CYSA+
Option switch to make grep match strings case-insensitively
-i
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A.) Credentialed scan B.) Non-credentialed scan C.) Internal scan D.) External scan
A
You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? A.) \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b B.) \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b C.) \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b D.) \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b
A
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? A.) The beacon's protocol B.) The beacon's persistence C.) The beaconing interval D.) The removal of known traffic
A - A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely
What is a reverse proxy commonly used for? A.) Directing traffic to internal services if the contents of the traffic comply with the policy B.) Allowing access to a virtual private cloud C.) To prevent the unauthorized use of cloud services from the local network D.) To obfuscate the origin of a user within a network
A - A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' device
What type of file is commonly used to store configuration settings for a macOS system? A.) plists B.) The registry C.) config files D.) profile files
A - Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process
During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service? A.) The service is running on a port between 1024 and 49151 B.) The service is running on a port between 0-1023 C.) The vulnerability status of the service on the registered port D.) The service's name on the registered port
A - Registered Ports: 1024 to 49151 - Well-Known Ports: 0 to 1023
Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment? A.) SOAR B.) SIEM C.) MDM D.) DLP
A - SOARs help streamline IRT via orchestration - SIEMs ingest logs and event data, and are used to monitor and alert admins about security events
Which of the following is exploited by an SQL injection to give the attacker access to a database? A.) Web application B.) Database server C.) Firewall D.) Operating system
A - SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications
As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? A.) shodan.io B.) nmap C.) Review network diagrams D.) Google hacking
A - Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types (banner grabs for firmware/OS/app type, version, vendor ID info, etc)
Which of the following tools is useful for capturing Windows memory data for forensic analysis? A.) Memdump B.) Wireshark C.) dd D.) Nessus
A - Memdump, the Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use. - The dd tool is used to create forensic disk images. - Nessus is a commonly used vulnerability scanner.
Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? A.) Management network B.) External zone C.) Internal zone D.) Screened subnet
A - The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only - The other interfaces should NOT have the management interface exposed to them
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? A.) White team B.) Purple team C.) Blue team D.) Red team
A - White Team: acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, etc - Purple Team: made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.
You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? A.) nmap -sT B.) nmap -sS C.) nmap -O D.) nmap -sX
A - sS: Requires raw socket access on the scanning workstation, which this user does not have
An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system? A.) which bash B.) ls -l bash C.) printenv bash D.) dir bash
A - which bash: the system reports the file system path from which the bash command is being run. printenv prints the value of the specified environment variable (bash, in this example)
Which of the following is typically used to secure the CAN bus in a vehicular network? A.) Airgap B.) Endpoint protection C.) UEBA D.) Anti-virus
A (CAN Bus = Airgap network)
Define: Reverse Proxy
A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers - As opposed to forward proxies, which sit in front of the clients
Define: SED
A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device's contents
Define: TPM
A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU
You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) A.) Validate the installation of the patch in a staging environment B.) Document the change in the change management system C.) Take the opportunity to install a new feature pack that has been requested D.) Ensure all stakeholders are informed of the planned outage E.) Identify any potential risks associated with installing the patch F.) Take the server offline at 10 pm in preparation for the change
A, B, D, E
Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply) A.) Cross-site scripting B.) SQL injection C.) XML injection D.) Directory traversal
A,B,C,D (ALL)
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A.) Segmentation B.) Patching C.) NIDS D.) Disabling unused services
A,D - Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise - Additionally, you could disable unused services to reduce the footprint of the embedded ICS
What is an Exact Data match (referring to DLP systems)
An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence.
Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: - jason:rover123 - tamera:Purple6! - sahra:123Password - tim:cupcakes2 A.) Rainbow Attack B.) Hybrid Attack C.) Brute Force Attack D.) Dictionary Attack
B - All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found
Your company launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out. You noticed the website received three million requests in 24 hours, and the service has become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A.) MAC filtering B.) Implement an allow list C.) Intrusion Detection System D.) VPN
B - By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver
Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? A.) Data custodian B.) Data owner C.) Data steward D.) Privacy officer
B - Data owner: CIA Triad and Privacy of Info Assets - Data Steward: Data Quality - Data Custodian: Managing systems where data assets are stored - Privacy Officer: Oversight of PII/HPI/SPI
Which of the following is NOT considered part of the Internet of Things? A.) Smart television B.) Laptop C.) SCADA D.) ICS
B - ICS/SCADA environments contain many IoT devices (e.g. thermostats)
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure? A.) The data on the source drive was modified during the imaging B.) There are bad sectors on the destination drive C.) The data cannot be copied using the RAW format D.) The source drive is encrypted with BitLocker
B - If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? A.) Installation of a NIPS on both the internal and external interfaces of the router B.) Install a NIPS on the internal interface and a firewall on the external interface of the router C.) Configure IP filtering on the internal and external interfaces of the router D.) Install a firewall on the router's internal interface and a NIDS on the router's external interface
B - NIPS on internal interface: the NIPS inspects traffic and provides additional protection (less powerful than a firewall, so it is used internally) - Firewall on external interface: allows bulk malicious traffic to be filtered
Which of the following secure coding best practices ensures a character like < is translated into the &lt; string when writing to an HTML page? A.) Input validation B.) Output encoding C.) Session management D.) Error handling
B - Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page
You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? A.) Leverage security frameworks and libraries B.) Obscure web interface locations C.) Implement identity and authentication controls D.) Implement appropriate access controls
B - This recommendation is based on security through obscurity and is not considered a good security practice.
Which of the following is the most difficult to confirm with an external vulnerability scan? A.) Unpatched web server B.) Blind SQL Injection C.) Cross-site request forgery (XSRF/CSRF) D.) Cross-site scripting (XSS)
B - Vulnerability scanners can't confirm that a blind SQL injection has previously occurred
You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A.) Firewall logs showing the SMTP connections B.) The full email header from one of the spam messages C.) The SMTP audit log from his company's email server D.) Network flows for the DMZ containing the email servers
B - You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email
Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE) A.) A webshell is installed on a web server B.) Wait for a user to click on a malicious link C.) Take advantage of a software, hardware, or human vulnerability D.) Select backdoor implant and appropriate command and control infrastructure for operation E.) Wait for a malicious email attachment to be opened F.) A backdoor/implant is placed on a victim's client
B, C, E - During this phase, exploitation activities are conducted against the target's system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attachment to be opened, or waiting for a user to click on a malicious link are all part of the exploitation phase
A cybersecurity analyst is analyzing an active intrusion into their network. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? A.) Logically isolate the PAYROLL_DB server from the production network B.) Conduct a Nessus scan of the FIREFLY server C.) Conduct a data criticality and prioritization analysis D.) Hardening the DEV_SERVER7 server
C - While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection (the other names don't indicate purpose; those servers could hold more important information)
Which of the following would be used to prevent a firmware downgrade? A.) HSM B.) SED C.) eFUSE D.) TPM
C - eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones
Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) A.) Network access control B.) Authentication C.) Encryption D.) MAC filtering E.) Physical accessibility F.) Port security
C,E
Define: DNS Sinkholing
Uses list of known malicious domains/IPs and creates a fake reply from internal DNS servers (preventing data from reaching it)
Define: eFUSE
eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number.
What is Statistical Matching (referring to DLP systems)
A further refinement of partial document matching that uses artificial intelligence or machine learning to analyze various data sources
Define: Pass the Hash (PtH)
the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system - allows the attacker to use the credentials on other systems, as well.
