ITS Cybersecurity Practice Exam
According to NIST, in which phase of the Incident Response Life Cycle do you perform event correlation?
Detection & Analysis
What is used to authenticate and verify the identity of a website?
Digital certificate
Employees in the finance department are reporting slow traffic and poor performance on an internal webserver. As a junior cybersecurity analyst, you review the output of some event logs and packet captures and notice numerous packets from the same IP address are flooding the network. What should you do first?
Escalate the issue to a more senior analyst for further investigation
Which option is the built-in MacOS file encryption tool?
FileVault
A company located in the United States wants to enter into a business relationship with a company located in Germany. Which legal regulatory framework does it need to comply with in order to protect customer privacy?
GDPR
What action taken on a Windows computer will allow you to detect an attacker running unauthorized PowerShell operations?
Enable Script Block Logging.
Your team needs to update the preventive disaster recovery controls that are used in your organization. What should you do?
Conduct end-user security training.
You receive an email from your teacher that has a link to a class poll for a pizza party. You click the link which takes you to the school portal to log in. Later, you discover this was a phishing email and your credentials were stolen. Which part of the CIA Triad was compromised in this attack?
Confidentiality
A company wants to prevent downtime and the likelihood of a vulnerability being exploited. What vulnerability management solution should be used?
Mitigation
Move each potential threat on the left to the correct mitigation strategy on the right. Hardened facilities and alternate sites Firewalls, IDS and IPS, Log Analyzers Alternate sources, inventory management Standard procedures, training
Natural disasters Cyber attack Supply-chain disruptions Employee errors
In which phase of the NIST Incident Response Life Cycle do you assemble a jump kit?
Preparation Phase
Software tools used for collecting security data, detecting threats, and investigating/analyzing threats. Software tools that are used for collecting data and analyzing threats and then using workflows to automate incident investigations to handle the threat. Monitoring tools that intercept and store network data. A protocol that enables network administrators to monitor and manage network performance.
SIEM SOAR Packet Capture SNMP
Which solution allows cybersecurity incident response teams to automate incident responses?
SOAR
Automates security operations, threat intelligence, and incident response. Analyzes and aggregates log data from different IT systems to identify security threats. Automates system vulnerability management and security compliance evaluation.
SOAR SIEM SCAP
Which two components are required to enable clients to connect to a wireless network using the WPA2-Enterprise security protocol? (Choose 2.)
SSID RADIUS
An attacker has launched a DoS attack on a target server. The attack prevents the server from responding to client requests because it is waiting to close half-open Layer 4 sessions with the attacker's computer. Which type of attack is this?
SYN flood
A company is working on a disaster recovery plan. They decide that it would be more secure to subscribe to a cloud service application for their file storage and backups. Which type of cloud service do they need?
SaaS
A new cybersecurity technician suspects that one of their network servers experienced a brute force attack. Which Windows log files should be examined to provide evidence of this attack?
Security logs
A cyber technician is worried about the security of the current driver installed on the 64-bit Windows 10 platform on a corporate laptop. The technician tries to install an updated version of the driver that was found on the web, but the driver fails to install. What is the issue?
The driver is not digitally signed.
Why would you implement Network Admission Control?
To enforce network security policy for devices that join the network.
You are conducting an internal penetration test. As part of the penetration test, you conduct an active reconnaissance attack. What is the purpose of conducting the active reconnaissance attack?
To scan systems for vulnerabilities and identify weaknesses for attack.
In a _____ attack, threat actors will spoof the source address of the ICMP packet and send a broadcast to all computers on that network to generate enough broadcast traffic to compromise the network. _____ is a technique used to exploit the vulnerability in the ICMP echo packet to obtain details of the operating system on the target computer. A(n) _____ attack is when threat actors exploit overlapping IP fragments present in the target system. When the destination target tries to reassemble them, it cannot do so and fails, which causes the target system to reboot or crash.
smurf Fingerprinting teardrop
Warning Information Success audit Error Failure audit
A storage device runs low on free space. A network driver loads successfully. A user logs into the system. A service fails to load during startup. A user unsuccessfully tries to access a network drive.
Which symmetric encryption algorithm would provide the strongest data protection?
Advanced Encryption Standard (AES)
You discover malware that has been collecting data and forwarding it to another server in a different country for several months. Which type of attack is this?
