Dion : CompTIA CySA+ - Practice Test 2
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: ZWNobygiSmFzb24gRGlvbiBmcm9tIGh0dHBzOi8vd3d3LkRpb25 Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed?
Base64 OBJ-4.2: While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can decode it using an online Base64 decoder. I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those. Incorrect Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a human-readable and machine-readable format. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in this question's example output.
You have just run the following commands on your Linux workstation: Which of the following options would be included as part of the output for the grep command issued? (Select ANY that apply)
DIOn DION Dion dion OBJ-3.1: The grep (global search for regular expressions and print) is one of Linux's powerful search tools. The general syntax for the grep command is "grep [options] pattern [files]. The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word "DION" will be presented from the file and displayed as the command output. By default, grep uses case sensitivity, so "grep DION Names.txt" would only display the output as "DION" and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.
Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system?
DNS sinkholing OBJ-3.2: DNS sinkholing is a process that uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply. incorrect Route poisoning prevents networks from sending data somewhere when the destination is invalid. Routers do not usually have an anti-malware filter, and this would be reserved for a unified threat management system. Subdomain allow listing would not apply here because it would imply that you are implicitly denying all traffic and only allowing allow listed subdomains to be accessed from the hosts that would affect their operational utility to the organization.
What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker?
DNS zone transfers OBJ-2.3: Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but an attacker could also use it for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers. Incorrect DNSSEC strengthens authentication in DNS using digital signatures based on public-key cryptography. CNAME is a Canonical Name Record or Alias Record. A type of resource record in the Domain Name System (DNS) specifies that one domain name is an alias of another canonical domain name. DNS registration is a service, which allows the owner of a domain name to use their name servers, which can match the domain name in question.
What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO)
Disabling unused services Segmentation OBJ-2.1: Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. Incorrect A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that rarely provide updates.
Which role validates the user's identity when using SAML for authentication?
IdP (identity provider) OBJ-2.2: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. Note The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Consider the following data: Which of the following best describes the data presented above?
JSON excerpt that describes an APT using the Structured Threat Information eXpression (STIX) format OBJ-1.2: This excerpt is a JSON object used by the STIX protocol to convey threat information. STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies. Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII Clients and Servers. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
Which of the following technologies is NOT a shared authentication protocol?
LDAP OBJ-2.2: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.
Which of the following is NOT considered part of the Internet of Things?
Laptop OBJ-1.5: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things examples of devices classified as the Internet of Things (IoT). Incorrect A laptop would be better classified as a computer or host than part of the Internet of Things. The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?
Malicious processes OBJ-4.3: A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Incorrect Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controlled. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack attempting to crack a user's password.
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system?
Pass the hash OBJ-4.3: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. Incorrect A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
Port scan OBJ-3.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. Incorrect The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn't send them to unused ports, and a UDP probe will not send SYN packets.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. What type of activity occurred based on the output above?
Port scan targeting 10.10.3.6 OBJ-4.4: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. note IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.
Which of the following will an adversary do during the final phase of the Lockheed Martin kill chain? (SELECT FOUR)
Privilege escalation Exfiltrate data Lateral movement through the environment Modify data OBJ-1.2: The last phase is the actions on objectives phase. During this phase, the targeted network is now adequately controlled by the attacker. If the system or network owner does not detect the attacker, the adversary may persist for months while gaining progressively deeper footholds into the network. This is done through privilege escalation and lateral movement. Additionally, the attacker can now exfiltrate data from the network or modify data that will remain in the network. Note Waiting for a user to click on a malicious link occurs during the exploitation phase. Releasing a malicious email would occur during the delivery phase.
Which type of media sanitization would you classify degaussing as?
Purging OBJ-4.2: Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Incorrect Clearing data prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the data file's pointer on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.
Which of the following lists the UEFI boot phases in the proper order?
Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime OBJ-2.3: The security must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The security consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and boot firmware volume (BFV). Driver Execution Environment initializes the entire system's physical memory, I/O, and MIMO (Memory Mapped Input Output) resources. Finally, it begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the Boot Policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
TACACS (Terminal Access Controller Access Control System) OBJ-2.1: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. incorrect The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network?
The beacon's protocol OBJ-3.3: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Note Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
VLAN OBJ-2.1: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. Incorrect A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
Virtualization OBJ-1.3: When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. Virtualization will allow the organization to create a lab environment without significant costs. Note You should never deploy patches directly into production without testing them first in the lab. Purchasing additional workstations would be costly and more time-consuming to configure.
