CYSA Dion Training Practice Exams


Which of the following frameworks is commonly used for sharing threat intelligence information in a standardized format?

Structured Threat Information Expression (STIX)

QRadar

A SIEM log management, analytics, and compliance reporting platform created by IBM

OSSIM (Open Source Security Information Management)

OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, QRadar, and Splunk are all proprietary, commercially licensed SIEM solutions.

Tcpdump

- tcpdump is a powerful command-line tool used for capturing and analyzing network packets in real-time, which would be effective for investigating unusual network traffic.

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? • Data custodian • Data steward • Data owner • Privacy officer

Data owner - A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives and somebody with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations.

Splunk

A market-leading big data information gathering and analysis tool that can import machine-generated data via a connector or visibility add-on

VirusTotal

A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content

IDS (Intrusion Detection System)

A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? • A DNS forward or reverse lookup • A zone transfer • A whois query • Using Maltego

A zone transfer

Which of the following types of attackers are considered to be a sophisticated and highly organized person or team who are typically sponsored by a nation-state? • Script Kiddie • Advanced Persistent Threat • Hacktivist • Ethical Hacker

Advanced Persistent Threat - Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? • Intrusion Detection System • VPN • Allowlisting • MAC filtering

Allowlisting

Allowlisting

Allowlisting is the process of configuring a spam filter to exempt certain email messages from being filtered or rejected. In this case, it refers to configuring your own corporate mail server so that it doesn't reject or filter the email campaigns you send via us Marketing Cloud.

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? • Trend • Anomaly • Heuristic • Behavior

Behavior

Behavior-based detection

Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert.

Which of the following is a characteristic of the Deep Web?

Contains information not indexed by standard search engines - The Deep Web contains information that is not indexed by standard search engines, making it invisible to conventional searches.

Which of the following is an example of an open-source intelligence feed? • IBM X-Force Exchange • Recorded Future • FireEye • Malware Information Sharing Project

Malware Information Sharing Project

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?

Enable sampling of the data

In the Cyber Kill Chain model, at which stage does an attacker take advantage of a system's vulnerabilities using the malicious payload that has been delivered, thereby initiating the actual attack?

Exploitation

In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements?

Feedback

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? • Scan the laptops for vulnerabilities and patch them • Increase the encryption level of VPN used by the laptops • Implement a jumpbox system

Implement a jumpbox system - A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop.

zone transfer

In DNS, the act of copying a primary name server's zone file to the secondary name server to ensure that both contain the same information.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

Returns all web pages containing an email address affiliated with diontraining.com

Jamario, a security analyst at Dion Training Solutions, received an email with the subject line "Your account is blocked by the administrator" which was flagged by the company's email security gateway. Suspicious of the email's origin, Jamario decides to conduct an email header analysis to verify the legitimacy of the email. In conducting an email header analysis, what should Jamario prioritize to verify the email's validity? • Review "Authentication-Results" for sender authorization. • Examine the "Received From" or "By" fields for a list of all MTAs that processed the email. • Look at the "Return-Path" to see where the email would be returned if undeliverable. • Check the "Envelope From" field for hidden sender information that could indicate spoofing.

Review "Authentication-Results" for sender authorization. - The "Authentication-Results" in the email header provide crucial information regarding the sender's domain and whether the message passed various authentication checks, which is vital in determining the email's legitimacy.

ArcSight

SIEM tool, SIEM log management and analytics software that can be used for reporting for legislation and regulations (HIPAA, SOX, PCI DSS)

Based on these scan results, which of the following services are NOT currently operating? • Web • Database • SSH

SSH - Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL).

User and Entity Behavior Analytics (UEBA)

Since ICS, SCADA and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, the use of user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? • Fingerprint and retinal scan • Password and security question • Smartcard and PIN • Username and password

Smartcard and PIN - Multi-factor authentication (MFA) creates multiple layers of security to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication.

