Incorrect Sybex Quiz Questions


Which of the following techniques is an example of active monitoring? - Ping - RMON - Netflows - Network tap

A. Ping Active monitoring sends traffic like pings to remote devices as part of the monitoring process. RMON and netflows are both examples of router-based monitoring, whereas network taps allow passive monitoring.

Wayne is configuring a jump box server that system administrators will connect to from their laptops. Which one of the following ports should definitely not be open on the jump box? - 22 - 23 - 443 - 3389

B. 23 Port 23, used by the Telnet protocol, is unencrypted and insecure. Connections should not be permitted to the jump box on unencrypted ports. The services running on ports 22 (SSH), 443 (HTTPS), and 3389 (RDP) all use encryption.

Which format does dd produce files in? - ddf - RAW - EN01 - OVF

B. RAW dd creates files in RAW, bit-by-bit format. EN01 is the EnCase forensic file format, OVF is virtualization file format, and ddf is a made-up answer.

Which type of Windows log is most likely to contain information about a file being deleted? - httpd logs - Security logs - System logs - Configuration logs

B. Security logs Microsoft Windows security logs can contain information about files being opened, created, or deleted if configured to do so. Configuration and httpd logs are not a type of Windows logs, and system logs contain information about events logged by Windows components.

Mike is looking for information about files that were changed on a Windows system. Which of the following is least likely to contain useful information for his investigation? - The MFT - INDX files - Event logs - Volume shadow copies

C. Event logs Event logs do not typically contain significant amounts of information about file changes. The Master File Table and file indexes (INDX files) both have specific information about files, whereas volume shadow copies can help show differences between files and locations at a point in time.

Olivia suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to help verify her suspicions? - Flows - A protocol analyzer - SNMP - An IDS or IPS

C. SNMP SNMP will not typically provide specific information about a system's network traffic that would allow you to identify outbound connections. Flows, sniffers (protocol analyzers), and an IDS or IPS can all provide a view that would allow the suspect traffic to be captured.

Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? - Eradication - Isolation - Segmentation - Removal

C. Segmentation In a segmentation approach, the suspect system is placed on a separate network where it has very limited access to other networked resources.

Betty is selecting a transport encryption protocol for use in a new public website she is creating. Which protocol would be the best choice? - SSL 2.0 - SSL 3.0 - TLS 1.0 - TLS 1.1

D. TLS 1.1 TLS 1.1 is a secure transport protocol that supports web traffic. The other protocols listed all have flaws that render them insecure and unsuitable for use.

Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise? - Nmap - Traceroute - Regmon - Whois

D. Whois Regional Internet registries like ARIN are best queried either via their websites or using tools like Whois. Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.

As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called? - A monitoring threshold - A preset notification level - Page monitoring - Perfmon calibration

A. A monitoring threshold A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.

Jeff is investigating a system compromise and knows that the first event was reported on October 5th. What forensic tool capability should he use to map other events found in logs and files to this date? - A timeline - A log viewer - Registry analysis - Timestamp validator

A. A timeline Timelines are one of the most useful tools when conducting an investigation of a compromise or other event. Forensic tools provide built-in timeline capabilities to allow this type of analysis.

What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans? - Asset inventory - Web application assessment - Router - DLP

A. Asset inventory An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans.

Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy? - CEO - Director of security - CIO - CSIRT leader

A. CEO The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.

Which one of the following statements is not true about compensating controls under PCI DSS? - Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. - Controls must meet the intent of the original requirement. - Controls must meet the rigor of the original requirement. - Compensating controls must provide a similar level of defense as the original requirement.

A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? - Destroy - Clear - Erase - Purge

A. Destroy The data disposition flowchart in Figure 8.7 directs that any media containing highly sensitive information that will leave the control of the organization must be destroyed. Joe should purchase a new replacement device to provide to the contractor.

Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response? - Detect an incident in progress - Implement a containment strategy - Identify the attackers - Eradicate the effects of the incident

A. Detect an incident in progress Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed are all objectives of the containment, eradication, and recovery phase.

Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system and Bethany is preparing to conduct new scans. When must she complete the new scan? - Immediately - June - December - No scans are required

A. Immediately PCI DSS requires that organizations conduct vulnerability scans quarterly, which would have Bethany's next regularly scheduled scan scheduled for June. However, the standard also requires scanning after any significant change in the payment card environment. This would include an upgrade to the point-of-sale system, so Bethany must complete a new compliance scan immediately.