Define: IdP
validates authentication in SAML
Define: 'Credential Stuffing'
when an attacker tests username and password combinations against multiple online sites -Since both companies share a common consumption group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne's servers, they might attempt to use those credentials on Yoyodyne's servers, too
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? A.) Automated patch deployment B.) Log consolidation C.) Intrusion prevention system D.) Anti-virus software
C - Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first - Automated patches should never be conducted on ICS/SCADA networks
Which of the following actions should you perform during the post-incident activities of an incident response? A.) Create an incident summary report with in-depth technical recommendations for future resourcing and budgeting B.) Sanitize storage devices that contain any dd images collected to prevent liability arising C.) Perform evidence retention under the timescale defined by the regulatory or legal impact of the incident D.) Ensure confidentiality of the lessons learned report by not sharing it beyond the IRT who handled the investigation
C - Only the evidence retention option is entirely accurate (Incident Summary reports are for non-technical audiences)
Which of the following must be combined with a threat to create risk? A.) Exploit B.) Malicious actor C.) Vulnerability D.) Mitigation
C - R(isk)=T(hreat)*V(ulnerability)
A hacker developed an exploit that allows a player to purchase 1 life in a gaming app for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? A.) Broken authentication B.) Dereferencing C.) Race condition D.) Sensitive data exposure
C - Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? A.) Automatic updates B.) Configuration management C.) Vulnerability scanning D.) Scan and patch the device
C - The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? A.) An HTTP response that reveals an internal IP address B.) A cryptographically weak encryption cipher C.) A buffer overflow that is known to allow remote code execution D.) A website utilizing a self-signed SSL certificate
C - The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively.
Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A.) Shutdown the virtual machine off and make a forensic copy of its disk image B.) Perform a live acquisition of the virtual machine's memory C.) Suspend the machine and copy the contents of the directory it resides in D.) Suspend the machine and make a forensic copy of the drive it resides on
C - This procedure will store the virtual machine's RAM and disk contents
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? A.) Use data masking B.) Span multiple virtual disks to fragment data C.) Use full-disk encryption D.) Zero-wipe drives before moving systems
C - To mitigate the risk of data remanence, you should implement full disk encryption
You have tried to email yourself a file named "passwords.xlsx" from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred? A.) Blocking B.) Alert only C.) Tombstone D.) Quarantine
C - Tombstone: quarantines and replaces the original file with one describing the policy violation and how the user can rerelease it - Quarantine: denies access to the original file to the user (or possibly any user). - Blocking: prevents the user from copying the original file but retains access to it. - Alert Only: allows the copying to occur, but the management system records an incident and may alert an administrator.
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A.) Disassemble the files and conduct static analysis on them using IDA Pro B.) Scan the files using a local anti-virus/anti-malware engine C.) Submit the files to an open-source intelligence provider like VirusTotal D.) Run the Strings tool against each file to identify common malware identifiers
C - VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well.
What type of information will a Cisco switch log be configured to capture logs at level 7? A.) Emergencies B.) Warnings C.) Errors D.) Debugging
D
Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace? A.) Capitalism B.) Entrepreneurship C.) Recycling D.) Counterfeiting
D
Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate? A.) Unpatched operating systems on the server B.) SQL injections C.) Cross-site scripting D.) An endpoint security failure
D
Fail to Pass Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to an employee in the accounting department's personally-owned smartphone connected to the company's wireless network. The smartphone has been isolated from the network now, but the employee refuses to allow you to image their smartphone to complete your investigation forensically. According to the employee, the company's BYOD policy does not require her to give you her device, and it is an invasion of their privacy. Which of the following phases of the incident response process is at fault for creating this situation? A.) Detection and analysis phase B.) Containment phase C.) Eradication and recovery phase D.) Preparation phase
D - As part of the preparation phase, obtaining authorization to seize devices (including personally owned electronics) should have been made clear and consented to by all employees.
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output: - echo 127.0.0.1 diontraining.com >> /etc/hosts Which of the following best describes what actions were performed by this line of code? A.) Added the website to the system's allow list in the hosts file B.) Routed traffic destined for the localhost to the diontraining.com domain C.) Attempted to overwrite the host file and deleted all data except this entry D.) Routed traffic destined for the diontraining.com domain to the localhost
D - Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain to redirect a host to a malicious site
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A.) SMTP B.) SPF C.) DMARC D.) DKIM
D - DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism.