You are conducting an investigation on a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? • Submit the files to an open-source intelligence provider like VirusTotal • Disassemble the files and conduct static analysis on them using IDA Pro • Run the Strings tool against each file to identify common malware identifiers • Scan the files using a local anti-virus/anti-malware engine

Submit the files to an open-source intelligence provider like VirusTotal

Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? • Suspend the machine and copy the contents of the directory it resides in • Perform a live acquisition of the virtual machine's memory • Suspend the machine and make a forensic copy of the drive it resides on • Shut down the virtual machine and make a forensic copy of its disk image

Suspend the machine and copy the contents of the directory it resides in - The best option is to suspend the machine and copy the contents of the directory as long as you ensure you protect the integrity of the files by conducting a hash on them before and after copying the files. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, you can simply copy the entire Copying the folder will give all the information needed, but the virtual machine should not be powered off because creating a copy of the drive is not necessary.

You are a cybersecurity analyst investigating a potential network issue at your company. You suspect there is unusual traffic on your company's network. Which of the following would be the most effective command-line tool for capturing and analyzing network packets in real-time to investigate this issue?

Tcpdump

Threat hunting

The utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system.

Which of the following is NOT a host-related indicator of compromise? • Processor consumption • Drive capacity consumption • Beaconing • Memory consumption

• Malicious processes - A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and is not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system called? • Incident response • Penetration testing • Threat hunting • Information assurance

Threat hunting

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take in order to analyze the suspected APT activity? • Use the IP addresses to search through the event logs • Analyze the trends of the events while manually reviewing them to see if any indicators match • Create an advanced query that includes all of the indicators and review any matches • Scan for vulnerabilities with exploits known to previously have been used by an APT

Use the IP addresses to search through the event logs • Analyze the trends of the events while manually reviewing them to see if any indicators match • Create an advanced query that includes all of the indicators and review any matches • Scan for vulnerabilities with exploits known to previously have been used by an APT

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? • Installation of anti-virus tools • Use of a host-based IDS or IPS • Implement endpoint protection platforms • User and entity behavior analytics

User and entity behavior analytics

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed 'history' into the prompt and see the following:

Which of the following best describes what actions were performed by this line of code? • Attempted to conduct a SYN scan on the network • Conducted a ping sweep of the subnet - This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply back from the target of the ping. A ping sweep does not use a SYN scan; that would require the use of a tool like nmap or hping. • Conducted a sequential ICMP echo reply to the subnet • Sequentially sent 255 ping packets to every host on the subnet

Which type of threat will patches NOT effectively combat as a security control? • Zero-day attacks • Known vulnerabilities • Discovered software bugs • Malware with defined indicators of compromise

Zero-Day Attacks

Upon discovering a vulnerability alert indicating that an attack on a device in your network could lead to unauthorized access and potential compromise of PII and sensitive data, what immediate mitigation strategy could you implement in the absence of an available patch? • Honeypot • Jumpbox • Zero-trust • Containerization

Zero-trust - Zero-Trust security models assume no trust is given to devices by default, regardless of their location within or outside the network. Implementing a Zero-Trust framework could restrict access to PII and sensitive data, effectively mitigating the risk until a patch is available by continuously verifying trust before granting access to resources.

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that a data breach will cost them $120,000 for each occurrence. Based on her analysis, she believes that a data breach will occur once every four years and have a risk factor of 30%. What is the ALE for a data breach within Jamie's organization? • $9,000 • $36,000 • $90,000 • $360,000

• $9,000 - The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

Which of the following is typically used to secure the CAN bus in a vehicular network? • Anti-virus • Airgap • Endpoint protection • UEBA

• Airgap - The majority of vehicles do not currently have a mechanism by which an attacker can remotely access a vehicle. However, there have been numerous demonstrations where the CAN bus can be accessed and corrupted through an available diagnostic port within the automobile or unmanned aerial vehicle. The most typical security measure used is an airgap between a vehicle's entertainment system (which may have internet access) and the vehicle's CAN bus. Endpoint protection, anti-virus, and user and entity behavior analytics (UEBA) are not usually installed in vehicular networks as a security measure.

