Final Study
What is the prefix length notation for the subnet mask 255.255.255.224?
- /27
After complaints from users, a technician identifies that the college web server is running very slowly. A check of the server reveals that there are an unusually large number of TCP requests coming from multiple locations on the Internet. What is the source of the problem?
- A DDoS attack is in progress
What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?
- Add services and autorun keys
What are two problems that can be caused by a large number of ARP request and reply messages?
- All ARP request messages must be processed by all nodes on the local network - The ARP request is sent as a broadcast, and will flood the entire subnet
What is the responsibility of the human resources department when handling a security incident?
- Apply disciplinary measures if an incident is caused by an employee
What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)
- Availability - Confidentiality - Integrity
What three services are offered by FireEye? (Choose three.)
- Blocks attacks across the web - Identifies and stops email threat vectors - Identifies and stops latent malware on files
What are two shared characteristics of the IDS and the IPS? (Choose two.)
- Both are deployed as sensors - Both use signatures to detect malicious traffic
Which statement describes the state of the administrator and guest accounts after a user installs Windows desktop version to a new computer?
- By default, both the administrator and guest accounts are disabled
What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)
- Certificate authority - Digital certificates
Which type of evidence supports an assertion based on previously obtained evidence?
- Corroborating evidence
What is the goal of an attack in the installation phase of the Cyber Kill Chain?
- Create a back door in the target system to allow for future access
An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?
- DHCP spoofing
What kind of message is sent by a DHCPv4 client requesting an IP address?
- DHCPDISCOVER broadcast message
What is a characteristic of DNS?
- DNS servers can cache request queries to reduce DNS query traffic
Which three algorithms are designed to generate and verify digital signatures? (Choose three.)
- DSA - RSA - ECDSA
Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
- Detection and analysis
How is the event ID assigned in Sguil?
- Each event in the series of correlated events is assigned a unique ID
A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)
- Encryption for all communication - Separate processes for authentication and authorization
What two kinds of personal information can be sold on the dark web by cybercriminals? (Choose two).
- Facebook photos - Street address
What are two elements that form the PRI value in a syslog message? (Choose two.)
- Facility - Severity
In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks with colleagues. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)
- Features of malware files - IP addresses of attack servers - Changes made to end system software
How does using HTTPS complicate network security monitoring?
- HTTPS adds complexity to captured packets
Which protocol is used by the traceroute command to send and receive echo-requests and echo-replies?
- ICMP
What kind of ICMP message can be used by threat actors to perform network reconnaissance and scanning attacks?
- ICMP unreachable
A technician is configuring email on a mobile device. The user wants to be able to keep the original email on the server, organize it into folders, and synchronize the folders between the mobile device and the server. Which email protocol should the technician use?
- IMAP
Which section of a security policy is used to specify that only authorized individuals should have access to enterprise data?
- Identification and authentication policy
After containment, what is the first step of eradicating an attack?
- Identify all hosts that need remediation
Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
- Install a web shell on the target web server for persistent access
Which statement describes the anomaly-based intrusion detection approach?
- It compares the behavior of a host to an established baseline to identify potential intrusions
Why is DHCP preferred for use on large networks?
- It is a more efficient way to manage IP addresses than static address assignment
What is the Internet?
- It provides connections through interconnected global networks
Which two actions can be taken when configuring Windows Firewall (Choose two.)
- Manually open ports that are required for specific applications - Allow a different software firewall to control access
How might corporate IT professionals deal with DNS-based cyber threats?
- Monitor DNS proxy server logs and look for unusual DNS queries
Which two types of messages are used in place of ARP for address resolution in IPv6? (Choose two.)
- Neighbor Solicitation - Neighbor Advertisement
What are two ICMPv6 messages that are not present in ICMP for IPv4? (Choose two.)
- Neighbor Solicitation - Router Advertisement
What is indicated by a true negative security alert classification?
- Normal traffic is correctly ignored and erroneous alerts are not being issued
Which two statements describe attacks? (Choose two.)
- Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers. - Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code
What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)
- SPAN - Network tap
Which two types of network traffic are from protocols that generate a lot of routine traffic? (Choose two.)
- STP traffic - Routing updates traffic
What is the TCP mechanism used in congestion avoidance?
- Sliding window
Which three pieces of information are found in session data? (Choose three.)
- Source and destination port numbers - Layer 4 transport protocol - Source and destination IP addresses
Which two protocols are associated with the transport layer? (Choose two).
- TCP - UDP
A flood of packets with invalid source IP addresses requests a connection on the network. The server busily tries to respond, resulting in valid requests being ignored. What type of attack occurred?
- TCP SYN flood
A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?
- The IP addresses or the logical location of essential systems or data
If the default gateway is configured incorrectly on the host, what is the impact on communications?
- The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote network.
What are three benefits of using symbolic links over hard links in Linux? (Choose three.)
- They can link to a directory - They can show the location of the original file - They can link to a file in a different file system
What is the most common goal of search engine optimization (SEO) poisoning?
- To increase web traffic to malicious sites
What is the purpose of CSMA/CA?
- To prevent collisions
Which statement describes a typical security policy for a DMZ firewall configuration?
- Traffic that originates from the DMZ interface is selectively permitted to the outside interface
When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)
- Train web developers for securing code - Perform regular vulnerability scanning and penetration testing
When a connectionless protocol is in use at a lower layer of the OSI model, how is missing data detected and retransmitted if necessary?
- Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host
Which network monitoring tool is in the category of network protocol analyzers?
- Wireshark
Which network monitoring tool saves captured network frames in PCAP files?
- Wireshark
How does a security information and event management system (SIEM) in a SOC help the personnel fight against security threats?
- by combining data from multiple techologies
A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure?
- data integrity
At which OSI layer is a source IP address added to a PDU during the encapsulation process?
- network layer
Users report that a database file on the main server cannot be accessed. A database administrator verifies the issue and notices that the database file is now encrypted. The organization receives a threatening email demanding payment for the decryption of the database file. What type of attack has the organization experienced.
- ransomware
Based on the command output shown, which file permission or permissions have been assigned to the other user group for the data.txt file?
- read
What is a purpose of entering the nslookup cisco.com command on a Windows PC?
- to check if the DNS service is running