Advanced persistent threat
For each statement, select Yes if the statement is a valid reason to implement security techniques to protect or hide IP addresses from a hacker or No if the statement is not a valid reason for protecting or hiding an IP Address.
An IP address uniquely identifies a device on the network or the internet. Yes IP addresses are only used internally and must not be exposed outside of your network. No IPv4 addresses are outdated and no longer supported. No
What are the two classes of encryption algorithms? (Choose 2.)
Asymmetric Symmetric
Which term refers to the combined sum of all potential threat vectors in defense-in-depth security?
Attack surface
Which term describes a pathway that is used to illegally access a computer system?
Attack vector
What are the three components of the AAA concept in cybersecurity? (Choose 3.)
Authorization Accounting Authentication
Which type of incident response plan is broad and specifies how to keep critical business functions running in the event of a disaster?
Business Continuity Plan
You are configuring an access control list that must permit secure shell access to a server with IP address 10.0.0.1 from the 172.17.1.128/28 network. All other IP traffic to the host must be blocked. In addition, only web traffic is permitted to other hosts on the network. To meet these requirements, in what order should you enter the following access list entries? A) access-list 110 deny ip any any B) access-list 110 deny ip any host 10.0.0.1 C) access-list 110 permit tcp 172.17.1.128 0.0.0.15 host 10.0.0.1 eq 22 D) access-list 110 permit tcp any any eq 80
CBDA
Which part of the CIA Triad is exploited when shoulder surfing occurs?
Confidentiality
In which order should you collect digital evidence from a computer system?
Contents of RAM, Contents of Fixed Disk, Archived Backup
An attacker has connected a laptop to a wireless network and attempts to lease all available IP addresses from the DHCP server. Which type of attack is occurring?
DHCP Starvation
Which attack involves an attacker setting up a rogue server on the network which provides network hosts with incorrect IP address configuration information?
DHCP spoofing
Which technology allows users to access an untrusted network without compromising the internal network?
DMZ
Which type of attack occurs when an attacker compromises a company's server so that it reroutes a specific domain name to a fraudulent website?
DNS Spoofing
Which two states of data domains would require encryption and hashing to secure the data? (Choose 2.)
Data at rest Data in transit
In which phase of the NIST Incident Response Life Cycle do you investigate network intrusion detection sensor alerts?
Detection & Analysis Phase
A fire occurred in the data center of your organization. Which document will security staff consult after the fire?
Disaster Recovery Plan
Which compliance act provides a framework for US federal agencies and contractors to adhere to in order to protect their data?
FISMA
Which network intelligence organization maintains a risk assessment tool that assigns a numeric score to describe the severity of a vulnerability?
Forum of Incident Response and Security Teams (FIRST)
A company manages the personal data of citizens from several European Union (EU) countries. Which compliance act must they adhere to when investigating security incidents involving EU citizens?
GDPR
Which compliance act must a hospital located in the U.S. adhere to when investigating security incidents involving patients' personal medical information?
HIPAA
An attacker has overwhelmed a server by sending more GET requests than the server can process. This results in a successful DoS attack. Which type of attack has occurred?
HTTP flooding
Which two communication protocols use encryption to secure data in transit? (Choose 2.)
HTTPS SSH
Which type of attack substitutes a source IP address to impersonate a legitimate computer system?
IP Spoofing
When setting up a home network, which security benefit does SSID cloaking provide?
It requires the SSID to be manually configured.
Condition should be corrected immediately. An error may occur if the situation is not remedied. Unusual event but not an error. Normal operation. Situation requires no intervention.
Level 1 (Alert) Level 4 (Warning) Level 5 (Notice) Level 6 (Informational)
You are reviewing Windows security logs and notice a series of suspicious failed login attempts against the Administrator user. You believe these attempts might be from a brute force attack. Which password policy should you review and modify to protect the Windows systems from this attack?
Limit the number of login retries.
A company gives each employee a mobile tablet device to work from home. The company security policy specifies all endpoint computing devices be assigned a unique identifier so the device can be tracked. What would help the company remain compliant with the security policy?
MDM software
Which framework provides a knowledge base for the tactics, techniques, and procedures used by adversaries from real-world observations?
MITRE ATT&CK
Which kind of attack intercepts and alters data sent between two hosts?
