ack 505, win 30016, length 0 *23:52:36.724871 IP omar.cisco.com.33498 > www1.cisco.com.http: Flags [F.], seq 74, ack 505, win 30016,length 0 *23:52:36.754313 IP www1.cisco.com.http > omar.cisco.com.33498: Flags [F.], seq 505, ack 75, win 15544,length 0 *23:52:36.754364 IP omar.cisco.com.33498 > www1.cisco.com.http: Flags [.], ack 506, win 30016, length 0 Response: The source host is omar.cisco.com, and the destination is www1.cisco.com. These are UDP transactions. These are TCP transactions. This is SIP redirect via HTTP.

Classify the potential assets and associated risks and address the risk analysis matrix

Risk analysis can be carried out in two major ways: qualitative and quantitative. Which of the following steps must be taken while conducting a qualitative risk analysis? Response: Calculate the cost to cover the risk Classify the potential assets and associated risks and address the risk analysis matrix Calculate the asset value if the risk was to be realized. Calculate the return on investment and risk expectancy

Antivirus or antimalware applications Personal (host-based) firewalls

SIEM solutions can collect logs from popular host security products, including which of the following?(Select all that apply.) Response: Antivirus or antimalware applications CloudLock logs NetFlow data Personal (host-based) firewalls

UDP (User Datagram Protocol)

Syslog and packet captures are often used in network forensics. Syslog is a client/server protocol standard for forwarding log messages across an IP network. Syslog uses which protocol to transfer log messages in clear text format? Response: UDP FTP SCP TCP

The shipper, the broker and indexer, the search and storage, and the web interface

The Elasticsearch ELK (Elasticsearch, Logstash, and Kibana) stack is a powerful open-source analytics platform. What are the four major components in the Logstash ecosystem? Response: The shipper, the broker and indexer, the search and storage, and the web interface The shipper, the broker and indexer, the search and storage, and the IIS exchanger The shipper, the broker and complexer, the search and storage, and the web interface The shipper, the indexer, the search, and the web interface

service account

When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server? Response: user account listening port service account software environment

Cisco NBAR

The following figure displays a Cisco IOS command output on a router. What IOS service is being used to determine the protocols and ports associated with different applications traversing the router? Response: Cisco NBAR Cisco SIO Cisco CBAC Cisco IPS

DNS name servers are responsive and cannot find the requested domain name

The following figure illustrates a Wireshark packet capture. The DNS communication is being analyzed. What conclusion can be drawn from the given capture? Response: DNS name servers are responsive and cannot find the requested domain name DNS name servers are responsive and have resolved the FQDN to IP address DNS name server is operating over a nonstandard port 25559 DNS name servers are not responding to user requests

OpenProject

There have been multiple technologies and solutions to manage, deploy, and orchestrate containers in the industry. Which of the following isn't a valid container orchestration tool/platform? Response: OpenProject Kubernetes Nomad Apache Mesos

router advertisement

Which ICMPv6 message type provides network addressing information to hosts that use SLAAC? Response: router solicitation neighbor advertisement neighbor solicitation router advertisement

Rule-based access controls

What type of access control is being used in the following example? User <level> A = <read/write/list/delete> access to file storage B User 1 <Level 0>: Can read, write, list, delete the objects User2 <Level 1>: Can read, write, list the objects User3 <Level 2>: Can read, list the objects User4 <Level 3>: Can only list the objects Response: Resource-based access controls Rule-based access controls Checksum-based access controls Mandatory access controls

Rule-based access controls

What type of access control is typically used by firewalls? Response: Rule-based access controls Task-based access controls Mandatory access controls Discretionary access controls

Access control policies allow you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network. Next-generation firewalls and next-generation IPSs help you identify and mitigate the effects of malware. The FMC file control, network file trajectory, and advanced malware protection (AMP) can detect, track, capture, analyze, log, and optionally block the transmission of files, including malware files and nested files inside archive files.

What are some of the characteristics of next-generation firewall and next-generation IPS logging capabilities?(Select all that apply.) Response: With next-generation firewalls, you can only monitor malware activity and not access control policies. Access control policies allow you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network. Next-generation firewalls and next-generation IPSs help you identify and mitigate the effects of malware. The FMC file control, network file trajectory, and advanced malware protection (AMP) can detect, track, capture, analyze, log, and optionally block the transmission of files, including malware files and nested files inside archive files. AMP is supported by Cisco next-generation firewalls, but not by IPS devices.