Joe wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state? - Kerberos - RADIUS - LDAP - TACACS+

A. Kerberos Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default (and LDAP has limitations as an authentication mechanism). It is recommended that TACACS+ be run only on isolated administrative networks.

During a forensic investigation Ben asks Chris to sit with him and to sign off on the actions he has taken. What is he doing? - Maintaining chain of custody - Over-the-shoulder validation - Pair forensics - Separation of duties

A. Maintaining chain of custody Ben is maintaining chain-of-custody documentation. Chris is acting as the validator for the actions that Ben takes, and acts as a witness to the process.

What type of firewall provides the greatest degree of contextual information and can include information about users and applications in its decision-making process? - NGFW - WAF - Packet filter - Stateful inspection

A. NGFW Next-generation firewalls (NGFWs) incorporate contextual information about users, applications, and business processes in their decision-making process.

Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. How should Hank classify the information impact of this security event? - None - Privacy breach - Proprietary breach - Integrity loss

A. None The event described in this scenario would not qualify as a security incident with measurable information impact. Although the laptop did contain information that might cause a privacy breach, that breach was avoided by the use of encryption to protect the contents of the laptop.

Which one of the following document types would outline the authority of a CSIRT responding to a security incident? - Policy - Procedure - Playbook - Baseline

A. Policy An organization's incident response policy should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.

Which one of the following is not a purging activity? - Resetting to factory state - Overwriting - Block erase - Cryptographic erase

A. Resetting to factory state Resetting a device to factory state is an example of a data clearing activity. Data purging activities include overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands.

Which of the following tools does not provide real-time drive capacity monitoring for Windows? - SCCM - Resmon - SCOM - Perfmon

A. SCCM System Center Configuration Manager provides non-real-time reporting for disk space. Resmon, perfmon, and SCOM can all provide real-time reporting, which can help to identify problems before they take a system down.

Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website? - The Internet Archive - WikiLeaks - The Internet Rewinder - TimeTurner

A. The Internet Archive The Internet Archive maintains copies of sites from across the Internet, and it can be used to review the historical content of a site. WikiLeaks distributes leaked information, whereas the Internet Rewinder and TimeTurner are both made-up names.

Alex wants to prohibit software that is not expressly allowed by his organization's desktop management team from being installed on workstations. What type of tool should he use? - Whitelisting - Heuristic - Blacklisting - Signature comparison

A. Whitelisting Whitelisting software prevents software that is not on a preapproved list from being installed. Blacklists prevent specific software from being installed, whereas heuristic and signature-based detection systems focus on behavior and specific recognizable signatures respectively.

Which one of the following operating systems should be avoided on production networks? - Windows Server 2003 - Red Hat Enterprise Linux 7 - CentOS 7 - Ubuntu 16

A. Windows Server 2003 Microsoft discontinued support for Windows Server 2003, and it is likely that the operating system contains unpatchable vulnerabilities.

Which of the following tools cannot be used to make a forensic disk image? - Xcopy - FTK - Dd - EnCase

A. Xcopy FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.

Which of the following tools is not useful for monitoring memory usage in Linux? - df - top - ps - free

A. df The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.

What ISO standard applies to information security management controls? - 9001 - 27001 - 14032 - 57033

B. 27001 The International Organization for Standardization (ISO) publishes ISO 27001, a standard document titled "Information technology — Security techniques — Information security management systems — Requirements."

Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans? - Any employee of the organization - An approved scanning vendor - A PCI DSS service provider - Any qualified individual

B. An approved scanning vendor While any qualified individual may conduct internal compliance scans, PCI DSS requires the use of a scanning vendor approved by the PCI SSC for external compliance scans.

Which of the following vulnerability scanning methods will provide the most accurate detail during a scan? - Black box - Authenticated - Internal view - External view

B. Authenticated An authenticated, or credentialed, scan provides the most detailed view of the system. Black box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system.

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework? - Identify - Contain - Respond - Recover

B. Contain The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

Which one of the following terms is not typically used to describe the connection of physical devices to a network? - IoT - IDS - ICS - SCADA

B. IDS Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICS) are all associated with connecting physical world objects to a network.

Which of the following descriptions explains an integrity loss? - Systems were taken offline, resulting in a loss of business income - Sensitive or proprietary information was changed or deleted - Protected information was accessed or exfiltrated.