Man-in-the-middle
Which network penetration tool is used to exploit an asset to determine if it is vulnerable?
Metasploit
A cybersecurity technician needs to ensure that remote workers who have limited bandwidth can download critical patches and security updates for Windows but not feature updates. Which Windows feature will allow for this?
Metered connections
Your company has a DoS vulnerability. Which security process reduces the likelihood of a DoS attack?
Mitigation
A technician needs to identify the unsigned drivers that are installed on the system. Which three native Windows 10 tools will accomplish this task? (Choose 3.)
Msinfo32 Sigverif Driverquery
Which technology should a company use to enforce corporate policies on BYOD devices connecting to the network?
NAC
Enforcing policies for users and devices joining the network. Blocking malicious traffic from entering the private network. Securing traffic flows over an unsecured network.
NAC Firewall VPN
You are hired by a company to perform a penetration test. You begin by conducting reconnaissance and gathering information about the company's internet domain. Which command-line utility should you use to determine the public IP addresses that are mapped to the company's domain name?
Nslookup
What is used to locate potential vulnerabilities in a computer system?
Penetration testing
_____ is used to find vulnerabilities within a computer system.
Penetration testing
You are a junior cybersecurity analyst. An employee reports to you that her laptop was stolen. For which three reasons should you escalate this event to the Computer Security Incident Response Team (CSIRT)? (Choose 3.)
Potential network disruption or denial of service Exposure of sensitive or confidential information Unauthorized use of resources
Establish the incident response team. Determine if an incident has occurred. Validate the IP address of the attacking host. Hold a lessons learned meeting.
Preparation Phase Detection & Analysis Phase Containment, Eradication, and Recovery Phase Post-Incident Activity Phase
You are implementing an 802.1x network access control solution to authenticate users and devices attempting to access the network. Which type of server is required to perform authentication for network access?
RADIUS
Which three types of threat intelligence data do threat intelligence platforms collect? (Choose 3)
Reputation information Tools, techniques, and procedures Indicators of compromise
What is the term for a collection of software tools used by an attacker to obtain administrator-level access to a computer?
Rootkit
You are a part of your company's cybersecurity team. You suspect that someone is trying to hack into the company network through one of the applications on the network. You want to use Netstat to audit all the applications on the network and their TCP connections. What should you do?
Run the netstat -o command
You are a part of your company's cybersecurity team. The company's DNS server has been generating errors because it has been unable to resolve connections. You need to use NSLookup to tell the DNS server to check other servers if it doesn't have the information. What should you do?
Run the nslookup set recurse command.
You need to use tcpdump to capture a specified number of packets from the network. What should you do?
Run the tcpdump -c command.
Which algorithm is a one-way mathematical function that is used to provide data integrity?
SHA-2
Something you have Something you know Something you are
SMS token PIN number Facial recognition
An attacker targets all hosts on a network segment by sending traffic to a specific port to see if it is active on any of the hosts. Which scanning technique is the attacker using?
Sweep scan
Which network intelligence organization provides security training, certifications, and free news resources?
SysAdmin, Audit, Network, Security (SANS) Institute
Which type of physical attack involves entry into a restricted building or area?
Tailgating
Your friend wants to use your home Wi-Fi network to access the Internet from their smartphone. What are two potential security checks to verify before allowing your friend's device on your network? (Choose 2.)
Their device was scanned with the latest antivirus/anti-malware definition update. Your important or sensitive files, devices, and peripherals are on a private network.
Why is it important to block incoming IP broadcast addresses and reserved private IP addresses from entering your network?
These types of addresses are easier to use for IP spoofing attacks.
Which statement is True about advanced persistent threat (APT) attacks?
They are used to steal data.
Threat Risk Vulnerability
Threat: A phishing email is received by an employee. Malware is installed on a system. Vulnerability: A bug is discovered in a software application. An encryption algorithm is susceptible to cracking.
What are two goals of an information security change management policy? (Choose 2.)
To ensure that modifications to systems do not negatively impact security. To ensure that documentation is updated when systems are installed or modified.
You are a part of a cyber forensics team that needs to examine a hard drive for evidence. Your supervisor tells you to first make a duplicate of the hard drive. What is the purpose of making a duplicate of the hard drive?
To preserve the original state of the hard drive.