While reviewing the system performance logs, Jamario, a security analyst at TechDefenders Inc., observes a consistent pattern of excessive resource utilization that cannot be attributed to any known processes or applications. Given the stealthy nature of the suspected intrusion, which investigative approach would BEST help Jamario uncover hidden malicious activities that may be escaping traditional detection methods? • Analyzing persistent storage for unusual file creation. • Inspecting inter-process communication for unauthorized data exchanges. • Scanning with heuristic-based detection tools. • Conducting a thorough examination of current operational data within the system's volatile storage.

• Analyzing persistent storage for unusual file creation. - Checking for unexpected files might miss threats that do not interact with the storage media directly.

Trixy, a cybersecurity analyst at Kelly Innovations LLC, has been tasked with investigating a potential breach of the company's web application. After a recent update, the application has been behaving erratically, with unexpected data outputs and system calls that were not present before the update. The analyst has several data sources at their disposal to look for indicators of compromise. Which of the following data sources would BEST help identify indicators of compromise on Trixy? • Reviewing the network flow data to assess anomalies in traffic patterns. • Analyzing the application logs for unexpected behaviors and procedural calls. • Checking the user access logs for failed or anomalous authentication attempts. • Investigating the physical access logs for any unauthorized access to the server room.

• Analyzing the application logs for unexpected behaviors and procedural calls.

What information should be recorded on a chain of custody form during a forensic investigation? • The list of individuals who made contact with files leading to the investigation • The list of former owners/operators of the workstation involved in the investigation • Any individual who worked with evidence during the investigation • The law enforcement agent who was first on the scene

• Any individual who worked with evidence during the investigation - Chain of custody forms are forms that list every person who has worked with or who has made contact with the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn't collect the evidence).

In your role as a cybersecurity consultant, your client wants to augment their authentication protocols to boost security while reducing the reliance on traditional passwords. Which authentication strategy would BEST meet these requirements? • Authentication Tokens • Password Complexity Rules • Security Questions

• Authentication Tokens - Authentication tokens are a form of passwordless authentication. These tokens provide a unique, temporary code that authenticates the user's identity. This method increases security as it reduces the reliance on memorized passwords and is less susceptible to traditional password-based attacks.

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that data fragments from the file exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data? • Hashing • Defragmentation • Disk Imaging • Carving

• Carving - File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at sector/page level and attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file that identifies its type.

Which of the following elements is LEAST likely to be included in an organization's data retention policy? • Minimum retention period • Classification of information • Maximum retention period • Description of information that needs to be retained

• Classification of information - Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy, but instead would be a key part of your organization's data classification policy.

What best describes the meaning of this output? • There is an unknown bug in an Apache server with no Bugtraq ID • Connecting to the host using a null session allows enumeration of the share names on the host • Windows Defender has a known exploit that must be resolved or patched • There is no CVE present, so this is a false positive caused by Apache running on a Windows server

• Connecting to the host using a null session allows enumeration of the share names on the host - This is the result of a vulnerability scan that conducted an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp), that have been found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? • Forensic analysis report • Chain of custody report • Trends analysis report • Lessons learned report

• Lessons learned report - The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future.

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed there has been a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events? • SQL injection • Cross-site scripting • Cross-site request forgery • Rootkit

• Cross-site scripting - This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a pop-up window that collects passwords and uses that information to further compromise other accounts.

Your organization is concerned about potential leaks of sensitive data. Which technology should be deployed to identify and prevent unauthorized access to such data? • DLP • Firewalls • Anti-Virus • Encryption

• DLP - Data Loss Prevention (DLP) solutions play a crucial role in protecting an organization's sensitive information from unauthorized exposure. By identifying critical data, monitoring how it moves and is used across the network, and preventing unsanctioned access or transmission, DLP tools offer comprehensive protection against data breaches. These technologies can mitigate risks from both internal and external threats, safeguarding data whether it's at rest, in use, or in transit.

You are conducting threat hunting for an online retailer. Upon analysis of their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? • Beaconing • Data exfiltration • Introduction of new accounts • Unauthorized privilege

• Data exfiltration - If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise.