B. Integrity Breaches Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.

Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing? - Eradication - Isolation - Segmentation - Removal

B. Isolation In the isolation strategy, the quarantine network is directly connected to the Internet or restricted severely by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.

Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized? - Low impact - Moderate impact - High impact - Severe impact

B. Moderate impact Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals.

Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What protocol is likely in use on this network that resulted in this vulnerability? - TLS - NAT - SSH - VPN

B. NAT Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.

Robert's organization has a Bring Your Own Device (BYOD) policy, and he would like to ensure that devices connected to the network under this policy have current antivirus software. What technology can best assist him with this goal? - Network firewall - Network access control - Network segmentation - Virtual private network

B. Network access control Network access control (NAC) solutions are able to verify the security status of devices before granting them access to the organization's network. Devices not meeting minimum security standards may be placed on a quarantine network until they are remediated.

What three options are most likely to be used to handle a memory leak? - Memory management, patching, and buffer overflow prevention - Patching, service restarts, and system reboots - Service restarts, memory monitoring, and stack smashing prevention - System reboots, memory management, and logging

B. Patching, service restarts, and system reboots The best way to deal with memory leaks is to patch the application or service. If a patch is not available, restarting the service or the underlying operating system is often the only solution. Buffer overflow and stack smashing prevention both help deal with memory-based attacks rather than memory leaks, and monitoring can help identify out-of-memory conditions but doesn't directly help deal with a memory leak.

The Dirty COW attack is an example of what type of vulnerability? - Malicious code - Privilege escalation - Buffer overflow - LDAP injection

B. Privilege escalation In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with administrative control of affected systems.

What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type? - Clear - Purge - Destroy - Reinstall

B. Purge NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device. Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.

Which of the following is not a common DNS anti-harvesting technique? - Blacklisting systems or networks - Registering manually - Rate limiting - CAPTCHAs

B. Registering manually Registering manually won't prevent DNS harvesting, but privacy services are often used to prevent personal or corporate information from being visible via domain registrars. CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common anti-DNS harvesting techniques.

Sue is the manager of a group of system administrators and is in charge of approving all requests for administrative rights. In her role, she files a change request to grant a staff member administrative rights and then approves it. What personnel control would best help to prevent this abuse of her role? - Mandatory vacation - Separation of duties - Succession planning - Dual control

B. Separation of duties Separation of duties would prevent Sue from both requesting and approving a change. Although this would not prevent her from having an employee make the request, it would stop her from handling the entire process herself. Mandatory vacation might help catch this issue if it were consistent but does not directly solve the problem. Succession planning identifies employees who might fill a role in the future, and dual control requires two people to work together to perform an action, neither of which is appropriate for this issue.

How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building? - Nmap - Signal strength and triangulation - Connecting to the rogue AP - NAC

B. Signal strength and triangulation Locating a rogue AP is often best done by performing a physical survey and triangulating the likely location of the device by checking its signal strength. If the AP is plugged into the organization's network, nmap may be able to find it, but connecting to it is unlikely to provide its location (or be safe!). NAC would help prevent the rogue device from connecting to an organizational network but won't help locate it.

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing? - Policy - Standard - Guideline - Procedure

B. Standard Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

A statement like "Windows workstations must have the current security configuration template applied to them before being deployed" is most likely to be part of which document? - Policies - Standards - Procedures - Guidelines

B. Standards This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.

Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan? - Customer systems - Systems on the isolated network - Systems on the general enterprise network - Both B and C

B. Systems on the isolated network If Barry is able to limit the scope of his PCI DSS compliance efforts to the isolated network, then that is the only network that must be scanned for PCI DSS compliance purposes.

Which of the following options is not a valid way to check the status of a service in Windows? - Use sc at the command line - Use service --status at the command line - Use services.msc - Query service status via PowerShell

B. Use service --status at the command line The service --status command is a Linux command. Windows service status can be queried using sc, the Services snap-in for the Microsoft Management Console, or via a PowerShell query.

Tommy is assessing the security of several database servers in his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Tommy detected? - Risk - Vulnerability - Hacker - Threat

B. Vulnerability In this scenario, Tommy identified a deficiency in the security of his web server that renders it vulnerable to attack. This is a security vulnerability. Tommy has not yet identified a specific risk because he has not identified a threat (such as a hacker) that might exploit this vulnerability.

