Cyber Security Final Exam
Which of the following BEST describes a beaconing intrusion?
A command issued to a botnet pool to verify that a bot is still alive.
Keith, a systems administrator, forgot to change the router's default credentials. What vulnerability could this cause?
An opening for attackers to exploit.
A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure Agency. Which source of Defensive OSINT does the Agency represent?
Government bulletins
An Information Security Project Manager needs to find resources that promote awareness of web application security issues and develop resources to educate developers and users. In addition, the project manager is looking for these resources to offer various testing tools to help organizations identify and fix security vulnerabilities. Which of the following resources would be BEST for the project manager to use?
OWASP
Which term describes the process of sniffing traffic between a user and server and then re-directing the traffic to the attacker's machine, where the information can be forwarded to either the user or server?
On-path
Which of the following is true about rule-writing?
Rules could be as simple as looking for unsuccessful logins or could include more complex behavioral patterns.
A support technician examines the Windows Registry for a host on a local area network (LAN). Which subkey should the technician use to find username information for accounts on the computer?
SAM
A security analyst is investigating an incident and needs to identify possible malicious activity within the network. Which technology should the analyst focus on to better manage network traffic and dynamically configure security policies?
SDN
Mary has been receiving text messages that contain links to malicious websites. Which type of attack is Mary a victim of?
SMiShing
Which of the following tools allows a domain owner to specify email servers that can send an email in the domain, and which servers are not allowed to send emails?
SPF
A security administrator wants to schedule regular vulnerability scans to maintain the security of the organization's systems and networks. What is the purpose of this process?
Scanning interval
There is an ongoing stress test of your company network that you are participating in. You have set up Ettercap to perform a DoS attack against a target server using the dos_attack plug-in, and it is currently running on a Kali Linux machine. So far, the target machine is handling the incoming traffic without noticeable service interruption. What might you do next?
Start additional DoS attacks from other machines, making this a DDoS attack.
Which of the following is a standard for sending log messages to a central logging server?
Syslog
A breach occurred in a company's customer database due to an insider threat. The incident response team has concluded its investigation and is moving on to the lessons learned phase. The team is meeting with staff to review the incident and its response. What is the purpose of this meeting?
To improve procedures for incident response
A company is implementing PKI to enhance the security of its network after a recent series of intercepted emails. What is the purpose of PKI in this context?
To verify the authenticity of digital documents and the identity of users or devices
A security analyst investigates a suspected network attack on a company's server. The analyst needs to capture and analyze network traffic to identify the source and type of attack. The analyst decides to use tcpdump and Wireshark for the analysis. Which of the following statements is true about tcpdump and Wireshark when used for network traffic analysis in a security investigation?
tcpdump and Wireshark are both network traffic capture and analysis tools that identify the source and type of an attack.
Which team is often used to oversee a tabletop exercise?
white
The recommendations in your IR report include details about what to do in response to the incident. Which of the following should be important characteristics of your response recommendations? (Select two.)
Actionable Specific
An IT professional responsible for managing critical infrastructure must ensure the SCADA system's security. Which vulnerability scanning methods would be the most appropriate?
Active Scanning
Which of the following BEST defines a vulnerability report action plan?
An action plan outlines the steps, resources, and timelines required to achieve specific goals in response to a vulnerability report.
The security team at a large organization is analyzing a recent cyberattack that targeted their network infrastructure. They must focus on the attack stages and the relationships between the adversary, infrastructure, and capabilities to understand the attack and plan for future security measures. What should the security team prioritize to address the current situation effectively and improve their security operations?
Analyzing the attack using the Diamond Model of Intrusion Analysis and the cyber kill chain
You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. What type of device should you use?
Anomaly-based IDS
You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for
Any results that show something unexpected being passed back from the server
An attacker is browsing social media accounts associated with a targeted organization. Why is the attacker MOST likely using social media in this manner?
Attackers can leverage social media as a vector to launch attacks against targets.
Which of the following are the three metrics used to determine a CVSS score?
Base, temporal, and environmental
A company is investigating a potential incident on its network. They have collected data and logs from various sources and are preparing to validate the integrity of the data. Why should the company avoid deleting irrelevant log entries during the incident response?
Because they may contain relevant evidence.
Which of the following SQL injection attack types uses true/false questions to perform reconnaissance?
Blind injection attack
When it comes to data monitoring, heuristics programs typically take one of several approaches. Which of the following are approaches that heuristics programs often take? (Select two.)
Bring a file into a virtual testing environment and running it to identify its behavior. Detect suspicious files through identification of genetic signatures that are similar to previously known malware.