As a security analyst at a commercial organization, you are tasked with enhancing your company's defensive capabilities against cyber threats. Based on the intelligence-driven computer network defense framework by Lockheed Martin, which set of defensive actions should you prioritize to effectively protect your network, considering the legal limitations on 'hack back' activities? • Detect and Deny • Destroy and Degrade • Disrupt and Deceive • Degrade and Destroy

• Detect and Deny - Focusing on detecting the presence of adversaries and denying them access to your network is crucial. These defensive capabilities allow for the identification and prevention of unauthorized access, aligning with commercial legal limitations.

You are a security investigator at a high-security installation which houses significant amounts of valuable intellectual property. You are investigating the utilization of George's credentials and are trying to determine if his credentials were compromised, or if he is an insider threat. In the break room, you overhear George telling a coworker that he believes he is the target of an ongoing investigation. Which of the following steps in the preparation phase of the incident response was likely missed? • Conduct background screenings on all applicants • Development of a communication plan • Creating a call list or escalation list • Developing a proper incident response form

• Development of a communication plan - An established and agreed upon communication plan, which may also include a non-disclosure agreement, should be put in place to prevent the targets of an ongoing insider threat investigation from becoming aware of it. Even if it was later determined that George was innocent, the knowledge that he was being investigated could be damaging to both him and the company. If he was an insider threat who now suspects he is under investigation, he could take steps to cover his tracks or conduct destructive action.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? • SQL injection • Buffer overflow • Directory traversal • XML injection

• Directory traversal - This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

A hurricane had caused widespread power outages for your company's headquarters. Which of the following would you rely on to continue essential business operations? • Business Continuity Plan • Incident Response Plan • Network Topology Document • Disaster Recovery Plan

• Disaster Recovery Plan - A hurricane is a natural disaster, so the correct answer is the Disaster Recovery Plan. The Business Continuity Plan focuses on responses to disruptions other than natural disasters, so it is not the correct answer. Incident Response Plans focus on security events. A Network Topology Document would not be helpful if there is no power.

Which of the following BEST describes the primary concern when dealing with embedded system vulnerabilities? • Embedded systems can be difficult to patch, which can leave them vulnerable to attack • Embedded systems tend to only exist on legacy devices which means they can't be patched • Embedded systems use CANs which make them difficult to update • Embedded systems all make use of RTOS which makes them vulnerable to viruses

• Embedded systems can be difficult to patch, which can leave them vulnerable to attack - Embedded systems are typically designed to perform a specific task, and their firmware is often directly written to the hardware. This can make patching or updating the system difficult, leaving them potentially vulnerable if a security issue is discovered.

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? • Exact data match • Classification • Document matching • Statistical matching

• Exact data match - An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match fingerprints of the numbers instead based on their format or sequence.

If an attacker is able to compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all members of the domain, which type of attack is being used? • Pass the hash • Lateral movement • Pivoting • Golden ticket

• Golden ticket - A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well.

In a scenario where your company's web server cannot be patched due to compatibility issues with essential applications, what should be the primary action when deviations from the secure configuration baseline are detected? • System decommissioning • Enforce mandatory access controls • Implement compensating controls • Increase security training for IT staff

• Implement compensating controls - If patching isn't feasible, implementing compensating controls, such as enhanced network segmentation or additional monitoring, can maintain security by providing alternative protection measures.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? • Use of insecure functions • Insufficient logging and monitoring • Improper error handling • Insecure object reference

• Improper error handling - This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail in a way that allows the attacker to execute code or perform some sort of injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266.

If your organization needs to comply with GDPR due to its interactions with European customers, which framework would be the BEST to focus on when planning data protection strategies? • International Organization for Standardization (ISO) 27000 series • Payment Card Industry Data Security Standard (PCI DSS) • Open Web Application Security Project (OWASP) • Center for Internet Security (CIS) benchmarks

• International Organization for Standardization (ISO) 27000 series - The ISO 27000 series provides comprehensive guidelines for implementing a robust information security management system, crucial for complying with GDPR's strict data protection requirements.