Kevin would like to implement a specialized firewall that can protect against SQL injection, cross-site scripting, and similar attacks. What technology should he choose? - NGFW - WAF - Packet filter - Stateful inspection

B. WAF Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.

What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization's systems? - traceroute - Zone transfer - DNS sync - Dig

B. Zone transfers Zone transfers are intended to allow DNS database replication, but an improperly secured DNS server can also allow third parties to request a zone transfer, exposing all of their DNS information. Traceroute is used to determine the path and latency to a remote host, whereas dig is a useful DNS query tool. DNS sync is a made-up technical term.

What flag does nmap use to enable operating system identification? - -os - -id - -o - -osscan

C. -o Nmap's operating system identification flag is -o. This enables OS detection. -A also enables OS identification and other features. -osscan with modifiers like -limit and -guess set specific OS identification features. -os and -id are not nmap flags.

During passive intelligence gathering, you are able to run netstat on a workstation located at your target's headquarters. What information would you not be able to find using netstat on a Windows system? - Active TCP connections - A list of executables by connection - Active IPX connections - Route table information

C. Active IPX connections IPX connections are not shown by netstat. IPX is a non-IP protocol. Active TCP connections, executables that are associated with them, and route table information are all available via netstat.

Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack? - AV - C - Au - AC

C. Au The authentication metric describes the authentication hurdles that an attacker would need to clear to exploit a vulnerability.

Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance? - CVSS - CVE - CPE - OVAL

C. CPE Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? - Identifying the source of the attack - Eradication - Containment - Recovery

C. Containment Tamara's first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.

Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action? - Preparation - Detection and Analysis - Containment, Eradication, and Recovery - Post-Incident Activity and Reporting

C. Containment, Eradication, and Recovery The Containment, Eradication, and Recovery Phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase.

What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies? - HIPAA - GLBA - FISMA - FERPA

C. FISMA The Federal Information Security Management Act (FISMA) requires that federal agencies implement vulnerability management programs for federal information systems.

Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans? - Bank - Hospital - Government agency - Doctor's office

C. Government agency The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions.

What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system? - Trend analysis - Signature analysis - Heuristic analysis - Regression analysis

C. Heuristic analysis Heuristic analysis focuses on behaviors, allowing a tool using it to identify malware behaviors instead of looking for a specific package. Trend analysis is typically used to identify large-scale changes from the norm, and it is more likely to be useful for a network than for a single PC. Regression analysis is used in statistical modeling.

What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries? - Low - Moderate - High - Severe

C. High Control enhancement number 4 requires that an organization determine what information about the system is discoverable by adversaries. This enhancement only applies to FISMA high systems.

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? - Low - Medium - High - Critical

C. High Vulnerabilities with a CVSS score higher than 6.0 but less than 10.0 fall into the High risk category.

Ben is preparing to conduct a cybersecurity risk assessment for his organization. If he chooses to follow the standard process proposed by NIST, which one of the following steps would come first? - Determine likelihood - Determine impact - Identify threats - Identify vulnerabilities

C. Identify threats The NIST risk assessment process says that organizations should identify threats before identifying vulnerabilities or determining the likelihood and impact of risks.

Who is the best facilitator for a post-incident lessons-learned session? - CEO - CSIRT leader - Independent facilitator - First responder

C. Independent facilitator Lessons-learned sessions are most effective when facilitated by an independent party who was not involved in the incident response effort.

Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? - Effectiveness of the strategy - Evidence preservation requirements - Log records generated by the strategy - Cost of the strategy

C. Log records generated by the strategy NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.

What SABSA architecture layer corresponds to the designer's view of security architecture? - Contextual security architecture - Conceptual security architecture - Logical security architecture - Component security architecture

C. Logical security architecture The logical security architecture corresponds to the designer's view in the SABSA model. The contextual architecture is the business view, the conceptual architecture is the architect's view, and the component architecture is the tradesman's view.

Chris wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate? - Collecting NetFlow data - Using a protocol analyzer - Pinging remote systems - Enabling SNMP

C. Pinging remote systems Active monitoring is focused on reaching out to gather data using tools like ping and iPerf. Passive monitoring using protocol analyzers collects network traffic, and router-based monitoring using SNMP and flows gathers data by receiving or collecting logged information.

Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss? - None - Privacy breach - Proprietary breach - Integrity loss

C. Proprietary breach In a proprietary breach, unclassified proprietary information is accessed or exfiltrated. Protected critical infrastructure information (PCII) is an example of unclassified proprietary information.