Which of the following vulnerabilities is the greatest threat to data confidentiality? A.) phpinfo information disclosure vulnerability B.) HTTP TRACE/TRACK methods enabled C.) SSL Server with SSLv3 enabled vulnerability D.) Web application SQL injection vulnerability
D - Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? A.) Classification B.) Statistical matching C.) Document matching D.) Exact data match
D - Exact Data Match: pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence
You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? A.) exFAT B.) FAT32 C.) NTFS D.) HFS+
D - HFS+ (Hierarchical File System Plus) is the default macOS file system
Which type of media sanitization would you classify degaussing as? A.) Clearing B.) Erasing C.) Destruction D.) Purging
D - Purging eliminates information such that it cannot feasibly be recovered even in a laboratory environment
Which of the following is ordered from MOST Volatile to LEAST Volatile? A.) Hard drive, Swap, CPU cache, RAM B.) RAM, CPU cache, Swap, Hard drive C.) Swap, RAM, CPU cache, Hard drive D.) CPU cache, RAM, Swap, Hard drive
D - The most volatile data resides in the CPU Cache since this small memory cache is overwritten quickly during computer operations. - Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shut down or the power is lost. - Third, you should collect the Swap file, a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations
Which of the following is usually not considered when evaluating the attack surface of an organization? A.) External and internal users B.) Websites and cloud entities C.) Software applications D.) Software development lifecycle model
D - The software development lifecycle model used by a company is purely an internal function relevant only to the development of custom software within the organization. Regardless of whether a waterfall or agile methodology is chosen, it does not directly affect the organization's attack surface
Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company from an incident. Which of the following best describes the company's risk response? A.) Acceptance B.) Mitigation C.) Avoidance D.) Transference
D - Transference (or sharing) means assigning risk to a third party - Avoidance means that the company stops doing an activity that is risk-bearing - Risk mitigation is the overall process of reducing exposure to or the effects of risk factors (Patching)
Which of the following functions is not provided by a TPM? A.) Binding B.) Sealing C.) Random number generation D.) User authentication E.) Remote attestation F.) Secure generation of cryptographic keys
D - User authentication is performed at a much higher level in the operating system
Define: HSM
A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? A.) Bastion hosts B.) Jumpbox C.) Airgap D.) Physical
B
You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file's data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data? A.) Hashing B.) Carving C.) Recovery D.) Overwrite
B
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? A.) Failed logins B.) Malicious processes C.) Unauthorized sessions D.) Off-hours usage
B
Define: Password Spraying
Authentication attack that focuses on attempting only one or two passwords per user
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A.) Enable QoS B.) Enable sampling of the data C.) Enable NetFlow compression D.) Enable full packet capture
B
A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred? A.) Financial breach B.) Privacy breach C.) Integrity breach D.) Proprietary breach
B
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? A.) Processor utilization B.) Virtual hosts C.) Organizational governance D.) Log disposition
B
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? A.) Fingerprint and retinal scan B.) Smartcard and PIN C.) Password and security question D.) Username and password
B
Which type of threat will patches NOT effectively combat as a security control? A.) Discovered software bugs B.) Zero-day attacks C.) Malware with defined indicators of compromise D.) Known vulnerabilities
B
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? A.) The cost of acquisition of the system B.) The type of data processed by the system C.) The depreciated hardware cost of the system D.) The cost of hardware replacement of the system
B
A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? A.) Returns no useful results for an attacker B.) Returns all web pages containing the text diontraining.com C.) Returns all web pages containing an email address affiliated with diontraining.com D.) Returns all web pages hosted at diontraining.com
C - Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wildcard character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign
During your analysis, you discover the following URL is used to access an application: - https://www.whamiedyne.com/app/accountInfo?acct=12345 You change the URL to end with 12346 and notice that a different user's account information is displayed. Which of the following type of vulnerabilities or threats have you discovered? A.) Race condition B.) XML injection C.) Insecure direct object reference D.) SQL injection
C
Which of the following is the most reasonable frequency to conduct a formal review of the organization's policies to ensure they remain up to date? A.) Quarterly B.) Every five years C.) Annually D.) Monthly