You're working as a cybersecurity analyst at a mid-sized financial services firm. One afternoon, your network intrusion detection system (IDS) alerts you to suspicious activity on one of the company's main servers. Upon initial investigation, you confirm that the server has been infected with malware. What is the immediate next step to prevent further damage? • Isolate the infected server • Report to management • Eradicate the malware • Perform a forensic analysis

• Isolate the infected server - Once malware is detected, the immediate next step is to prevent further damage or spread by isolating the server. This could involve physically disconnecting the server or logically segregating it on the network. Once that is done, you should eradicate the malware, but preventing the spread by isolating the server is your first step. You may want to report to management once the immediate threat has been eliminated, but not until it has at least been isolated. Forensic analysis can take place after the threat has been isolated and eliminated.

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? • Image of the server's SSD • L3 cache • Backup tapes • ARP cache

• L3 cache - When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first, and the least volatile (least likely to change) last. You should always begin the collection with the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Then you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices.

Why do legacy systems pose challenges for organizations when it comes to patching and remediation? • Legacy systems often lack support and compatibility with newer patches • Legacy systems are more secure and less susceptible to vulnerabilities • Legacy systems are easier to patch due to their simplified architecture • Legacy systems have built-in security mechanisms that prevent the need for patching

• Legacy systems often lack support and compatibility with newer patches - Legacy systems are outdated and may no longer be actively supported by the vendor or manufacturer. As a result, compatibility issues arise when attempting to apply newer patches or updates, which can lead to system instability or disruptions. This challenge hinders organizations' ability to promptly remediate vulnerabilities in legacy systems.

During the Twitter security breach involving high-profile accounts, which of the following stakeholders was crucial for effective incident response coordination? • Legal counsel to mitigate risks from potential civil lawsuits and guide actions. • Customer support to handle increased volume of inquiries from the public. • The facilities team to manage physical access to buildings. • Product development to accelerate the release of new features.

• Legal counsel to mitigate risks from potential civil lawsuits and guide actions. - Having legal counsel is important for effective incident response coordination to mitigate risks from potential civil lawsuits and guide actions.

Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment? • NIST • OWASP • PCI DSS • ISO 27001

• NIST - NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the establishment of the program and provide a series of guidelines and best practices.

When assessing risks to your organization's IT infrastructure, which framework allows for prioritization based on the potential impact of threats? • NIST's Cybersecurity Framework • OWASP Top 10 • Center for Internet Security (CIS) Top 20 Critical Security Controls • ISO 31000

• NIST's Cybersecurity Framework - The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidance on risk prioritization based on the potential impact of threats, making it a valuable tool in a risk-based approach to security.

Which language would require the use of a decompiler during reverse engineering? • Ruby • Python • Objective-C • JavaScript

• Objective-C - Objective-C is a compiled language. Therefore, you will need to use a decompiler to conduct reverse engineering on it. Ruby, Python, and JavaScript are interpreted languages. Interpreted languages do not require the use of a decompiler to view the source code.

Which of the following are the four phases of an OODA loop? • Organize, Orchestrate, Design, Apply • Orchestrate, Observe, Deliver, Act • Orient, Organize, Detect, Apply • Observe, Orient, Decide, Act

• Observe, Orient, Decide, Act - The OODA (Observe, Orient, Decide, Act) loop was first created by US Military strategist Colonel John Boyd. COL Boyd famously demonstrated his thought model within the air-to-air combat domain with a high success rate. COL Boyd's claim was that he could begin any scenario with an adversary pilot directly behind him and, within a tactically short period of time, reverse the alignment so that he was behind his adversary.

As a security analyst at Dion Training, an online education company, specializing in cybersecurity, you are performing an impact analysis after detecting a network intrusion. Considering the potential damage to the company's reputation and operational capabilities, which aspect should be the primary focus of your impact analysis to determine the severity of the incident and prioritize response efforts? • Localized Impact • Organizational Impact • Immediate Impact • Total Impact

• Organizational Impact - Since the incident may affect mission-essential functions and a wide range of users, understanding the organizational impact is crucial for determining the urgency and scale of the response needed.