Syslog, Console, ASDM, Email, Buffered

What are some of the common logging destinations used by administrators on Cisco ASA? Response: Syslog, Console, ASDM, Email, Buffered Syslog, Console, Buffered, Flash, TrustSec RAM, Flash, Terminal, SDM, LDAP Console, Syslog, Firepower, SNTP

Individual investigations: These investigations often take the form of ediscovery Public investigations: These investigations are resolved in the court of law Private investigations: These are corporate investigations

What are the three broad categories of digital forensic investigations? Response: Individual investigations: These investigations often take the form of ediscovery Open investigations: These are conducted by the press and media Public investigations: These investigations are resolved in the court of law Private investigations: These are corporate investigations

CRL OCSP

What are two methods to maintain certificate revocation status? (Choose two.) Response: CRL DNS subordinate CA OCSP LDAP

WinDBG

What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits? Response: WinDbg Firesheep Skipfish AIDE

Shared responsibility model

What does the following figure represent (blue boxes represents customer, light blue represents cloud provider)? Response: Cloud service models None of these Mutual responsibility models Shared responsibility model

EMM life cycle

What does the following image represent? Initiation==>Development==>Implementation==>Operation & Maintenance==>Disposal Response: BYOD life cycle BYOL life cycle ENM life cycle EMM life cycle

It provides a centralized platform

What is a benefit of agent-based protection when compared to agentless protection? Response: It Lowers maintenance costs It provides a centralized platform It collects and detects all traffic locally It manages numerous devices simultaneously

A computer program that runs as a background process rather than being under direct control of an interactive user

What is a daemon? Response: A program that manages the system's motherboard A program that runs other programs A computer program that runs as a background process rather than being under direct control of an interactive user The only program that runs in the background of a Linux system

They cannot detect zero-day (or day-0) attacks.

What is a shortcoming of a signature-driven intrusion detection system (IDS)? Response: They cannot be implemented in promiscuous mode, only in inline mode They cannot detect traffic anomalies They cannot detect zero-day (or day-0) attacks. They are available only in network mode and not in host mode.

Tor browser

What is illustrated in the following figure? Response: Onion routing Tor browser Encrypted traffic analysis Tor network

Windows Event Viewer

What is shown in the following image? Response: Linux Syslog Linux Event Viewer Windows Event Viewer Random OS startup eventsx

Deploying a proxy or inline security solution

What is the best defense for traffic fragmentation attacks? Response: Deploying a passive security solution that monitors internal traffic for unusual traffic and traffic fragmentation Deploying a next-generation application layer firewall Configuring fragmentation limits on a security solution Deploying a proxy or inline security solution

Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis

What is the difference between statistical detection and rule-based detection models? Response: Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a period of time Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis Statistical detection involves the evaluation of an object on its intended actions before it executes that behavior Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on an IF/THEN basis

edge router

What is the first line of defense when an organization is using a defense-in-depth approach to network security? Response: proxy server firewall IPS edge router

It provides log correlation.

What is the main advantage of SIEM compared to a traditional log collector? Response: It provides log storage. It provides log correlation. It provides a GUI. It provides a log search functionality.

All of these

What sorts of attacks can be inferred from the following FMC dashboard? Response: All of these Malware activity URL phishing DNS phishing

255.255.240.0 Explain: The slash notation /20 represents a subnet mask with 20 1s. This would translate to: 11111111.11111111.11110000.0000, which in turn would convert into 255.255.240.0.

What subnet mask is represented by the slash notation /20? Response: 255.255.255.0 255.255.255.248 255.255.255.192 255.255.240.0 255.255.224.0

PKCS #7

Which one of the following defines standards for encrypting and decrypting messages and disseminating certificates under a PKI? Response: PKCS #7 PKCS #1 PKCS #3 PKCS #10

management

Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies? Response: CSIRT PSIRT public affairs management

management

Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident? Response: human resources IT support the legal department management

role-based

Which access control model assigns security privileges based on the position, responsibilities, or job classification of an individual or group within an organization? Response: rule-based role-based discretionary mandatory

The security offered is a result of the difficulty of calculating the product of two large prime numbers

Which answer is incorrect in context to the Diffie-Hellman (DH) algorithm? Response: The security offered is a result of the difficulty of calculating the product of two large prime numbers It is used for distribution of a shared key, not for message encryption and decryption It was the first public key exchange algorithm It is most commonly used with virtual private networks (VPNs)

ipconfig /all

Which command can be used to verify the MAC address on a Windows system? Response: ifconfig ipconfig ipconfig /all ifconfig /all

CDFS

Which file system type was specifically created for optical disk media? Response: ext3 HFS+ CDFS ext2

EXT4

Which filesystem is currently being used on Linux systems? Response: HFS+ FAT32 EXT4 APFS

MAC (Mandatory Access Control)

Which of the following access control models is implemented in government agencies? Response: MAC DAC Role-based Time-based

nmap Nexpose Nessus

Which of the following are examples of vulnerability and port scanners?(Select all that apply.) Response: SuperScan nmap Nexpose Nessus

All of the answers are correct.

Which of the following are steps in the cyber kill chain? Response: Weaponization C2 Installation All of the answers are correct.