C
Which of the following is not considered a component that belongs to the category of identity management infrastructure? A.) LDAP B.) Auditing System C.) HR System D.) Provisioning Engine
C - A Provisioning Engine is responsible for coordinating user account creation and physical resources for users
A SOC analyst has detected the repeated usage of a compromised user credential on the company's email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase? A.) Perform a data criticality and prioritization analysis B.) Conduct training on how to search for indicators of compromise C.) Develop a communications plan that includes provisions for how to operate in a compromised environment D.) Prepare a jump bag or kit for use in the investigation
C - As part of your preparation phase, your organization should develop a communications plan that details which communication methods will be used during a compromise of various systems. If the analyst suspected the email server was compromised, then communications about the incident response efforts (including detection and analysis) should be shifted to a different communications path, such as encrypted chat, voice, or other secure means.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A.) Anomaly B.) Heuristic C.) Behavior D.) Trend
C - Behavior: engine is trained to recognize baseline traffic - Anomaly: prescribes the baseline for expected patterns based on its observation of what normal looks like - Heuristic: determines whether several observed data points constitute an indicator and whether related indicators make up an incident depending on a good understanding of the relationship between the observed indicators - Trend: not used for detection but instead to better understand capacity and the system's normal baseline.
Which of the following should a domain administrator utilize to BEST protect their Windows workstations from buffer overflow attacks? A.) Install anti-malware tool B.) Conduct bound checking before executing a program C.) Enable DEP in Windows D.) Install anti-spyware tool
C - DEP prevents code from being run in pages that are marked as nonexecutable. - Bounds checking is an effective way to prevent buffer overflows, but this must be written into the installed programs
Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first? A.) Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console B.) Ensure that all screen capture content is visibly watermarked C.) Ensure that each individual console has a unique key for decrypting individual licenses and tracking which console has purchased which game D.) Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute
C - Ensuring that each console has a unique key will allow the console manufacturer to track who has purchased which games when using digital rights management licensing. This can be achieved using a hardware root of trust, such as a TPM module in the processor
William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact? A.) Medium B.) Moderate C.) Low D.) High
C - FIPS 199 classifies any risk where "the unauthorized disclosure of information could be expected to have a limited adverse effect" as a low-impact confidentiality risk. Limited = Low; Serious = Moderate; Severe/Catastrophic = High
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) A.) journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo B.) journalctl _UID=1003 | grep -e [Tt]erri | grep sudo C.) journalctl _UID=1003 | grep -e 1003 | grep sudo D.) journalctl _UID=1003 | grep sudo
D - journalctl views logs collected by systemd
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? A.) MDM B.) SSL C.) UTM D.) DLP
D
Define: Credential Stuffing
Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts
What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system? A.) Comparing response fingerprints & Registry scanning B.) Banner grabbing and UDP response timing C.) Using the -O option in nmap and UDP response timing D.) Banner Grabbing and comparing response fingerprints
D
Define: Bastion Host
a special-purpose computer on a network specifically designed and configured to withstand attacks.
Define: Network Access Control (NAC)
an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement
What is Document Matching (referring to DLP systems)?
attempts to match a whole document or a partial document against a signature in the DLP
Define: DevSecOps
DevSecOps is a combination of software development, security operations, and systems operations and refers to the practice of integrating each discipline with the others
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?
False Positive
Define: Fuzzing
Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
Define: Regression Testing for code/software
Regression testing confirms that a recent program or code change has not adversely affected existing features
What is the correct order of the following steps in the Software Development Lifecycle's waterfall method? - Verification - Implementation - Testing - Requirements Analysis - Maintenance - Design - Retirement
Requirements Analysis, Design, Implementation, Verification, Testing, Maintenance, Retirement
UEFI Boot phases (in order)
Security -> Pre-EFI initialization -> Driver Execution Environment -> Boot Device Select -> Transient System Load -> Runtime