cysa + Quiz Questions

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? -n -e -X -nn

-e The -e option prints the link-layer (Ethernet) header on every line of output, so the source and destination MAC addresses and the EtherType are recorded alongside the IP information. The -n flag shows IP addresses in numeric form instead of resolving hostnames. The -nn option shows both IP addresses and port numbers in numeric form. The -X option prints each packet's payload in hex and ASCII; it does not add the Ethernet header.
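As an added example (not part of the quiz), the Python below parses lines in the format that `tcpdump -e -nn` prints and shows what recording the Ethernet header buys you: the same source IP appearing behind two different MAC addresses, which is invisible without -e. The sample lines, MAC addresses and IPs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of `tcpdump -e -nn` output (not from a real capture). Because of -e,
# every line carries the link-layer header (src MAC > dst MAC, ethertype); -nn keeps
# addresses and ports numeric, which is what makes the lines regex-friendly.
SAMPLE_LINES = [
    "12:00:01.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: "
    "192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: "
    "93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:02.000003 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 192.168.1.1 tell 192.168.1.99, length 28",
    "12:00:03.000004 de:ad:be:ef:00:01 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: "
    "192.168.1.10.51235 > 93.184.216.34.443: Flags [S], seq 3, win 64240, length 0",
]

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>\w+) \((?P<ethertype_hex>0x[0-9a-f]{4})\), "
    r"length (?P<frame_len>\d+): (?P<rest>.*)$"
)
# IPv4 part of the line; with -nn the port is glued to the address with a dot.
IPV4_RE = re.compile(
    r"^(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+):"
)


@dataclass
class Frame:
    ts: str
    src_mac: str
    dst_mac: str
    ethertype: str
    frame_len: int
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def parse_line(line: str) -> Optional[Frame]:
    """Parse one `tcpdump -e -nn` line; returns None for lines in another format."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    frame = Frame(m["ts"], m["src_mac"], m["dst_mac"], m["ethertype"], int(m["frame_len"]))
    ip = IPV4_RE.match(m["rest"])
    if ip:
        frame.src_ip, frame.src_port = ip["src_ip"], int(ip["src_port"])
        frame.dst_ip, frame.dst_port = ip["dst_ip"], int(ip["dst_port"])
    return frame


def find_mac_ip_conflicts(frames: List[Frame]) -> Dict[str, Set[str]]:
    """Source IPs seen with more than one source MAC. Only the Ethernet header (-e)
    makes this visible; it is a classic sign of ARP or IP spoofing on the local segment."""
    seen: Dict[str, Set[str]] = {}
    for f in frames:
        if f.src_ip is not None:
            seen.setdefault(f.src_ip, set()).add(f.src_mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    parsed = [f for f in map(parse_line, SAMPLE_LINES) if f is not None]
    print(find_mac_ip_conflicts(parsed))
```

Run it against a saved capture with `tcpdump -e -nn -r file.pcap` piped in line by line; a non-empty conflict map is worth a closer look at the switch port the second MAC lives on.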

Both physically and virtually segmented networks need to apply logical rules to traffic passing between segments. Define the configuration object that is used for this purpose. Asset tag VLAN ID Certificate Access control list (ACL)

Access control list (ACL) An ACL is an ordered list of rules that a router, switch or firewall applies to traffic crossing a segment boundary: each rule matches on attributes such as source and destination address, protocol and port and either permits or denies the match, with the first matching rule winning and anything unmatched typically falling to an implicit deny. The same concept appears in file system security, where each object has an ACL listing the accounts (principals) allowed to access the resource and the permissions they have over it.
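To make the first-match and implicit-deny behaviour concrete, here is an added Python example (not from the quiz) that evaluates packets against a hypothetical inter-VLAN ACL and also flags a rule that can never fire because an earlier rule shadows it, the ordering mistake ACL reviews most often find. The subnets and rules are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: str                         # CIDR, e.g. "10.0.10.0/24"; "0.0.0.0/0" means any
    dst: str
    dst_port: Optional[int] = None   # None matches every port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


# Hypothetical ACL on the boundary between a user VLAN (10.0.10.0/24) and a server
# VLAN (10.0.20.0/24): users may reach the web server on 443 and nothing else in the
# server VLAN, but may go anywhere outside it. The last rule is a deliberate ordering bug.
ACL: List[Rule] = [
    Rule("permit", "tcp", "10.0.10.0/24", "10.0.20.5/32", 443),
    Rule("deny",   "any", "10.0.10.0/24", "10.0.20.0/24"),
    Rule("permit", "any", "10.0.10.0/24", "0.0.0.0/0"),
    Rule("permit", "tcp", "10.0.10.0/24", "10.0.20.5/32", 22),   # shadowed by rule 1
]


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in _net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in _net(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, rule index); ("deny", None) is the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already caught by `earlier`."""
    return (
        (earlier.proto == "any" or earlier.proto == later.proto)
        and _net(later.src).subnet_of(_net(earlier.src))
        and _net(later.dst).subnet_of(_net(earlier.dst))
        and (earlier.dst_port is None or earlier.dst_port == later.dst_port)
    )


def find_shadowed(acl: List[Rule]) -> List[Tuple[int, int]]:
    """(rule index, index of the earlier rule hiding it) for rules that can never fire."""
    shadowed = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                shadowed.append((j, i))
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate(ACL, Packet("tcp", "10.0.10.7", "10.0.20.5", 22)))   # ("deny", 1)
    print(find_shadowed(ACL))                                           # [(3, 1)]
```

The shadow check is the part worth keeping: an SSH rule added below a broad deny looks fine in the config but silently does nothing, and a reviewer reading top to bottom will not notice without tooling.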

How can someone securely dispose of documents with classified information? Shredding Degauss Burning Sanitization

Burning Secure disposal means physical destruction, by mechanical shredding or incineration, that leaves the item unusable. For paper, incineration is the method that leaves nothing recoverable.

A drone pilot experiences difficulty remote controlling the aircraft. The pilot feels that a questionable firmware update is to blame. Which technology refers to the type the drone uses? Industrial control system Physical access control Modbus CAN bus

CAN bus Automobiles and unmanned aerial vehicles (UAV) contain sophisticated electronics to control engine and power systems, and more. These systems are internally connected via one or more controller area network (CAN) serial communications buses.

Identify the machine learning technique that utilizes multiple hidden layers of neural networks to learn for itself what factors are solving its task. Data enrichment Expert systems Artificial intelligence Deep learning

Deep learning Deep learning is a versatile machine learning development. With deep learning, the neural networks have a hierarchy of multiple hidden layers, where complex knowledge classes are described in relation to simpler knowledge classes in order to make more informed determinations about the environment.

What is a reverse proxy commonly used for? To obfuscate the origin of a user within a network To prevent the unauthorized use of cloud services from the local network Directing traffic to internal services if the contents of the traffic comply with the policy Allowing access to a virtual private cloud

Directing traffic to internal services if the contents of the traffic comply with the policy A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client.

What phishing technique implements exploits within an email allowing them to run malicious code or obtain information under false pretenses? Select all that apply. Embedded links "sender" address fields Attachments Sender Policy Framework (SPF)

Embedded links "sender" address fields Attachments

Identify the application category that is built directly into hardware and performs "low level" input/output device functions. Firmware Embedded Applications Web Applications Mobile Applications

Firmware Firmware is a particular computer software class that provides low-level control for the specific hardware used by a system.

An IT cloud company in Europe lost 5 terabytes (TB) of data holding sensitive information from hospitals. The loss is affecting business relations and overall operations. The company has 72 hours to report this to their local Data Protection Authority (DPA). Why is this a requirement? GDPR guidelines U.S. Secretary of HHS requirement HIPAA guidelines H-ISAC regulation

GDPR guidelines The General Data Protection Regulation (GDPR) of the European Union (EU) requires the data controller to notify its supervisory Data Protection Authority (DPA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.

An engineer uses enumeration tools to identify hosts on a network. Which description relates to a footprinting approach? Analyzes general network chatter to identify the hosts Difficult to distinguish from legitimate traffic Map out open ports, OS type and version IP address usage, routing topology, and DNS namespace

IP address usage, routing topology, and DNS namespace Footprinting tools map out the layout of a network, typically in terms of IP address usage, routing topology, and DNS namespace (subdomains and hostnames).

Which approach does an attacker use as a reflected type of attack? Select all that apply. Non-persistent XSS Document Object Model (DOM) XSS Persistent XSS Cross-site scripting (XSS)

Non-persistent XSS Cross-site scripting (XSS) Cross-site scripting is one of the most powerful input validation exploits and involves a trusted site, a client browsing that site, and the attacker. In a reflected (non-persistent) attack the malicious script is carried in a request, typically a crafted link, and echoed back by the web server in its response without validation or encoding, so it runs in the victim's browser in the context of the trusted site; nothing is stored on the server. Persistent (stored) XSS instead saves the payload on the server for later victims, and DOM-based XSS executes through client-side script that writes attacker-controlled data into the page's Document Object Model.
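As an added example (not part of the quiz), the Python below shows the reflection in miniature: a search endpoint that concatenates the q parameter into its HTML beside the hardened version that HTML-encodes it, plus the check a scanner performs to detect reflected XSS, which is simply whether the raw probe comes back unencoded. The shop URL and payload are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL: the payload is percent-encoded in the link the victim clicks,
# and the server's query-string parser decodes it back into live markup.
ATTACK_URL = "https://shop.example/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_results_unsafe(query: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into the HTML body."""
    return f"<h1>Results for: {query}</h1>"


def render_results_safe(query: str) -> str:
    """Hardened: HTML-encode for the body context. quote=True also encodes ' and ",
    so the same helper is safe if the value later ends up inside an attribute."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def handle_request(url: str, renderer) -> str:
    """What the search endpoint does: pull ?q= out of the URL and render a page with it."""
    params = parse_qs(urlsplit(url).query)
    return renderer(params.get("q", [""])[0])


def reflects_payload(response_html: str, payload: str) -> bool:
    """A scanner's reflected-XSS test: send a marker, see if it returns byte-for-byte."""
    return payload in response_html


if __name__ == "__main__":
    for renderer in (render_results_unsafe, render_results_safe):
        page = handle_request(ATTACK_URL, renderer)
        print(renderer.__name__, "reflects:", reflects_payload(page, PAYLOAD))
```

Note what the fix does not do: it changes nothing on the server's stored state, because a reflected attack never touched it; the whole defence lives in output encoding at the point where untrusted data meets the response.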

While studying for your CompTIA CySA+ course at Dion Training, you decided to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model?

OSSIM OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, QRadar, and Splunk are all proprietary, commercially licensed SIEM solutions.

If multiple incidents are occurring, what can an IT manager consider when creating a response plan that prioritizes? Select all that apply. Privacy breach Business essential functions Downtime Recovery time

Privacy breach Business essential functions Downtime Recovery time

What type of information may be in an after-action report? Select all that apply. Recovery time Change management Downtime Patching

Recovery time Downtime Patching

You suspect that a service called explorer.exe on a Windows server is malicious, and you need to terminate it. Which of the following tools would NOT be able to terminate it? services.msc wmic secpol.msc sc

secpol.msc The Local Security Policy snap-in (secpol.msc) lets an authorized administrator change a great deal about the operating system's security settings, but it cannot stop a process or service that is already running. services.msc, sc (sc stop), and wmic can all stop a service or terminate a process.

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? SMTP NetFlow SNMP MIB

SNMP Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic.

Who is the default owner of a resource in Discretionary Access Control (DAC)? The system administrator All users in a role matching the domain of the resource All users with a clearance level above the security tag The creator of the resource

The creator of the resource The Discretionary Access Control (DAC) model stresses the importance of the owner and utilizes access control lists (ACL). Because each owner can grant access at their own discretion, DAC offers weaker central control than mandatory or role-based models.

Users have migrated to Microsoft Office 365 and can read emails from anywhere using a web browser. When opening an email, users cannot open the attachment, but can save the file to their OneDrive. Evaluate the scenario to determine the reasoning for the user's lack of options. The email has a watermark. The user is outside of jurisdiction. The user cannot download the file to the local disk. The email is encrypted.

The user cannot download the file to the local disk. Microsoft's Office 365 can enable data loss prevention policies. Outlook can restrict access to files only from a user's OneDrive. From there, the user can open up the file within a browser. Print and copy functions can also be restricted.

Patch management goes through a change control process so that the vulnerabilities at higher risk mitigate as soon as possible. Why is training an important aspect in deployment process? Select all that apply. To quickly disseminate updates To update the response documentation To test the software To understand company policies

To quickly disseminate updates To understand company policies Quickly and efficiently deploying a patch or update also prepares staff for the next iteration of patch deployments; any delay or error leaves the network in a higher state of risk. Clear policies and effective training on incident detection and reporting procedures equip staff with the tools they need to react calmly and positively to threatening events.

A company has a computer security incident response team (CSIRT) that includes the IT department, customer support team, and public relations. How may the company benefit from including an internal forensic analyst? To be a single point of contact for security notifications To support audit processes and record maintenance To fulfill PCI DSS requirements To relay pertinent information to affected customers

To support audit processes and record maintenance The forensic analyst's main responsibility is to investigate and reconstruct the cause of a cybersecurity incident. Other duties include supporting audit processes and record maintenance.

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? Blue team White team Purple team Red team

White team Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission.

Select the scripting languages often used for automation that are domain-specific languages (DSL). Select all that apply. Bash XML SQL Python

XML SQL Scripting will often make use of domain-specific languages, such as SQL. Database maintenance tasks can be automated and scheduled to operate at prescribed times, using various methods. Scripting also takes advantage of domain-specific languages such as XML for structured configuration and data exchange. Bash and Python are general-purpose scripting languages.

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? The SMTP audit log from your company's email server Firewall logs showing the SMTP connections Network flows for the DMZ containing the email servers The full email header from one of the spam messages

The full email header from one of the spam messages You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it passed through your email system or came from outside, and whether it was a spoofed email or a legitimate one. Once this information has been analyzed, you can continue based on those findings, whether that means analyzing your email server, the firewalls, or other areas of concern.
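As an added example (not from the quiz), the Python below does the header reading described above with the standard library: it walks the Received: chain bottom-up to find the first hop, checks whether one of your servers relayed the message and whether the submission was authenticated (ESMTPA, which points at a compromised account rather than an open relay), and compares the envelope Return-Path domain with the From domain. The message, hostnames, IPs and ids are all constructed; the domain "corp.example" stands in for your organisation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed spam sample (not a real message). Each hop prepends its own Received: line,
# so the topmost is the last hop and the bottom one is where the message entered the mail system.
SPAM_RAW = """\
Received: from mx.recipient.test ([198.51.100.20]) by inbound.recipient.test; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.corp.example ([203.0.113.10]) by mx.recipient.test; Mon, 1 Jan 2024 10:00:04 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77]) by mail.corp.example with ESMTPA id 4F3; Mon, 1 Jan 2024 10:00:01 +0000
Return-Path: <bounce@lottery-winner.test>
From: "Lottery Commission" <winner@corp.example>
To: victim@recipient.test
Subject: You have won!
Message-ID: <abc123@lottery-winner.test>

Claim your prize by wiring the processing fee.
"""

RECEIVED_RE = re.compile(
    r"from (?P<from_host>\S+) \((?P<comment>[^)]*)\) by (?P<by_host>[^\s;]+)(?P<rest>[^;]*);"
)
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def received_chain(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Hops in chronological order (first hop first): the host the sender claimed to be,
    the IP the receiving server actually saw, the receiving host, and any extra tokens."""
    msg = message_from_string(raw_message)
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(raw.split()))   # unfold any wrapped header
        if not m:
            continue
        ip = IP_RE.search(m["comment"])
        hops.append({
            "from_host": m["from_host"],
            "from_ip": ip.group(0) if ip else None,
            "by_host": m["by_host"],
            "rest": m["rest"].strip(),
        })
    return hops


def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse(raw_message: str, our_domain: str) -> Dict[str, object]:
    """The questions a blocklisting report raises: where did the mail enter, did our server
    relay it, was a login used to submit it, and does the envelope sender match the From."""
    msg = message_from_string(raw_message)
    hops = received_chain(raw_message)
    ours = [h for h in hops if _in_domain(h["by_host"] or "", our_domain)]
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "our_server_relayed": bool(ours),
        # ESMTPA / ESMTPSA mean the client authenticated: look for a compromised account.
        "authenticated_submission": any("ESMTPA" in h["rest"] or "ESMTPSA" in h["rest"] for h in ours),
        "from_address": from_addr,
        "return_path": return_path,
        "envelope_mismatch": from_addr.split("@")[-1] != return_path.split("@")[-1],
    }


if __name__ == "__main__":
    print(analyse(SPAM_RAW, "corp.example"))
```

Received: headers below the hop your own server added can be forged by the sender, so the trustworthy facts are the IP your server recorded and whether it logged an authenticated session; here that points at a user account submitting from 192.0.2.77, which is where the SMTP logs and that user's workstation come in.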

An attacker infects several systems at an organization with malware. The malware exploits a flaw in a business application. Engineers at the organization isolate the systems as they discover that a software patch does not exist. The engineers are dealing with which type of malware? Command and Control Zero-day Persistent Commodity

Zero-day A zero-day is a vulnerability that is discovered or exploited before the vendor can issue a patch to fix it. In this case a business application currently has no fix to a particular exploit.

You are working as a cybersecurity analyst, and you just received a report that many of your servers are experiencing slow response times due to what appears to be a DDoS attack. Which of the following actions should you undertake? Take no action but continue to monitor the critical systems Inform management of the issue being experienced Shutdown all of the interfaces on the affected servers Inform users regarding the affected systems

Inform management of the issue being experienced

You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? Request disciplinary action for Connor for causing this incident Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department Isolate the workstation computer by disabling the switch port and resetting Connor's username/password Unplug the workstation's network cable and conduct a complete reimaging of the workstation

Isolate the workstation computer by disabling the switch port and resetting Connor's username/password

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?

nmap -sT The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use -sT when you do not have raw packet privileges on your workstation or when you are scanning an IPv6 network. It tells nmap to complete the TCP handshake through the operating system's connect() system call instead of crafting raw SYN packets. A SYN scan (-sS) is faster and is usually preferred, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan, in which the FIN, PSH, and URG flags are set. The -O flag would conduct operating system detection against the target system.

Jorge and Marta are working on a programming project together. During a code review, Marta explains her code to Jorge while looking at the code on her computer. Which of the following code review techniques is being used in this scenario? Pair programming Dual control Over-the-shoulder Tool-assisted review

over-the-shoulder Over-the-shoulder code reviews rely on a programmer explaining their code to a peer.

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor's hands. After safely extracting the device's data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use?

Physically destroy the storage devices With no vendor secure-erase (SE) utility and no encryption whose key could be destroyed, overwriting an SSD cannot be relied on to reach every cell, because wear levelling and over-provisioned blocks are outside the host's control, so physical destruction is the only method that guarantees the data is gone.

Which of the following is the most important feature to consider when designing a system on a chip? Ability to be reconfigured after manufacture Space and power savings Ability to interface with industrial control systems Type of real-time operating system in use

space and power savings A system on a chip is an integrated circuit that integrates all or most components of a computer or other electronic system. These components almost always include a central processing unit, memory, input/output ports, and secondary storage - all on a single substrate or microchip, the size of a coin.

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:

This appears to be normal network traffic The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since

Which of the following is NOT a valid reason to conduct reverse engineering? To commit industrial espionage To allow the software developer to spot flaws in their source code To allow an attacker to spot vulnerabilities in an executable To determine how a piece of malware operates

To allow the software developer to spot flaws in their source code A developer who already holds the source has nothing to reverse engineer; the other three options all start from a compiled binary.

An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system? dir bash which bash ls -l bash printenv bash

which bash By executing the "which bash" command, the system will report the file system path from which the bash command is being run. If that directory differs from the default location for this Linux distribution, it would indicate a compromised machine. The ls command will list the current directory and show any files or folders named bash. The printenv command would print the value of an environment variable named bash, not the path of the binary. The dir command lists the contents of a directory, much like ls does.

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? Data owner Data custodian Data steward Privacy officer

Data owner A data owner is responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations. The data steward is primarily responsible for data quality, which involves ensuring data are labeled and identified with appropriate metadata.

Users reported an unknown service set identifier (SSID) in the break room area when trying to connect to the office Wi-Fi network. Network administrators investigated the area and did not find a rogue wireless network router. Where is the rogue network most likely coming from? Select all that apply. A tethered phone. A Bluetooth speaker. A mobile hotspot. A laptop wireless network adapter.

A mobile hotspot. A laptop wireless network adapter. A hotspot allows a smartphone to share its mobile data connection with other devices, like a wireless network router does. The smartphone broadcasts its name, or service set identifier (SSID), so users know which device to connect to. A laptop's wireless adapter can also broadcast itself (with a name or SSID) to initiate ad hoc, direct connections to other wireless devices. Tethering allows a device (like a laptop) to share the mobile data connection of a connected smartphone over a cable such as USB, so it broadcasts no SSID; a Bluetooth speaker does not advertise a Wi-Fi SSID either.

During an active security breach of military servers holding classified information, what is the best way a user can notify the Computer Security Incident Response Team (CSIRT) without tipping off the attacker? Select all that apply. A personal cellphone A VOIP phone An organizational email An OTR message

A personal cellphone An OTR message A cellphone is a basic way of contacting the Computer Security Incident Response Team (CSIRT) outside the organizational network; an attacker who is busy with the servers may not be watching other channels. Off-the-Record (OTR) messaging is a cryptographic protocol that provides encryption for instant messaging conversations, so text and other files can be sent to the CSIRT securely. Organizational email and a VoIP phone both run over the network the attacker is already inside, and could reveal that the breach has been noticed.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server All guests must provide valid identification when registering their wireless devices for use on the network Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters Open authentication standards should be implemented on all wireless infrastructure

All guests must provide valid identification when registering their wireless devices for use on the network Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest.

After acquiring a hard disk drive for forensic analysis, which of the following should be mentioned in the final report? Select all that apply. Acquisition methods Concluding remarks Findings List of tools

Acquisition methods Concluding remarks Findings List of tools

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

Active scanning engine installed on the enterprise console Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals.

Which of the given options may reduce the number of false positives when testing for vulnerabilities? Select all that apply. List a missing patch as present Adjust the scope of scans Modify an exception list Establish a new baseline

Adjust the scope of scans Modify an exception list Establish a new baseline

A cloud access security broker (CASB) appliance uses connection brokers between the cloud service and the cloud consumer to mediate access to services. What mode is the CASB operating? Forward proxy mode Log collection mode Application Programming Interface (API) mode Reverse proxy mode

Application Programming Interface (API) mode The API-based CASB uses broker connections between the cloud provider and the cloud client instead of installing a CASB appliance or host in line with cloud consumers.

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? Host-based firewall Application allow list Anti-malware solution Intrusion detection system

Application allow list

Identify the algorithmic component of machine learning that takes inputs and uses them to generate outputs, often using complex internode feedback loops. Artificial neural networks (ANN) Data enrichment Application programming interface (API) integration Threat feed combination

Artificial neural networks (ANN) Neural network nodes take inputs and produce outputs, often using feedback loops of complex node-to-node design. An ML algorithm has goals and state errors and adjusts the neural network in order to reduce errors and optimize objectives.

A SOC analyst has detected the repeated usage of a compromised user credential on the company's email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase? Develop a communications plan that includes provisions for how to operate in a compromised environment Conduct training on how to search for indicators of compromise Perform a data criticality and prioritization analysis Prepare a jump bag or kit for use in the investigation

Develop a communications plan that includes provisions for how to operate in a compromised environment As part of your preparation phase, your organization should develop a communications plan that details which communication methods will be used during a compromise of various systems. If the analyst suspected the email server was compromised, then communications about the incident response efforts (including detection and analysis) should be shifted to a different communications path, such as encrypted chat, voice, or other secure means. Any analyst involved in working on this incident should already have prepared alternate, out-of-band communications to prevent an adversary from intercepting or altering communications.

A small manufacturer for credit card processing devices sold some units to a restaurant chain. What are some of the standards that the restaurant must adhere to per the Payment Card Industry Data Security Standard (PCI DSS)? Select all that apply Assign a unique ID to each administrator. Encrypt transmission across public networks. Maintain instructional documentation. Design physical security of the device.

Assign a unique ID to each administrator. Encrypt transmission across public networks.

Which of the following ensures multi-threaded processing is conducted securely? Atomic execution Processor security extensions Trusted execution Secure enclave

Atomic execution An atomic operation runs to completion as a single indivisible step, so no other thread can observe or interleave with it part-way through. Making the check and the update of shared state atomic (for example by holding one lock across both) is what allows work to be distributed across multiple threads without race conditions or time-of-check/time-of-use flaws.
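As an added example (not part of the quiz), the Python below shows why atomicity matters for shared state. A check-then-act withdrawal is written as a generator so an adversarial scheduler can let every worker pass the balance check before any of them subtracts, which drives the balance negative; the same logic under a lock, run on real threads, cannot be interleaved and stops at the correct point. The account and amounts are constructed.

```python
import threading
from typing import Iterator


class Account:
    """Shared state touched by several workers."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_nonatomic_steps(acct: Account, amount: int) -> Iterator[str]:
    """Check-then-act with a gap: yielding between the check and the update is where
    another worker can run, exactly like a context switch in a real thread."""
    if acct.balance >= amount:
        yield "checked"
        acct.balance -= amount
    yield "done"


def withdraw_atomic(acct: Account, amount: int) -> bool:
    """Same logic, but check and update happen under one lock: no interleaving point."""
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_interleaved(acct: Account, amount: int, n_workers: int) -> int:
    """Worst-case scheduler: every worker sees the old balance and passes the check,
    then each one subtracts. Deterministic, so the lost-update bug always shows."""
    workers = [withdraw_nonatomic_steps(acct, amount) for _ in range(n_workers)]
    for w in workers:
        next(w)                 # all checks pass against the untouched balance
    for w in workers:
        for _ in w:             # now all updates run
            pass
    return acct.balance


def run_one_at_a_time(acct: Account, amount: int, n_workers: int) -> int:
    """Same non-atomic code run to completion per worker: correct, because nothing
    interleaves. The bug is in the interleaving, not in the arithmetic."""
    for _ in range(n_workers):
        for _ in withdraw_nonatomic_steps(acct, amount):
            pass
    return acct.balance


def run_threaded(acct: Account, amount: int, n_workers: int) -> int:
    """Real threads racing for the account; the lock makes each withdrawal atomic."""
    threads = [threading.Thread(target=withdraw_atomic, args=(acct, amount)) for _ in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance


if __name__ == "__main__":
    print("interleaved, no lock:", run_interleaved(Account(100), 30, 5))   # -50
    print("threads with lock:   ", run_threaded(Account(100), 30, 5))      # 10
```

In production code the generator trick is replaced by real threads, but the lesson carries over: the window between reading a value and acting on it is the attack surface, and the fix is to make the pair one operation (a lock, a compare-and-swap, or a database transaction), not to make the window smaller.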

Machine learning techniques for detecting obfuscated malware are in development. Malware can escape routines for signature detection by modifying the code structure so that it no longer matches any signature contained in an anti-virus product. Describe a machine-learning method for detecting obfuscated malware that analyzes the features present in an executable and matches them to features of known malware. Threat feed combination Security Content Automation Protocol (SCAP) Automated malware signature creation Data enrichment

Automated malware signature creation Machine learning techniques such as automated malware signature creation are being developed to detect obfuscated malware: instead of matching a fixed byte pattern, the model extracts features from the executable and compares them with the features of known malware, so a sample whose code structure has been changed to defeat conventional anti-virus signatures can still be recognised.

Identify the elemental component of security orchestration. Automation scripts Application programming interface (API) integration Data enrichment Continuous integration (CI)

Automation scripts Scripts are the basic building block of orchestration: a script runs a sequence of commands against many files or systems under stated conditions or on a schedule, and orchestration tools chain such scripts together across products.

List tools that are commonly used to identify anomalous behavior. Select all that apply. Autoruns grep Process Monitor Process Explorer

Autoruns Process Monitor Process Explorer Process Explorer, an enhanced version of Task Manager, allows people to see parent/child relationships between processes, DLLs loaded, where the process launched from, Registry keys interacting with the process, code strings, and network connections. Process Monitor allows people to record data points about processes, such as every operation each process is undertaking, its status, and any additional I/O details. The Autoruns tool displays processes configured to auto-start and shows where in the Registry and file system the auto-start entries are configured. User-mode malware attempting to run at startup should be detectable in one of these locations.

What techniques are commonly used by port and vulnerability scanners to enumerate the services running on a target system? Banner grabbing and UDP response timing Using the -O option in nmap and UDP response timing Banner grabbing and comparing response fingerprints Comparing response fingerprints and registry scanning

Banner grabbing and comparing response fingerprints Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.
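As an added example (not part of the quiz), the Python below performs a banner grab against a throwaway listener on 127.0.0.1 and matches what comes back against a small fingerprint table, the two steps the explanation names. The banners and the three fingerprints are constructed for illustration; a real scanner such as nmap carries thousands of probes and signatures.

```python
import re
import socket
import threading
from typing import Dict, Optional, Tuple

# Constructed banners served by a local one-shot listener (not a real scan target).
FAKE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    "ftp": b"220 (vsFTPd 3.0.3)\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
}

# Illustrative fingerprint table: regex over the banner -> (service, product). The
# optional `ver` group pulls the version out when the product exposes one.
FINGERPRINTS = [
    (re.compile(rb"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>[\w.]+)"), "ssh", "OpenSSH"),
    (re.compile(rb"^220 \(vsFTPd (?P<ver>[\d.]+)\)"), "ftp", "vsFTPd"),
    (re.compile(rb"^220 \S+ ESMTP Postfix"), "smtp", "Postfix"),
]


def serve_banner(banner: bytes) -> Tuple[int, threading.Thread]:
    """Start a TCP listener on 127.0.0.1 that sends `banner` to one client and exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    t = threading.Thread(target=_run, daemon=True)
    t.start()
    return port, t


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and read whatever the service volunteers before we send anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def fingerprint(banner: bytes) -> Optional[Dict[str, str]]:
    """Compare the response against known fingerprints; None means unrecognised."""
    for pattern, service, product in FINGERPRINTS:
        m = pattern.match(banner)
        if m:
            version = m.groupdict().get("ver") or b""
            return {"service": service, "product": product, "version": version.decode()}
    return None


def identify_local(banner: bytes) -> Optional[Dict[str, str]]:
    """End to end against the local listener: serve, grab, fingerprint."""
    port, t = serve_banner(banner)
    result = fingerprint(grab_banner("127.0.0.1", port))
    t.join(timeout=2)
    return result


if __name__ == "__main__":
    for name, banner in FAKE_BANNERS.items():
        print(name, identify_local(banner))
```

A banner is self-reported and trivially faked, so scanners treat it as one input among several; the fingerprint side (how the service responds to specific probes) is what catches a service that lies about its version, and that is where false positives in vulnerability scans often come from when a patched backport keeps an old banner string.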

Which of the following indicators of compromise does NOT point to a worm-type malware infecting hosts in the network? Select all that apply. Bandwidth consumption Beaconing Scan sweep Rogue network device

Beaconing Scan sweep Rogue network device A rogue network device indicates unauthorized use of a network device, such as a wireless access point, that can provide access to an organization's network. Beaconing is the process by which a Command and Control (C2) server (similar to the one used in a botnet) pings other bots to verify they are still alive. A scan sweep is performed by a rogue device on the network to find other hosts on the network plus any vulnerabilities that might allow them to be exploited.

A cybersecurity analyst discovered evidence that under unknown conditions, logic bombs were going off. The analyst knows the effect (encrypting the user's drive) and that it spreads through several specific TCP/IP ports. The analyst responds by explicitly blocking those ports. By which mechanism will the analyst block the ports? Blacklisting Sandboxing Sinkholing Whitelisting

Blacklisting Blacklisting works by keeping a list of known programs, utilities, traffic, and other communication to and from systems which are to be denied access and blocked from installing or running. A whitelist is "the cybersecurity list" which only grants programs approved by the administrator and certain IP and email addresses access to the network. Everything is blocked in a whitelist except that which is trusted. Sinkhole routing can be used as a DDoS mitigation strategy to redirect the traffic that floods an IP address to another network where it can be analyzed.

What is the best way to reduce attack surface area? Block attack vectors Use threat actor profiles and threat intelligence to identify IoCs Establish a hypothesis for how a threat might have infiltrated the system Develop threat hunting tactics to search for IoCs, such as performing process analysis

Block attack vectors The attack surface is all the points at which an attacker might interact and potentially interfere with the device. By identifying and blocking these attack vectors, security personnel can improve security.

A developer discovers that an application under test has a vulnerability. If the development team does not remedy it, application users are prone to a stack frame memory exploit. Which overflow type do the developers look to fix? Race condition Heap Integer Buffer

Buffer A buffer is an area within a stack frame (in memory) used to store a variable. An overflow vulnerability allows the function to overwrite memory locations adjacent to the buffer in the stack frame. An integer is a positive or negative number usually with a fixed lower and upper bound. An integer overflow attack causes a value that exceeds these bounds. The heap is an area of memory allocated by the application during execution to store a variable. A heap overflow can overwrite a variable and allow arbitrary code execution. Race conditions occur when the outcome from a process is dependent on the order and timing of events, and those events fail to execute in the order and timing intended.

Evaluate the technology Digital Rights Management (DRM) software that will most effectively prevent content from playing on TVs that are not High-bandwidth Digital Content Protection (HDCP) compatible. Measured boot attestation Anti-tamper mechanism Bus encryption e-Fuse

Bus encryption Often used by DRM software, bus encryption ensures the device at the end of the bus is trusted to decrypt the data when the data is transferred to another device over a bus, such as PCIe, USB, or HDMI.

Recommend a method for preventing attackers from gaining access during transfer via USB or HDMI. Trusted platform module (TPM) Hardware security module (HSM) Bus encryption Trusted foundry

Bus encryption Bus encryption ensures the device at the end of the bus is trusted to decrypt the data when the data is transferred to another device over a bus. It enhances security when transferring data.

If multiple incidents are occurring, what can an IT manager consider when creating a response plan that prioritizes? Select all that apply. Business essential functions Downtime Recovery time Privacy breach

Business essential functions Downtime Recovery time Privacy breach

You are conducting a forensic analysis of a hard disk and need to access a file that appears to have been deleted. Upon analysis, you have determined that the file's data fragments exist scattered across the unallocated and slack space of the drive. Which technique could you use to recover the data?

Carving File carving is the process of extracting data from an image when that data has no associated file system metadata. A file-carving tool analyzes the disk at the sector/page level. It attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least bits of information from deleted files. File carving depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file identifies its type.

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? Logically isolate the PAYROLL_DB server from the production network Conduct a Nessus scan of the FIREFLY server Hardening the DEV_SERVER7 server Conduct a data criticality and prioritization analysis

Conduct a data criticality and prioritization analysis While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first.

You have received a laptop from a user who recently left the company. You went to the terminal in the operating system, typed 'history' into the prompt, and saw the following:

Conducted a ping sweep of the subnet This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a ping to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done).

What is the development principle that focuses on making changes to the production environment to support the new app version? Continuous Integration Continuous Deployment Continuous Delivery Security Orchestration Automation and Response (SOAR)

Continuous Deployment Continuous Deployment (CD) is the process of actually making changes to the production environment to support the new app version. Continuous Delivery (CD) is about testing all of the infrastructure that supports the app, including networking, database functionality, client software, etc. Continuous Integration (CI) is a theory of development that states developers should regularly commit and test changes to identify and minimize the chances of code conflicts and use automated testing to accomplish this mission. Security Orchestration is a part of CI.

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly?

Continuous Deployment Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.

A disk drive was removed from a client workstation to hold as evidence in a security case. Which action can a forensic analyst take to confirm integrity of the data as it moves through the chain of custody? Use a write blocker. Create a cryptographic hash. Capture a vmdk file. Create a snapshot.

Create a cryptographic hash. A cryptographic hash is taken of an image or disk before it goes through the chain of custody and before in-depth analysis. An analyst can compare the hash from collection and from the destination and ensure they are the same.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24-hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? Configure replication of the data to a set of servers located at a hot site Create a daily incremental backup to tape Create disk-to-disk snapshots of the server every hour Conduct full backups daily to tape

Create a daily incremental backup to tape Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

A security team runs a scan on a company network to check for vulnerabilities. An in-depth scan of installed and missing patches on servers is of great interest. Which scan type does the team use? Non-credentialed Credentialed Behavioral Proprietary

Credentialed Credentialed is a type of security scan that gives a user account with log-on rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This test allows much more in-depth analysis.

Which approach does an attacker use as a reflected type of attack? Select all that apply. Non-persistent XSS Persistent XSS Document Object Model (DOM) XSS Cross-site scripting (XSS)

Cross-site scripting (XSS) Non-persistent XSS A cross-site scripting (XSS) attack is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site. A cross-site scripting (XSS) attack is considered reflected (non-persistent). A non-persistent attack is a reflected type of attack. This type of attack uses malicious code from a web server and directs it to a user's local browser for the attack.

Identify the machine learning technique that utilizes multiple hidden layers of neural networks to learn for itself what factors are solving its task. Data enrichment Artificial intelligence Expert systems Deep learning

Deep learning Deep learning is a versatile machine learning development. With deep learning, the neural networks have a hierarchy of multiple hidden layers, where complex knowledge classes are described in relation to simpler knowledge classes in order to make more informed determinations about the environment. Expert systems are a type of software system using static information based on a specific domain to use if-then rules to draw inferences from this limited set of data (knowledge base).

Applications built into hardware are likely to use flash memory storage and are executed in system memory by the processor, similar to other applications. An attacker can use this as a point of attack. Compile a list of vulnerable application types, due to execution from flash memory if hardware root of trust is not established. Select all that apply. Embedded Application Firmware Web Applications Mobile Applications

Embedded Application Firmware An embedded application is designed to run on a dedicated hardware platform. An embedded application performs "high level" processing features, such as connecting a smart TV to the Internet, and running custom apps, or implementing the functions of an Ethernet switch. Firmware is a particular computer software class that provides low-level control for the specific hardware used by a system.

Determine the types of applications that require placement of software assurance methods prior to production and cannot be easily updated or upgraded post-market. Select all that apply. Web applications Embedded Application System-on-a-Chip (SoC) Firmware

Embedded Application System-on-a-Chip (SoC) Firmware An embedded application is designed to run on a dedicated hardware platform. An embedded application performs "high level" processing features, such as connecting a smart TV to the Internet, and running custom apps, or implementing Ethernet switch functions. Firmware is a particular computer software class that provides low-level control for the specific hardware used by a system. An on-chip design is an integrated circuit containing all elements of a computer or other electronic device.

To perform security vulnerability testing, an engineer performs an On-path attack on a Windows network. Which tool does the engineer configure? Reaver Prowler Pacu Responder

Responder Responder is an On-path tool that exploits name resolution on Windows networks.

Which of the following should a domain administrator utilize to BEST protect their Windows workstations from buffer overflow attacks?

Enable DEP in Windows Windows comes with DEP, which is a built-in memory protection resource. This prevents code from being run in pages that are marked as nonexecutable. DEP, by default, only protects Windows programs and services classified as essential, but it can be used for all programs and services, or all programs and services except the ones on an exception list.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? Enable full packet capture Enable NetFlow compression Enable sampling of the data Enable QoS

Enable sampling of the data The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation.

A single host on a network has become compromised by malware. Rather than preventing the initial execution of the code, the security software in place provides real-time and historical insight throughout the breach, isolates the malware inside the host, and promotes the host's remediation to its original state. What mechanism responded? Intrusion prevention system (IPS) User and Entity Behavior Analytics (UEBA) Endpoint Protection Platform (EPP) Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) Endpoint detection and response (EDR) focuses on the monitoring of measurable endpoints and indicators in conjunction with behavioral and anomaly-based analyses to provide real-time and historical visibility in the compromise, contain the malware within a single host, and enable the host's remediation.

A company lost a significant amount of proprietary data to outside hackers. Luckily, though, customer information remained protected. Company executives required an immediate deployment of a Security Information and Event Management (SIEM) solution to better predict threats before they occur. Return on security investment (ROSI) would be marginal, at best. Analyze and determine which factor the company took into consideration the most during this situation. Engineering trade off Reduction in ALE Source of the hardware Sharing the risk

Engineering trade off An engineering trade off deploys a security monitoring solution immediately, without much thought to the cost. The company did not want to risk another incident where customer information could be stolen.

An analyst is reviewing log files for threat hunting purposes. What is the important first step the analyst would have taken prior to getting started? Establish a hypothesis Reduce the attack surface area Improve detection capabilities Profile threat actors and activities

Establish a hypothesis It is a fruitless job to search log files and packet traces for TTP proof unless it is driven by some theory of what to look for. A hypothesis may be of benefit to the modeling of risks.

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? Replace the affected SCADA/ICS components with more secure models from a different manufacturer Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible Logically or physically isolate the SCADA/ICS component from the enterprise network

Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface

Identify the type of software system that uses a static knowledge based in a specific domain to use if-then rules to draw inferences from this limited data set (knowledge base). Deep learning system Expert system Artificial neural network (ANN) Vulnerability scanner

Expert system Expert systems are a type of software system using static information based on a specific domain to use if-then rules to draw inferences from this limited set of data (knowledge base).

A network engineer initiates vulnerability scanning for an organization's network. The engineer uses multiple approaches by utilizing a protected company workstation and a cloud-based virtual server as hosts. Which of the following resources does the engineer use? Select all that apply. External system Proprietary system Legacy system Internal system

External system Internal system Scanning hosts on a local network can be referred to as internal scanning. The scanner is local to the network and can be configured with permissions to perform detailed data collection from each host. An external scan takes place from a scanning host on a different network, such as an Internet-based host launching a scan against a web server, firewall, or other external facing device.

A network admin remotely accessed a server to investigate an unexpected shutdown event. All web services are running as normal; however, the admin was unsure about the website's output when visiting the web page. What may have indicated an issue with the server? HTTP 500 error High memory usage High CPU usage TCP port 25 outbound connection

HTTP 500 error An HTTP 500 Internal Server Error is a catch-all response code indicating the server is experiencing an unexpected condition and cannot fulfill the request. This requires an in-depth analysis because the error is not specific.

After acquiring a hard disk drive for forensic analysis, which of the following should be mentioned in the final report? Select all that apply. Findings Concluding remarks List of tools Acquisition methods

Findings Concluding remarks List of tools Acquisition methods During the reporting phase of the digital forensics procedures, the method used to acquire the data or media must be mentioned. It will provide the basis on whether a media can be used as legal evidence in a case. A list of tools used to acquire the data is required in the final report. The legality of the evidence may be based on the tools used to acquire the data. The main part of the digital forensic reports is to know what was found. The report may review the type of malware on the media, or also understand how the system was compromised. Concluding remarks are also available in the final report to determine the next steps.

If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used? Golden ticket Lateral movement Pivoting Pass the hash

Golden ticket A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members.

Which phase in the digital forensic procedure may require labeling a hard drive disk (HDD) as "official evidence"? Analysis Legal hold Data acquisition Identification

Identification In the identification phase, an analyst secures the scene to prevent contamination and identifies the scope of the evidence collected. Evidence can be labeled appropriately here.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? Software write blocker Forensic drive duplicator Hardware write blocker Degausser

Hardware write blocker Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device.

You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? Jumpbox Honeypot Containerization Sandbox

Honeypot

IT engineers configure a cloud deployment while utilizing software coded orchestration tools for interconnectivity. Which deployment model do the engineers configure for the organization while utilizing more than one platform? Public Hybrid Private Community

Hybrid A hybrid cloud is composed of public cloud, private cloud, and on-premises infrastructure. Interconnections within this hybrid infrastructure are made by software coded orchestration tools.

Which of the following is an example of a qualitative risk calculation? Annual loss expectancy Single loss expectancy Corporate reputation value Impact rating is high

Impact rating is high Qualitative risk analysis is generally scenario-based. For example, impact ratings can be severe/high, moderate/medium, or low; and likelihood ratings can be likely, unlikely, or rare.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? Improper error handling Use of insecure functions Insecure object reference Insufficient logging and monitoring

Improper error handling

A vendor is supporting a military agency to resolve issues with their network intrusion detection system and provide a better solution. The salesperson is requesting information about the network to provide good feedback. Which types of documentation is the military point of contact (POC) allowed to provide to the vendor with a signed non-disclosure agreement (NDA)? Internal use only Secret Public Unclassified

Internal use only Classified documentation is labeled as private, internal use only, and office use only data. Viewing is restricted to authorized persons in the organization and third parties under a non-disclosure agreement (NDA).

After a recent software update, several thermostat devices in an office stop responding to commands. The user mentions that the controller software is installed on a rooted mobile device and fears that the devices became compromised. Which technology should the user troubleshoot? Modbus Internet of Things (IoT) Physical access control CAN bus

Internet of Things (IoT) The term Internet of Things (IoT) describes the global network of devices that have been equipped with sensors, software, and network connectivity.

Which classification best describes the security control function of a security camera? Physical Corrective Detective Deterrent

Physical Physical controls include alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises.

What type of containment method is appropriate for analyzing a hard drive disk (HDD) when the server has malware? Patching Reconstruction Isolation Segmentation

Isolation Isolation-based containment involves removing an affected component from the larger environment it is a part of. This includes removing an infected server from the network. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. You might configure the protected segment as a sinkhole or honeynet and attract hackers.

A recent audit of a gaming application revealed the application broke basic privacy laws. The company is making revenue from a third-party marketing company. The European Union (EU) General Data Protection Regulation (GDPR) requires companies to follow strict guidelines pertaining to user data. Which steps must the company take to be compliant? Select all that apply. Keep data within jurisdiction. Request consent from users. Require NDA with users. Encrypt user data.

Keep data within jurisdiction. Request consent from users. Privacy regulations, such as the General Data Protection Regulation (GDPR), stipulate data can only be collected for a defined purpose, for which the data subject must give explicit consent. This limits the purpose of the data and users must consent to third-party marketing ads. Keeping data within the company's jurisdiction allows regulations like the GDPR to enforce rules in the European Union (EU). Cloud service providers allow choice of data centers for processing and storage.

What is the lowest layer (bottom layer) of a bare-metal virtualization environment? Physical Hardware Hypervisor Host OS Guest OS

Physical Hardware The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor, which controls access to guest operating systems. The bare-metal approach doesn't have a host operating system.

A machine learning malware detection system must be trained on datasets of known malware images, false positive images, and images of legitimate software. What is the labor-intensive method for perfecting this software that is unique to this category of techniques? Debugging Writing of rules Labeling of datasets Compiling

Labeling of datasets A machine learning system must be trained on the datasets of documented images of malware, plus false positive images and valid software images. It can be a labor-intensive process to mark these data sets with features and to adjust the output to minimize false positives.

When determining risk, an engineer should assess which areas? Select all that apply. Likelihood Impact Reputational Behavioral

Likelihood Impact Impact (magnitude) is the effect of a successful exploit or a risk event, such as the value of the impacted asset or the cost of disruption if the asset is compromised. Likelihood (probability) is the chance of a threat being realized and is used in risk measurement. For example, an organization is exposed to hundreds of phishing attempts, but only a few result in a breach incident.

A patient portal website in Europe asks for patient information regarding their personal and health information. Users agree to the website's privacy statement, which will keep patient information confidential and for doctor use only. What protection does the General Data Protection Regulation (GDPR) provide for these patients? Self-certification Encryption Data minimization Limited purpose

Limited purpose The General Data Protection Regulation (GDPR) stipulates that data can only be collected for a defined purpose, for which the data subject must give explicit consent.

William evaluates the potential impact of a confidentiality risk and determines that the disclosure of information contained on a system could have a limited adverse effect on the organization. Using FIPS 199, how should he classify the confidentiality impact? Low Medium Moderate High

Low FIPS 199 classifies any risk where "the unauthorized disclosure of information could be expected to have a limited adverse effect" as a low impact confidentiality risk. If there were a serious adverse effect expected, then it would be a moderate impact. If there were a severe or catastrophic adverse effect expected, then it would be a high impact. Medium is not an impact under FIPS 199.

A hospital sent an encrypted email with patient information for ten individuals to an external business associate that does lab work. The patients need some blood tests. The lab lost some of the patient data in a recent robbery. What is the business associate required to do in response to this incident? Select all that apply. Maintain proof of notification. Notify the hospital after 90 days. Notify the U.S. Secretary of HHS. Provide names of the individuals.

Maintain proof of notification. Provide names of the individuals.

Because modern malware often uses fileless techniques, scanning the file system for malware is often insufficient. What technique can detect fileless malware? Flow analysis Memory analysis User entity behavior analytics (UEBA) Trend analysis

Memory analysis A memory analysis tool lets one reverse the code used by processes, figure out how processes communicate with the file system and registry, analyze network links, retrieve cryptographic keys, and extract interesting strings. User and entity behavior analytics (UEBA) is a process of analysis enabling the detection of suspicious behaviors as compared to a baseline. Analytics software monitors user account behavior across devices and cloud services. Flow analysis is a form of network security analysis that enables operators to enhance their network situational awareness by utilizing tools that parse and display security-relevant network data. Trend analysis is the process of finding patterns over time within a dataset and using those patterns to forecast future events.

A law enforcement agency experiences issues with electronic door locking mechanisms in its offices. Experts feel that someone has tampered with the system. Which system do the experts troubleshoot? Physical access control systems Building automation systems Embedded systems Workflow and process automation systems

Physical access control systems A physical access control system (PACS) is a network of monitored locks, intruder alarms, and video surveillance. A PACS can be implemented as part of a building automation system or a separate system.

A cybersecurity analyst is collecting data for an investigation into a server breach and is writing SIEM correlation rules to help organize the data in order to verify further details of the breach. Compile a list of considerations the analyst should keep in mind when writing SIEM correlation rules. Select all that apply. Memory and load considerations Manually obtaining logs from each network device Normalizing the data Local time values and clock synchronization

Normalizing the data Local time values and clock synchronization Memory and load considerations Having many correlation rules, or overly complex ones, can take a lot of memory and put the server under a lot of load. When writing SIEM correlation rules, it is very important that data from all sources matches in a way that allows the data to be correctly correlated, for instance when comparing an internal IP address with external IP addresses. When correlating logs, it is important to be aware of differences in clock synchronization, as this can cause logs to have a disparity in their timestamps.

Select the Security Content Automation Protocol (SCAP) components that can accomplish SCAP functions. Select all that apply. "Assess" component Open Vulnerability and Assessment Language (OVAL) Extensible Configuration Checklist Description Format (XCCDF) "Respond" component

Open Vulnerability and Assessment Language (OVAL) Extensible Configuration Checklist Description Format (XCCDF) Open Vulnerability and Assessment Language (OVAL) is an XML schema for describing system security state and querying vulnerability reports and information. Extensible Configuration Checklist Description Format (XCCDF) is an XML schema for developing and auditing best-practice configuration checklists and rules.

What type of information may be in an after-action report? Select all that apply. Downtime Change management Patching Recovery time

Patching Recovery time Downtime Downtime information in an after-action report can include the time services were known to be down. This can be verified with logs or consistent user reports. Recovery time refers to the amount of time it took to bring services back to normal. This information may also include the company's recovery time objective (RTO). Patching information will be recorded if a vulnerability requires a patch or an update. Details can include name, version, date and time deployed, etc.

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?

Perform a scan for the specific vuln on all web servers

Which of the following options places the correct phases of the Software Development Lifecycle's waterfall method in the correct order? Requirements analysis, planning, design, implementation, deployment, testing, maintenance Planning, requirements analysis, design, implementation, deployment, testing, maintenance Planning, requirements analysis, design, implementation, testing, deployment, and maintenance Requirements analysis, planning, design, implementation, testing, deployment, and maintenance

Planning, requirements analysis, design, implementation, testing, deployment, and maintenance The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment's security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs known environment source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs known or unknown environment testing to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides.

What document typically contains high-level statements of management intent? Procedure Standard Guideline Policy

Policies are high-level statements of management intent. Compliance with policies by employees should be mandatory. An information security policy will generally contain broad statements around the various cybersecurity objectives. Procedures describe exactly how to use the standards and guidelines to implement the countermeasures that support the policy. Standards and baselines describe specific products, configurations, or other mechanisms to secure the systems. A guideline is a recommendation that can specify the methodology that is to be used.

A developer uses a fuzzing approach to test software for vulnerabilities. The developer utilizes a technique to test for header values. Which fuzzing method does the developer use? File Format Stress test Protocol Application UI

Protocol Fuzzing can be used for protocol testing. Manipulated packets may be transmitted using unexpected values in the headers or payload.

A major security breach is occurring at the branch office which is affecting clients in the regional area. An attacker is actively copying data to a remote server that contains sensitive information. With which of the following should the response team NOT share information during this event? Public media IT director CSIRT Third-party software provider

Public media The inadvertent release of information beyond the authorized team must be prevented. During an active incident, sharing information may tip off the attacker, and the team may not be able to gather information to find the culprit.

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? Clear the drives Clear, validate, and document the sanitization of the drives Purge, validate, and document the sanitization of the drives The drives must be destroyed to ensure no data loss

Purge, validate, and document the sanitization of the drives Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves.

Which business impact metric describes the period following a disaster where an individual IT system may remain offline? RPO MTD RTO WRT

RTO Recovery time objective (RTO) is the period following a disaster where an individual IT system may remain offline. This is the amount of time it takes to identify there is a problem and perform recovery. Maximum tolerable downtime (MTD) dictates the longest period that a business function outage may occur without causing irrecoverable business failure.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit? Dereferencing Broken authentication Sensitive data exposure Race condition

Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack Recommend immediate disconnection of the elevator's control system from the enterprise network Recommend isolation of the elevator control system from the rest of the production network through the change control process

Recommend isolation of the elevator control system from the rest of the production network through the change control process The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision.

You are trying to find some files that were deleted by a user on a Windows workstation. What two locations are most likely to contain those deleted files? Recycle Bin Unallocated Space Registry Slack Space

Recycle Bin Slack Space Files that users have deleted are most likely found in the Recycle Bin or slack space. Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user.

Proactive threat hunting often leads to the discovery of previously unknown vulnerabilities which can then be secured. Choose the description that fits this process. Analyzing executable processes Profiling threat actors and activities Reducing the attack surface area Bundling critical assets

Reducing the attack surface area The attack surface is all the points at which an attacker might interact and potentially interfere with the device.

Identify the key feature of Network Access Control (NAC) solutions that refers to what happens if a device operating within the network does not meet the security profile. Posture assessment Remediation Pre-admission control Post-admission control

Remediation Remediation refers to what happens if the device does not meet the security profile. A non-compliant device may be refused connection completely or put in a captive portal from which general network access is prevented.

A user reported a USB drive inserted into a desktop client, and the computer became unusable. After removing the drive, what may an administrator do next to further understand the incident? Retain evidence Monitor services Initiate change control process Submit after-action report

Retain evidence The USB drive must be retained for forensic analysis and possible reverse engineering to understand what it did to the desktop computer to make it unusable.

A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search? Returns all web pages containing the text diontraining.com Returns all web pages hosted at diontraining.com Returns all web pages containing an email address affiliated with diontraining.com Returns no useful results for an attacker

Returns all web pages containing an email address affiliated with diontraining.com Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.

An attacker exploits a service using supervisory controls. Which approach does the attacker use? Rootkit Persistent Reflected Dereferencing

Rootkit A rootkit allows unrestricted root-level access to the computing device. A rootkit will allow the adversary to arbitrarily install other malware, persist between computer reboot and user logoff events, and modify monitoring tools to conceal its presence.

Syed is developing a vulnerability scanner program for a large network of sensors to monitor his company's transcontinental oil pipeline. What type of network is this? CAN BAS SCADA SoC

SCADA SCADA (supervisory control and data acquisition) networks work off an ICS (industrial control system) and maintain sensors and control systems over large geographic areas.

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?

SOAR A security orchestration, automation, and response (SOAR) platform is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

Which of the following categories would contain information about a French citizen's race or ethnic origin? SPI DLP PII PHI

SPI According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI).

Which of the following tools would you use to audit a multi-cloud environment? Prowler ScoutSuite (Correct) OpenVAS (Incorrect) Pacu

ScoutSuite ScoutSuite is used to audit instances and policies created on multi-cloud platforms. Prowler is a cloud auditing tool, but it can only be used on AWS. Pacu is an exploitation framework that is used to test the security configurations of an AWS account. OpenVAS is a general-purpose vulnerability scanner but does not deal with cloud-specific issues.

An automation tool that uses parameters as input data alters the flow of execution based on conditional logic statements, error checks, and unit tests to complete cloud-related administrative tasks without human intervention. What automation method is this? Automated malware signature creation Scripting Data enrichment Application programming interface (API) integration

Scripting It is important to run operations on several files under certain conditions and according to a schedule. Commands inside a script accomplish this.

A security key is required from the CPU vendor to make buffer overflow attacks impossible. This allows application processes to be identified as trusted. Define the security method that accomplishes this goal. Secure enclave Bus encryption Measured boot attestation Unified Extensible Firmware Interface (UEFI)

Secure enclave To create a secure enclave, the software developer must obtain a key from the CPU vendor to identify the trusted process. A typical usage of this process is for an application to use a secure enclave to store encryption keys. Measured boot is the capability to transmit an attestation report containing a boot log to an external server, such as a network access control server.

Name the protocol that validates that scanning and detection tools adhere to NIST standards. SOAR (Security Orchestration, Automation and Response) Security Content Automation Protocol (SCAP) Simple Object Access Protocol (SOAP) Internet Protocol (IP)

Security Content Automation Protocol (SCAP) The Security Content Automation Protocol (SCAP) enables compatible scanners to determine whether a device meets a baseline configuration.

A company is upgrading their entire network. Management is considering replacing their current services with a more modern, non-traditional cloud model that does not require them to manage servers themselves. Recommend a cloud model that will provide dynamically managed servers off-premises. Virtual Private Cloud (VPC) Virtual Desktop Infrastructure (VDI) Serverless cloud (FaaS) Software Defined Networking (SDN)

Serverless cloud (FaaS) Serverless is a modern design pattern for service delivery. Billing is based on execution time, rather than hourly rates. This type of service provision is also called function as a service (FaaS). Virtual desktop infrastructure (VDI) refers to using a virtual machine as a means of provisioning corporate desktops. When a VDI client machine starts, it boots a minimal OS, and allows the user to log on to a VM stored on the company server infrastructure.

Which of the following does a User-Agent request a resource from when conducting a SAML transaction? Single sign-on (SSO) Identity provider (IdP) Relying party (RP) Service provider (SP)

Service provider (SP) SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP.

Select the authentication model that passes a cryptographic hash as the means of signing on. Single sign-on (SSO) Location-based authentication Multifactor Authentication (MFA) Certificate-based authentication

Single sign-on (SSO) Single sign-on (SSO) allows a user to authenticate to a system only once to gain access to all the resources they have been granted rights for.

Developers look to use a cloud-based solution that provides on-demand app services. They utilize an implementation where the provider provides the platform security but not the app security. Which solution do they implement? Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Function as a Service (FaaS)

Software as a Service (SaaS) Software as a service (SaaS) uses virtual infrastructure to provision on-demand applications. The CSP handles the security of the platform and the consumer is responsible for application security.

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? Static code analysis Dynamic code analysis Manual Peer Review Pair programming

Static code analysis Buffer overflows are most easily detected by conducting a static code analysis.

A pentest exercise is underway. The red team has already taken over the web server and defaced the website. The blue (security) team suggests that the website defacing was not part of the objective. As a member of the white team, select the parameters of the exercise for the red team. Select all that apply. Make recommendations. Diagnose lessons learned. Steal customer data. Access a server.

Steal customer data. Access a server. The red team acts as the adversary. The white team will determine the parameters for the exercise, such as what the red team should attempt to do. Stealing customer data is an acceptable parameter for a red team to execute. The red team accessing a server remotely is an acceptable parameter for a pentest exercise. This will be set by the white team.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? Submit files to an open source intel provider like VirusTotal Run the Strings tool against each file to identify common malware identifiers Scan files using the local AV-AM engine

Submit files to an open source intel provider like VirusTotal The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware.

Describe the type of embedded application that uses field programmable gate arrays (FPGAs) to create built-in functions based on pre-developed IP blocks representing logic-gate configurations. Firmware Internet-of-Things (IoT) appliances System-on-a-Chip (SoC) Graphical Processing Units (GPUs)

System-on-a-Chip (SoC) A system-on-a-chip design is an integrated circuit containing all elements of a computer or other electronic device.

Which of the following scan types are useful for probing firewall rules? TCP ACK TCP SYN XMAS TREE TCP RST

TCP ACK TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered.

An admin runs a netstat -a command to audit a few outbound connections on a Windows server. The server is only running Windows file services to host user home drives. Which Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports would be most alarming to the admin if they were active? Select all that apply. UDP port 3389 TCP port 22 TCP port 25 TCP port 23

TCP port 25 TCP port 23 TCP port 23 is commonly used for Telnet services, which is an unsecure, plain text communication protocol for remote tasks. This should be blocked or disabled. TCP port 25 is commonly used for Simple Mail Transfer Protocol (SMTP) traffic. However, this server does not have any email services running. This is a security concern and should be investigated immediately.

You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select? Logical view Acquisition view Operational view (Incorrect) Technical view (Correct)

Technical view (Correct) A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition view focuses on the procurement process.

You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system with a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? The attacker must have physical or logical access to the affected system Exploiting the vulnerability requires the existence of specialized conditions The attacker must have access to the local network that the system is connected to Exploiting the vulnerability does not require any specialized conditions

The attacker must have physical or logical access to the affected system An attack vector rating of A refers to Adjacent, where the attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS).

You have evidence to believe that an attacker was scanning your network from an IP address at 172.16.1.224. This network is part of a /26 subnet. You wish to quickly filter through several logs using a REGEX for anything that came from that subnet. What REGEX expression would provide the appropriate output when searching the logs for any traffic originating from only IP addresses within that subnet? \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|19[2-9])\b \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]?)\b \b172\.16\.1\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

The correct answer is \b172\.16\.1\.(25[0-5]|19[2-9]|2[0-4][0-9])\b. The \b delimiter indicates that we are looking for whole words for the complete string. To answer this question, you have to rely on your networking knowledge and what you learned back in Network+. First, you need to calculate the IP range for this subnet. Since this is a /26, it would have 64 IP addresses in the range. Since the IP provided was 172.16.1.224, the range would be 172.16.1.192 to 172.16.1.255. The correct answer allows all values of 200-249 through the use of the phrase 2[0-4][0-9]. The values of 250-255 are specified by 25[0-5]. The values of 192-199 are specified through the use of 19[2-9]. All other REGEX expressions either allow too much or too little of the available IP space to be effective and precise filters for the subnet given. If you had this on the exam, I would calculate the IP address range first (as we did in this explanation). Then, I would see which parts are static in the IP address (172.16.1. in this case). Three of our answer choices provide this, so we now know the large REGEX is the wrong answer. Next, we need to figure out how to match only the values of 192-255. As you look at the three options, you need to look for the differences only between the options and see which would allow for the addresses needed. All three options have the same two first terms in the last octet, which covers 200-255, so you need to determine how best to represent the values of 192-199.

Dion Training Solutions has just installed a backup generator for their offices that uses SCADA/ICS for remote monitoring of the system. The generator's control system has an embedded cellular modem that periodically connects to the generator's manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training's other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario? There is a minimal risk being assumed since the cellular modem is configured for outbound connections only There is a high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator There is a medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment

There is a minimal risk being assumed since the cellular modem is configured for outbound connections only There is a minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator.

The servers of a biotech company have a type of malware infection that degrades performance but does not pose a risk of data breach. In fact, the attack was a masking attack used as a diversion, as the attacker wanted to access data on a single database server that contained top secret data. Public disclosure of that information could halt the company's operation. Assess the level of impact. Select all that apply. Total impact Immediate impact Localized impact Organizational impact

Total impact Organizational impact An organizational impact is one that affects vital functions of the mission, meaning the organization cannot operate as expected. Total impact refers to costs that occur after an incident, including harm to the credibility of the company.

What are a few actions a company can take during the preparation phase of an incident response plan? Select all that apply. Reverse engineering malware Training employees Testing software Documenting SOPs

Training employees Testing software Documenting SOPs Training is part of the first step of an incident response plan. Team members on a computer security incident response team (CSIRT) must know things like point of contacts and network tools, and how to use them. Testing software is also the first part of the incident response because it can help prevent issues from happening. Applications with known vulnerabilities should not be deployed until resolved. Documenting the standard operating procedures (SOP) of a response team makes it easier for the team to check all the right areas to support and close out the incident. Reverse engineering is part of the second step of the incident response plan or the detection and analysis phase.

Select the security functions invoked by a CPU's security extensions to verify that a trusted OS is running for trusted execution. Select all that apply. Trusted Platform Module (TPM) Trusted Firmware Updates Secure boot attestation Bus encryption

Trusted Platform Module (TPM) Trusted Firmware Updates Secure boot attestation In a computer device, the RoT is usually established by a type of cryptoprocessor called a trusted platform module (TPM) for hardware-based storage of digital certificates, cryptographic keys, and hashed passwords. Measured boot is the capability to transmit an attestation report containing a boot log to an external server, such as a network access control server. Intel Boot Guard uses special keys and configuration settings to validate attempted firmware updates.

Which of the following is an indicator of compromise within a server? Select all that apply. Unauthorized software installed Regular user account with admin privileges Rogue wireless access point Unknown sanitized hard drive disk

Unauthorized software installed Regular user account with admin privileges A regular user account should not have admin privileges, especially to a server. A user that is also an administrator should have another administrative account for admin work. Unauthorized software installed on a server is an indicator of compromise. Whether the application is known malware or commercial software, it opens another layer of attack options for hackers.

The team deployed a new security monitoring application and backup solution because the legacy applications were out-of-date. A recent incident response revealed that the team was not able to meet their recovery time objective. What are some actions that can improve future recovery times? Select all that apply. Update the documentation. Perform continuous monitoring. Create an after-action report. Follow the change control process.

Update the documentation. Follow the change control process. The change control process is the organization's way of performing corrective actions and remediating controls in a planned way. Following these steps will ensure all the other follow-up items are completed, like updating documentation or initiating training on new software. Updating the incident response plan will integrate the new monitoring software and backup solution into the response workflow. This will make work efficient because the admins will know what to do.

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? Zero Wipe Data Masking Use FDE Span multiple virtual disks to fragment data

Use FDE To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with "x," for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

Police investigators acquired a locked Android smartphone and performed a file system extraction of photos and documents. They used the data in a recent legal case to convict a criminal. How did the investigators gather clean data from the smartphone? Subpoena the cloud provider. Extract call data. Browse Windows File Explorer. Use a UFED software.

Use a UFED software. A universal forensic extraction device (UFED) is a physical device or software used to acquire "clean" data that can be analyzed and used in a legal case.

Office employees are unable to reach the Intranet portal. An IT administrator visits the site and receives a 403 ("Forbidden") response. Establishing a telnet connection to the web server with root credentials presents no issue. What could possibly be wrong with the Intranet portal? File not available Firewall block Users not authorized Upstream server is down

Users not authorized HTTP error codes in the 400 range indicate client-based errors. The 403 ("Forbidden") response indicates that the server is rejecting a client's attempt to access resources it is not authorized to. A firewall block is in line with HTTP error codes in the 500 range, which indicate server-based errors. A 502 ("Bad Gateway") response could indicate that communications between the target server and its upstream server are being blocked. An error code of 404 ("Not Found") indicates the client has access to the web server, but the requested file or resource cannot be found. A 502 ("Bad Gateway") response may also indicate that the upstream server is down, which is a server-based issue.

Representational state transfer (REST) is a software architectural style that defines a set of constraints used for creating Web services. Your company is following REST protocols for web application development. A variety of security and configuration options are discussed in a general meeting. Appraise the following choices and select the option that is inconsistent with REST protocols. Developing a uniform interface Statelessness between requests Using cookies Use a client/server architecture

Using cookies Cookies are one way a web browser stores stateful user information. This can also be a potential vulnerability and is against REST constraints, which require requests to remain stateless.

Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Before this migration, a weekly port scan was conducted to help validate the on-premise systems' security. Which of the following actions should you take to validate the security of the cloud-based solution? Utilize a VPN to scan inside the vendor's security perimeter Utilize vendor testing and audits Utilize a different scanning tool Utilize a third-party contractor to conduct the scans

Utilize vendor testing and audits The best option is to utilize vendor testing and audits in a cloud-based environment. Most SaaS providers will not allow customers to conduct their own port scans or vulnerability scans against the SaaS service.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? UEBA VPN VDI VPC

VDI Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud.

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?

VM escape Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker gains access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines.

Which of the following is not normally part of an endpoint security suite? IPS VPN Software firewall Anti-virus

VPN

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? Virtual hosts Log disposition Processor utilization

Virtual hosts Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only physical hosts, thereby missing many network assets.

Which of the following must be combined with a threat to create risk? Mitigation Exploit Malicious Actor Vuln

Vuln A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization's security goals.

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?

a call list/escalation list To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, in what order, and how high up the organizational leadership chart a particular issue should reach.

Which of the following is the difference between an incident summary report and a lessons-learned report?

an incident summary report is designed for a non-technical audience A lessons-learned report is a technical report designed for internal use to improve incident response processes. An incident summary report is designed to be distributed to stakeholders to reassure them that the incident has been properly handled.

During which incident response phase is the preservation of evidence performed? Containment, eradication, and recovery Post-incident activity Detection and analysis Preparation

containment, eradication, and recovery A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring criminal charges against an attacker.

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training? Data masking Data minimization Tokenization Anonymization

data minimization Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field's contents are redacted, by substituting all character strings with "x," for example.

Identify a hardware-based method for firmware security assurance. e-Fuse anti-tamper device Bus encryption self-encrypting drive

e-Fuse An e-fuse is a transistor in a hardware chip that can be blown permanently by a program instruction; the blown fuses record the firmware version number so that it can be verified. An anti-tamper mechanism makes use of a field programmable gate array (FPGA) and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on unique features of the device, enabling detection of tampering. Bus encryption ensures that the device at the end of the bus is trusted to decrypt the data when the data is transferred to another device over a bus, such as PCIe, USB, or HDMI. It enhances security when transferring data.

A cybersecurity analyst is reviewing the DNS logs for his company's networks and sees the following output:

fast flux DNS is being used for an attacker's C2 The fast flux DNS technique rapidly changes the IP address associated with a domain. It allows the adversary to defeat IP-based blocklists, but the communication patterns established by the changes might be detectable.

Natalie wants to create a backup of the permissions before making changes to the Linux workstation she will remediate. What Linux tool can she use to back up the permissions of the system's complete directory structure?

getfacl The getfacl command allows backups of directories to include permissions, saved to a text file. The setfacl command is used to restore the permissions from the backup created. The aclman and chbkup commands are not legitimate Linux commands. The iptables command is used to configure the Linux firewall, not the directory structure's file permissions.

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program?

glba The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

An admin needs to understand the design of legitimate procedures in order to determine what may be suspicious on a standard Windows host. Which of the following processes does not appear legitimate? lsass.exe svchosta.exe smss.exe userinit.exe

svchosta.exe When identifying suspicious running processes, look for unrecognized process names, particularly names that mimic a legitimate system process (for example, scvhost) or names that are generated at random. userinit.exe is a legitimate Windows process that sets up the shell (usually explorer.exe) and then exits. Upon logging in, someone can see this process only momentarily. lsass.exe handles the authorization and authentication of users. Only one instance should exist, running as a child of wininit.exe. SMSS is the first user-mode process; it should only appear as a child of System.exe and should start from the System32 folder.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

syslog The Syslog server is a centralized log management solution. By looking through the Syslog server's logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers.