Which one of the following activities is not part of the vulnerability management life cycle? - Detection - Remediation - Reporting - Testing

C. Reporting While reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life-cycle phases are detection, remediation, and testing.

Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plug-ins. What would be the best approach for the initial scan? - Run the scan against production systems to achieve the most realistic results possible. - Run the scan during business hours. - Run the scan in a test environment. - Do not run the scan to avoid disrupting the business.

C. Run the scan in a test environment. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

Frederick wants to determine if a thumb drive was ever plugged into a Windows system. How can he test for this? - Review the MFT - Check the system's live memory - Use USB Historian - Create a forensic image of the drive

C. Use USB Historian USB Historian provides a list of devices that are logged in the Windows Registry. Frederick can check the USB device's serial number and other identifying information against the Windows system's historical data. If the device isn't listed, it is not absolute proof, but if it is listed, it is reasonable to assume that it was used on the device.

What is the most recent version of CVSS that is currently available? - 1.0 - 2.0 - 2.5 - 3.0

D. 3.0 Version 3.0 of CVSS is currently available but is not as widely used as the more common CVSS version 2.0.

Which tool is not commonly used to generate the hash of a forensic copy? - MD5 - FTK - SHA1 - AES

D. AES While AES does have a hashing mode, MD5, SHA1, and built-in hashing tools in FTK and other commercial tools are more commonly used for forensic hashes.

Which one of the following is an example of an attrition attack? - SQL injection - Theft of a laptop - User installs file sharing software - Brute-force password attack

D. Brute-force password attack An attrition attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS attack intended to impair or deny access to a service or application or a brute-force attack against an authentication mechanism.

In what type of attack does the attacker place more information in a memory location than is allocated for that use? - SQL injection - LDAP injection - Cross-site scripting - Buffer overflow

D. Buffer overflow Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

What two files may contain encryption keys normally stored only in memory on a Windows system? - The MFT and the hash file - The Registry and hibernation files - Core dumps and encryption logs - Core dumps and hibernation files

D. Core dumps and hibernation files Core dumps and hibernation files both contain an image of the live memory of a system, potentially allowing encryption keys to be retrieved from the stored file. The MFT provides information about file layout, and the Registry contains system information but shouldn't have encryption keys stored in it. There is no hash file or encryption log stored as a Windows default file.

Which one of the following is not a common use of the NIST Cybersecurity Framework? - Describe the current cybersecurity posture of an organization. - Describe the target future cybersecurity posture of an organization. - Communicate with stakeholders about cybersecurity risk. - Create specific technology requirements for an organization.

D. Create specific technology requirements for an organization. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

Cindy is conducting a cybersecurity risk assessment and is considering the impact that a failure of her city's power grid might have on the organization. What type of threat is she considering? - Adversarial - Accidental - Structural - Environmental

D. Environmental Widespread infrastructure failures, such as those affecting the power grid or telecommunications circuits, are considered man-made disasters and fall under the category of environmental threats.

What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems? - Syslog data - WMI data - Resmon data - Flow data

D. Flow data Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, resmon, and WMI data are all system log information and would not provide this information.

Gary is the system administrator for a federal agency and is responsible for a variety of information systems. Which systems must be covered by vulnerability scanning programs? - Only high-impact systems - Only systems containing classified information - High- or moderate-impact systems - High-, moderate-, or low-impact systems

D. High-, moderate-, or low-impact systems The Federal Information Security Management Act (FISMA) requires vulnerability management programs for all federal information systems, regardless of their assigned impact rating.

What software component is responsible for enforcing the separation of guest systems in a virtualized infrastructure? - Guest operating system - Host operating system - Memory controller - Hypervisor

D. Hypervisor In a virtualized data center, the virtual host hardware runs a special operating system known as a hypervisor that mediates access to the underlying hardware resources.

What organization manages the global IP address space? - NASA - ARIN - WorldNIC - IANA

D. IANA The Internet Assigned Numbers Authority manages the global IP address space. ARIN is the American Registry for Internet Numbers, WorldNIC is not an IP authority, and NASA tackles problems in outer space, not global IP space.

Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement? - COBIT - TOGAF - ISO 27001 - ITIL

D. ITIL The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise. ITIL covers five core activities: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.