A program that appears to be useful or harmless but contains hidden code that can compromise the target system on which it runs is called a _____.
Trojan horse
For the following statement, select True or False. Threat intelligence services use the data of their subscribers to stay current with the threat landscape.
True
Which classification of alert should be escalated to security investigators?
True positive
Which threat intelligence organization provides the Automated Indicator Sharing (AIS) service to governmental and private sector organizations?
U.S. Department of Homeland Security (DHS)
Minimizes attacks from automatic execution of malicious code and viruses from rogue websites Reduces risk of exposed or misused sensitive data if the device is stolen Allows the company to access, restore, and secure important features and applications in the event of theft
Unnecessary browser functions are disabled File encryption is enabled and functioning Devices are remotely managed by the CSIRT team
A company has a network policy for updating Windows 10 using a list of preset compliance guidelines. Which strategy would accomplish this?
Use Windows Update Baseline.
Which technology should be implemented to protect traffic as it crosses an unsecured network?
VPN
A technician needs to install a recently developed patch for one of the company applications running in a mixed Windows environment. Before installing the patch on the production server, the technician needs to test it in different environments. Which solution provides the method to test the patch in different environments?
Virtualized sandbox
Which attack method requires the use of a phone to obtain personal or sensitive information?
Vishing
Which social engineering attack targets high-ranking individuals in order to compromise personal or sensitive data?
Whaling
Which two network vulnerability assessment tools are used to scan networks? (Choose 2.)
Wireshark Nessus
Which two options are network security monitoring tools? (Choose 2.)
Wireshark SIEM
You need to use Netstat to display a list of only the UDP connections. What should you do?
You should run the netstat -p command.
For each server type, select Yes if it is typically located in a company's demilitarized zone (DMZ) or No if it is not.
email yes web yes directory services no print no
In a DNS __ attack, threat actors change the A record for your domain's IP address to point to a predetermined address of their choice.
hijacking
In a DHCP __ attack, threat actors configure a fake DHCP server on the network to issue DHCP addresses to clients.
spoofing
In a DHCP __ attack, threat actors flood the DHCP server with DHCP requests to use up all the available IP addresses that the legitimate DHCP server can issue.
starvation
A(n) _____ is the possibility of an attack on a computer system or network.
threat
A computer can run multiple _____ that run their own operating systems and applications. A _____ is a virtualized application that consists of its dependencies. A _____ is software that enables multiple operating systems to run on the same physical machine.
virtual machines container hypervisor
An independent examination of records and activities to determine if controls exist to ensure compliance with established security policies. Documentation which provides a high degree of confidence that adequate network and data security measures are in place. Processes and procedures to evaluate the security of an entire system or in response to a single event. Real-time and ongoing awareness of activity on the network and the attached devices in order to look for anomalies.
Audit process Information assurance Security assessment System monitoring
A major power surge occurs in the middle of making authorized changes to the company payroll server which results in equipment failure. The equipment is replaced and the data is restored from a previous, good backup. Which part of the CIA Triad was preserved?
Availability
An organization is revising its network security architecture. They want to include a device or service that will enhance security by hiding their corporate IP address and by acting as a go-between for internal users and the Internet. Which type of device or service does the organization require?
A proxy server
The BYOD policy at your company requires the strongest encryption standard for guest access to your wireless networks. When scanning the guest device, which encryption method should be verified as enabled?
AES
An attacker on the local network is forwarding packets that associate the MAC address of the attacker's computer with the IP address of a legitimate server. Which type of attack is taking place?
ARP Spoofing
Which Windows tool or feature can an administrator use to ensure that the data on employee laptops is secure in the event of theft or loss?
BitLocker
Which three characteristics describe both IDS and IPS devices? (Choose 3.)
Both compare traffic to a database of known malicious activity. Both devices use signatures to detect malicious traffic. Both use sensors to read network traffic.
Which term describes the process for ensuring that evidence has not been altered or fabricated after it was collected?
Chain of custody
Which option is a common type of attack launched against IoT devices?
DDoS attack
A new company needs to allow customers access to its website, but the company also needs to protect its internal network from unauthorized users. Which network tool should the company use?
DMZ
You need to analyze specific trends in actions affecting the storage of files on the network. Which log would show these trends?
