CySA Practice Exam #3


B. Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:

https://test.diontraining.com/profile.php?userid=1546
https://test.diontraining.com/profile.php?userid=5482
https://test.diontraining.com/profile.php?userid=3618

What type of vulnerability does this website have?
A. Race condition
B. Insecure direct object reference
C. Improper error handling
D. Weak or default configurations

A.

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?
A. False positive
B. False negative
C. True positive
D. True negative

B. During the adversary's actions on objective phase, the adversary is already deep within the victim's network and has defeated all security mechanisms. If the adversary is attempting to exfiltrate data, implementing a quality of service approach could potentially slow down the rate at which information could be exfiltrated. This is considered a degradation to their effort by purposely manipulating service quality to decrease their transfer speeds.

According to Lockheed Martin's white paper "Intel Driven Defense," which of the following technologies could degrade an adversary's effort during the actions on the objectives phase of the kill chain?
A. Honeypot
B. Quality of service
C. NIPS
D. Audit log

D. The best option is all of the answers listed. SNMP doesn't report closed UDP ports, and SNMP servers don't respond to invalid information requests. The "no response" can mean that the systems cannot be reached (either internally or externally). If you entered an invalid community string, then SNMP will be unable to provide a response or report its findings.

An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst?
A. The machines are unreachable
B. The machines are not running SNMP servers
C. The community string being used is invalid
D. Any listed answers may be true

A. The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries.

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action?
A. Perform a DNS brute-force attack
B. Use a nmap ping sweep
C. Perform a DNS zone transfer
D. Use a nmap stealth scan

C. Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner.

Dion Training's new COO is reviewing the organization's current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization's policies to ensure they remain up to date?
A. Monthly
B. Quarterly
C. Annually
D. Every five years

D. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM).

In which phase of the security intelligence cycle do system administrators capture data to identify anomalies of interest?
A. Feedback
B. Analysis
C. Dissemination
D. Collection

C. The best solution is to design a report that provides all necessary information and configure it to send this report to the supervisor each month automatically. When possible, the use of automation should be encouraged.

Trevor is responsible for conducting the vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report?
A. Create an account for the supervisor to the vulnerability scanner so they can run their own reports
B. Run a report each month and then email it to his supervisor
C. Create a custom report that is automatically emailed each month to the supervisor with the needed information
D. Create an account for the supervisor's assistant so they can create their own reports

D. The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.

What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
A. XCCDF
B. CPE
C. CCE
D. CVE

A.

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system called?
A. Threat hunting
B. Penetration testing
C. Information assurance
D. Incident response

B. AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions?
A. AES
B. Blowfish
C. PKCS
D. SSL/TLS

B. Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis?
A. Forensic drive duplicator
B. Hardware write blocker
C. Software write blocker
D. Degausser

A. FIPS 199 classifies any risk where "the unauthorized disclosure of information could be expected to have a limited adverse effect" as a low impact confidentiality risk. If there were a serious adverse effect expected, then it would be a moderate impact. If there were a severe or catastrophic adverse effect expected, then it would be a high impact.

William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact?
A. Low
B. Medium
C. Moderate
D. High

C. Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out.

Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person cannot add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario?
A. Least privilege
B. Security through obscurity
C. Separation of duties
D. Dual control authentication

F. User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

Which of the following functions is not provided by a TPM?
A. Random number generation
B. Secure generation of cryptographic keys
C. Remote attestation
D. Binding
E. Sealing
F. User authentication

C. A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside of the assessment scope.

Which of the following information is traditionally found in the SOW for a penetration test?
A. Timing of the scan
B. Format of the executive summary report
C. Excluded hosts
D. Maintenance windows

B. There are four phases to the incident response cycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

Which of the following is NOT considered a phase in the incident response cycle?
A. Containment, eradication, and recovery
B. Notification and communication
C. Detection and analysis
D. Preparation

A. The human resource system may be a data source for identity management, but it is not part of the infrastructure itself.

Which of the following is not considered a component that belongs to the category of identity management infrastructure?
A. Human resource system
B. LDAP
C. Provisioning engine
D. Auditing system

A. Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel instead of a linear or sequenced approach.

Which of the following is the biggest advantage of using Agile software development?
A. Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel
B. Its structured and phase-oriented approach ensures that customer requirements are rigorously defined before development begins
C. Its inherent agility allows developers to maintain focus on the overall goals of the project
D. It can produce better, more secure, and more efficient code

B. A lessons-learned report is a technical report designed for internal use to improve incident response processes. An incident summary report is designed to distribute to stakeholders to reassure them that the incident has been properly handled. The incident summary report is usually not created to be an in-depth technical report, but instead is focused on a wider, non-technical audience.

Which of the following is the difference between an incident summary report and a lessons-learned report?
A. A lessons-learned report is designed for a non-technical audience
B. An incident summary report is designed for a non-technical audience
C. Both a lessons-learned report and an incident summary report are designed for a technical audience
D. Both a lessons-learned report and an incident summary report are designed for a non-technical audience

D. The majority of vehicles do not currently have a mechanism by which an attacker can access a vehicle remotely. However, there have been numerous demonstrations where the CAN bus can be accessed and corrupted through an available diagnostic port within the automobile or unmanned aerial vehicle. The most typical security measure used is an airgap between a vehicle's entertainment system (which may have internet access) and its CAN bus.

Which of the following is typically used to secure the CAN bus in a vehicular network?
A. Anti-virus
B. UEBA
C. Endpoint protection
D. Airgap

D. This would be best classified as a low technical impact. Since WHOIS data about the organization's domain name is publicly available, it is considered a low impact. This is further mitigated by the fact that your company gets to decide what information is actually published in the WHOIS data. Since only publicly available information is being queried and exposed, this can be considered a low impact.

Stephane was asked to assess the technical impact of a reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization's WHOIS data. Which category of technical impact should he classify this as?
A. Critical
B. High
C. Medium
D. Low

C. Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student's grades, and set all of this student's grades to an 'A' at the same time. It is common to look for a '1==1' type condition to identify an SQL injection.

A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry:

"select ID, GRADE from GRADES where ID=1235235; UPDATE GRADES set GRADE='A' where ID=1235235;"

Based on this transaction log, which of the following most likely occurred?
A. The application and the SQL database are functioning properly
B. A student with ID #1235235 used an SQL injection to give themselves straight A's
C. Someone used an SQL injection to assign straight A's to the student with ID #1235235
D. The SQL server has insufficient logging and monitoring

B. In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices.

A financial services company wants to donate some old hard drives from their servers to a local charity. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?
A. Secure erase
B. Cryptographic erase
C. Zero-fill
D. Overwrite

A, E. Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas.

A penetration tester is conducting an assessment of a wireless network that is secured using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)
A. Encryption
B. Network access control
C. Port security
D. Authentication
E. Physical accessibility
F. MAC filtering

C. Prefetch, a capability in modern web browsers, is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.

A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead, they were listed on the results page of their search engine query. Which of the following is the BEST explanation for what has occurred?
A. The standard approved browser was not being used by the analyst
B. A link related to the indicator was accidentally clicked by the analyst
C. Prefetch is enabled on the analyst's web browser
D. Alert is unrelated to the search that was conducted

A. Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server.

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?
A. The attack widely fragmented the image across the host file system
B. File formats used by some hypervisors cannot be analyzed with traditional forensic tools
C. You will need to roll back to an early snapshot and then merge any checkpoints to the main image
D. All log files are stored within the VM disk image, therefore, they are lost

D. The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information.

An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose?
A. RADIUS
B. TACACS
C. TACACS+
D. Kerberos

C.

An organization wants to get an external attacker's perspective on their security status. Which of the following services should they purchase?
A. Vulnerability scan
B. Asset management
C. Penetration test
D. Patch management

C. In Linux, you can chain together commands by piping data from one command's output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP address, you must remember to escape this character. Otherwise, grep treats it as a special character in a regular expression that matches any character (except a line break). By adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).

Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file:

DATE,FACILITY,CHAIN,IN,SRC,DST,LEN,TOS,PREC,TTL,ID,PROTO,SPT,DPT
Jan 11 05:33:59,lx1 kernel: iptables,INPUT,eth0,10.1.0.102,10.1.0.1,52,0x00,0x00,128,2242,TCP,2564,23

Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23?
A. grep "10.1.0.10," firewall.log | grep "23$"
B. grep "10\.1\.0\.10\," firewall.log | grep "23"
C. grep "10\.1\.0\.10\," firewall.log | grep "23$"
D. grep "10.1.0.10," firewall.log | grep "23"

A. NIST (National Institute of Standards and Technology) produced a useful patch and vulnerability management program framework in its Special Publication (NIST SP 800-40). It would be useful during the program's establishment and provide a series of guidelines and best practices.

Due to new regulations, your organization's CIO has the information security team institute a vulnerability management program. What framework would BEST support this program's establishment?
A. NIST
B. OWASP
C. SDLC
D. SANS

C. A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring an attacker up on criminal charges.

During which incident response phase is the preservation of evidence performed?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Post-incident activity

C. While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company's customers reside may still retain sovereignty over the data obtained from those regions during the course of the company's business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer's data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?
A. Data limitation
B. Data minimization
C. Data sovereignty
D. Data enrichment

C. Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization.

Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?
A. Increase network vulnerability scan frequency
B. Ensure all anti-virus signatures are up to date
C. Conduct secure supply chain management training
D. Verify that all routers are patched to the latest release

B. Since an incident has just occurred, it is important to act swiftly to prevent a reoccurrence. The organization should still take a defined and deliberate approach to choosing the proper controls and risk mitigations. Therefore, execution through a rational business management process is the best approach, including creating a prioritized list of recommendations. Once this list has been created, the organization can conduct a cost/benefit analysis of each recommendation and determine which controls and items will be implemented in the network based upon resource availability in terms of time, person-hours, and money. This process does not need to be a long-term study or filled with complexity. Instead, it should be rapidly conducted due to the probability that an attacker may compromise the network again.

Following an incident, the incident response team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches best describes what the organization should do next?
A. Immediately procure and install all of them because the adversary may reattack at any time
B. Submit a prioritized list with all of the recommendations for review, procurement, and installation
C. Conduct a cost/benefit analysis of each recommendation against the company's current fiscal posture
D. Contract an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts

A. Jeff should immediately change the repository from public to private to prevent further exposure of the source code.

Jeff has been contacted by an external security company and told that they had found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately?
A. Change the repository from public to private
B. Delete the repository
C. Reevaluate the organization's information management policies
D. Investigate if the source code was downloaded

B. Keith should compute a hash of the downloaded file and compare it against the MD5 hash digest listed on the server for this file. Comparing the two digests verifies that the file's integrity was not compromised during the download. This is an important step to ensure the file was not modified in transit during the download.

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?
A. File size and file creation date
B. MD5 or SHA1 hash digest of the file
C. Private key of the file
D. Public key of the file

C. Objective-C is a compiled language. Therefore, you will need to use a decompiler to conduct reverse engineering on it. Ruby, Python, and JavaScript are interpreted languages. Interpreted languages do not require the use of a decompiler to view the source code.

Which language would require the use of a decompiler during reverse engineering?
A. Ruby
B. Python
C. Objective-C
D. JavaScript

A. Most of these options are partially true, but only the evidence retention option is entirely accurate. If there is a legal or regulatory impact, evidence of the incident must be preserved for at least the timescale defined by the regulations. This can be a period of many years. If a civil or criminal prosecution of the incident perpetrators is expected, the evidence must be collected and stored using forensics procedures.

Which of the following actions should you perform during the post-incident activities of an incident response?
A. Perform evidence retention in accordance with the timescale defined by the regulatory or legal impact of the incident
B. Sanitize storage devices that contain any dd images collected to prevent liability arising from evidence collection
C. Create an incident summary report with in-depth technical recommendations for future resourcing and budgeting
D. Ensure confidentiality of the lessons learned report by not sharing it beyond the incident response team who handled the investigation

B, D. Safety and security of personnel should always be the first and most important overriding concern. In particular, this may apply in cases where SCADA/ICS equipment is present. Once the physical danger is abated, the second priority will be to prevent any further exfiltration of data or prevent the ongoing intrusion from spreading.

Which of the following are the two most important factors when determining a containment strategy?
A. Preservation of evidence
B. Ensuring the safety and security of all personnel
C. Identification of whether the intrusion is the primary attack or a secondary one (i.e., part of a more complex campaign)
D. Prevention of an ongoing intrusion or data breach
E. Avoidance of alerting the attacker that they have been discovered

B. Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems.

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?
A. ping
B. nmap
C. netstat
D. Wireshark

C. Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as a sturdy, short, vertical post.

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters?
A. Mantraps
B. Security guards
C. Bollards
D. Intrusion alarm

A. Common Vulnerabilities and Exposures (CVE) is an element of the Security Content Automation Protocol (SCAP) that provides a standard nomenclature for describing security flaws or vulnerabilities.

Which of the following provides a standard nomenclature for describing security-related software flaws?
A. CVE
B. SOX
C. SIEM
D. VPC

C. Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?
A. Fingerprint and retinal scan
B. Password and security question
C. Smartcard and PIN
D. Username and password

B, C. Network Access Control is used to identify an endpoint's characteristics when conducting network authentication. The GPS location of the device will provide the longitude and latitude of the user, which could be compared against the GPS coordinates of the building.

Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO)
A. Port security
B. NAC
C. GPS location
D. Geo-IP

B. LDAP can be used for single sign-on but is not a shared authentication protocol.

Which of the following technologies is NOT a shared authentication protocol?
A. OpenID Connect
B. LDAP
C. OAuth
D. Facebook Connect

A, C, D. During this phase, the adversary's exploitation activities are conducted against the target's system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attachment to be opened, or waiting for a user to click on a malicious link are all part of the exploitation phase.

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE)
A. Take advantage of a software, hardware, or human vulnerability
B. Select backdoor implant and appropriate command and control infrastructure for operation
C. Wait for a malicious email attachment to be opened
D. Wait for a user to click on a malicious link
E. A webshell is installed on a web server
F. A backdoor/implant is placed on a victim's client

B, C, E. Active defense refers to controls that perform a counterattack. Active defense means an engagement with the adversary, but this can be interpreted in several different ways. Laying traps such as decoy assets or deploying honeypots would be classified as an active defense. Another active defense technique is to implement fictitious DNS entries that can also be used to delay or slow down an adversary's enumeration of your network.

Which of the following would be part of an active defense strategy? (SELECT THREE)
A. Blocking adversary C2 infrastructure
B. Deploy a honeypot
C. Implement decoy assets
D. Installing a new IDS signature
E. Implement fictitious DNS entries
F. Deletion of adversary malware

B. ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space.

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where a program's components are run from in memory? ​ A. DLP​ B. ASLR​ C. DLL​ D. DEP

C. The large increase in network utilization on dbsvr01 makes it the server to suspect and investigate further. Its historical utilization is only 3.15 GB, but the current period shows 24.6 GB, nearly eight times the baseline, while the other three servers stayed within about ten percent of their baselines. A sudden jump of that size on a database server is consistent with compromise and data exfiltration.

You are analyzing the following network utilization report because you suspect one of the servers has been compromised.

IP Address     Name         Uptime            Historical  Current
192.168.20.2   web01        7D 12H 32M 06S    42.6 GB     44.1 GB
192.168.20.3   webdev02     4D 07H 12M 45S    1.95 GB     2.13 GB
192.168.20.4   dbsvr01      12D 02H 46M 14S   3.15 GB     24.6 GB
192.168.20.5   marketing01  2D 17H 18M 41S    5.2 GB      4.9 GB

Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? ​ A. web01​ B. webdev02​ C. dbsvr01​ D. marketing01
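The reasoning behind this answer (flag the host whose current volume is a large multiple of its baseline while its peers stay flat) is easy to turn into a check that runs over the report itself. The following is an added example written for this page, not code from the original question or from Dion Training; the report text is a constructed copy of the table above, and the thresholds (three times baseline and at least 1 GiB of growth) are assumptions chosen so that normal fluctuation does not trip the alert.

```python
import re

# Constructed copy of the utilization report shown in the question (plain text, four rows).
REPORT = """\
IP Address     Name         Uptime            Historical  Current
192.168.20.2   web01        7D 12H 32M 06S    42.6 GB     44.1 GB
192.168.20.3   webdev02     4D 07H 12M 45S    1.95 GB     2.13 GB
192.168.20.4   dbsvr01      12D 02H 46M 14S   3.15 GB     24.6 GB
192.168.20.5   marketing01  2D 17H 18M 41S    5.2 GB      4.9 GB
"""

UNIT_TO_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# One data row: IP, host name, uptime, historical volume + unit, current volume + unit.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)\s+"
    r"(?P<uptime>\d+D \d+H \d+M \d+S)\s+"
    r"(?P<hist>[\d.]+)\s*(?P<hist_unit>[KMGT]B)\s+"
    r"(?P<cur>[\d.]+)\s*(?P<cur_unit>[KMGT]B)\s*$"
)


def to_bytes(value: str, unit: str) -> float:
    """Normalise mixed units so rows reported in MB and GB compare correctly."""
    return float(value) * UNIT_TO_BYTES[unit]


def parse_report(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a data row
        rows.append({
            "ip": m["ip"],
            "name": m["name"],
            "historical": to_bytes(m["hist"], m["hist_unit"]),
            "current": to_bytes(m["cur"], m["cur_unit"]),
        })
    return rows


def flag_anomalous(rows, ratio_threshold=3.0, min_delta_bytes=1024 ** 3):
    """Return (name, ratio) for hosts whose current volume is at least ratio_threshold times
    the baseline AND at least min_delta_bytes above it, so a tiny host doubling from 10 MB
    to 20 MB is not reported alongside a database server moving tens of gigabytes."""
    flagged = []
    for r in rows:
        if r["historical"] <= 0:
            continue  # no baseline to compare against
        ratio = r["current"] / r["historical"]
        if ratio >= ratio_threshold and r["current"] - r["historical"] >= min_delta_bytes:
            flagged.append((r["name"], round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    for name, ratio in flag_anomalous(parse_report(REPORT)):
        print(f"investigate {name}: current volume is {ratio}x the historical baseline")
```

Run against the report, only dbsvr01 is flagged, at roughly 7.8 times its baseline; the ratio test alone would be noisy on very small hosts, which is why the absolute-growth floor is there.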

C. The dd command is used in forensic acquisition to create a bit-by-bit copy of a drive, either to a second drive or to an image file. The bs operand sets the block size for each read and write, and count limits how many input blocks are copied, so bs=1M count=1000 copies 1000 MiB. Note that in the command shown, of= points at a second block device (/dev/sdb), so this is a partial device-to-device clone rather than an image file; a forensic acquisition would also record hashes of the source and the copy to prove they match.

You are analyzing the logs of a forensic analyst's workstation and see the following:

root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000

What does the bs=1M signify in the command above? ​ A. Sends output to a blank sector​ B. Sets the beginning sector​ C. Sets the block size​ D. Removes error messages and other incorrect data

B. tcpdump is the command-line packet capture utility on Linux and other Unix-like systems. The -w option writes the raw captured packets to a file (here diontraining.pcap) for later analysis in tcpdump or Wireshark. The other options would not write a capture: -r (A) reads packets back from an existing file, -n (C) only suppresses name resolution, and -e (D) only prints the link-layer header on each line.

You are attempting to run a packet capture on a Linux workstation using the tcpdump command. Which of the following would allow you to conduct the packet capture and write the output to a file for later analysis? ​ A. tcpdump -i eth0 -r diontraining.pcap​ B. tcpdump -i eth0 -w diontraining.pcap​ C. tcpdump -i eth0 -n diontraining.pcap​ D. tcpdump -i eth0 -e diontraining.pcap

C. The Nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option, such as when you do not have raw packet (root or administrator) privileges on your workstation; older Nmap releases also required it for IPv6 targets. The flag tells Nmap to complete the TCP three-way handshake using the operating system's connect system call instead of crafting raw SYN packets. A SYN scan is faster and stealthier, because the handshake is never completed, and it is Nmap's default scan when raw socket access is available, but it requires that access. Without raw privileges the connect scan is the closest substitute.

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? ​ A. nmap -sS​ B. nmap -O​ C. nmap -sT​ D. nmap -sX

C. By default, Apache records every request it processes in access_log (error_log holds diagnostics and startup messages). On Red Hat-family systems the default path is /var/log/httpd/access_log; Debian and Ubuntu packages name the same file /var/log/apache2/access.log. The location and name are set by the CustomLog directive, so check the configuration if a site does not use the default convention.

You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization is using the default naming convention? ​ A. httpd_log​ B. apache_log C. access_log​ D. http_log

B. A malicious process is one running on a system that is outside the norm; it is a host-based indicator of compromise (IoC), not an account-based one. Off-hours usage, unauthorized sessions, and failed logins are all account-based IoCs. Off-hours usage is an account logging in outside normal business hours, which attackers often do to avoid detection. An unauthorized session is a device or service accessed without authorization, for example a limited-privilege user signed in to a domain controller. A single failed login is normal when a user forgets or mistypes a password, but repeated failures for one account can indicate an attempt to crack or spray its password.

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? ​ A. Off hours usage​ B. Malicious processes​ C. Unauthorized sessions​ D. Failed logins
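The three account-based indicators named in the explanation above can each be expressed as a query over authentication events. The block below is an added example written for this page, not code from the original question or from Dion Training. The log lines are constructed, the key=value record format is assumed, and the business hours, domain controller list, and privileged account list stand in for values an analyst would take from their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (format assumed: ISO timestamp, host, result, user, src).
LOG_LINES = """\
2024-03-04T09:02:11 host=FS01 result=SUCCESS user=jsmith src=10.0.0.55
2024-03-04T09:05:40 host=FS01 result=FAILURE user=mwhite src=10.0.0.61
2024-03-04T09:06:02 host=FS01 result=SUCCESS user=mwhite src=10.0.0.61
2024-03-05T02:13:44 host=DC01 result=SUCCESS user=jsmith src=10.0.0.99
2024-03-05T02:14:01 host=DC01 result=FAILURE user=svc_backup src=10.0.0.99
2024-03-05T02:14:03 host=DC01 result=FAILURE user=svc_backup src=10.0.0.99
2024-03-05T02:14:05 host=DC01 result=FAILURE user=svc_backup src=10.0.0.99
2024-03-05T02:14:08 host=DC01 result=FAILURE user=svc_backup src=10.0.0.99
2024-03-05T02:14:10 host=DC01 result=FAILURE user=svc_backup src=10.0.0.99
2024-03-05T10:30:00 host=DC01 result=SUCCESS user=adm_jones src=10.0.0.5
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) result=(?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed environment facts: which hosts are domain controllers and who may log on to them.
DOMAIN_CONTROLLERS = {"DC01"}
PRIVILEGED_ACCOUNTS = {"adm_jones"}
BUSINESS_HOURS = (8, 18)  # 08:00 <= hour < 18:00, Monday to Friday


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def off_hours_logins(events):
    """Successful logins at night or on a weekend: (user, host, timestamp)."""
    start, end = BUSINESS_HOURS
    return [
        (e["user"], e["host"], e["ts"].isoformat())
        for e in events
        if e["result"] == "SUCCESS"
        and (e["ts"].weekday() >= 5 or not start <= e["ts"].hour < end)
    ]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failures inside any `window` (sliding window per user).
    One failure is a typo; a tight burst looks like password guessing."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


def unauthorized_sessions(events):
    """Successful sessions on a domain controller by an account that is not privileged."""
    return [
        (e["user"], e["host"])
        for e in events
        if e["result"] == "SUCCESS"
        and e["host"] in DOMAIN_CONTROLLERS
        and e["user"] not in PRIVILEGED_ACCOUNTS
    ]


if __name__ == "__main__":
    evts = parse_events(LOG_LINES)
    print("off-hours:", off_hours_logins(evts))
    print("failed-login bursts:", failed_login_bursts(evts))
    print("unauthorized DC sessions:", unauthorized_sessions(evts))
```

On the sample data the same account (jsmith) appears in both the off-hours list and the unauthorized-session list, and svc_backup is flagged for five failures in under thirty seconds; mwhite's single failure followed by a success is left alone. Nothing here looks at running processes, which is the point of the question.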

B. The protocol a beacon uses is not by itself a reliable way to identify beaconing. Beacons can ride over ICMP, DNS, HTTP/HTTPS, and many other protocols, so filtering on protocol would discard malicious traffic unless you already knew which protocol the suspected beacon used. The typical indicators are the regularity of the beaconing interval (often with a small amount of jitter), the beacon's persistence over time, and the removal of known-good traffic so that the remaining periodic connections stand out.

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? ​ A. The beacon's persistence​ B. The beacon's protocol​ C. The beaconing interval​ D. The removal of known traffic
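The three legitimate indicators from the explanation above (interval regularity, persistence, and removal of known traffic) are what a beaconing script actually computes; protocol never enters the scoring. The following is an added example written for this page, not code from the original question or from Dion Training. The connection records and host names are constructed, the known-good destination list is assumed, and the thresholds (six or more events, coefficient of variation of the gaps at most 0.2, at least 30 minutes of persistence) are starting values to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed allow-list: destinations whose periodic traffic is expected (update servers, etc.).
KNOWN_GOOD_DESTINATIONS = {"updates.example-vendor.test"}

BASE = datetime(2024, 3, 5, 1, 0, 0)


def _at(offsets_seconds):
    return [BASE + timedelta(seconds=s) for s in offsets_seconds]


# Constructed connection records (timestamp, source host, destination); not from a real network.
CONNECTIONS = (
    # Every ~300 s with a few seconds of jitter: the shape of a malware beacon.
    [(t, "10.0.0.23", "c2.bad.test") for t in
     _at([0, 300, 598, 901, 1202, 1501, 1801, 2103, 2400, 2700, 3001, 3300])]
    # Also every 300 s, but to a known update server: removed before scoring.
    + [(t, "10.0.0.23", "updates.example-vendor.test") for t in _at(range(0, 3600, 300))]
    # Human browsing: irregular gaps, not a beacon.
    + [(t, "10.0.0.41", "www.news.test") for t in _at([0, 12, 412, 447, 1947, 2027])]
)


def remove_known_traffic(records, known_good=KNOWN_GOOD_DESTINATIONS):
    """Step one of the analysis: drop destinations already known to be legitimate."""
    return [r for r in records if r[2] not in known_good]


def interval_profile(timestamps):
    """Return (count, mean_gap_s, coefficient_of_variation, span_s) for one src/dst pair.
    A low coefficient of variation means the gaps are nearly constant."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None, 0.0
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else None
    return len(ts), mu, cv, (ts[-1] - ts[0]).total_seconds()


def find_beacons(records, min_events=6, max_cv=0.2, min_span_s=1800):
    """Flag src/dst pairs whose connections are regular (low CV), frequent enough to judge,
    and persistent for at least min_span_s. The protocol is deliberately not a criterion."""
    by_pair = defaultdict(list)
    for ts, src, dst in remove_known_traffic(records):
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        count, mu, cv, span = interval_profile(times)
        if count >= min_events and cv is not None and cv <= max_cv and span >= min_span_s:
            beacons.append({"src": src, "dst": dst, "count": count,
                            "interval_s": round(mu, 1), "jitter_cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(CONNECTIONS):
        print(f"{b['src']} -> {b['dst']}: {b['count']} connections every "
              f"~{b['interval_s']} s (jitter CV {b['jitter_cv']})")
```

Only the 10.0.0.23 to c2.bad.test pair survives: the update-server traffic has the same 300 second period but is removed as known-good first, and the browsing host fails the regularity test. Real beacons add randomized jitter, which is why the threshold is a coefficient of variation rather than an exact period.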

C. There are two types of containment: segmentation and isolation. This plan is segmentation-based containment that adds deception. Segmentation-based containment isolates a host or group of hosts using network technologies and architecture; rather than cutting the hosts off entirely, the protected segment can be configured to make the attacker believe the attack is progressing successfully, as with the mirrored database here. Isolation-based containment (B, D) would take the affected database out of production or disconnect the APT outright, and a hack-back (A) is a counterattack, not a containment strategy.

You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? ​ A. Segmentation-based containment disrupts the APT by using a hack-back approach​ B. Isolation-based containment by removing the affected database from production​ C. Segmentation-based containment that deceives the attack into believing their attack was successful​ D. Isolation-based containment by disconnecting the APT from the affected network

A. The quickest effective check is to submit the files to an open-source intelligence service such as VirusTotal, which analyzes suspicious files and URLs with many anti-malware engines and reports any known detections, then shares the results with the security community. Because uploaded files are shared with the community and participating vendors, look up the file's hash first and avoid uploading anything that may contain sensitive data. Disassembly in IDA Pro (B) and strings analysis (C) are slower and require expertise, and a single local anti-malware engine (D) gives only one vendor's opinion.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? ​ A. Submit the files to an open-source intelligence provider like VirusTotal​ B. Disassembly the files and conduct static analysis on them using IDA Pro​ C. Run the Strings tool against each file to identify common malware identifiers​ D. Scan the files using a local anti-virus/anti-malware engine

B. The correct option is \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b, which uses parentheses for grouping and the alternation operator (|) to match any one of the three addresses as whole words. Square brackets (A, D) define a character class, so [192\.168\.66\.6] matches a single character that is 1, 9, 2, ., 6, or 8, not the address. The + operator (C, D) means one or more repetitions of the preceding element, so it would require the addresses to appear back to back. In every case the period must be escaped (\.) because an unescaped period is a regex metacharacter that matches any character. One caveat with option B as written: alternation binds loosely, so the leading \b applies only to the first alternative and the trailing \b only to the last; a tighter form is \b(?:192\.168\.66\.6|10\.66\.6\.10|172\.16\.66\.1)\b.

You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement? ​ A. \b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b​ B. \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b​ C. \b(192\.168\.66\.6)+(10\.66\.6\.10)+(172\.16\.66\.1)\b​ D. \b[192\.168\.66\.6]+[10\.66\.6\.10]+[172\.16\.66\.1]\b
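The difference between the answer-key pattern and the tightened form in the explanation above shows up as soon as look-alike addresses appear in the data. The block below is an added example written for this page, not code from the original question or from Dion Training; the log lines are constructed, and only the three target addresses come from the question.

```python
import re

# The three addresses the question asks about.
TARGETS = ["192.168.66.6", "10.66.6.10", "172.16.66.1"]

# Option A and option B exactly as written in the question.
OPTION_A = r"\b[192\.168\.66\.6]|[10\.66\.6\.10]|[172\.16\.66\.1]\b"
OPTION_B = r"\b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b"

# Tightened form (added suggestion): a single non-capturing group so both \b anchors
# apply to every alternative; re.escape turns each '.' into '\.' automatically.
TIGHTENED = r"\b(?:" + "|".join(re.escape(ip) for ip in TARGETS) + r")\b"

# Constructed log lines mixing the real targets with look-alike addresses.
LOG_LINES = [
    "ALLOW src=192.168.66.6 dst=10.66.6.10",       # two real targets
    "ALLOW src=192.168.66.60 dst=172.16.66.1",     # one decoy (192.168.66.60), one real target
    "DENY  src=10.66.6.100 dst=8.8.8.8",           # decoy only
    "ALLOW src=1192.168.66.6 dst=172.16.66.10",    # two decoys
]


def matches(pattern, text):
    return re.search(pattern, text) is not None


def find_all(pattern, text):
    """Every substring the pattern accepts, in order of appearance."""
    return [m.group(0) for m in re.finditer(pattern, text)]


def hits(pattern, lines=LOG_LINES):
    """Per-line list of matched addresses for the given pattern."""
    return [find_all(pattern, line) for line in lines]


if __name__ == "__main__":
    for line, b_hits, t_hits in zip(LOG_LINES, hits(OPTION_B), hits(TIGHTENED)):
        print(f"{line!r}\n  option B : {b_hits}\n  tightened: {t_hits}")
    # A character class matches one character, so option A "matches" a lone digit.
    print("option A matches '8':", matches(OPTION_A, "8"))
```

Option B reports 192.168.66.6 inside 192.168.66.60 and 10.66.6.10 inside 10.66.6.100, because the first alternative has no trailing \b and the middle alternative has no anchors at all; the tightened pattern reports only the three real addresses. Option A is shown to match the single character "8", which is what a character class does.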

C. Based on the description, this is most likely a port scan. With a tool such as Nmap, an attacker can send a SYN to every port in a range on the target, and a SYN scan walking ports 1 through 1024 on one host is a classic IDS alert. A SYN flood (B) hammers a single service with many SYNs to exhaust it rather than probing each port once, and a UDP probe (D) would not use SYN packets at all. Scanners support stealthier options (randomized order, slow timing), but default scans often connect to each port in sequence.

You are reviewing the logs in your IDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? ​ A. Remote host cannot find the right service port​ B. SYN flood​ C. Port scan​ D. UDP probe

B. Given the requirements, install a firewall on the gateway router's external interface and a NIPS on its internal interface. The firewall on the external interface filters the bulk of unwanted inbound traffic before it reaches the network. The NIPS then inspects the traffic that remains, in both directions, using signature-based or behavior-based analysis, and can block the content types the CIO wants stopped before they leave the network using custom signatures written by the security team. Placing the NIPS on the external interface would expose it to the full unfiltered volume and risk it failing open or dropping inspection under load, which is why the cheaper packet filter sits in front. A NIDS (C) only monitors and cannot block, and IP filtering alone (A) cannot inspect content.

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements? ​ A. Configure IP filtering on the internal and external interfaces of the router​ B. Install a NIPS on the internal interface and a firewall on the external interface of the router​ C. Install a firewall on the router's internal interface and a NIDS on the router's external interface​ D. Installation of a NIPS on both the internal and external interfaces of the router

B.

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take to analyze the suspected APT activity? ​ A. Use the IP addresses to search through the event logs​ B. Analyze the trends of the events while manually reviewing them to see if any indicators match​ C. Create an advanced query that includes all of the indicators and review any matches​ D. Scan for vulnerabilities with exploits known to previously have been used by an APT

A. The net use command lists the network connections (mapped drives and shares) the workstation currently has, which reveals file servers and print servers on the network. net user and net group report on accounts and groups rather than other systems, and net config shows the local workstation or server service configuration.

You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network? ​ A. net use​ B. net user​ C. net group​ D. net config

A. Physically destroy the drives. The scenario states that the data has already been moved to a new self-encrypting drive (SED), that the old SSDs are unencrypted, and that the manufacturer provides no secure erase utility. Cryptographic erase (D) requires an encrypted drive, and zero-fill (B) is unreliable on SSDs because wear leveling and over-provisioned blocks can hold copies of data that host writes never reach. For SSDs, physical destruction means mechanical shredding or incineration; degaussing only works on magnetic media and does nothing to flash storage.

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor's hands. After safely extracting the device's data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use? ​ A. Physically destroy the storage devices​ B. Conduct zero-fill on the storage devices​ C. Use a secure erase (SE) utility on the storage devices​ D. Perform a cryptographic erase (CE) on the storage devices

B. Once the scoping document is written, you must obtain concurrence from the organization's leadership before doing anything else; the signed-off scoping document is your written authorization for the test. Never begin a penetration test, including passive fingerprinting or port scanning, without written permission and concurrence from the target organization.

You have just completed writing the scoping document for your next penetration test, which clearly defines what tools, techniques, and targets you intend to include during your assessment. Which of the following actions should you take next? ​ A. Conduct a port scan of the target network​ B. Get leadership concurrence on the scoping document​ C. Conduct passive fingerprinting on the target servers​ D. Provide a copy of the scoping document to local law enforcement

A. You scanned the host with current anti-virus signatures and found nothing, yet the host maintains an encrypted TLS tunnel to a known malicious server, which is a clear sign of compromise. Malware that current signatures do not detect most likely exploited a zero-day vulnerability or is otherwise unknown to the anti-virus vendor. Password spraying, session hijacking, and directory traversal (B, C, D) would not explain a persistent outbound channel to a malicious server.

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred? ​ A. Zero-day attack​ B. Password spraying​ C. Session hijacking​ D. Directory traversal

B. Request permission to conduct the scan from on-site. If the organization's network is set up correctly, a scan from off-site reaches only what the perimeter firewall exposes (here, a single web server); the rest of the hosts are hidden behind it. Scanning from inside the firewall returns far more detail about the servers and services on the internal network. A UDP scan (A), the full port range (C), or IPS evasion (D) would still be filtered at the perimeter.

You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? ​ A. Use a UDP scan​ B. Perform a scan from on-site​ C. Scan using the -p 1-65535 flag​ D. Use an IPS evasion technique

B, D, E. First, change the default username and password, since default credentials are the immediate vulnerability. Second, restrict the administrative web frontend to an allow list (whitelist) of the specific IP blocks that should reach it, since only a few system administrators and power users need access. Third, require two-factor authentication for the application, which provides more security than a username and password alone. Obscuring the URL (A) is security through obscurity, a penetration test (C) finds problems rather than fixing this one, and a stronger default passphrase (F) is still a shared default credential.

You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE) ​ A. Rename the URL to a more obscure name​ B. Require two-factor authentication for access to the application​ C. Conduct a penetration test against the organization's IP space​ D. Whitelist all specific IP blocks that use this application​ E. Change the username and default password​ F. Require an alphanumeric passphrase for the application's default password

C. A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition view focuses on the procurement process.

You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select? ​ A. Operational view​ B. Acquisition view​ C. Technical view​ D. Logical view

B. Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation.

You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? ​ A. ACL​ B. NAC​ C. SPF​ D. MAC filtering

D. The -i flag makes grep's match case-insensitive, so "password", "Password", and "PASSWORD" all match. Because the pattern has no word-boundary anchor (\b) and the -w option is not used, the match may occur anywhere in the text, so a filename such as "MyPasswords.txt" would also be detected. Option A uses an invalid switch, option B misses mixed-case variants such as "Password", and in option C grep would treat /i as another file to search rather than as a switch.

You want to search all the logs using REGEX to alert on any findings where a filename contains the word "password" (regardless of case). For example, "PASSWORD.txt," "Password.log," or "password.xlsx" should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this? ​ A. grep \i password logfile.log​ B. grep "(PASSWORD)|(password)" logfile.log​ C. grep password /i logfile.log​ D. grep -i password logfile.log

C. iPhone/iPad backups can be full or differential. A backup that contains only part of the device's data is most likely a differential backup holding the information that changed since the last full backup, so the analyst needs the earlier full backup to reconstruct the rest.

You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? ​ A. The backup was interrupted​ B. The backup is encrypted​ C. The backup is a differential backup​ D. The backup is stored in iCloud.

C. In an API-first model, objects in memory on one system are serialized and passed to another system, which deserializes them. A malicious API client can craft a serialized object that, when deserialized, causes the receiving code to execute attacker-chosen logic, which is the classic insecure deserialization path to remote code execution. The defenses are to accept serialized objects only from trusted sources, to restrict payloads to primitive data types (for example JSON validated against a schema) rather than serialized objects that carry type or code references, and to integrity-check anything that must be serialized. SQL injection and cross-site scripting (A, D) are input validation issues, and insufficient logging (B) affects detection, not the attack itself.

Your company has just announced a change to an "API first" model of software development. As a cybersecurity analyst, you are immediately concerned about the possibility of an insecure deserialization vulnerability in this model. Which of the following is the primary basis for an attack against this vulnerability? ​ A. Lack of input validation could allow for a SQL attack​ B. Insufficient logging and monitoring makes it impossible to detect when insecure deserialization vulnerabilities are exploited​ C. Accepting serialized objects from untrusted sources or the use of serialized non-primitive data may lead to remote code execution​ D. Lack of input validation could lead to a cross-site scripting attack
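The explanation above describes the attack abstractly; the block below shows it concretely with Python's pickle, then the two defenses it names: refuse to resolve any global during deserialization, or use a data-only format with schema validation. This is an added example written for this page, not code from the original question or from Dion Training. The payload calls os.getcwd as a harmless stand-in for a command-execution gadget, and the JSON field names (user_id, email, roles) are assumed.

```python
import io
import json
import os
import pickle


class MaliciousPayload:
    """Attacker-built object. __reduce__ tells the unpickler which callable to run on load;
    os.getcwd stands in for something like os.system. It executes the moment the bytes are
    unpickled, before the application ever looks at the result."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_attacker_payload() -> bytes:
    """What an untrusted API client could send where a serialized object is expected."""
    return pickle.dumps(MaliciousPayload())


def insecure_deserialize(data: bytes):
    """Vulnerable pattern: pickle.loads on bytes that arrived over the API."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened unpickler: refuses to resolve any global. Primitive types (dict, list, str,
    int, ...) need no global lookup, so data-only pickles still load; anything that names
    a class or function is rejected before it can run."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_deserialize(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Preferred design: a data-only wire format plus strict schema validation.
SCHEMA = {"user_id": int, "email": str, "roles": list}  # field names assumed for the example


def json_deserialize(data: bytes) -> dict:
    """JSON cannot name a callable, and the schema rejects extra or mistyped fields."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected or missing fields")
    for field, typ in SCHEMA.items():
        value = obj[field]
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError(f"bad type for {field}")
    return obj


def demo() -> dict:
    """Exercise all three paths against the same attacker payload and return the outcomes."""
    payload = build_attacker_payload()
    result = {}
    # 1. Vulnerable: the gadget ran and its return value is what loads() hands back.
    result["insecure_ran_callable"] = insecure_deserialize(payload) == os.getcwd()
    # 2. Restricted unpickler: the global lookup is refused, nothing executes.
    try:
        restricted_deserialize(payload)
        result["restricted_blocked"] = False
    except pickle.UnpicklingError:
        result["restricted_blocked"] = True
    result["restricted_loads_primitives"] = (
        restricted_deserialize(pickle.dumps({"user_id": 7, "roles": ["read"]}))
        == {"user_id": 7, "roles": ["read"]}
    )
    # 3. JSON with schema: valid record accepted, smuggled extra field rejected.
    result["json_user"] = json_deserialize(
        b'{"user_id": 7, "email": "a@example.test", "roles": ["read"]}')
    try:
        json_deserialize(
            b'{"user_id": 7, "email": "a@example.test", "roles": ["read"], "__class__": "x"}')
        result["json_rejects_extra_fields"] = False
    except ValueError:
        result["json_rejects_extra_fields"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restricted unpickler is the minimum fix when a pickle interface cannot be replaced quickly; the JSON path is what an API-first design should start from, since the wire format then has no way to express "call this function".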

B. In a cloud-based SaaS environment, rely on the vendor's own testing and on independent audits of the service (such as SOC 2 reports) to validate its security. Most SaaS providers prohibit customers from running their own port scans or vulnerability scans against the shared service, so options A, C, and D would likely violate the terms of service and could be treated as an attack.

Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Before this migration, a weekly port scan was conducted to help validate the on-premise systems' security. Which of the following actions should you take to validate the security of the cloud-based solution? ​ A. Utilize a different scanning tool​ B. Utilize vendor testing and audits​ C. Utilize a third-party contractor to conduct the scans​ D. Utilize a VPN to scan inside the vendor's security perimeter

A, B. Two explanations fit the description: (1) the vulnerability scanner is returning a false positive, or (2) the critical patch did not actually remediate the vulnerability, and the question does not give enough information to tell which. If the patch installed successfully, as stated, it may have been coded incorrectly and left the flaw in place. Vendors test patches before release, but extremely critical fixes are sometimes rushed into production, and when a patch fails to remediate the vulnerability on all systems the vendor issues a superseding patch. Alternatively, the scanner's detection signature may be too specific or too generic to distinguish a patched system from an unpatched one, which produces a false positive. Options C and D are excluded by the question, which states that both the patch installation and the scan configuration were verified.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still showing the servers as vulnerable? (SELECT ALL THAT APPLY) ​ A. The vulnerability assessment scan is returning a false positive​ B. This critical patch did not remediate the vulnerability​ C. You conducted the vulnerability scan without waiting long enough after the patch was installed​ D. The wrong IP address range was scanned during your vulnerability assessment