Which of the following vulnerabilities is the greatest threat to data confidentiality?
Web application SQL injection vulnerability OBJ-1.4: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. Incorrect The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following
a buffer overflow that is known to allow remote code execution OBJ-1.4: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
Dion Training Solutions is conducting a penetration test of its facilities. The penetration testing team has been augmented by an employee of the company who has general user privileges. The security staff is unaware of the testing. According to NIST, which of the following types of penetration tests is being conducted?
a covert internal test OBJ-4.2: This is considered an internal covert test. It is internal because an employee of the company is part of the team and provides them with general user privileges. This will simulate an insider threat attack. It is also considered covert because the security staff and system administrators are unaware of the ongoing test.
You are reviewing a rule within your organization's IDS. You see the following output: Based on this rule, which of the following malicious packets would this IDS alert on?
a malicious inbound TCP packet OBJ-3.1: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.
Which of the following is NOT one of the main criteria included in a penetration testing plan?
account credentials OBJ-5.2: The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Note Account credentials are usually provided during a known environment test or vulnerability assessment, usually not provided for a penetration test.
While conducting a static analysis source code review of a program, you see the following line of code: String query = "SELECT * FROM CUSTOMER WHERE CUST_ID' " + request.getParameter("id") + " ' "; What is the issue with the largest security issue with this line of code?
an SQL injection could occur because input validation is not being used on the id parameter OBJ-2.2: This code takes the input of "id" directly from a user or other program without conducting any input validation. This could be exploited and used as an attack vector for an SQL injection. If a malicious user can alter the ID source, it might get replaced with something like' or '1' ='1. This will cause the SQL statement to become: "SELECT * FROM CUSTOMER WHERE CUST_ID='' or '1'='1'". Because '1' always equals '1', the where clause will always return 'true,' meaning that EVERY record in the database could now become available to the attacker. Incorrect When creating SQL statements, there are reasons for and against the use of the * operator. Its presence alone does not necessarily indicate a weakness. With only one line of code being reviewed, you cannot make any statement about whether it is vulnerable to a buffer overflow attack. You do not see the declaration values for the initialization of the id variable. This code is not using parameterized queries, but if it did, then it would eliminate this vulnerability. A parameterized query is a type of output encoding that relies on prepared statements to reduce the risk of an SQL injection.
Evaluate the following log entry: jan 11 05:52:56 1x1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0X00 SYN URGP=0 Based on this log entry, which of the following statements are true?
an attempted connection to the telnet service was prevented the packet was blocked inbound to the network OBJ-3.1: Firewall log formats will vary by vendors, but this example is a commonly used format from the Linux iptable firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word "drop" shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. You can also see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network. Next, we see the MAC address of the source device of the packet, the source (SRC) IP address, and the destination (DST) IP address. Further down, we see the source (SPT) and destination ports (DPT). In this case, the DPT is 23 and is a well-known port for telnet. Note Based on this single log entry, we cannot tell if packets are also being blocked when they are attempting to leave the network or if they are blocking connections to the ssh service (port 22) is also being conducting.
Dion Training's new COO is reviewing the organization's current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization's policies to ensure they remain up to date?
annually OBJ-5.3: Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner. Incorrect Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conducting quarterly or monthly reviews is too frequent, and there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.
You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?
any security flaws present in the library will also be present in the developed application OBJ-1.2: Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable, just as any other application or code might be. There are both known (discovered) and unknown vulnerabilities in the libraries being integrated into the project. Therefore, the software development team needs to ensure that they monitor the applicable libraries for additional CVEs that might be uncovered later. They have plans for distributing appropriate patches to their customers and a plan for integrating subsequent updates into their codebase. Incorrect Open-source libraries are not more vulnerable or insecure than commercially available or in-house developed libraries. Many consider open-source software more secure because it is widely analyzed and reviewed by programmers worldwide. While ensuring the most up to date versions of the libraries is a valid concern, as a cybersecurity analyst, you should be more concerned with current security flaws in the library so you can conduct risk management and implement controls to mitigate these vulnerabilities, and determine the method for continuing updates and patch support.
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do?
change all devices and servers that support it to port 636 since encrypted services run by default on port 636 OBJ-1.3: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636 since LDAP services over port 636 are encrypted by default.