Data log
Which type of anti-malware tool can identify malicious activity based on behavior?
Heuristics-based detection
Which field in a syslog message indicates the location of the device which is experiencing the event being logged?
Hostname
A company has remote employees working from home who need to securely access resources on the company's private LAN. Which technology protects traffic between the employees and the company private LAN?
IPsec
You notice that the number of phishing emails received by your organization has increased. What can the security team do to reduce detection and response times to these threats automatically or with minimal human intervention?
Implement SOAR.
Which Windows host log event type describes the successful operation of an application, driver, or service?
Information
Which network intelligence organization maintains a list of common vulnerabilities and exposures (CVE) that serves as a dictionary of common names for publicly known cybersecurity vulnerabilities?
MITRE Corporation
A French company sells items online and processes credit card payments. Which compliance framework must this company adhere to in order to reduce security incidents involving credit card purchases?
PCI-DSS
Threat actors send emails randomly to a very large number of recipients with the intent to gather information for fraud or identity theft. Threat actors send emails that are carefully designed to get a single recipient within an organization to respond and unknowingly install malware onto their system. Threat actors create fraudulent text messages to try to lure victims into revealing account information or installing malware. Threat actors use voice calls to manipulate an individual into releasing confidential data.
Phishing Spear phishing Smishing Vishing
Your company has a VPN server and a few routers that allow remote access by authorized employees. You are a network administrator and ready to implement the AAA framework for access control. Which server component should you install and configure to support a centralized AAA solution?
RADIUS server
A cybersecurity technician is concerned that one of the corporate systems in the company may have been compromised by an advanced persistent threat (APT) type of malware. The cybersecurity technician has quarantined the infected system and unplugged it from the network. What should the technician do next?
Reinstall the operating systems and applications and then restore the data from known good backups.
This is a type of malware used to secretly gather data on a target computer and send it back to threat actors. This is a collection of malware tools that can be used by threat actors to remotely access and control target computers. This is a type of malware used by threat actors to encrypt the hard drive content of a target computer. This is a type of malware that redirects the browser on target computers to various predetermined websites chosen by threat actors. This is a type of malware used by threat actors on target computers to take over computer resources for the purposes of mining.
Spyware Rootkit Ransomware Adware Cryptojacking
Which type of encryption algorithm uses a pre-shared key to encrypt and decrypt data?
Symmetric
Which three options are standards that enable the exchange of cyber threat intelligence (CTI) in an automated, consistent, and machine-readable format? (Choose 3.)
TAXII STIX CyboX
What is an advantage of using the MAC address of a device rather than the IP address to permit or deny access on your guest wireless network?
The MAC address of the device remains the same, but the IP address can change.
Which statement is True about fileless malware attacks that leverage the Windows PowerShell process?
They are seen as trusted and legitimate processes by most applications.
What happens during a source route attack?
Threat actors gain access to the source path and modify the options in the route for a data packet to take.
How can a company protect a device from unwanted access and malware that may have gotten past its firewall?
Use a host-based firewall on the device.
An adversary is obtaining an automated tool to deliver a malware payload after having identified a potential vulnerability in the email server of an organization. Which step of the Cyber Kill Chain framework does this represent?
Weaponization
You need to test a new software patch before a company-wide deployment. You are worried about the possibility of malicious code within the new software patch. Which technology should you use to test the patch before the company-wide deployment?
Virtualization
Which security practice is designed to proactively prevent the exploitation of weaknesses in a computer system or software?
Vulnerability management
In a DNS __ attack, threat actors use publicly accessible open DNS servers to flood a target with DNS response traffic.
amplification
You need to edit the default Linux permissions on a file to remove the write and execute permission for all users except the file's owner. Which command would change the permissions as needed?
chmod og-wx filename
A _____ cloud describes an environment shared by a set of organizations in a similar industry, such as medicine or banking. A _____ cloud is usually hosted behind a firewall and is used by a single organization. A _____ cloud is used by some organizations that require a private cloud for internal employees but would use a public cloud for non-critical applications.
community private hybrid
A computer malware code that replicates itself on the target computer and spreads through the network causing damage and distributing additional harmful payloads is called a _____.
virus
A self-propagating malicious code that can propagate to other systems on the network and consume resources that could lead to a denial-of-service attack is called a _____.
worm