A security administrator is struggling to prioritize vulnerability remediation due to resource constraints. Which of the following may inhibit the security administrator's task?
Business process interruption
An employee contacts a company system administrator complaining that each time they try to change a display configuration setting in the Windows operating system, the setting is restored to its original configuration. Which of the following is MOST likely causing this issue?
CCMS
A bitcoin millionaire logs into a crypto account and simultaneously checks their email. The millionaire sees an email tempting free bitcoin for answering survey questions. The bitcoin millionaire then clicks the link to answer the survey. Unfortunately, unbeknownst to the millionaire, the link initiates a transfer of funds from the user's crypto wallet to the wallet of a hacker syndicate. What type of vulnerability does this situation describe?
CSRF
Which statement BEST explains the importance of cloud system and network architecture concepts in security operations as they relate to hybrid and on-premises systems?
Cloud system and network architecture concepts are essential for securing both hybrid and on-premises systems.
How are cloud system and network architecture concepts essential for securing hybrid and on-premises systems?
Cloud system and network architecture concepts enable organizations to consolidate and streamline their security operations, regardless of where their data resides.
A large corporation has suffered a ransomware attack, significantly disrupting its operations and losing critical data. The attacker was able to exploit a known vulnerability in the organization's software due to a lack of proper updates. What could have helped prevent this attack?
Consistently applying patches using proper patch management procedures
During which phase of the incident response life cycle do you isolate affected systems and restrict communication to only trusted individuals?
Containment
The economic impact of an incident can be tangible or intangible. Which of the following costs would be considered intangible? (Select two.
Damage to reputation Loss of potential customers
A financial institution is experiencing persistent cyberattacks from unknown sources. Which of the following active defense approaches can the company deploy to outmaneuver the attackers and gain insights into their methodologies?
Deploying honeypots to attract and identify potential attackers.
A company's cybersecurity leadership team reviews its incident response plan (IRP) and wants to ensure it is fully prepared for potential disruptions to its business operations. The team considers the role of business continuity (BC) and disaster recovery (DR) in their IRP. Which options would be the most appropriate way for the team to integrate BC/DR in their IRP?
Develop and test BC/DR plans to ensure operational resilience.
During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?
Disconnect the access point from the network.
A security analyst performs incident response activities after a recent security incident. They need to analyze a suspicious email attachment and verify the email's authentication to determine the attack's origin. Which tool should the analyst utilize to accomplish these tasks?
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Which of the following are phases of an attack as described by the kill chain model? (Select three.)
Exploitation Actions on objectives Command and control
The chief information officer (CIO) has scheduled the quarterly vulnerability scan with a well-trusted vendor for Payment Card Industry Data Security Standard (PCI DSS). What particular scan provides a view of the company's internet-facing systems?
External Scanning
Which of the following are challenges that Key Performance Indicators (KPIs) can present to an organization? (Select two.)
False positives Irrelevant data
Troy, an expert hacker, needs to perform a pretexting operation against his target. But first, he needs to look at the building and the surrounding parking lots and entrances without driving by. Which tool would be his BEST option?
Google Maps
A cyber security specialist, responsible for threat intelligence and threat hunting in an organization, is looking to collect open-source intelligence (OSINT). The specialist wants to gather intelligence on potential cyber threats. Which sources should the cyber security specialist consider to achieve this information? (Select two.)
HTML code of an organization's web page Social Media Profiles
A hacker launches an attack that requires specialized knowledge and tools, including significant time and resources. What is the Attack Complexity score for this attack as part of the CVSS framework?
High
As a security analyst, you are tasked with monitoring a company's threat feed. Which of the following should you look for as part of your analysis?
IP addresses that might be malicious.
A company has increased the security operation center (SOC) budget to reassess its cybersecurity framework. The current company's framework revolves around the National Institute of Standards and Technology (NIST) guidelines. What other organizational framework could the company use its SOC budget for in order to achieve a better security posture?
ISO
A cybersecurity analyst has to identify active threats within their organization. To preserve relevant data and logs for potential legal proceedings, what action should the analyst take while conducting the investigation?
Implement a legal hold.
Implementing security controls is an essential component of mitigating application attacks. Which of the following security controls are often implemented for end-of-life or outdated components? (Select two.)
Implement compensating controls. Use containerization or virtualization.
A healthcare provider has recently experienced a data breach resulting from sniffing attacks against its employee web portal for authentication. The incident response team needs to provide recommendations for improving the organization's response plan. Which of the following recommendations would be the MOST effective?
Implementing multi-factor authentication
Which of the following is an example of a Key Performance Indicator (KPI) that can indicate a trend in an organization's cybersecurity incidents over time?