A recent threat has been announced in the cybersecurity world, stating a critical vulnerability in a particular operating system's kernel. Unfortunately, your company has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network?
conduct an OS fingerprinting scan across the network OBJ-1.4: By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, you can focus your attention on just those servers that need further inspection and scanning. Incorrect Manually reviewing the Syslog server's log would take too long, and would not find servers that don't send their logs to the Syslog server. Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, it doesn't indicate running Linux or Windows as the underlying server.
Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply)
cross-site scripting SQL injection XML injection directory traversal OBJ-2.2: Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in any forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URLs accepted from the user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.
What type of information will a Cisco switch log be configured to capture logs at level 7?
debugging OBJ-3.1: Level 7 is used for debugging conditions and it just information that is useful to developers as they are debugging their networks and applications. The severity levels range from zero to seven, with zero being the most severe and seven being the least severe. Note Level 0 is used for an emergency and is considered the most severe condition because the system has become unstable. Level 1 is used for an alert condition and means that there is a condition that should be corrected immediately. Level 2 is used for a critical condition, and it means that there is a failure in the system's primary application and it requires immediate attention. Level 3 is used for an error condition, and it means that something is happening to the system that is preventing the proper function. Level 4 is used for warning conditions and it may indicate that an error will occur if action is not taken soon. Level 5 is used for notice conditions and it means that the events are unusual, but they are not error conditions. Level 6 is used for information conditions and it is a normal operational message that requires no action.
You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network?
deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities OBJ-3.2: To ensure your corporate network's safety, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker cannot exploit the vulnerabilities but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to the security of the server.
Which of the following information is traditionally found in the Scope of Work (SOW) for a penetration test?
excluded hosts OBJ-5.2: A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside the assessment scope. note The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.
Consider the following file called firewall.log that contains 53,682 lines that logged every connection going into and out of this network. The log file is in the following data format, as shown below with the first two lines of the log file: Which of the following commands would display all of the lines from the firewall.log file that contain the destination IP address of 10.1.0.10 and a destination port of 23?
grep "10\.\.\.10\," firewall.log | grep "23$" OBJ-3.1: The easiest way to do this is with a grep command. In Linux, you can chain together commands by piping data from one command's output to serve as the input to another command. In this scenario, you can use grep to find all the lines with the IP address first. Then, you can use the second grep command to find all the lines using port 23. The result is a smaller, filtered list of events to analyze. When using the dot in the IP addresses, you must remember to escape this character. Otherwise, grep treats it as a special character in a regular expression treated as any character (except a line break). Adding the \ before the dot (\.), grep treats it simply as a dot or period. You must also escape the comma for it to be processed properly. The $ after the port number is used to indicate that the number should only be counted as a match if it is at the end of the line. This ensures that we only return the destination ports (DPT) matching 23 and not the source port (SPT).
You want to search all the logs using REGEX to alert on any findings where a filename contains the word "password" (regardless of case). For example, "PASSWORD.txt," "Password.log," or "password.xlsx" should cause the alert to occur. Once deployed, this search will be conducted daily to find any instances of an employee saving their passwords in a file that could be easily found by an attacker. Which of the following commands would successfully do this?
grep -i password logfile.log OBJ-3.1: The flag (-i) in grep means that the entire string that follows will be treated as case insensitive. The absence of the whole word identifier (i.e., \b, ^) indicates that matching can occur at any part of the text being evaluated. In other words, "MyPasswords" will also be detected by this REGEX search. The (PASSWORD)|(password) REGEX will detect partial phrases of "PASSWORD" or "password" but will fail on simple things like "Password." All other options misuse the case-insensitivity flag.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS?
identify, implement, and document compensating controls OBJ-5.2: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. Incorrect The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?
implement an allow list OBJ-3.2: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. Incorrect MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).
You are the incident response team lead investigating a possible data breach at your company with 5 other analysts. A journalist contacts you and inquires about a press release from your company that indicates a breach has occurred. You quickly deny everything and then call the company's public relations officer to ask if a press release had been published, which it has not. Which of the following has likely occurred?
inadvertent release of information OBJ-5.1: It is most likely that an inadvertent release of information has occurred. Note This could have occurred due to communication not being limited to trusted parties or information being shared amongst the analyst using insecure communication methods. Based on the scenario, we cannot tell if the data breach (if one has occurred) involved the release of PII or SPI. Part of any good communications plan understands that you are required to disclose information based on regulatory requirements. When that disclosure occurs, it will usually be accompanied by a press release.