DES, AES

Which of the following are symmetric encryption ciphers? Response: RSA, AES MD5, DES AES, MD5 DES, AES

DNScat-P DNScat-B

Which of the following are the most common tools used for deploying DNS tunneling and can also be used to detect DNS tunneling? Response: DNScat-P OpenVAS DNScat-B Scapy

Whaling

Which of the following attacks is designed to target the high-profile employees of an organization? Response: Vishing Whaling Spear-phishing Social engineering

Secure Hash Algorithm (SHA) Message Digest Algorithm 5 (MD5)

Which of the following hashing algorithms are used in IPsec?(Select all that apply.) Response: AES 192 AES 256 Secure Hash Algorithm (SHA) Message Digest Algorithm 5 (MD5)

All of these answers are correct.

Which of the following is an example of an action step from the cyber kill chain? Response: Attacking another target Taking data off the network Listening to traffic inside the network All of these answers are correct.

Phishing

Which of the following is not a direct threat to access control mechanisms? Response: Phishing Cross-site scripting Dictionary attacks Man-in-the-middle attacks

It does not have visibility into encrypted traffic.

Which of the following is not a disadvantage of host-based antimalware? Response: It requires updating multiple endpoints. It does not have visibility into encrypted traffic. It does not have visibility of all events happening in the network. It may require working with different operating systems.

Color of eyes

Which of the following is not an example of PII? Response: Name Date of birth Color of eyes Email address

Adversaries use only one infrastructure component or capability to compromise a victim.

Which of the following is not true about the Diamond Model of Intrusion? Response: Adversaries use only one infrastructure component or capability to compromise a victim. Meta-features are not a required component of the Diamond Model. Technology and social metadata features establish connections between relations. A diamond represents a single event.

Services control panel applet

Which of the following is used to disable a service on a Windows device? Response: Task Manager Services control panel applet Performance Monitor All of the above

Recovery

Which of the following phases of incident response focuses on performing data recovery? Response: Recovery Eradication Post-incident activity Detection

DNS (Domain Name System)

Which of the following protocols is associated with the service port 53? Response: DHCP SMTP HTTP DNS

system|log

Which of the following regexes allows you to show data containing either the word system or log? Response: .system|log system|log /system|log None of the above

10\.10\.0\..*

Which of the following regular expressions (regex) will match any IP address on the 10.10.0.0/24 network? Response: 10\.10\.0\..* %10.10.0.0* %10.10.0\.$ 10.[10..0].0

10\.1\.2\..*

Which of the following regular expressions will match any IP address on the 10.1.2.0/24 network? Response: %10.1.2\.$ 10\.1\.2\..* ^10.1.2.0 10.[1..2].0

Latency is a delay in throughput detected at the gateway of the network.

Which of the following statements is not true about host profiling? Response: Latency is a delay in throughput detected at the gateway of the network. Throughput is typically measured in bandwidth. In a valley there is an unusually low amount of throughput compared to the normal baseline. In a peak there is a spike in throughput compared to the normal baseline.

RAT

Which of the following types of malware allows a hacker to gain remote control of a victim's system? Response: Spyware Worm Ransomware RAT

WPA2

Which of the following wireless security standards uses AES to handle data encryption? Response: WPA2 WPA WEP All of the above

grep invalid\ user.*ssh /var/log/auth.log

You are responding to a security incident and collected logs from a Linux system. You notice that there are thousands of entries in /var/log/auth.log, but you need to filter out valid connections and display only invalid user entries. The following example shows a few of the log entries: Apr 8 04:17:01 us-dev1 CRON[3754]: pam_unix(cron:session): session opened for user root by (uid=0) Apr 8 04:17:01 us-dev1 CRON[3754]: pam_unix(cron:session): session closed for user root Apr 8 05:17:01 us-dev1 CRON[3808]: pam_unix(cron:session): session opened for user root by (uid=0) Apr 8 05:17:01 us-dev1 CRON[3808]: pam_unix(cron:session): session closed for user root Apr 8 05:18:21 us-dev1 sshd[31199]: Failed password for invalid user admin from 10.1.2.3 port 49821 ssh2 Which of the following regular expression commands will display log messages for any invalid users attempting to connect to the Linux server? Response: grep invalid\ user.*ssh /var/log/auth.log grep $invalid-user$ssh2 /var/log/auth.log grep invalid^user.*10.1.2.3 /var/log/auth.log grep invalid.^user\ssh /var/log/auth.log

Peercoin

___ is a P2P crypto currency that utilizes both proof-of-stake and proof-of-work systems. Response: Peercoin Peercurrency Spotify Lionshare

MITRE

____ also provides a list of software (tools and malware) that adversaries use to carry out their attacks. Response: Cisco Talos SOCs OWASP MITRE

Agile

____ is a software development and project management process where a project is managed by breaking it up into several stages and involving constant collaboration with stakeholders and continuous improvement and iteration at every stage. Response: CI/CD model DevOps Agile Scrum

Caldera

_____ is an automated adversary emulation tool that was originally created by MITRE, but many security experts across the industry contribute to it. Response: Metasploit Caldera Cain MITRE ATT&CK