Indicators of Compromise (IoCs)
A security administrator is testing their organization's database server, which services a publicly accessible web application server. The security administrator sends unexpected input combined with arbitrary commands to the web application to determine whether the database server is vulnerable. What kind of vulnerability is the security administrator testing?
Injection flaws
Which of the following BEST describes the isolation-based containment method?
Involves disconnecting a device, VLAN, or network segment from the rest of the network
A cybersecurity team leader is working on a security incident that requires immediate remediation. To effectively address the issue and prevent further damage to the organization's systems, which of the following actions should the team take as a part of the security operations plan?
Isolate the affected systems from the network.
Which of the following BEST describes an attack methodology framework?
It assists in identifying malicious activity and providing a standardized approach to investigating and assessing potential threats.
A company's vulnerability management team has identified a critical vulnerability in its server software. The team has created an action plan to address the vulnerability and has identified patching as a key part of the plan. Why is this type of action plan a critical element of incident response activities?
It can prevent attackers from exploiting the vulnerability and causing damage to the company.
A technology company has experienced a security breach where an attacker gained unauthorized access to sensitive information on their servers. As a result, the company activates the incident response team and is investigating the breach. Why is collecting and preserving evidence important for incident response reporting and communication?
It can provide critical information for identifying the attacker and preventing future attacks.
Properly determining the scope of a security incident occurs during triage. Which of the following statements are true about the triage phase? (Select two.)
It is focused on determining a timeline of what, where, how, and when events occurred. It includes careful curation of the data and tools useful in locating any indicators of compromise.
Which of the following BEST describes the countermeasures you would take against a cross-site request forgery attack?
Log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details.
As a cybersecurity analyst dealing with a security breach that requires collecting digital evidence from multiple sources, what action should the analyst take to ensure the proper handling and preservation of the evidence?
Maintain a comprehensive log of actions during the evidence collection process.
File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?
Malware signature
A company is considering entering into a collaboration with a potential partner. The potential partner is a large, well-respected company with a strong track record in cybersecurity. The company has a concern about the potential partner's ability to comprehend and meet all its needs per its standard operating procedures. What is best to ensure mutual comprehension and communication methods short of legal recourse?
Memorandum of understanding (MoU)
During a digital forensic analysis, an analyst may generate what kinds of useful information? (Select three.)
Misconfig IoCs Vulnarabilities
Security vulnerabilities often manifest in a few common ways. Which of the following vulnerabilities involves using default settings, guessing, or using Google for help when provisioning services?
Misconfigurations
A security administrator has identified a new Zero-day vulnerability in the company's operating system. The administrator is responsible for addressing the vulnerability in the most efficient way possible. What action should the administrator take to address the vulnerability?
Mitigate the vulnerability using compensating controls.
A company has conducted a vulnerability assessment and identified multiple vulnerabilities in its system. However, the IT team has limited resources and cannot address all vulnerabilities at once. What are the MOST appropriate steps for the company to take in this situation? (Select two.)
Mitigate vulnerabilities as rapidly as possible, before a threat actor can exploit them.
A project manager needs to verify users and authorize access to systems and applications. Which security control should the project manager implement?
Multi-factor authentication
A company's IT security team must perform a comprehensive vulnerability assessment on its network infrastructure to identify potential security weaknesses and misconfigurations. The team requires a tool to scan various systems, devices, and applications and provide detailed reports with actionable recommendations. What tool can accomplish this task?
Nessus
A security analyst needs a data loss prevention (DLP) solution to prevent users from transferring data without authorization. What components typically makeup DLP solutions? (Select three.)
Network agents Endpoint agents Policy Server
Which of the following are metacharacters that need to be indicated as text when using them in a script?
New-line, space, and tab
As a member of your company's security team, you are currently monitoring data trends and investigating any deviations from those trends. Select the commonly used name for these deviations from the dropdown list below.
Outliers
Which of the following gives legal protection for information shared within an ISAC in the United States?
PCII program
Which of the following is true regarding a screened subnet (demilitarized zone)?
Packet filters on the inner firewall of the screened subnet prevent unauthorized traffic from reaching the private network.
A large financial institution is considering passwordless authentication and SSO as part of a new incident response and management plan to improve security and streamline operations. Which of the following is true about passwordless authentication and SSO in incident response and management?
Passwordless authentication and SSO can help reduce incident response and management time.
Which devices are responsible for forwarding packets in a virtual network?
Physical networking devices
A security analyst has identified a compromised system on the network and needs to take action to prevent further damage. The analyst has decided to implement compensating controls to limit the potential damage. After implementing compensating controls, the security analyst wants to isolate the compromised system from the network for further analysis. Which of the following is the BEST approach for isolating the system?