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements?
install NIPS on the internal interface and a firewall on the external interface of the router OBJ-2.1: Due to the requirements provided, you should install a NIPS on the gateway router's internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. Incorrect A NIPS is less powerful than a firewall and could easily "fail open" if it is overcome with traffic by being placed on the external interface. We wouldn't want to place the NIPS on the external interface in the correct choice for the same reasons. We also wouldn't choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.
You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?
install an access control vestibule at the entrance OBJ-1.5: An access control vestibule, or mantrap, is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system, such as a turnstile or rotating door. Incorrect CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won't stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but it won't stop a determined piggyback who follows an employee into the building after their authenticated RFID access has been performed.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?
intrusion prevention system OBJ-1.5: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. note Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.
What containment technique is the strongest possible response to an incident?
isolating the affected systems OBJ-4.2: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Incorrect Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?
jumpbox OBJ-2.1: Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. Incorrect A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.
Judith is conducting a vulnerability scan of her data center. She notices that a management interface for a virtualization platform is exposed to her vulnerability scanner. Which of the following networks should the hypervisor's management interface be exposed to ensure the best security of the virtualization platform?
management network OBJ-3.3: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. Note The external zone (internet), internal zone (LAN), or screened subnet (formerly called a DMZ) should not have the management interface exposed to them.
You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network?
perform a scan from on-site OBJ-1.4: You should request permission to conduct an on-site scan of the network. If the organization's network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services running on the internal network. Note While nmap does provide some capabilities to scan through a firewall, it is not as detailed as being on-site.
A penetration tester is conducting an assessment of a wireless network that is secure using WPA2 Enterprise encryption. Which of the following are major differences between conducting reconnaissance of a wireless network versus a wired network? (SELECT TWO)
physical accessibility encryption OBJ-1.4: Most wireless networks utilize end-to-end encryption, whereas wired networks do not. Physical accessibility is another major difference between wireless and wired networks since wireless networks can be accessed from a distance using powerful antennas. Incorrect Authentication, MAC filtering, and network access control (NAC) can be implemented equally on wired and wireless networks. Port security is only applicable to wired networks.
Which of the following are the two most important factors when determining a containment strategy?
prevention of an ongoing data breach ensuring the safety and security of all personnel OBJ-4.2: Safety and security of personnel should always be the first and most important overriding concern. In particular, this may apply in cases where SCADA/ICS equipment is present. Once the physical danger is abated, the second priority will be to prevent any further exfiltration of data or prevent the ongoing intrusion from spreading. Note All other factors are important but should only be considered after considering safety and preventing the incident's further spread. Once that has been done, you can determine whether to use an isolation-based or segmentation-based containment technique.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach?
require data at rest encryption on all endpoints OBJ-5.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. Incorrect While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop's loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.
Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process?
require students to enter a unique six digit number that is sent to them by SMS after entering their username and password OBJ-2.1: All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS sent number is an example of a possession factor or something you have. In this case, it verifies you have your smartphone. By combining this possession factor with the already in use knowledge factor (username and password), you can establish multifactor security for the login process.
Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?
schedule an emergency maintenance for an off peak time later in the day to remediate the vulnerability OBJ-5.2: Jorge should recommend that emergency maintenance windows be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. But, this also needs to be balanced against the business and operational needs. Therefore, the best way to balance the risk of the vulnerability and the outage's risk is to schedule an emergency maintenance window and patch the server during that time. Note Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability.
An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall?
screened subnet OBJ-3.2: A triple-homed firewall connects to three networks internal (private), external (internet/public), and a screened subnet (formerly called a demilitarized zone or DMZ). The screened subnet is used to host systems that require access from external hosts. Incorrect Data zones describe the state and location of data to help isolate and protect it from unauthorized/inappropriate use-for example, as data transitions from raw storage, processing, production, and analytical use. Data zones are associated with data lakes and designed to help manage big data used by analysts and scientists for data exploration and discovery tasks. An availability zone is an individual data center within a region of a cloud service provider's network. A staging environment is a pre-production enclave used for testing and development.
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize?
segmentation based containment that deceives the attack into believing their attack was successful OBJ-4.2: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive him or her into thinking the attack is progressing successfully, such as in the database modification example. Note The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario?
separation of duties OBJ-5.2: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Incorrect Dual control authentication is used when performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component.