An e-commerce website for a clothing store was recently compromised by an attacker. Which of the following methods did the attacker use if they harvested an account's cached credentials when the user logged into an SSO system? • Pass the hash • Lateral movement • Pivoting • Golden ticket

• Pass the hash - Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well.

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability? • Perform an unauthenticated vulnerability scan on all servers in the environment • Perform a scan for the specific vulnerability on all web servers • Perform a web vulnerability scan on all servers in the environment • Perform an authenticated scan on all web servers in the environment

• Perform a scan for the specific vulnerability on all web servers - Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers is chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope and would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs.

Your organization has conducted a vulnerability scan of its network using Nessus and received a report with several vulnerabilities identified. Each vulnerability is accompanied by a Common Vulnerability Scoring System (CVSS) score, but some vulnerabilities have the same CVSS score while others have lower scores but affect critical systems. How should your organization approach these vulnerabilities? • Prioritize vulnerabilities by both CVSS score and the criticality of the affected systems • Prioritize vulnerabilities strictly by CVSS score • Remediate all vulnerabilities simultaneously • Ignore CVSS scores and prioritize by system criticality

• Prioritize vulnerabilities by both CVSS score and the criticality of the affected systems - This approach acknowledges that not all systems are equal and that some systems, if compromised, could have a more significant impact on the organization. It involves looking at the CVSS score to understand the severity of the vulnerability and also taking into account the criticality of the system when deciding on the order of remediation.

Among the following strategies for dealing with multiple known vulnerabilities, which one is deemed MOST crucial for their successful management and mitigation? • Prioritizing the risk level associated with each vulnerability • Deployment of anti-malware solutions. • Increased network monitoring. • Implementing a strong firewall.

• Prioritizing the risk level associated with each vulnerability - Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge.

Read Log File

• grep "10\.1\.0\.10\," firewall.log | grep "23$" - When using the dot in the IP address, you must remember to escape this character, or else grep treats it as a special regular-expression character that matches any character (except a line break). By adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).

A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step if they want to pivot to a protected system behind the DMZ? • Vulnerability scanning • Privilege escalation • Patching • Installing additional tools

• Privilege escalation - Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation prior to pivoting into the DMZ. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools, as this does not help them to achieve their goal of pivoting into the DMZ.

Your organization has identified several vulnerabilities in your system. The IT team is overwhelmed and unsure how to start addressing these issues while maintaining regular operations. What should be the primary strategy to manage this situation? • Proper Scheduling of Patching and Vulnerability Mitigation • Ad-hoc Patching • Outsourcing • Purchasing New Equipment

• Proper Scheduling of Patching and Vulnerability Mitigation - By appropriately scheduling patching and vulnerability mitigation activities, the IT team can systematically address the vulnerabilities without disrupting regular operations.

Which party in a federation provides services to members of the federation? • IdP • SSO • RP • SAML

• RP - Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game, but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased prior to the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? • Sensitive data exposure • Dereferencing • Broken authentication • Race condition

• Race condition - Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it.

A cybersecurity analyst is experiencing some issues with their vulnerability scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which of the following recommendations is LEAST likely to resolve this issue? • Add another vulnerability scanner • Reduce the scope of scans • Reduce the sensitivity of scans

• Reduce the sensitivity of scans - If the cybersecurity analyst were to reduce the sensitivity of the scans, it still would not decrease the time spent scanning the network and could alter the effectiveness of the results received. The issue in this scenario is that the scans, as currently scoped, are taking more than 24 hours to complete with the current resources. While the analyst could reduce the scope of the scans, thereby scanning fewer systems or vulnerability signatures and taking less time to complete, this would also not meet the current requirement of scanning all the scoped assets.