Which one of the following data elements would not normally be included in an evidence log? - Serial number - Record of handling - Storage location - Malware signatures

D. Malware signatures Malware signatures would not normally be included in an evidence log. The log would typically contain identifying information (e.g., the location, serial number, model number, hostname, MAC addresses and IP addresses of a computer), the name, title and phone number of each individual who collected or handled the evidence during the investigation, the time and date (including time zone) of each occurrence of evidence handling, and the locations where the evidence was stored.

Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal? - Isolation - Segmentation - Removal - None of the above

D. None of the above Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.

What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses? - Service identification - Fuzzing - Application scanning - OS detection

D. OS detection Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

Which one of the following elements is not normally found in an incident response policy? - Performance measures for the CSIRT - Definition of cybersecurity incidents - Definition of roles, responsibilities, and levels of authority - Procedures for rebuilding systems

D. Procedures for rebuilding systems Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an incident response policy.

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? - Daily - Weekly - Monthly - Quarterly

D. Quarterly PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

When performing 802.1x authentication, what protocol does the authenticator use to communicate with the authentication server? - 802.11g - EAP - PEAP - RADIUS

D. RADIUS The Remote Access Dial-In User Service (RADIUS) is an authentication protocol used for communications between authenticators and the authentication server during the 802.1x authentication process.

What NIST publication contains guidance on cybersecurity incident handling? - SP 800-53 - SP 800-88 - SP 800-18 - SP 800-61

D. SP 800-61 NIST SP 800-61 is the Computer Security Incident Handling Guide. NIST SP 800-53 is Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-88 is Guidelines for Media Sanitization. NIST SP 800-18 is the Guide for Developing Security Plans for Federal Information Systems.

Which one of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures? - MAC - Hashing - Decompiling - Sandboxing

D. Sandboxing Sandboxing is an approach used to detect malicious software based on its behavior rather than its signatures. Sandboxing systems watch systems and the network for unknown pieces of code and, when they detect an application that has not been seen before, immediately isolate that code in a special environment known as a sandbox where it does not have access to any other systems or applications.

During a forensic investigation, Shelly is told to look for information in slack space on the drive. Where should she look, and what is she likely to find? - She should look at unallocated space, and she is likely to find file fragments from deleted files. - She should look at unused space where files were deleted, and she is likely to find complete files duplicated there. - She should look in the space reserved on the drive for spare blocks, and she is likely to find complete files duplicated there. - She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files.

D. She should look at unused space left when a file is written, and she is likely to find file fragments from deleted files. Slack space is the space left when a file is written. Since the space may have previously been filled by another file, file fragments are likely to exist and be recoverable. Unallocated space is space that has not been partitioned and could contain data, but looking there isn't part of Shelly's task. The reserved space maintained by drives for wear leveling (for SSDs) or to replace bad blocks (for spinning disks) may contain data, but again, this was not part of her task.

Which software development life cycle model uses linear development concepts in an iterative, four-phase process? - Waterfall - Agile - RAD - Spiral

D. Spiral The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.

Jennifer wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to her needs? - LiME - DumpIt - fmem - The Volatility Framework

D. The Volatility Framework The Volatility Framework is designed to work with Windows, macOS, and Linux, and it provides in-depth memory forensics and analysis capabilities. LiME and fmem are Linux tools, whereas DumpIt is a Windows-only tool.

Grace is the CSIRT team leader for a business unit within NASA, a federal agency. What is the minimum amount of time that Grace must retain incident handling records? - Six months - One year - Two years - Three years

D. Three years National Archives General Records Schedule (GRS) 24 requires that all federal agencies retain incident handling records for at least three years.

While studying an organization's risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure? - Tier 1 - Tier 2 - Tier 3 - Tier 4

D. Tier 4 The description provided matches the definition of a Tier 4 (Adaptive) organization's risk management practices under the NIST Cybersecurity Framework.

What technique is being used in this command? dig axfr @dns-server example.com - DNS query - Nslookup - Dig scan - Zone transfer

D. Zone transfer The axfr flag indicates a zone transfer in both the dig and host utilities.

What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers? - DNSSEC - AXR - DNS registration - Zone transfers

D. Zone transfers DNS zone transfers provide a method to replicate DNS information between DNS servers, but they are also a tempting target for attackers due to the amount of information that they contain. A properly secured DNS server will only allow zone transfers to specific, permitted peer DNS servers. DNSSEC is a suite of DNS security specifications, AXR is a made-up term (AXFR is the zone transfer command), and DNS registration is how you register a domain name.