Dion Consulting Group has just won a contract to provide updates to an employee payroll system originally written years ago in C++. During your assessment of the source code, you notice the command "strcpy" is being used in the application. Which of the following provides is cause for concern, and what mitigation would you recommend to overcome it?
strcpy could allow a buffer overflow to occur; upagrade the OS to run ASLR to prevent a buffer overflow OBJ-2.2: C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded. Incorrect Rewriting the source code would be highly desirable but could be costly, time-consuming, and would not be an immediate mitigation to this problem. The strcpy function (which is short for String copy) does not work on integers, and it only works on strings. As strcpy does not check for boundary conditions, buffer overflows are certainly possible using this deprecated method.
Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically?
suspend the machine and copy the contents of the directory it resides in OBJ-4.4: The best option is to suspend the machine and copy the directory contents as long as you ensure you protect the integrity of the files by conducting a hash on them before and after copying the files. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, you can copy the entire virtual hard drive by copying the file/folder from the host operating system (such as Windows), and this will give you all the information needed for your analysis. Incorrect The virtual machine should not be powered off to create a copy of the drive since it could alter the files in the virtual disk image during the shutdown process. Live acquisition relies on a specialist hardware or software tool that can capture memory contents while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire memory contents to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and requires you to shut down the host machine to conduct the bit-by-bit copy.
Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn't possible since they performed input validation using REGEX to alert on any strings that contain the term "[Ss]cript" in them. Which of the following statements concerning this attack is true?
the REGEX expression to filter using "[Ss]cript" is insufficient since an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it
You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?
the host might use a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device OBJ-3.3: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don't usually need to store data locally, and you noticed that a host's disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. Incorrect If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.
During a port scan, you discover a service running on a registered port. Based on this, what do you know about this service?
the service is running on a port between 1024 and 49151 OBJ-1.4: Registered ports are assigned a port number between 1024 and 49151 by the Internet Assigned Numbers Authority. Just because you find one of those ports in use, that does not guarantee that the service running on it will match the normally registered service. For example, RDP uses the registered port of 3389, but nothing prevents an administrator from running a different service over port 3389 instead. Also, discovering a service using a port scanner does not necessarily identify the service correctly or provide its vulnerability status. Any ports between 0 and 1023 are known as the well-known ports.
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the image failure?
there are bad sectors on the destination drive OBJ-4.4: If you have verified that the source and the target media are both the same size, then a failure has likely occurred due to bad media on the source drive or some bad sectors on the destination drive. Incorrect The data can always be copied into a RAW format since it is a bit by bit copy and will copy even the source drive's bad sectors. Even if the source disk were encrypted, the dd program would create a bit by bit copy to the destination drive for later cryptoanalysis attempts. Even if the data were modified, this would not cause the copy to fail. Instead, the copy would continue and record the modified data instead of the original data.
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
these devices should be isolated from the rest of the enterprise network OBJ-1.5: While the physical security posture of the company has been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. Note These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems?
they may be vulnerable to a credential stuffing attack OBJ-1.1: The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne's consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne's servers, they might attempt to use those credentials on Yoyodyne's servers, too. Incorrect There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn't mention an SQL database. Therefore, there is no direct threat of an SQL injection. An on-path attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that an on-path was utilized or is a possible threat.
A cybersecurity analyst conducts proactive threat hunting on a network by correlating and searching the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on?
unauthorized software OBJ-3.3: This is a difficult question, but you should see a keyword in the query, "mimikatz." Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is considered unauthorized software and should be immediately alerted upon if discovered in your network. Incorrect Data exfiltration is the process by which an attacker takes data that is stored inside of a private network and moves it to an external network. Processor consumption is an IoC that monitors the per-process percentage of CPU time to show what causes the problem. Irregular peer-to-peer communication occurs when hosts within a network establish connections over unauthorized ports or data transfers.
Which of the following is exploited by an SQL injection to give the attacker access to a database?
web application OBJ-1.7: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. Note The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
web application vulnerability scan OBJ-2.1: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. Note A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct?
your email server is running on a non standard port OBJ-3.1: As shown in the nmap scans' output, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) runs on a non-standard port.
A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?
zero day malware OBJ-3.1: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. Incorrect PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario's information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.