Physically disconnecting the system from the network
Which of the following attacks is a SYN flood attack an example of?
Protocol DDoS
The CIS benchmark implementation tool allows your organization to select and configure a set of CIS Benchmarks based on their industry and organization type. What else does the implementation tool allow you to do?
Provides access to a repository of detailed configuration settings for specific technologies and systems.
An attacker targets a web application and manipulates the URL to include a file path located on a separate server. Since the application does not properly validate the input, it executes the code residing in the remote file. As a result, the attacker can take control of the web application due to the code's execution. What type of vulnerability does this situation describe?
RFI
What are the benefits of network segmentation in security operations, specifically in relation to system and network architecture concepts and operating system (OS) concepts? (Select two.)
Reducing the attack surface by limiting access to sensitive resources Allowing for more effective monitoring of network traffic and detection of anomalous activity
Which type of KPI (Key Performance Indicator) indicates the percentage of cybersecurity resources an organization assigns to different areas (such as prevention and detection)? Select the correct answer from the drop-down list.
Resource Allocation
The following are several common Linux commands with a brief description on the right. Drag a command on the left to its appropriate description on the right.
Retrieves content from an HTTP server.-wget Displays the contents of a directory.-Ls Displays the content of a file.-cat Copies a file or directory.-cp Creates an empty file.-touch
A security engineer is looking to improve the security of their email system. The system has a built-in reporting mechanism showing what can improve overall security and rates the current setup. What component of vulnerability reporting does this feature relate to?
Risk Score
A tire sales and servicing company has implemented a security patch to fix a known vulnerability in their web server's ordering system. But shortly after implementation, the company receives calls from customers that the ordering system is no longer functioning as intended. What is the BEST course of action to take next?
Rollback
EternalBlue, also known as CVE-2017-0148, has a CVSS score of 9.3. It is an exploit that allows remote attackers to execute arbitrary code via crafted packets and applies to many Windows operating systems prior to recent versions of Windows 10, an extremely popular and ubiquitous operating system. Which CVSS metric is likely the most influential factor in generating such a high CVSS score?
Scope
Which of the following could inhibit vulnerability remediation and conflict with the implementation of security changes due to governing relationships with third-party service providers, being legally binding, and having the potential for significant financial impacts for failing to meet requirements?
Service-level agreement (SLA)
The lead security administrator of a diploma manufacturing and distribution company has discovered a vulnerability in the company's ordering software. Luckily, the software vendor has come out with a patch. The administrator would like to start work on this effort during the upcoming maintenance window. What is the BEST way to ensure that the patch does not cause any unintended consequences or disruptions to the system?
TEsting
Costs that are easily identifiable and quantifiable (such as damaged hardware, stolen passwords, and lost or corrupted data) are considered which type of impact?
Tangible
While analyzing network traffic on your company network, you see the following in Wireshark. What appears to be happening?
There is an ICMP flood attack.
Which of the following BEST describes the purpose of the wireless attack type known as wardriving?
To find information that will help breach a victim's wireless network.
A company experiences a security incident that results in a data breach. The incident response team conducts an investigation and implements the incident response plan. After the incident, the team reviews the lessons learned and identifies areas for improvement in the incident response plan. They decided to provide additional training to staff members to improve their knowledge of incident response procedures. What is the primary reason the team should review the lessons learned after the security incident?
To identify areas for improvement in the incident response plan
A company has experienced a series of cyber attacks over the past few months, including phishing emails, malware infections, and ransomware attacks. The security team wants to implement a new system to monitor and identify potential vulnerabilities. What type of metric can help the company process and prioritize remediation efforts?
Top 10 lists
Which of the following analysis methods involves looking at data over a period of time and then uses those patterns to make predictions about future events?
Trend
Converting the word ATTACK to \u0041 \u0054 \u0054 \u0041 \u0043 \u004b is an example of what obfuscation technique?
Unicode evasion
A security analyst is evaluating the company's infrastructure to optimize security operations. How can the analyst best improve the company's security operations?
Utilize virtualization
During which phase of the kill chain framework is malware code encapsulated into commonly used file formats, such as PDF files, image files, or Word documents?
Weaponization
You are testing a new application using a combination of known and unknown testing. How would you BEST describe this approach?
You are engaged in partially known testing.
There are different variations of shells that are used in Linux and Unix operating systems and each has its own syntax. Which of the following shell command processor types supports many plugins to expand its functionality?
Z Shell (zsh)
You want to display the following text on a command line from a shell script: Watermelons cost $6.99 today only! Which of the following commands would you use to make sure the text is displayed?
echo "Watermelons cost $6.99 today only!"