The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? • A discovery scan using a port scanner • Router and switch-based MAC address reporting • A physical survey • Reviewing a central administration tool like a SCCM

• Router and switch-based MAC address reporting - The best option is MAC address reporting coming from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port it is connected to on a network device.

Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this? • SoC • CAN • BAS • SCADA

• SCADA - A SCADA (supervisory control and data acquisition) network is a type of network that works off of an ICS (industrial control system) and is used to maintain sensors and control systems over large geographic areas. A building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. Vehicular networks are called a controller area network (CAN). A CAN uses serial communication buses to connect electronic control units.

What type of attack is being performed? • XML injection • SQL injection • Header manipulation • Cross-site scripting

• SQL injection - SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7.

If you want to conduct an operating system identification during an nmap scan, which syntax should you utilize? • nmap -os • nmap -O • nmap -id • nmap -osscan

• nmap -O - The -O flag indicates to nmap that it should attempt to identify the operating system of the target during the scanning process. It does this by evaluating the responses it received during the scan against its database of signatures for each operating system.

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? • Disable unused user account and reset the administrator credentials • Restrict shell commands per user or per host for least privilege purposes • Scan the network for additional instances of this vulnerability and patch the affected assets • Restrict host access to peripheral protocols like USB and Bluetooth

• Scan the network for additional instances of this vulnerability and patch the affected assets - All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network.

Your organization has been experiencing several cybersecurity incidents, including data breaches and compliance violations, that seem to stem from the software your team develops. What approach can you implement to systematically reduce these incidents? • Secure Software Development Life Cycle (SDLC) • Waterfall Model • Agile Development • Patch Management

• Secure Software Development Life Cycle (SDLC) - Implementing a Secure SDLC involves integrating security considerations into every phase of software development. This not only helps prevent security vulnerabilities but also ensures data protection, compliance with regulations, and reduces the chances of operational disruptions, making it the ideal approach to decrease the cybersecurity incidents your organization is experiencing.

You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase? • Sanitization • Reimaging • Setting permissions • Secure disposal

• Setting permissions - Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts. This is performed during the recovery phase. During the eradication phase, you would conduct sanitization, secure disposal, and reimaging.

Talia, a security analyst at Secure Solutions Inc., is tasked with improving the company's security posture by analyzing logs from various systems and applications. To streamline her workflow and enable real-time security alert analysis, which of the following tools would be BEST implemented in this situation? • Elastic Stack (ELK) • QRadar • Graylog • Splunk

• Splunk - Splunk specializes in big data analytics and provides real-time analysis of security alerts, fitting Talia's needs for immediate event correlation and analysis.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? • Syslog • Network mapping • Firewall logs • NIDS

• Syslog - The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.

Which of the following types of encryption would ensure the best security of a website? • SSLv1 • SSLv2 • SSLv3 • TLS

• TLS - Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, who developed the original SSL protocol.

You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system which has a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? • The attacker must have physical or logical access to the affected system • Exploiting the vulnerability requires the existence of specialized conditions • The attacker must have access to the local network that the system is connected to • Exploiting the vulnerability does not require any specialized conditions

• The attacker must have access to the local network that the system is connected to - The attack vector explains what type of access the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS).

You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? • Firewall logs showing the SMTP connections • The SMTP audit log from his company's email server • The full email header from one of the spam messages • Network flows for the DMZ containing the email servers

• The full email header from one of the spam messages - You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern.

You are a cybersecurity analyst for a mid-sized company. One day, you decided to perform a routine scan of your internal network using the Angry IP Scanner tool. The output returned was as follows:

IP            Ping     Hostname            Ports                       TTL
192.168.1.1   34 ms    router.domain.com   80, 443                     64
192.168.1.2   40 ms    pc1.domain.com      22, 80, 443                 128
192.168.1.3   Timeout  pc2.domain.com      -                           -
192.168.1.4   45 ms    unknown.device      21, 23, 25, 80, 443, 3389   64

Based on this output, which of the following represents a potential indicator of compromise (IoC) that should be investigated further? • The timeout response from 192.168.1.3 • The open ports 80 and 443 on 192.168.1.1 • The open port 22 on 192.168.1.2 • The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389

• The unknown device 192.168.1.4 with multiple open ports, including 21, 23, 25, and 3389 - The unknown device at 192.168.1.4 is a potential indicator of compromise (IoC) due to several reasons. First, the device is unknown, which suggests that it's not a recognized system within the network, thus raising suspicions. Secondly, it has multiple ports open, including 21 (FTP), 23 (Telnet), 25 (SMTP), 80 (HTTP), 443 (HTTPS), and 3389 (RDP). These ports being open could indicate services that are vulnerable to exploitation or are already being exploited, especially when they are on an unrecognized device. The combination of an unknown device and open ports commonly used for management or

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark: (See image) Based on your review, what does this scan indicate? • 192.168.3.145 might be infected with malware • 173.12.15.23 might be infected with malware • 173.12.15.23 might be infected and beaconing to a C2 server • 192.168.3.145 might be infected and beaconing to a C2 server • This appears to be normal network traffic

• This appears to be normal network traffic - The first line shows that a DNS lookup was performed. The second shows the response from the DNS server with the IP. The third begins a three-way handshake between an internal host and the site. The fourth is the SYN-ACK response from the site. The fifth is a standard Windows NetBIOS query that occurs within the LAN to translate human-readable names to local IP addresses. The sixth and seventh appear to be inbound requests to port 443 and port 8080, which were sent an RST by the firewall of the internal host since it is not running those services. None of this traffic appears to be suspicious.

Why is it important for organizations to have a clear understanding of the legal requirements regarding the disclosure of cyber incidents? • To comply with legal obligations and protect individuals' rights • To gain a competitive advantage in the market • To avoid negative stories circulating in the media and avoid reputational damage • To increase internal operational efficiency

• To comply with legal obligations and protect individuals' rights - Understanding the legal requirements for disclosing cyber incidents is essential to comply with relevant laws and regulations. It ensures that organizations fulfill their legal obligations to report incidents accurately and timely. Additionally, understanding these requirements helps protect individuals' rights by handling and disclosing information appropriately, and mitigates potential legal risks by avoiding non-compliance penalties or lawsuits.

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in the event of an incident. Which of the following best describes the company's risk response? • Avoidance • Transference • Acceptance • Mitigation

• Transference - Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities).

You suspect that a system's firmware has been compromised. Which type of firmware would provide resistance against such an attack? • Trusted Firmware • Standard Firmware • Custom Firmware • BIOS

• Trusted Firmware - Trusted Firmware is designed to be resistant to attacks, providing a secure foundation for system boot and operating system load.

Mark works as a Department of Defense contracting officer and needs to ensure that any network devices he purchases for his organization's network are secure. He utilizes a process to verify the chain of custody for every chip and component that is used in the device's manufacture. What program should Mark utilize? • Zero Trust • Trusted Foundry • Secure Enclave • Processor Security Extensions

• Trusted Foundry - The US Department of Defense (DoD) has set up a Trusted Foundry Program, operated by the Defense Microelectronics Activity (DMEA). Accredited suppliers have proved themselves capable of operating a secure supply chain, from design through to manufacture and testing. The Trusted Foundry program helps assure the integrity and confidentiality of circuits and manufacturing. The purpose is to help verify that agents of foreign governments are not able to insert malicious code or chips into the hardware being used by military systems.

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server's BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again? • Install an anti-malware application • Install a host-based IDS • Utilize secure boot • Utilize file integrity monitoring

• Utilize secure boot - Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.

Jamario, a security analyst at Dion Training Solutions, is investigating a potential impersonation attack where an employee received a request to transfer funds. Which of the following is the MOST effective step Jamario should take to examine and confirm the legitimacy of the email? • Review recent company-wide email communications. • Verify the email's internet header for origin clues. • Check with the finance department for similar requests.

• Verify the email's internet header for origin clues. - The internet header includes critical information such as the originating IP address and the path the email took, which can be instrumental in spotting impersonation or spoofing attempts.

